Well, I have some additional info...

Right now, we have 2 different sites having the problem.  1 site is not
using cookies but is using client variables which are stored in a
database and then the CFID and CFTOKEN variables are just passed in the
URL.  If I change the setting in the CF Administrator to store client
variables in cookies, will that store them on the user's machine?  Even
if that is the case, the second site having the problem is using cookies
that only exist while the browser is open and they're getting mixed up
logins there too.  I'm not sure about the whole ghosting thing, but this
is repeatable enough to where it doesn't seem like it's a random
occurrence where CF is generating a random number and that number is just
getting crossed.  I initially tried making it use the UUID but because
the client vars are being stored in a DB, the DB fields weren't large
enough to hold the new value and it was choking all of the apps, so I
turned it off temporarily.

Also, as far as the ghosting goes, I'm sure that if the machines were
ghosted that the site wasn't visited during the ghosting process.  Now,
maybe whatever method CF uses to create the CFID and CFTOKEN is based on
something that is a match on both ghosted machines, maybe that's doing
it.

We talked with the network team and they're saying that it seems like a
proxy caching program, so they are going to set a rule on the proxy
server not to cache for the domains that we give them.  I'll let
everyone know if that works.  Let me know if you have any more input.
Thanks.

John
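An added example, not code from this thread: a small Python check for the proxy-caching explanation discussed above, assuming the proxy acts as an ordinary HTTP/1.1 shared cache and that the login response is a redirect whose Location carries the URL-based CFID/CFTOKEN (the hostnames and values are constructed).

```python
"""Added example (not from the thread): flag a ColdFusion response that carries
CFID/CFTOKEN in a URL and could be stored by a shared proxy cache, then replayed
to the next user behind the same NAT proxy. Assumes the proxy follows the plain
HTTP/1.1 shared-cache rules; hosts and token values below are constructed."""
from urllib.parse import urlsplit, parse_qs

SESSION_PARAMS = {"cfid", "cftoken"}


def carries_session_ids(url):
    """True if the URL passes both CFID and CFTOKEN in its query string."""
    if not url:
        return False
    keys = {k.lower() for k in parse_qs(urlsplit(url).query)}
    return SESSION_PARAMS <= keys


def shared_cache_may_store(headers):
    """Simplified HTTP/1.1 shared-cache rule: 'no-store' or 'private' forbids a
    proxy from keeping the response; anything else may be stored and replayed."""
    cc = headers.get("Cache-Control", "")
    directives = {d.strip().lower().split("=")[0] for d in cc.split(",") if d.strip()}
    if directives & {"no-store", "private"}:
        return False
    # Pragma: no-cache is what older HTTP/1.0 proxies honour.
    return headers.get("Pragma", "").strip().lower() != "no-cache"


def audit_response(url, headers):
    """Return a list of findings; an empty list means no session-swap exposure found."""
    findings = []
    if carries_session_ids(url) or carries_session_ids(headers.get("Location", "")):
        findings.append("CFID/CFTOKEN travel in the URL")
        if shared_cache_may_store(headers):
            findings.append("shared proxy may cache this response and hand the "
                            "same CFID/CFTOKEN to the next user")
    return findings


# Constructed sample: post-login redirect with URL-based client variables and no
# cache directives (the weak setting) beside the hardened equivalent.
WEAK = ("http://intranet.example/login.cfm",
        {"Location": "http://intranet.example/home.cfm?CFID=1234&CFTOKEN=56789"})
HARDENED = ("http://intranet.example/login.cfm",
            {"Location": "http://intranet.example/home.cfm",
             "Set-Cookie": "CFID=1234; path=/",
             "Cache-Control": "no-store, private"})

if __name__ == "__main__":
    for name, (url, headers) in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_response(url, headers) or ["ok"])
```

In CFML the hardened headers can be emitted with `<cfheader name="Cache-Control" value="no-store, private">` on every page that reflects a session, which is worth doing even after the proxy team adds their no-cache rule.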

-----Original Message-----
From: Adrocknaphobia [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 28, 2004 3:29 PM
To: CF-Talk
Subject: Re: Session swapping

Good point Al, the computers we saw this on were ghosted as well.
Maybe switching to UUID just cleaned out the old values.

-Adam

On Tue, 28 Sep 2004 15:27:46 -0400, Adrocknaphobia
<[EMAIL PROTECTED]> wrote:
> I ran into a similar issue with one of our intranets here. If you
> aren't already, use UUID for cftoken. We were only seeing this issue in
> the training labs when a bunch of people were logged in on the same
> part of the network and UUID seemed to prevent the SESSION steals.
>
> -Adam
>
>
>
>
> ----- Original Message -----
> From: Burns, John D <[EMAIL PROTECTED]>
> Date: Tue, 28 Sep 2004 13:56:25 -0400
> Subject: Session swapping
> To: CF-Talk <[EMAIL PROTECTED]>
>
> We have an internet application running on CFMX hosted locally.  Our
> clients (on a Navy base) are running machines that are restricted by
> NMCI (Navy-Marine Corps Intranet) and they're using a NAT Proxy Server
> that all of the users are behind.  They just recently got moved to
> this new system and we noticed an odd problem with this application.
> Two users sitting at separate machines will pull up the website and go
> to the login page.  Once logged in, they will suddenly both be logged
> in as the same person and the CFID and CFTOKEN in the URL are the
> same.  We're trying to figure out what's causing this problem and how
> to fix it.
> We're meeting with the network team in charge of the NAT Proxy but
> we're all expecting an "it's not our problem" response.  Can anyone
> give more info on how CF assigns CFID and CFTOKEN and how we might be
> able to code against this?  Any users with experience with NMCI issues
> would be especially helpful.  Thanks for your time.
>
> John Burns