I've seen this occurring when a PC which already has the cfid and cftoken has been used as an image to clone more PCs, all of which ended up having identical cookies. Is this just happening on certain machines?

Also, I've seen it happen due to sloppy coding in an application scoped cfc, which resulted in everyone pointing to the same session. But if you're on CF5 it wouldn't be that.

Cheers

Bert

On Wed, 26 Jan 2005 09:06:03 -0000, Kevin Roche <[EMAIL PROTECTED]> wrote:
> Hi,
>
> In the past I have seen the following cause this problem:
>
> 1/ users who sent each other links to pages with CFID and CFTOKEN in the
> link.
>
> 2/ Search engine spiders site and picks up a CFID and CFTOKEN.
>
> 3/ Firewall caches the CFID and CFTOKEN (This was many years ago and I think
> most are fixed now)
>
> 4/ Missing CFLOCK
>
> Hope that helps
> Kevin
>
>
> -----Original Message-----
> From: Ian Buzer [mailto:[EMAIL PROTECTED]
> Sent: 26 January 2005 07:31
> To: CF-Talk
> Subject: Re: Sessions being shown to wrong users?
>
>
> I'd back up Martin's theory of it being search engines indexing the site
> with the CFID/CFTOKEN in the URL. If two people follow that link within the
> session time out they will share the session.
>
> I now only use CFID/CFTOKEN in the URL from behind a log in page, or after
> someone has added an item to the basket etc ... all things a search engine
> can't do.
>
> It's always occurred to me that this is a massive security hole in the way
> that ColdFusion manages sessions. Having said that, most application servers
> use a similar method of maintaining session when cookies are not enabled.
>
> Ian
>
> >What is the URL that these people are coming in on ? Meaning, has Google
> >cached one of your pages which has mypage.cfm?CFID=xxx&cftoken=xxx in
> >the URL.
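The shared-session symptom the thread describes (one CFID/CFTOKEN pair being replayed from a cached or forwarded URL by several clients) can be confirmed from the web server's access log. The following is an added example, not code from anyone in this thread; it assumes Common Log Format lines and a 20-minute session timeout, and the log lines and token values are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (Common Log Format). The IPs, CFID and
# CFTOKEN values are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jan/2005:07:31:00 +0000] "GET /mypage.cfm?CFID=1234&CFTOKEN=987654 HTTP/1.1" 200 512
66.249.1.1 - - [26/Jan/2005:07:40:00 +0000] "GET /mypage.cfm?CFID=1234&CFTOKEN=987654 HTTP/1.1" 200 512
10.0.0.9 - - [26/Jan/2005:07:45:00 +0000] "GET /basket.cfm?CFID=1234&CFTOKEN=987654 HTTP/1.1" 200 640
10.0.0.7 - - [26/Jan/2005:08:00:00 +0000] "GET /index.cfm?CFID=5555&CFTOKEN=111111 HTTP/1.1" 200 300
10.0.0.7 - - [26/Jan/2005:09:00:00 +0000] "GET /index.cfm HTTP/1.1" 200 300
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (client_ip, timestamp, cfid, cftoken), or None if the URL carries no session token."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, url = m.groups()
    qs = {k.lower(): v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "cfid" not in qs or "cftoken" not in qs:
        return None
    return ip, datetime.strptime(ts, TS_FMT), qs["cfid"], qs["cftoken"]

def shared_sessions(log_text, timeout=timedelta(minutes=20)):
    """Map each (CFID, CFTOKEN) pair to the distinct client IPs that used it within one session timeout.

    A pair that only ever comes from one IP is normal; a pair used by several IPs
    inside the timeout window is a session being handed to the wrong user.
    """
    uses = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, ts, cfid, cftoken = rec
            uses[(cfid, cftoken)].append((ts, ip))
    shared = {}
    for key, hits in uses.items():
        hits.sort()  # chronological order so consecutive hits can be compared
        ips = set()
        for (t1, ip1), (t2, ip2) in zip(hits, hits[1:]):
            if ip1 != ip2 and t2 - t1 <= timeout:
                ips.update((ip1, ip2))
        if ips:
            shared[key] = sorted(ips)
    return shared
```

Any token pair that turns up with more than one IP is worth tracing back to the first request that carried it in the URL; that is the link a spider, a forwarded mail or a cloned image introduced.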

