I'm willing to bet that this is due to a proxy server. Are all the users coming from the same place (e.g. same company, ISP)? We had this problem a few years ago.

On Wed, 26 Jan 2005 10:34:32 +0000, Bert Dawson <[EMAIL PROTECTED]> wrote:
> I've seen this occurring when a PC which already has the cfid and
> cftoken has been used as an image to clone more PCs, all of which
> ended up having identical cookies.
> Is this just happening on certain machines?
>
> Also, I've seen it happen due to sloppy coding in an application
> scoped cfc, which resulted in everyone pointing to the same session.
> But if you're on CF5 it wouldn't be that.
>
> Cheers
> Bert
>
> On Wed, 26 Jan 2005 09:06:03 -0000, Kevin Roche
> <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > In the past I have seen the following cause this problem:
> >
> > 1/ users who sent each other links to pages with CFID and CFTOKEN in the
> > link.
> >
> > 2/ Search engine spiders site and picks up a CFID and CFTOKEN.
> >
> > 3/ Firewall caches the CFID and CFTOKEN (This was many years ago and I think
> > most are fixed now)
> >
> > 4/ Missing CFLOCK
> >
> > Hope that helps
> > Kevin
> >
> >
> > -----Original Message-----
> > From: Ian Buzer [mailto:[EMAIL PROTECTED]
> > Sent: 26 January 2005 07:31
> > To: CF-Talk
> > Subject: Re: Sessions being show to wrong users?
> >
> >
> > I'd back up Martin's theory of it being search engines indexing the site
> > with the CFID/CFTOKEN in the URL. If two people follow that link within the
> > session time out they will share the session.
> >
> > I now only use CFID/CFTOKEN in the URL from behind a log in page, or after
> > someone has added an item to the basket etc ... all things a search engine
> > can't do.
> >
> > It's always occurred to me that this is a massive security hole in the way
> > that ColdFusion manages sessions. Having said that, most application servers
> > use a similar method of maintaining session when cookies are not enabled.
> >
> > Ian
> >
> > >What is the URL that these people are coming in on ? Meaning, has Google
> > >cached one of your pages which has mypage.cfm?CFID=xxx&cftoken=xxx in
> > >the URL.
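
The causes discussed in this thread (shared links, search engine spiders, cached URLs) all leave the same CFID/CFTOKEN pair in request URLs from different clients. The following is an added example, not part of the original thread: a Python check over web server access logs that reports such pairs. The combined log format, the sample lines and the crawler user-agent pattern are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not taken from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [26/Jan/2005:07:01:02 +0000] "GET /basket.cfm?CFID=1001&CFTOKEN=11111111 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [26/Jan/2005:07:03:40 +0000] "GET /mypage.cfm?CFID=2002&cftoken=22222222 HTTP/1.1" 200 900 "-" "ExampleBot/1.0 (crawler)"
203.0.113.5 - - [26/Jan/2005:07:09:11 +0000] "GET /mypage.cfm?CFID=2002&cftoken=22222222 HTTP/1.1" 200 900 "http://search.example/?q=x" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.99 - - [26/Jan/2005:07:12:30 +0000] "GET /mypage.cfm?cfid=2002&CFTOKEN=22222222 HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux)"
192.0.2.10 - - [26/Jan/2005:07:15:00 +0000] "GET /index.cfm HTTP/1.1" 200 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

# client IP, request target, user agent
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" '
    r'\d+ \S+ "[^"]*" "([^"]*)"'
)
# Assumed heuristic for crawler user agents; tune it for your own traffic.
BOT_RE = re.compile(r"bot|crawler|spider", re.I)


def shared_sessions(log_text):
    """Return {(cfid, cftoken): (sorted client IPs, seen_by_crawler)} for
    URL-borne session ids used by more than one IP or fetched by a crawler."""
    seen = defaultdict(lambda: {"ips": set(), "crawler": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, agent = m.groups()
        # Parameter names are matched case-insensitively (cfid, CFID, ...).
        query = parse_qs(urlsplit(target).query)
        params = {k.lower(): v[0] for k, v in query.items()}
        if "cfid" not in params or "cftoken" not in params:
            continue
        entry = seen[(params["cfid"], params["cftoken"])]
        entry["ips"].add(ip)
        entry["crawler"] = entry["crawler"] or bool(BOT_RE.search(agent))
    # Several IPs can also be one user behind a proxy pool, so treat a hit
    # as a lead to review rather than proof of a shared session.
    return {k: (sorted(v["ips"]), v["crawler"])
            for k, v in seen.items() if len(v["ips"]) > 1 or v["crawler"]}


if __name__ == "__main__":
    for (cfid, token), (ips, crawler) in shared_sessions(SAMPLE_LOG).items():
        print(f"CFID={cfid} CFTOKEN={token} ips={ips} crawler={crawler}")
```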

