Hi Dave:

First of all, thank you for your suggestions.

I have a couple of questions here.

I have one app that is pointing to the registry and one pointing to a datasource. I 
know that a data source is the correct way of handling this.

I notice that in the app where the admin is set to datasource, when I look in the 
tables I see no values.  Does that mean my app is not storing in the DB (not to 
sound like a dumb question)?

Your Answer:
============
>If your application is specifically looking for URL.CFID and URL.CFTOKEN,
>you would need to rewrite your code if those variables didn't exist. You
>could probably just set URL.CFID equal to Client.CFID, and URL.CFTOKEN equal
>to Client.CFTOKEN, within Application.cfm as a relatively easy workaround.

My Question
============
What will this do by setting url.cfid=client.cfid?  If I do this and a client 
still emails the entire link with these id/token in the URL, will I still have 
the same issue?  And what happens if a user tries to maliciously change the 
id or token value by one digit (I know there are so many permutations between 
the 2, but it can happen)?  Will this approach you mentioned eliminate any of 
those security issues?

Your Question
==============
>If you didn't specifically disable cookies, they probably are being set, in
>which case you can (usually) disable setting them in the URL. Check to see
>if cookies are being set.

My Question:
=============
Where do I need to check if cookies have been disabled?  If they were, can I 
just turn them on and then set the url.addtoken=no?  Will this work to 
eliminate the tokens from the URL string?

Asad

>> I am having a huge problem right now, I have an application 
>> where I am using CFID/Cftoken as part of URL parameter.  They 
>> are currently being maintained in the registry.
>
>As an aside, you really don't want to store client data in the registry. Use
>a database instead.
>
>> What is the underlying cause of it?
>
>CFID and CFTOKEN are used to uniquely identify a client. If two clients use
>the same values, they will appear to be the same client from your
>application's perspective.
>
>> If I change the session management parameters though the CF 
>> Administrator to use cookies, is there other major work (code 
>> re-write) I need to do, since the application has been 
>> developed using cfids/cftokens in the URL.
>
>There is no session management parameter in the CF Administrator to let you
>use cookies instead of URL parameters. Within the CF Administrator, you can
>specify whether session management is enabled, what the default and maximum
>timeouts are, and in CFMX, whether you use J2EE or CF session tokens.
>
>If you're talking about client management, there is an option to use cookies
>to store the actual client data. This is somewhat independent of whether you
>use cookies or URL parameters as client tokens.
>
>If your application is specifically looking for URL.CFID and URL.CFTOKEN,
>you would need to rewrite your code if those variables didn't exist. You
>could probably just set URL.CFID equal to Client.CFID, and URL.CFTOKEN equal
>to Client.CFTOKEN, within Application.cfm as a relatively easy workaround.
>
>> OR
>> 
>> Can I set the addtoken=no in the cflocation and prevent the 
>> tokens from being appended to the URL?  If yes, are there any 
>> major repercussions?  Will this work?
>
>If you didn't specifically disable cookies, they probably are being set, in
>which case you can (usually) disable setting them in the URL. Check to see
>if cookies are being set.
>
>Dave Watts, CTO, Fig Leaf Software
>http://www.figleaf.com/
>
>Fig Leaf Software provides the highest caliber vendor-authorized
>instruction at our training centers in Washington DC, Atlanta,
>Chicago, Baltimore, Northern Virginia, or on-site at your location.
>Visit http://training.figleaf.com/ for more information!


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:279067
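
As an added illustration, not part of the thread or any poster's code: a log check for the two risks asked about above, a CFID/CFTOKEN pair arriving from more than one client address (a forwarded link) and one CFID requested with differing CFTOKEN values (an altered token). The log format, sample lines and function names are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/May/2007:10:01:02 -0400] "GET /app/index.cfm?CFID=1201&CFTOKEN=48213377 HTTP/1.1" 200 5120
192.0.2.10 - - [10/May/2007:10:02:40 -0400] "GET /app/report.cfm?cfid=1201&cftoken=48213377 HTTP/1.1" 200 8841
198.51.100.7 - - [10/May/2007:11:15:09 -0400] "GET /app/report.cfm?CFID=1201&CFTOKEN=48213377 HTTP/1.1" 200 8841
203.0.113.5 - - [10/May/2007:11:20:00 -0400] "GET /app/index.cfm?CFID=1305&CFTOKEN=90514422 HTTP/1.1" 200 5120
203.0.113.5 - - [10/May/2007:11:20:03 -0400] "GET /app/index.cfm?CFID=1305&CFTOKEN=90514423 HTTP/1.1" 200 5120
203.0.113.9 - - [10/May/2007:11:30:00 -0400] "GET /app/index.cfm HTTP/1.1" 200 5120
"""

# Hypothetical pattern for the constructed log format above: client IP, then request target.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')

def extract_tokens(line):
    """Return (client_ip, cfid, cftoken), or None if the request carries no URL token."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, target = m.groups()
    # ColdFusion URL variable names are case-insensitive, so normalise the keys.
    params = {k.lower(): v[0] for k, v in parse_qs(urlsplit(target).query).items()}
    if "cfid" in params and "cftoken" in params:
        return ip, params["cfid"], params["cftoken"]
    return None

def analyse(log_text):
    """Find token pairs used from several IPs and CFIDs requested with several tokens."""
    ips_by_pair = defaultdict(set)
    tokens_by_cfid = defaultdict(set)
    for line in log_text.splitlines():
        hit = extract_tokens(line)
        if hit:
            ip, cfid, cftoken = hit
            ips_by_pair[(cfid, cftoken)].add(ip)
            tokens_by_cfid[cfid].add(cftoken)
    shared = {p: sorted(ips) for p, ips in ips_by_pair.items() if len(ips) > 1}
    varied = {c: sorted(t) for c, t in tokens_by_cfid.items() if len(t) > 1}
    return shared, varied

if __name__ == "__main__":
    shared, varied = analyse(SAMPLE_LOG)
    print("token pairs seen from multiple IPs:", shared)
    print("CFIDs requested with multiple CFTOKEN values:", varied)
```

A pair seen from several addresses can also be one user behind a proxy or on a changing connection, so treat the output as a list to review rather than proof of misuse.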