The IIS servers are logging cookie contents of visitors, which is
where I found out that people were arriving on the server using blank
tokens. I am certain that the server is seeing blank cfid and cftoken
values because I can cfdump the values and I see that they are blank.
I also used the coldfusion.runtime.SessionTracker to dump all the
known sessions on the server and I can see blank tokens.

Yes, I have tried different computers, different browsers, different
IP addresses, and have replicated the problems in a few different
ColdFusion applications programmed by different programmers. I have
also had this independently verified by other programmers on staff.

This is not a theoretical problem that I have only seen in my test
case. This is a problem being dealt with by a very large client who
brought me in to help investigate what is going on after the IT team
they assembled couldn't figure out what was happening. The client
considers this to be quite serious.

I am surprised that ColdFusion doesn't seem to do any validation of
the cfid or cftoken values. They don't even have to be numbers.

-Mike Chabot

On 9/26/07, JJ Cool <[EMAIL PROTECTED]> wrote:
> OK, I'm skeptical. Are you absolutely positive that the header request being 
> sent to the web server has the modified CFID and CFTOKEN? Have you used 
> webscarab or a similar proxy to capture requests and modify them? Also, does 
> this occur if you clear the CFID and CFTOKEN, and then hijack the session 
> from a different computer/ip address?
>
> CoolJJ
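The thread turns on two observations: the IIS logs already record each visitor's cookie header, and ColdFusion accepts whatever CFID/CFTOKEN values arrive, blank ones included. The script below is an added example (it is not code from either poster or from Adobe) that scans IIS W3C extended log lines with the cs(Cookie) field enabled and flags requests whose session cookies are blank, half-missing, or not in the expected shape. The log lines are constructed, the field list is an assumed IIS configuration, and the accepted token formats (decimal CFID, 8-digit or UUID-style CFTOKEN) are assumptions to adjust to whatever your own server issues.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of IIS W3C extended log lines with cs(Cookie) enabled.
# IIS writes '+' where the Cookie header had a space and '-' when no cookie
# was sent at all.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Cookie)
2007-09-26 10:15:01 192.0.2.10 GET /app/index.cfm 200 CFID=1234;+CFTOKEN=87654321
2007-09-26 10:15:09 192.0.2.11 GET /app/index.cfm 200 CFID=;+CFTOKEN=
2007-09-26 10:16:30 192.0.2.12 GET /app/account.cfm 200 CFID=1234;+CFTOKEN=abc
2007-09-26 10:17:00 192.0.2.13 GET /app/index.cfm 200 -
2007-09-26 10:17:45 192.0.2.14 GET /app/index.cfm 200 CFTOKEN=87654321
"""

# Assumed accepted formats: CFID is a decimal integer; CFTOKEN is either an
# 8-digit number or, when the server issues UUID-style tokens, a run of hex
# digits and dashes. Tighten these to match what your server really emits.
CFID_RE = re.compile(r"^\d{1,12}$")
CFTOKEN_RE = re.compile(r"^(\d{8}|[0-9A-Fa-f-]{16,})$")


@dataclass
class Finding:
    line_no: int
    client_ip: str
    uri: str
    cfid: Optional[str]
    cftoken: Optional[str]
    reason: str


def parse_cookie_field(field: str) -> Dict[str, str]:
    """Split IIS's cs(Cookie) value into name -> value; '-' means no cookie."""
    if field == "-":
        return {}
    cookies: Dict[str, str] = {}
    for part in field.replace("+", " ").split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip().upper()] = value.strip()
    return cookies


def classify(cookies: Dict[str, str]) -> Optional[str]:
    """Return a reason string when the session cookies look wrong, else None."""
    if "CFID" not in cookies and "CFTOKEN" not in cookies:
        return None  # no session cookies at all is normal on a first visit
    cfid = cookies.get("CFID")
    cftoken = cookies.get("CFTOKEN")
    if cfid is None or cftoken is None:
        return "only one of CFID/CFTOKEN present"
    if cfid == "" or cftoken == "":
        return "blank CFID/CFTOKEN"
    if not CFID_RE.match(cfid):
        return "non-numeric CFID"
    if not CFTOKEN_RE.match(cftoken):
        return "malformed CFTOKEN"
    return None


def scan_iis_log(text: str) -> List[Finding]:
    """Walk a W3C log, honouring the #Fields: header, and collect suspect rows."""
    fields: List[str] = []
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # line does not match the declared field list; skip it
        row = dict(zip(fields, values))
        reason = classify(parse_cookie_field(row.get("cs(Cookie)", "-")))
        if reason:
            cookies = parse_cookie_field(row.get("cs(Cookie)", "-"))
            findings.append(Finding(line_no, row["c-ip"], row["cs-uri-stem"],
                                    cookies.get("CFID"), cookies.get("CFTOKEN"),
                                    reason))
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client_ip} {f.uri} -> {f.reason} "
              f"(CFID={f.cfid!r}, CFTOKEN={f.cftoken!r})")
```

Run against the constructed sample it reports three rows: the blank pair on line 4, the non-numeric CFTOKEN on line 5, and the request on line 7 that carries CFTOKEN without CFID. The same `classify` check can be applied in an application's request handling to reject a malformed pair before ColdFusion associates it with a session, which is the validation the original poster notes the server does not perform on its own.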

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289523