I see you got a bunch of answers already and hopefully have solved your
problem. However, I wanted to share with everyone a problem we had. We
had a site that appended CFID and CFTOKEN on an older site that was
using CF5 or 6 (I honestly can't remember at this point). A user had the
Google toolbar installed that reported links they visited back to
Google. Well, the link it reported included CFID and CFTOKEN. Typically,
this would time out before the Googlebot started crawling, but in this
instance it happened before the timeout. What screwed up royally was
that the developer did NOT use buttons for deleting records but instead
used links. My understanding in talking with some Google reps is that
the Googlebot does not click submit buttons, but it does follow all
links. Needless to say, the Googlebot deleted all of the records where
that was the case in this app. So, as an added precaution, use <input
type="button"> or <input type="image">, but do not use <a href="..."> on
any links that you wouldn't want a bot or something to follow.
Obviously, a robots.txt should also be added to limit what you want bots
to crawl, but I figured I'd share that frustrating story to possibly help
others.

John

-----Original Message-----
From: Les Mizzell [mailto:lesm...@bellsouth.net] 
Sent: Thursday, February 19, 2009 3:10 PM
To: cf-talk
Subject: Googlebot got me good last night...


This happened on a small site with a user admin system that's password 
protected. Seems Googlebot managed to get into the admin system last 
night, started crawling admin pages, and ended up munging half the
database:

  1. Clicking "archive" or "mark inactive" buttons on admin area
     index pages
  2. In a few cases, actually seemed to SUBMIT a form, updating data.

I'm still scratching my head over how Googlebot got into the admin 
system to start with. It looks legit from the logs. The IP address, 
user-agent and everything else checks out.

Luckily, this isn't a mission-critical site, and database backups are 
done nightly, but now it's got me worried for other sites. Googlebot has
*never* caused any problems with password protected admin systems 
before, my "robots.txt" file usually excludes the admin folder (and you 
can be sure I'm checking the ones I'm not sure about right now) and the 
login stuff I use I thought was pretty standard.

My login code is below. Tell me I'm a complete idiot.

So,

1. Anybody else have this problem recently?
2. I'm an idiot I guess, how *should* I be doing my login systems?
   (One site on CF8, others still CF7)
3. If you're doing anything like I am, then maybe we're *all* idiots at 
this point and need to redo our login pages to use whatever somebody 
much smarter than I says to do in #2 above.

---------------------------------------------
Application.cfm page for the admin folder:
---------------------------------------------

<!--- Define that this user is logged out by default --->
<CFPARAM NAME="session.allowin" DEFAULT="false">

<!--- Define this user id to zero by default  --->
<CFPARAM NAME="session.user_id" DEFAULT="0">

<!--- If the variable "session.allowin" does not equal true, send user 
to the login page --->

<cfif session.allowin neq "true">
       <cfif ListLast(CGI.SCRIPT_NAME, "/") EQ "../admin_login.cfm">
       <cfelseif ListLast(CGI.SCRIPT_NAME, "/") EQ "login_process.cfm">
       <cfelse>
       <!--- Not logged in, alert user and redirect --->
       <script>
               <!---alert("You must login to access this area!");--->
               self.location="../admin_login.cfm";
       </script>
       </cfif>
</cfif>

---------------------------------------------
login_process page:
---------------------------------------------
**QUERY TO CHECK USER/PASS HERE

<cfif Verify.RecordCount>
     <!--- logged in ... set the value of the session.allowin value --->
     <cfset session.allowin = "True" />
     <cfset session.user_id = Verify.id />
     <script>
          self.location="idx_admin.cfm";
     </script>
<cfelse>
     <!--- not logged in, redirect to the login page --->
     <script>
         alert("Your credentials could not be verified, please try again!!!");
         self.location="../admin_login.cfm";
     </script>
</cfif>
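A hardened version of the Application.cfm check above, added here as an example (it is not Les's code and is not taken from the original thread). It assumes the same session.allowin / session.user_id variables and login page names as the post; the action page names in actionPages are hypothetical:

```cfml
<!--- Application.cfm for the admin folder (added example, not the code from the post) --->

<!--- Same defaults as the original: logged out, user id 0 --->
<cfparam name="session.allowin" default="false">
<cfparam name="session.user_id" default="0">

<!--- ListLast() returns only the file name, so compare against "admin_login.cfm",
      not "../admin_login.cfm" (a comparison that can never match) --->
<cfset currentPage = ListLast(CGI.SCRIPT_NAME, "/")>
<cfset publicPages = "admin_login.cfm,login_process.cfm">

<cfif session.allowin NEQ "true" AND NOT ListFindNoCase(publicPages, currentPage)>
    <!--- Redirect on the server: cflocation sends an HTTP 302 and ends the request,
          so the protected page body is never generated. A JavaScript
          self.location redirect only takes effect in clients that run scripts;
          a crawler that ignores JavaScript receives the full admin page anyway. --->
    <!--- addtoken="false" keeps CFID/CFTOKEN out of the redirect URL, so the
          session identifiers are not exposed in links, toolbars or referrers. --->
    <cflocation url="../admin_login.cfm" addtoken="false">
</cfif>

<!--- State-changing pages (hypothetical names) must be reached by POST from a
      form button. A crawler following links only issues GET, so a GET request
      here is refused instead of archiving or deleting anything. --->
<cfset actionPages = "archive.cfm,mark_inactive.cfm,delete_record.cfm">
<cfif ListFindNoCase(actionPages, currentPage) AND CGI.REQUEST_METHOD NEQ "POST">
    <cfheader statuscode="405" statustext="Method Not Allowed">
    <cfoutput>This action must be submitted from a form.</cfoutput>
    <cfabort>
</cfif>
```

The same applies to login_process.cfm: replacing the <script> redirects with <cflocation> keeps the decision on the server rather than relying on the client to navigate away.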




Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319691
