On Sat, Jan 12, 2013 at 9:26 AM, Jim Mixon <[email protected]> wrote:
> set a session variable containing their IP . . .
>
> Subsequently, whilst they are logged in, every time they load a page, the
> session variable is compared to their current IP, to wit:
>

This is a very bad idea. IP addresses change all the time, even during the middle of a session.

> It appears that a google bot somehow hijacks the user session, triggers
> the log out . . . .
> and the user has to log back in . . . and this can happen more than once
> and randomly . . .
>
> Any ideas???
>

Google's crawler probably has thousands of outbound IPs. Each hit is likely to come from a different IP. Some might come from the same IP. There is no way to know which will be true per request. As stated above, this is the reason not to use the visitor's IP in this way.

Here's an interesting post from someone on the Adobe engineering team about more effective ways to prevent session hijacking. It's focused on CF10, but some of the concepts would work on CF5 - you'd just have to build them yourself. (or you could upgrade)

http://www.shilpikhariwal.com/2012/03/improved-session-management-in.html

-Cameron

--
Cameron Childress
--
p: 678.637.5072
im: cameroncf
facebook <http://www.facebook.com/cameroncf> | twitter <http://twitter.com/cameronc> | google+ <https://profiles.google.com/u/0/117829379451708140985>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353842
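The failure mode discussed in this thread, as an added Python sketch (not code from either poster, and not ColdFusion): a session check pinned to the login IP is replayed against constructed requests whose source address changes between hits. The class name, session id and documentation-range addresses are made up for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class IpPinnedSessions:
    """Session store that ends a session when the request IP differs from the login IP."""
    pinned_ip: dict = field(default_factory=dict)       # session id -> IP seen at login
    forced_logouts: list = field(default_factory=list)  # (session id, pinned IP, seen IP)

    def login(self, sid, ip):
        self.pinned_ip[sid] = ip
        return "ok"

    def request(self, sid, ip):
        pinned = self.pinned_ip.get(sid)
        if pinned is None:
            return "login-required"
        if pinned != ip:
            # The comparison described in the quoted message: mismatch ends the session.
            del self.pinned_ip[sid]
            self.forced_logouts.append((sid, pinned, ip))
            return "logged-out"
        return "ok"


# Constructed traffic: one legitimate session whose requests leave from a pool
# of outbound addresses, so the source IP is not stable from hit to hit.
REQUESTS = [
    ("login", "sess-A", "198.51.100.10"),
    ("get",   "sess-A", "198.51.100.10"),
    ("get",   "sess-A", "198.51.100.77"),  # IP changed mid-session
    ("get",   "sess-A", "198.51.100.77"),  # session is already gone
    ("login", "sess-A", "198.51.100.77"),  # user logs back in
    ("get",   "sess-A", "192.0.2.14"),     # another pool address, logged out again
]


def replay(requests):
    """Run the requests through the IP-pinned store; return outcomes and forced logouts."""
    store = IpPinnedSessions()
    outcomes = []
    for action, sid, ip in requests:
        handler = store.login if action == "login" else store.request
        outcomes.append(handler(sid, ip))
    return outcomes, store.forced_logouts


if __name__ == "__main__":
    for req, outcome in zip(REQUESTS, replay(REQUESTS)[0]):
        print(req, "->", outcome)
```

Every forced logout in this replay hits a legitimate session, which matches the repeated, seemingly random logouts reported in the quoted message.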

