Have you by chance accidentally somewhere hardcoded a URL token into your
application? We had a user copy a URL to paste somewhere else in our
managed content system, and he copied the CFID & CFTOKEN bit! Was throwing
us for a while trying to figure out what was going on....
-Bill
brainbox
----- Original Message -----
From: "Scott Weikert" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, June 28, 2001 3:37 PM
Subject: Session Hijacking, even more...
> This is getting WAY strange.
>
> I've inserted some extra fields into a database table that is used to track
> user progress through this application. I've found that not only are people
> hijacking sessions, but the ID/Token values as well - I've got multiple
> people in the app at once that are sporting the same ID/Token pair.
>
> The creepy thing is, I'm passing the ID/Token pair in the URL for each page
> refresh.... so how, pray tell, would these be changing?
>
> I'm doing <a href="index.cfm?CFID=#CFID#&CFTOKEN=#CFTOKEN#">blah</a>
> basically. Is this flawed? Should I be using #URL.CFID# etc.?
>
> --Scott
>
>
>
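
An added example, not part of the original thread: a Python sketch of the two checks the messages above point at, finding links in stored content that carry a literal CFID/CFTOKEN pair and flagging ID/Token pairs seen from more than one client. The function names, sample content and log rows are constructed for illustration, and the client IP column is an assumption about what the tracking table records.

```python
import html
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SESSION_PARAMS = {"cfid", "cftoken"}
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)

def strip_session_params(url):
    """Return url with any CFID/CFTOKEN query parameters removed."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SESSION_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))

def find_hardcoded_tokens(content):
    """Return links in stored (already rendered) content that embed a literal
    CFID or CFTOKEN value, i.e. a session pasted in along with the URL."""
    hits = []
    for raw in HREF_RE.findall(content):
        url = html.unescape(raw)  # stored HTML may encode '&' as '&amp;'
        names = {k.lower() for k, _ in parse_qsl(urlsplit(url).query)}
        if names & SESSION_PARAMS:
            hits.append(url)
    return hits

def shared_sessions(rows):
    """rows: (cfid, cftoken, client_ip) tuples from the tracking table.
    Return the ID/Token pairs seen from more than one client IP. This is a
    heuristic: one user behind rotating proxies can also trip it."""
    seen = defaultdict(set)
    for cfid, cftoken, ip in rows:
        seen[(cfid, cftoken)].add(ip)
    return {pair: ips for pair, ips in seen.items() if len(ips) > 1}

# Constructed sample data (not from the thread).
SAMPLE_CONTENT = (
    '<p>See <a href="index.cfm?page=7&amp;CFID=1234&amp;CFTOKEN=56789012">'
    'the report</a> and <a href="index.cfm?page=8">the next page</a>.</p>'
)
SAMPLE_ROWS = [
    ("1234", "56789012", "192.0.2.10"),
    ("1234", "56789012", "198.51.100.7"),
    ("2222", "11112222", "192.0.2.44"),
    ("2222", "11112222", "192.0.2.44"),
]

if __name__ == "__main__":
    for link in find_hardcoded_tokens(SAMPLE_CONTENT):
        print("hardcoded session in content:", link, "->", strip_session_params(link))
    for pair, ips in shared_sessions(SAMPLE_ROWS).items():
        print("ID/Token pair", pair, "used from", sorted(ips))
```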