Hi Ryan,

All you need to do is run a few lines of code at the top of each page (or even in the application.cfm) to check and see if the cfid and cftoken values passed via the url are in fact the same as the session.cfid and session.cftoken variables.

If different, then relocate to a logout script. Something like this would suffice:

<cfif url.cfid neq session.cfid OR url.cftoken neq session.cftoken>
    <cflocation url="logout.cfm">
</cfif>

You could also add a few other variables in there to compare, such as the loginID of the user, etc. You can even extend the logout.cfm page to include some sort of logging in order to monitor violations of security within your app by recording the violating user's details and time of violation etc. This way you could apprehend offending users with concrete evidence.

HTH,
Dave

> -----Original Message-----
> From: Ryan Edgar [mailto:[EMAIL PROTECTED]]
> Sent: 14 November 2001 15:35
> To: CF-Talk
> Subject: CFID & CFTOKEN
>
> I have two questions that are slightly related:
>
> 1) I have an application with lots of different user profiles.
> If I log in as one user, and a colleague logs in as another user and
> changes his CFID and CFTOKEN to be the same as mine (for testing
> purposes), he is instantly given full access to my session.
> Is there any way I can stop this from happening (for example log them
> out if their CFID or TOKEN changes)?
>
> 2) Does anyone know any JavaScript that will stop a user from clicking
> the Close button on their browser, and bring up an alert telling them
> they must log out?
>
> TIA
>
> Ryan Edgar
> Web Applications Developer
> BizNet
> Head Office
> 133-137 Lisburn Road, Belfast
> Northern Ireland BT9 7AG
> T +44 (0) 28 9022 3224
> F +44 (0) 28 9022 3223
> E [EMAIL PROTECTED]
> W biznet-solutions.com
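As an added example (not code from Dave's post), here is his check carried through in an Application.cfm together with the violation logging he describes. It assumes the login page sets session.loginID and session.loginAddr (the CGI.REMOTE_ADDR seen at login); the application name and the log file name are made-up placeholders.

```cfml
<!--- Application.cfm: runs before every page request --->
<cfapplication name="RyanApp" sessionmanagement="Yes" setclientcookies="Yes">

<!--- Default the URL variables so the comparison never throws if they are absent --->
<cfparam name="url.cfid" default="">
<cfparam name="url.cftoken" default="">

<!--- Only police requests from users who have already logged in
      (the login page is assumed to set session.loginID) --->
<cfif IsDefined("session.loginID")>

    <cfset violation = "">

    <!--- Dave's check: identifiers passed on the URL must match the live session.
          Only applied when the URL actually carries them; otherwise the cookie
          resolved the session and there is nothing to compare. --->
    <cfif url.cfid NEQ "" AND
          (url.cfid NEQ session.cfid OR url.cftoken NEQ session.cftoken)>
        <cfset violation = "CFID/CFTOKEN mismatch">
    </cfif>

    <!--- One of the "other variables" Dave suggests comparing: the address
          recorded at login (session.loginAddr is an assumed variable) --->
    <cfif violation EQ "" AND IsDefined("session.loginAddr")
          AND session.loginAddr NEQ cgi.remote_addr>
        <cfset violation = "remote address changed since login">
    </cfif>

    <cfif violation NEQ "">
        <!--- Record who, from where, on which page and when, so violations
              can be reviewed later. "security_violations" is a placeholder name. --->
        <cflog file="security_violations" type="warning"
               text="#violation# | loginID=#session.loginID# | url.cfid=#url.cfid# | session.cfid=#session.cfid# | addr=#cgi.remote_addr# | agent=#cgi.http_user_agent# | page=#cgi.script_name# | at=#DateFormat(Now(), 'yyyy-mm-dd')# #TimeFormat(Now(), 'HH:mm:ss')#">

        <!--- Drop the session data and send the caller to the logout page --->
        <cfset StructClear(session)>
        <cflocation url="logout.cfm" addtoken="No">
    </cfif>

</cfif>
```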

