Peter, 

Include some additional information in a cookie about the validity of the
current session (such as datetime session started, ip/useragent).
Cookies are not stored in bookmarks, as are the cfid and cftoken parameters
you mentioned.
Hope this helps.

Jared Clinton.
NEC Business Solutions.

-----Original Message-----
From: Peter Tilbrook [mailto:[EMAIL PROTECTED]]
Sent: Friday, 1 February 2002 1:47 PM
To: CF-Talk
Subject: Hijacking of CFID/CFTOKEN variables. Help please :)


Hi there!

I'm having problems with a "fusebox" application that requires unique
identification for each client connected. At the moment it appears that users
are able to bookmark the application's full URL including the CFID and
CFTOKEN - essentially hijacking the settings assigned to a previous client.
Not good.

To prevent this occurring, what would be the best solution?

I've considered this:

1. Embedding the main content of the site in a frame that would prevent a
user from bookmarking the site with the CFID/CFTOKEN variables embedded.
This would force CF to either identify a revisiting client or assign a new
CFID/CFTOKEN value. This would also prevent a user from "changing" the
CFID/CFTOKEN values.

2. Somehow dumping the CFID/CFTOKEN and assigning a new one if it already
exists. The values are being stored in a datasource.

Any other ideas? I need to sort this out by Monday at the earliest.

Thanks in advance!

Regards,

Peter Tilbrook ([EMAIL PROTECTED])
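
The cookie check suggested in the reply above, as an added example that is not part of the original thread and is not ColdFusion code: a Python sketch that ties the URL's CFID/CFTOKEN to a signed cookie carrying the session start time and user agent (IP could be added to the signed data the same way). The cookie name SESSIONBIND, the secret key, the 20-minute lifetime and all function names are assumptions.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to the client
MAX_SESSION_AGE = 20 * 60             # assumption: session lifetime in seconds


def _sign(cfid, cftoken, started, user_agent):
    """HMAC over the session identifiers plus the validity data from the reply."""
    msg = "\n".join([cfid, cftoken, str(started), user_agent]).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_binding_cookie(cfid, cftoken, user_agent, now=None):
    """Value for the hypothetical SESSIONBIND cookie, set when the session starts."""
    started = int(time.time() if now is None else now)
    return f"{started}.{_sign(cfid, cftoken, started, user_agent)}"


def check_request(cfid, cftoken, user_agent, cookie_value, now=None):
    """Return (ok, reason) for a request that presents CFID/CFTOKEN in its URL."""
    now = int(time.time() if now is None else now)
    if not cookie_value:
        # A bookmarked or forwarded URL arrives without the cookie.
        return False, "no binding cookie"
    started_text, _, mac = cookie_value.partition(".")
    try:
        started = int(started_text)
    except ValueError:
        return False, "malformed cookie"
    expected = _sign(cfid, cftoken, started, user_agent)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII cookie input.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        # Cookie was issued for other identifiers or another user agent, or was edited.
        return False, "binding mismatch"
    if now - started > MAX_SESSION_AGE:
        return False, "session expired"
    return True, "ok"
```

When check_request returns False, the application would ignore the CFID/CFTOKEN from the URL and start a fresh session, which is the behaviour asked for in option 2 of the original message.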
