RE: sharing sessions due to url.cfid and url.token

[Casey C Cook]

If you pass a URL with a CFID and token in it to a different user, the new
user will "hi-jack" that session information. We are currently experiencing
the same issue as Claudia. Our current solution is to put "addtoken = no"
(or something of that nature) from the cflocation tags. The other thought
is to check to ensure IP's match via the suggestion Jeffry gave, but he
raised an interesting point, the IP's may not always match behind a
firewall.  Why would the IP's not always match?
Anyone want to give a firewalls 101 crash paragraph?


Thanks,
CC


                                                                                       
                            
                    Jeffry Houser                                                      
                            
                    <jeff                To:     CF-Talk <[EMAIL PROTECTED]>   
                            
                    @farcryfly.co        cc:                                           
                            
                    m>                   Subject:     RE: sharing sessions due to 
url.cfid and url.token           
                                                                                       
                            
                    05/21/02                                                           
                            
                    10:02 AM                                                           
                            
                    Please                                                             
                            
                    respond to                                                         
                            
                    cf-talk                                                            
                            
                                                                                       
                            
                                                                                       
                            




  If the session wasn't being passed in the URL, then there would be no
problem with someone stealing a session through URL sharing.

  I would look into using CGI Variables.  Check if the CGI variable (I
forget which one, HTTP_Referrer maybe?) to see where the user came
from.  Granted if someone fakes it, this will not prevent anything.


At 10:44 AM 5/21/2002 -0400, you wrote:
>About the only thing I can think of is to add some code to your App.cfm
file
>which checks for the existence of CFID and CFTOKEN as URL variables and if
>found, just redirect to the same page minus the session info on the url
>line. Of course this assumes you don't ever pass the session info in the
>url.
>
></rob>
>
>-----Original Message-----
>From: Hoag, Claudia (LNG) [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, May 21, 2002 10:19 AM
>To: CF-Talk
>Subject: sharing sessions due to url.cfid and url.token
>
>
>I'm trying to think of a way not to allow people to inadvertedly share a
>session by sending each other a url with their cfid and cftoken in it. Of
>course we can just make sure that those are not passed as url parameters,
>but I'm thinking if there's a way to check if this is a session initiated
by
>someone else.
>Do you guys have any ideas?
>
>Thanks
>
>

______________________________________________________________________
This list and all House of Fusion resources hosted by CFHosting.com. The place for 
dependable ColdFusion Hosting.
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists