Usually machines behind a firewall will have a non-routable IP address (e.g.
any IP address starting with 192.168.*.*).

When any user on our trusted network accesses a resource on the external
network (such as an external website), their IP address is masqueraded by
the external WAN interface. So the end result is that _all_ of the users
coming from our trusted/internal network appear to have the same IP address.

The same problem arises when the users have a proxy server between them and
the intranet. In general the IP address is an unreliable way to uniquely
identify users.

</rob>

-----Original Message-----
From: Casey C Cook [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 21, 2002 12:43 PM
To: CF-Talk
Subject: RE: sharing sessions due to url.cfid and url.token


If you pass a URL with a CFID and token in it to a different user, the new
user will "hi-jack" that session information. We are currently experiencing
the same issue as Claudia. Our current solution is to put "addtoken = no"
(or something of that nature) in the cflocation tags. The other thought
is to check to ensure IPs match via the suggestion Jeffry gave, but he
raised an interesting point: the IPs may not always match behind a
firewall. Why would the IPs not always match?
Anyone want to give a firewalls 101 crash paragraph?


Thanks,
CC



From: Jeffry Houser <jeff@farcryfly.com>
Sent: 05/21/02 10:02 AM
To: CF-Talk <[EMAIL PROTECTED]>
cc:
Subject: RE: sharing sessions due to url.cfid and url.token
Please respond to cf-talk

  If the session wasn't being passed in the URL, then there would be no
problem with someone stealing a session through URL sharing.

  I would look into using CGI variables.  Check the CGI variable (I
forget which one, HTTP_Referrer maybe?) to see where the user came
from.  Granted, if someone fakes it, this will not prevent anything.


At 10:44 AM 5/21/2002 -0400, you wrote:
>About the only thing I can think of is to add some code to your App.cfm file
>which checks for the existence of CFID and CFTOKEN as URL variables and if
>found, just redirect to the same page minus the session info on the url
>line. Of course this assumes you don't ever pass the session info in the
>url.
>
></rob>
>
>-----Original Message-----
>From: Hoag, Claudia (LNG) [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, May 21, 2002 10:19 AM
>To: CF-Talk
>Subject: sharing sessions due to url.cfid and url.token
>
>
>I'm trying to think of a way not to allow people to inadvertently share a
>session by sending each other a url with their cfid and cftoken in it. Of
>course we can just make sure that those are not passed as url parameters,
>but I'm thinking if there's a way to check if this is a session initiated by
>someone else.
>Do you guys have any ideas?
>
>Thanks
>
>

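One way to implement the App.cfm check Rob describes, combined with the addtoken="no" that Casey mentions. This is an added illustration, not code posted in the thread; it assumes the check lives in a ColdFusion Application.cfm (what the thread calls App.cfm) and that "myApp" is a placeholder application name.

```cfml
<!--- Application.cfm (assumed location): strip session identifiers that
      arrive as URL parameters and send the browser back to the same page --->
<cfapplication name="myApp" sessionmanagement="yes">

<cfif isDefined("url.cfid") or isDefined("url.cftoken")>
    <!--- Rebuild the query string, dropping only CFID and CFTOKEN --->
    <cfset cleanParams = arrayNew(1)>
    <cfloop list="#cgi.query_string#" delimiters="&" index="pair">
        <cfset key = listFirst(pair, "=")>
        <cfif not listFindNoCase("CFID,CFTOKEN", key)>
            <cfset arrayAppend(cleanParams, pair)>
        </cfif>
    </cfloop>

    <cfset target = cgi.script_name>
    <cfif arrayLen(cleanParams) gt 0>
        <cfset target = target & "?" & arrayToList(cleanParams, "&")>
    </cfif>

    <!--- addtoken="no": the redirect itself must not re-append CFID/CFTOKEN,
          otherwise the browser lands right back in this branch --->
    <cflocation url="#target#" addtoken="no">
</cfif>
```

Note that ColdFusion has already matched the request to the session named in the URL by the time Application.cfm runs (and, with client cookies enabled, may have stored those values in cookies), so this redirect cleans the address bar but is not by itself a guarantee against sharing; never emitting the identifiers, via addtoken="no" on every cflocation, remains the primary fix.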
