claudia,
I played around with this code in my Application.cfm file. It seems to work
ok. The idea is to check for and invalidate any session information passed
along on the url line. You can probably spruce it up by actually removing
the CFID and CFTOKEN arguments with an REReplace or something, but I'm lousy
at regular expressions so I just hacked this up quick. Also, you'll likely
want to loop over the NewQs query string and Url Encode the right hand side
of each expression.
<cfif IsDefined("Url.CFID") And IsDefined("Url.CFTOKEN")>
<cfset NewQS = ReplaceNoCase(Cgi.Query_String, "CFID", "CFID_ignore")>
<cfset NewQS = ReplaceNoCase(NewQS, "CFTOKEN", "CFTOKEN_ignore")>
<cfoutput>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=#Cgi.Script_Name#?#NewQs#">
</cfoutput>
</cfif>
</rob>
-----Original Message-----
From: Hoag, Claudia (LNG) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 21, 2002 1:01 PM
To: CF-Talk
Subject: RE: sharing sessions due to url.cfid and url.token
You can have multiple users showing the same IP address if they're behind
the same firewall.
I've already added addtoken="No" to the cflocations, but I just wanted to
know if there was a way of checking. I thought about the cgi.http_referrer
and clearing the session structure and expiring the cookies if the referrer
is not the expected, but sometimes the http_referrer is blank and that
doesn't mean the user is pasting a url on the browser.
Considering that all access is done after user login, I guess I can create
my own cookie when the user logs in, containing cfid and cftoken, and always
check that against the current cfid and cftoken. If that's not the same,
there wasn't a login in the current machine or session is expired - force
new login.
-----Original Message-----
From: Casey C Cook [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 21, 2002 12:43 PM
To: CF-Talk
Subject: RE: sharing sessions due to url.cfid and url.token
If you pass a URL with a CFID and token in it to a different user, the new
user will "hi-jack" that session information. We are currently experiencing
the same issue as Claudia. Our current solution is to put "addtoken = no"
(or something of that nature) from the cflocation tags. The other thought
is to check to ensure IP's match via the suggestion Jeffry gave, but he
raised an interesting point, the IP's may not always match behind a
firewall. Why would the IP's not always match?
Anyone want to give a firewalls 101 crash paragraph?
Thanks,
CC
Jeffry Houser
<jeff To: CF-Talk
<[EMAIL PROTECTED]>
@farcryfly.co cc:
m> Subject: RE: sharing sessions
due to url.cfid and url.token
05/21/02
10:02 AM
Please
respond to
cf-talk
If the session wasn't being passed in the URL, then there would be no
problem with someone stealing a session through URL sharing.
I would look into using CGI Variables. Check if the CGI variable (I
forget which one, HTTP_Referrer maybe?) to see where the user came
from. Granted if someone fakes it, this will not prevent anything.
At 10:44 AM 5/21/2002 -0400, you wrote:
>About the only thing I can think of is to add some code to your App.cfm
file
>which checks for the existence of CFID and CFTOKEN as URL variables and if
>found, just redirect to the same page minus the session info on the url
>line. Of course this assumes you don't ever pass the session info in the
>url.
>
></rob>
>
>-----Original Message-----
>From: Hoag, Claudia (LNG) [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, May 21, 2002 10:19 AM
>To: CF-Talk
>Subject: sharing sessions due to url.cfid and url.token
>
>
>I'm trying to think of a way not to allow people to inadvertedly share a
>session by sending each other a url with their cfid and cftoken in it. Of
>course we can just make sure that those are not passed as url parameters,
>but I'm thinking if there's a way to check if this is a session initiated
by
>someone else.
>Do you guys have any ideas?
>
>Thanks
>
>
______________________________________________________________________
This list and all House of Fusion resources hosted by CFHosting.com. The place for
dependable ColdFusion Hosting.
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
