Yes, but by the time your Application.cfm runs this, the cfid and cftoken are already assumed as the session info. They're also already written to cookie.cfid and cookie.cftoken. I could also force a new session everytime I get url.cfid/url.cftoken, but to do that I would have to make sure all the modified files (with cflocation addtoken="no") made their way from development (through QA) to production. That's not a small number of files and that's not an easy task.
-----Original Message----- From: Rob Baxter [mailto:[EMAIL PROTECTED]] Sent: Tuesday, May 21, 2002 1:32 PM To: CF-Talk Subject: RE: sharing sessions due to url.cfid and url.token claudia, I played around with this code in my Application.cfm file. It seems to work ok. The idea is to check for and invalidate any session information passed along on the url line. You can probably spruce it up by actually removing the CFID and CFTOKEN arguments with an REReplace or something, but I'm lousy at regular expressions so I just hacked this up quick. Also, you'll likely want to loop over the NewQs query string and Url Encode the right hand side of each expression. <cfif IsDefined("Url.CFID") And IsDefined("Url.CFTOKEN")> <cfset NewQS = ReplaceNoCase(Cgi.Query_String, "CFID", "CFID_ignore")> <cfset NewQS = ReplaceNoCase(NewQS, "CFTOKEN", "CFTOKEN_ignore")> <cfoutput> <META HTTP-EQUIV="Refresh" CONTENT="0; URL=#Cgi.Script_Name#?#NewQs#"> </cfoutput> </cfif> </rob> -----Original Message----- From: Hoag, Claudia (LNG) [mailto:[EMAIL PROTECTED]] Sent: Tuesday, May 21, 2002 1:01 PM To: CF-Talk Subject: RE: sharing sessions due to url.cfid and url.token You can have multiple users showing the same IP address if they're behind the same firewall. I've already added addtoken="No" to the cflocations, but I just wanted to know if there was a way of checking. I thought about the cgi.http_referrer and clearing the session structure and expiring the cookies if the referrer is not the expected, but sometimes the http_referrer is blank and that doesn't mean the user is pasting a url on the browser. Considering that all access is done after user login, I guess I can create my own cookie when the user logs in, containing cfid and cftoken, and always check that against the current cfid and cftoken. If that's not the same, there wasn't a login in the current machine or session is expired - force new login. -----Original Message----- From: Casey C Cook [mailto:[EMAIL PROTECTED]] Sent: Tuesday, May 21, 2002 12:43 PM To: CF-Talk Subject: RE: sharing sessions due to url.cfid and url.token If you pass a URL with a CFID and token in it to a different user, the new user will "hi-jack" that session information. We are currently experiencing the same issue as Claudia. Our current solution is to put "addtoken = no" (or something of that nature) from the cflocation tags. The other thought is to check to ensure IP's match via the suggestion Jeffry gave, but he raised an interesting point, the IP's may not always match behind a firewall. Why would the IP's not always match? Anyone want to give a firewalls 101 crash paragraph? Thanks, CC Jeffry Houser <jeff To: CF-Talk <[EMAIL PROTECTED]> @farcryfly.co cc: m> Subject: RE: sharing sessions due to url.cfid and url.token 05/21/02 10:02 AM Please respond to cf-talk If the session wasn't being passed in the URL, then there would be no problem with someone stealing a session through URL sharing. I would look into using CGI Variables. Check if the CGI variable (I forget which one, HTTP_Referrer maybe?) to see where the user came from. Granted if someone fakes it, this will not prevent anything. At 10:44 AM 5/21/2002 -0400, you wrote: >About the only thing I can think of is to add some code to your App.cfm file >which checks for the existence of CFID and CFTOKEN as URL variables and if >found, just redirect to the same page minus the session info on the url >line. Of course this assumes you don't ever pass the session info in the >url. > ></rob> > >-----Original Message----- >From: Hoag, Claudia (LNG) [mailto:[EMAIL PROTECTED]] >Sent: Tuesday, May 21, 2002 10:19 AM >To: CF-Talk >Subject: sharing sessions due to url.cfid and url.token > > >I'm trying to think of a way not to allow people to inadvertedly share a >session by sending each other a url with their cfid and cftoken in it. Of >course we can just make sure that those are not passed as url parameters, >but I'm thinking if there's a way to check if this is a session initiated by >someone else. >Do you guys have any ideas? > >Thanks > > ______________________________________________________________________ Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/[email protected]/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
