Yes. But it's not just a matter of search and replace and voila. Let's say
that means you have to modify 100+ files, code created by people who
don't even work on this project anymore. Using source control software,
that means checking them all out and then checking them all in - and then
keeping track of each file's path/name and version number. Then you request
those files to be moved to the testing environment - and people will be
pulling their hair out and screaming... Of course they believe they have to
test every single piece of functionality touched by these files before
moving them to production. Meanwhile, the session swapping keeps happening...
*sighs*
I should have learned to play the guitar.

-----Original Message-----
From: Rob Baxter [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 21, 2002 2:40 PM
To: CF-Talk
Subject: RE: sharing sessions due to url.cfid and url.token


Oops, you're right. I forgot to add

<cfcookie name="CFID" expires="now">
<cfcookie name="CFTOKEN" expires="now">

before the meta refresh.

I was under the impression that you had already added addtoken="no"
attributes to your cflocations. Otherwise you are correct, this might kill
some valid sessions. However, if I were you, I'd really focus my efforts on
cleaning up all the cflocation calls (I know what a pain it is, I've had to
do it also. Thank goodness for Extended Replace!). But, it's an easy (if
mind-numbing) fix which is pretty hard to screw up as opposed to messing
around with the login logic (which has a higher potential for disaster I
would think). Just my $.02

</rob>
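The two pieces Rob describes above (strip CFID/CFTOKEN from the URL, then expire the cookies ColdFusion has already written from them) combined into one Application.cfm check. This is an added example, not code posted in the thread. It removes the parameters with a regular expression instead of renaming them, HTML-escapes the rebuilt URL so a crafted query string cannot break out of the meta refresh attribute, and stops the request with cfabort so nothing else on the page runs under the shared session. It assumes ColdFusion 4.5 or later and, as Rob says, that every cflocation in the application already uses addtoken="No"; otherwise users who legitimately arrive with their own identifiers on the URL are logged out as well. It keeps the thread's meta refresh; cflocation with addtoken="No" would also do, provided your ColdFusion version sends the cfcookie headers along with the redirect.

```cfml
<!--- Added example: drop session identifiers that arrived on the URL.
      Assumes every cflocation in the application already uses addtoken="No". --->
<cfif IsDefined("url.CFID") OR IsDefined("url.CFTOKEN")>

    <!--- Remove "cfid=..." and "cftoken=..." (any case) together with the "&"
          that precedes them; what is left is the query string the page was
          really meant to receive. --->
    <cfset cleanQS = REReplaceNoCase(CGI.QUERY_STRING, "&?cf(id|token)=[^&]*", "", "ALL")>
    <!--- if cfid was the first parameter, the next one now starts with a stray "&" --->
    <cfset cleanQS = REReplace(cleanQS, "^&", "")>

    <!--- ColdFusion has already copied the URL values into cookie.CFID and
          cookie.CFTOKEN (Claudia's point). Expire them so the reloaded page starts
          a fresh session instead of continuing the one pasted into the link. --->
    <cfcookie name="CFID" expires="NOW">
    <cfcookie name="CFTOKEN" expires="NOW">

    <!--- Rebuild the URL without the identifiers. HTMLEditFormat escapes quotes
          and angle brackets so the query string cannot break out of the attribute. --->
    <cfset target = CGI.SCRIPT_NAME>
    <cfif Len(cleanQS) GT 0>
        <cfset target = target & "?" & cleanQS>
    </cfif>
    <cfoutput>
    <meta http-equiv="Refresh" content="0; URL=#HTMLEditFormat(target)#">
    </cfoutput>

    <!--- stop here so the rest of the page never renders under the shared session --->
    <cfabort>

</cfif>
```

With a query string of `a=1&cfid=5&cftoken=6&b=2` the refresh goes to `a=1&b=2`; with `cfid=5&a=1` the leading ampersand is trimmed and the refresh goes to `a=1`. The check fires on either identifier so a URL carrying only CFID is cleaned as well.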

-----Original Message-----
From: Hoag, Claudia (LNG) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 21, 2002 2:18 PM
To: CF-Talk
Subject: RE: sharing sessions due to url.cfid and url.token


Yes, but by the time your Application.cfm runs this, the cfid and cftoken
are already assumed as the session info. They're also already written to
cookie.cfid and cookie.cftoken.
I could also force a new session every time I get url.cfid/url.cftoken, but
to do that I would have to make sure all the modified files (with cflocation
addtoken="no") made their way from development (through QA) to production.
That's not a small number of files and that's not an easy task.

-----Original Message-----
From: Rob Baxter [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 21, 2002 1:32 PM
To: CF-Talk
Subject: RE: sharing sessions due to url.cfid and url.token


Claudia,

I played around with this code in my Application.cfm file. It seems to work
ok. The idea is to check for and invalidate any session information passed
along on the url line. You can probably spruce it up by actually removing
the CFID and CFTOKEN arguments with an REReplace or something, but I'm lousy
at regular expressions so I just hacked this up quick. Also, you'll likely
want to loop over the NewQS query string and URL-encode the right-hand side
of each expression.

<cfif IsDefined("Url.CFID") And IsDefined("Url.CFTOKEN")>
        <!--- rename the parameters rather than remove them, so the page no longer
              sees Url.CFID/Url.CFTOKEN; scope "ALL" catches a name that appears
              more than once in the query string --->
        <cfset NewQS = ReplaceNoCase(Cgi.Query_String, "CFID", "CFID_ignore", "ALL")>
        <cfset NewQS = ReplaceNoCase(NewQS, "CFTOKEN", "CFTOKEN_ignore", "ALL")>
        <cfoutput>
        <META HTTP-EQUIV="Refresh" CONTENT="0; URL=#Cgi.Script_Name#?#NewQS#">
        </cfoutput>
</cfif>

</rob>

-----Original Message-----
From: Hoag, Claudia (LNG) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 21, 2002 1:01 PM
To: CF-Talk
Subject: RE: sharing sessions due to url.cfid and url.token


You can have multiple users showing the same IP address if they're behind
the same firewall.

I've already added addtoken="No" to the cflocations, but I just wanted to
know if there was a way of checking. I thought about the cgi.http_referrer
and clearing the session structure and expiring the cookies if the referrer
is not the expected one, but sometimes the http_referrer is blank and that
doesn't mean the user is pasting a url into the browser.
Considering that all access is done after user login, I guess I can create
my own cookie when the user logs in, containing cfid and cftoken, and always
check that against the current cfid and cftoken. If they're not the same,
there wasn't a login on the current machine or the session has expired - force
a new login.
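Claudia's login-time cookie idea, worked through as an added example (not code from the thread). Instead of putting cfid and cftoken themselves into the extra cookie, it stores a random value generated at login: the value lives in the session and in a cookie that is never appended to a link, so whoever receives a pasted URL has the CFID/CFTOKEN but not the matching cookie and is sent to the login page. It assumes ColdFusion 5 or later (for Hash), sessionmanagement="Yes" in the cfapplication tag, and that login.cfm sets session.userID on success; the names session.userID, session.bindToken, the AUTHBIND cookie and the file names are assumptions for illustration.

```cfml
<!--- Added example: bind a logged-in session to a cookie that is never placed on a
      URL. Assumes ColdFusion 5+ and sessionmanagement="Yes". session.userID,
      session.bindToken, AUTHBIND and the file names are illustrative assumptions. --->

<!--- ===== login.cfm: run only after the username/password check succeeded ===== --->
<cfset newToken = Hash(CreateUUID())>
<cflock scope="session" type="exclusive" timeout="10">
    <cfset session.userID = form.username>
    <!--- fresh, unguessable value for this login; unrelated to CFID/CFTOKEN --->
    <cfset session.bindToken = newToken>
</cflock>
<!--- this cookie stays on the browser that logged in; links never carry it --->
<cfcookie name="AUTHBIND" value="#newToken#">
<cflocation url="home.cfm" addtoken="No">

<!--- ===== Application.cfm: after the cfapplication tag, on every request ===== --->
<cfset forceLogin = false>
<cflock scope="session" type="readonly" timeout="10">
    <!--- only a session that claims to be logged in must carry the matching cookie --->
    <cfif IsDefined("session.userID")>
        <cfif NOT IsDefined("cookie.AUTHBIND")
              OR NOT IsDefined("session.bindToken")
              OR Compare(cookie.AUTHBIND, session.bindToken) NEQ 0>
            <!--- CFID/CFTOKEN came from a pasted URL or another browser:
                  no login happened here --->
            <cfset forceLogin = true>
        </cfif>
    </cfif>
</cflock>

<cfif forceLogin>
    <!--- delete the login keys instead of StructClear(session), which on some
          versions also removes ColdFusion's own session keys --->
    <cflock scope="session" type="exclusive" timeout="10">
        <cfset StructDelete(session, "userID")>
        <cfset StructDelete(session, "bindToken")>
    </cflock>
    <cfcookie name="CFID" expires="NOW">
    <cfcookie name="CFTOKEN" expires="NOW">
    <cfcookie name="AUTHBIND" expires="NOW">
    <cflocation url="login.cfm" addtoken="No">
</cfif>
```

Compare() is used rather than EQ so the check is case-sensitive. Note that when the recipient of a shared URL trips the check, the login keys are deleted from the session both people now share, so the original user is logged out too; that is the safe outcome, since their session identifiers have left their browser. The check does not depend on addtoken="No" being everywhere, which is what makes it useful while the cflocation cleanup is still working its way through QA.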

-----Original Message-----
From: Casey C Cook [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 21, 2002 12:43 PM
To: CF-Talk
Subject: RE: sharing sessions due to url.cfid and url.token


If you pass a URL with a CFID and token in it to a different user, the new
user will "hijack" that session information. We are currently experiencing
the same issue as Claudia. Our current solution is to put "addtoken = no"
(or something of that nature) in the cflocation tags. The other thought
is to check to ensure IPs match via the suggestion Jeffry gave, but he
raised an interesting point, the IPs may not always match behind a
firewall.  Why would the IPs not always match?
Anyone want to give a firewalls 101 crash paragraph?


Thanks,
CC




-----Original Message-----
From: Jeffry Houser <jeff@farcryfly.com>
Sent: 05/21/02 10:02 AM
To: CF-Talk <[EMAIL PROTECTED]>
Subject: RE: sharing sessions due to url.cfid and url.token


  If the session wasn't being passed in the URL, then there would be no
problem with someone stealing a session through URL sharing.

  I would look into using CGI Variables.  Check the CGI variable (I
forget which one, HTTP_Referrer maybe?) to see where the user came
from.  Granted if someone fakes it, this will not prevent anything.


At 10:44 AM 5/21/2002 -0400, you wrote:
>About the only thing I can think of is to add some code to your App.cfm
>file which checks for the existence of CFID and CFTOKEN as URL variables
>and if found, just redirect to the same page minus the session info on the
>url line. Of course this assumes you don't ever pass the session info in
>the url.
>
></rob>
>
>-----Original Message-----
>From: Hoag, Claudia (LNG) [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, May 21, 2002 10:19 AM
>To: CF-Talk
>Subject: sharing sessions due to url.cfid and url.token
>
>
>I'm trying to think of a way not to allow people to inadvertently share a
>session by sending each other a url with their cfid and cftoken in it. Of
>course we can just make sure that those are not passed as url parameters,
>but I'm wondering if there's a way to check if this is a session initiated
>by someone else.
>Do you guys have any ideas?
>
>Thanks
>
>






______________________________________________________________________
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
