Is this the result of not CFlocking when setting client vars?

-----Original Message-----
From: Luke Bartholomew [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 31, 2001 1:36 PM
To: Fusebox
Subject: client variable hijack

to anyone who can help,

I have recently launched a rather complex application developed using the
XFB specification and have a serious problem with the security. The security
system is based upon the XFB outlined by Hal Helms, using the user_groups
database table to allow administrators to be set up. The entire system only
relies upon client variables and non-persistent cookies to maintain state
management - no session, application or server variables are used. The
cfapplication tag is placed at the top of each index.cfm file as below:

<cfif NOT IsDefined( 'application.applicationName' )>
        <cfapplication name="appname" clientmanagement="Yes">
</cfif> 

The index.cfm file follows the XFB specification - and cfinclude's the
app_globals.cfm file.

Inside the app_globals.cfm file is the following script to kill the session
cookies if the browser is closed:

<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
  <cfset cfid_local = Cookie.CFID>
  <cfset cftoken_local = Cookie.CFTOKEN>
  <cfcookie name="CFID" value="#cfid_local#">
  <cfcookie name="CFTOKEN" value="#cftoken_local#">
</cfif>

And the client.urltoken is set to the request scope:

<cfscript>
// set urltoken
request.urltoken=client.urltoken;
</cfscript>

Then the request.urltoken variable is passed at every request to the server
- either on the end of the URL string or in a form (I have looked into this
on the Allaire website, which suggests that this is not a very secure way of
state management).

The problem is that once I log into the application, occasionally I inherit
someone else's client variables, which is obviously very undesirable.

The login script is nothing unusual and basically validates information
posted from a form against information held in the database - and then sets
the necessary client variables for email, client id and last login. There is
also a login script which runs through Flash, but it is basically the same
as the other.

Thanks

Luke B.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
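To make the failure mode in the message above concrete, here is a small Python model of the state design Luke describes (added here as an illustration; it is not code from the thread and does not run ColdFusion). It assumes a client-variable store keyed by the CFID/CFTOKEN pair, a urltoken in ColdFusion's "CFID=...&CFTOKEN=..." form, and that a token arriving in the URL or form is used in preference to the cookies, as the request.urltoken pattern implies. The two stored client records and the token values are constructed sample data. It shows that whoever presents a given pair receives that pair's client variables, and adds a mismatch check a practitioner would want while diagnosing "I inherited someone else's client variables".

```python
from urllib.parse import parse_qs

# Constructed sample data: the client-variable store as it might look for
# two logged-in users, keyed by (CFID, CFTOKEN). The values are made up.
CLIENT_STORE = {
    ("101", "55823041"): {"email": "alice@example.org", "client_id": "7",
                          "last_login": "2001-07-30"},
    ("102", "91837265"): {"email": "bob@example.org", "client_id": "12",
                          "last_login": "2001-07-31"},
}


def parse_urltoken(urltoken):
    """Parse a client.urltoken string ('CFID=...&CFTOKEN=...') into a key.

    Raises ValueError for a token that lacks either field, so a malformed
    token never silently resolves to some unrelated record.
    """
    fields = parse_qs(urltoken, strict_parsing=True)
    try:
        return (fields["CFID"][0], fields["CFTOKEN"][0])
    except KeyError as missing:
        raise ValueError(f"urltoken missing {missing.args[0]}") from None


def resolve_client(urltoken=None, cookies=None):
    """Model (assumption, not ColdFusion's code) of how the posted design
    binds a request to a client record: a token carried in the URL or form
    wins, otherwise the CFID/CFTOKEN cookies are used. The pair is a bearer
    credential: any request presenting it gets the matching record."""
    if urltoken:
        key = parse_urltoken(urltoken)
    elif cookies and "CFID" in cookies and "CFTOKEN" in cookies:
        key = (cookies["CFID"], cookies["CFTOKEN"])
    else:
        return None
    return CLIENT_STORE.get(key)


def token_mismatch(urltoken, cookies):
    """Diagnostic check: True when the token in the URL/form names a
    different client than the browser's own CFID/CFTOKEN cookies. In the
    design above this is exactly the situation in which a user ends up
    with someone else's client variables, so it is worth logging."""
    if not urltoken or not cookies:
        return False
    if "CFID" not in cookies or "CFTOKEN" not in cookies:
        return False
    return parse_urltoken(urltoken) != (cookies["CFID"], cookies["CFTOKEN"])


if __name__ == "__main__":
    bobs_cookies = {"CFID": "102", "CFTOKEN": "91837265"}
    alices_token = "CFID=101&CFTOKEN=55823041"
    # Bob's browser, carrying his own cookies, submits a URL or form that
    # contains Alice's urltoken: the request resolves to Alice's record.
    print(resolve_client(urltoken=alices_token, cookies=bobs_cookies))
    print("mismatch:", token_mismatch(alices_token, bobs_cookies))
```

The point of the model is that the urltoken is the whole credential: once it is appended to links and form fields it travels with those links, and a request that arrives with another user's pair is indistinguishable from that user. Logging `token_mismatch` cases in app_globals.cfm is a cheap way to confirm whether the inherited-variables reports coincide with URL-borne tokens that disagree with the cookies.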
