So, in theory the code below should set up the application and set client
cookies which will expire when the browser closes, which will give me a
per-session cookie:

<cfif NOT IsDefined('application.applicationName')>
        <cfapplication name="appname" clientmanagement="Yes"
setclientcookies="No">
        <cfcookie name="CFID" value="#client.cfid#">
        <cfcookie name="CFTOKEN" value="#client.cftoken#">
</cfif>

And this is the XFB standard right? 

But how do you explain why, on occasions whilst 'logged in' to my application,
suddenly without warning my login details became someone else's? I have
looked on the Allaire support forums for advice and there was talk of
upgrading to service pack 2 (ColdFusion 4.5.1), which I have done. Does
anyone have any idea why I would suddenly inherit someone else's client
session? This is a rather worrying problem as in the user database there
are obviously administrators with access permissions to update and add
content displayed on the website, and it would be a small disaster if an
unknown user were to inherit this client session and cause havoc on the
website.

Any ideas welcome.

Luke B.

-----Original Message-----
From: Erik Voldengen [mailto:[EMAIL PROTECTED]]
Sent: 31 July 2001 20:03
To: Fusebox
Subject: RE: client variable hijack


Luke,

I'm kinda busy right now but maybe later I could read your
post more completely.  However, in that CF_Application tag,
don't forget to set the param that keeps it from setting
cookies.  You're setting regular cookies if you omit this
param, then you overwrite them in your CFIF statement.  I
don't know if that has any odd results, so do it like this:


<cfapplication name="appname" clientmanagement="yes" setclientcookies="no">

<cfif NOT Isdefined("cookie.cfid")>
        <Cfcookie name="cfid" value="#client.cfid#">
        <Cfcookie name="cftoken" value="#client.cftoken#">
</cfif>

-Erik


> -----Original Message-----
> From: Luke Bartholomew [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 31, 2001 10:36 AM
> To: Fusebox
> Subject: client variable hijack
>
>
> to anyone who can help,
>
> I have recently launched a rather complex application developed using the
> XFB specification and have a serious problem with the security. The security
> system is based upon the XFB outlined by Hal Helms, using the user_groups
> database table to allow administrators to be set up. The entire system only
> relies upon client variables and non-persistent cookies to maintain state
> management - no session, application or server variables are used. The
> cfapplication tag is placed at the top of each index.cfm file as below:
>
> <cfif NOT IsDefined( 'application.applicationName' )>
>       <cfapplication name="appname" clientmanagement="Yes">
> </cfif>
>
> The index.cfm file follows the XFB specification - and cfinclude's the
> app_globals.cfm file.
>
> Inside the app_globals.cfm file is the following script to kill session
> cookies if browser is closed:
>
> <cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
>   <cfset cfid_local = Cookie.CFID>
>   <cfset cftoken_local = Cookie.CFTOKEN>
>   <cfcookie name="CFID" value="#cfid_local#">
>   <cfcookie name="CFTOKEN" value="#cftoken_local#">
> </cfif>
>
> And the client.urltoken is set to the request scope:
>
> <cfscript>
> // set urltoken
> request.urltoken=client.urltoken;
> </cfscript>
>
> Then the request.urltoken variable is passed at every request to the server
> - either on the end of the url string or in a form (I have looked into this
> on the Allaire website which suggests that this is not a very secure way of
> state management).
>
> The problem is that once I log into the application occasionally I inherit
> someone else's client variables which is obviously very undesirable.
>
> The login script is nothing unusual and basically validates information
> posted from a form against information held in the database - and then sets
> the necessary client variables for email, client id and last login. There is
> also a login script which runs through Flash, but it is basically the same
> as the other.
>
> Thanks
>
> Luke B.
>
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
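An added example, not code from this thread nor from Fusebox or Allaire: Luke's application appends client.urltoken (CFID and CFTOKEN) to every URL and form, which is the practice the Allaire note he mentions calls insecure. A token that travels in a URL also lands in the server's access log, the browser history and the Referer header of the next request, so a copied, bookmarked or posted link hands the client session to whoever follows it. The Python script below scans an access log for token pairs in request lines and Referer headers and reports any pair presented from more than one client address, which is the "inherited someone else's client variables" symptom described above. The Apache "combined" log format, the sample log lines and the host name www.example.com are constructed assumptions.

```python
"""Scan a web-server access log for ColdFusion client tokens (CFID/CFTOKEN)
carried in URLs. Added example; log format, sample lines and host name are
constructed assumptions, not data from the mailing-list thread.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed input format: Apache "combined" log lines.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

TOKEN_PARAMS = ("cfid", "cftoken")  # ColdFusion's client identifier pair, matched case-insensitively


def tokens_in_url(url):
    """Return {'cfid': ..., 'cftoken': ...} for whichever tokens appear in the query string."""
    found = {}
    for key, values in parse_qs(urlsplit(url).query).items():
        if key.lower() in TOKEN_PARAMS and values:
            found[key.lower()] = values[0]
    return found


def find_token_leaks(lines, own_host="www.example.com"):
    """Return one record per place a complete CFID/CFTOKEN pair appears in the log."""
    leaks = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        # (a) Token on the request line: it is now in this log and in the client's history.
        own = tokens_in_url(m["target"])
        if set(own) == set(TOKEN_PARAMS):
            leaks.append({"client": m["client"], "where": "request",
                          "cfid": own["cfid"], "cftoken": own["cftoken"]})
        # (b) Token in the Referer: the page the user came from carried it in its URL.
        #     An external Referer means the token-bearing link was published somewhere else.
        ref = m["referer"]
        if ref and ref != "-":
            reft = tokens_in_url(ref)
            if set(reft) == set(TOKEN_PARAMS):
                host = urlsplit(ref).hostname or ""
                where = "referer-internal" if host == own_host else "referer-external"
                leaks.append({"client": m["client"], "where": where,
                              "cfid": reft["cfid"], "cftoken": reft["cftoken"]})
    return leaks


def tokens_used_by_multiple_clients(leaks):
    """Map each (cfid, cftoken) pair to the client addresses that presented it, keeping
    only pairs seen from more than one address. Users behind one NAT share an address,
    so treat hits as leads to check against the login records, not as proof of hijack."""
    seen = {}
    for rec in leaks:
        seen.setdefault((rec["cfid"], rec["cftoken"]), set()).add(rec["client"])
    return {pair: clients for pair, clients in seen.items() if len(clients) > 1}


# Constructed sample log (not real traffic): two different addresses present the same pair.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Jul/2001:10:36:01 +0100] "GET /index.cfm?fuseaction=home&CFID=1234&CFTOKEN=56789012 HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [31/Jul/2001:10:36:09 +0100] "GET /index.cfm?fuseaction=admin.edit&CFID=1234&CFTOKEN=56789012 HTTP/1.0" 200 2048 "http://www.example.com/index.cfm?fuseaction=home&CFID=1234&CFTOKEN=56789012" "Mozilla/4.0"',
    '192.168.7.22 - - [31/Jul/2001:11:02:44 +0100] "GET /index.cfm?fuseaction=admin.edit&CFID=1234&CFTOKEN=56789012 HTTP/1.0" 200 2048 "http://forum.example.org/thread/42" "Mozilla/4.7"',
    '172.16.3.9 - - [31/Jul/2001:11:05:10 +0100] "GET /images/logo.gif HTTP/1.0" 200 900 "http://www.example.com/index.cfm?fuseaction=home" "Mozilla/4.7"',
    'this line is not in combined log format and is skipped',
]

if __name__ == "__main__":
    found = find_token_leaks(SAMPLE_LOG)
    for rec in found:
        print(f'{rec["client"]:>14} {rec["where"]:<17} CFID={rec["cfid"]} CFTOKEN={rec["cftoken"]}')
    for pair, clients in tokens_used_by_multiple_clients(found).items():
        print("token pair", pair, "presented by", sorted(clients))
```

On the sample log the scanner reports the pair 1234/56789012 four times (three request lines and one internal Referer) and flags it as presented by both 10.0.0.5 and 192.168.7.22; the 192.168.7.22 request arrives from an external forum page, consistent with a token-bearing link having been posted there. Run it against the real log with the actual host name to see whether the "inherited" sessions line up with tokens that had already appeared in a URL.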