Hijacked Session
anyone heard of this?

In order to assist in preventing session hijacking, when a user first hits my website, CF does some configuring and one of the things I do is set a session variable containing their IP . . .

<cfset session.mem_ip = #cgi.remote_addr#>

Subsequently, whilst they are logged in, every time they load a page, the session variable is compared to their current IP, to wit:

<cfif session.mem_ip is not #cgi.remote_addr#>
    <!--- go to log out . . . --->
</cfif>

Herein is the problem . . . . It appears that a google bot somehow hijacks the user session, triggers the log out . . . . and the user has to log back in . . . and this can happen more than once and randomly . . .

Any ideas???

PS: Using CF 5

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353839
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Hijacked Session
> It appears that a google bot somehow hijacks the user session,

It is not a good idea to associate the IP to a session. Some providers assign a new IP to each HTTP request, AOL for example. Google Bot also can request your site from many different IPs.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353840
Looking for affordable Colocation
Hello,

I am looking for 2 to 4 rack-spaces of affordable co-location on the east coast, with decent quality transit. Any suggestions?

-RR

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353841
Re: Hijacked Session
On Sat, Jan 12, 2013 at 9:26 AM, Jim Mixon bigjim0...@yahoo.com wrote:

> set a session variable containing their IP . . . Subsequently, whilst they are logged in, every time they load a page, the session variable is compared to their current IP, to wit:

This is a very bad idea. IP addresses change all the time, even during the middle of a session.

> It appears that a google bot somehow hijacks the user session, triggers the log out . . . . and the user has to log back in . . . and this can happen more than once and randomly . . . Any ideas???

Google's crawler probably has thousands of outbound IPs. Each hit is likely to come from a different IP. Some might come from the same IP. There is no way to know which will be true per request. As stated above, this is the reason not to use the visitor's IP in this way.

Here's an interesting post from someone on the Adobe engineering team about more effective ways to prevent session hijacking. It's focused on CF10, but some of the concepts would work on CF5 - you'd just have to build them yourself. (or you could upgrade)

http://www.shilpikhariwal.com/2012/03/improved-session-management-in.html

-Cameron

--
Cameron Childress
--
p: 678.637.5072
im: cameroncf
facebook http://www.facebook.com/cameroncf | twitter http://twitter.com/cameronc | google+ https://profiles.google.com/u/0/117829379451708140985

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353842
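An added example, not code from this thread and not ColdFusion: a small Python session store that puts the original poster's IP-binding check next to the kind of alternative the replies point at, an unguessable session id that is rotated at login and expired by idle and absolute timeouts, where an IP change is recorded for monitoring rather than forcing a logout. The class, the method names and the timeout values are constructed for illustration; the "walk-through" function shows an AOL-style mid-session IP change ending the IP-bound session while the token-based one survives it.

```python
import secrets
import time

# Constructed timeout values for the example (seconds); tune for a real app.
IDLE_TIMEOUT = 20 * 60
ABSOLUTE_TIMEOUT = 8 * 60 * 60


class SessionStore:
    """In-memory session store; `clock` is injectable so the walk-through can advance time."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def create(self, ip):
        # Unguessable id from a CSPRNG: a crawler or attacker cannot forge it.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = {
            "user": None, "ip": ip, "created": now,
            "last_seen": now, "ip_changes": [],
        }
        return token

    def login(self, token, user):
        """Rotate the session id at authentication: an id handed out before
        login (e.g. one a crawler or a third party may have seen) is dead afterwards."""
        state = self._sessions.pop(token)
        state["user"] = user
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = state
        return new_token

    def logout(self, token):
        self._sessions.pop(token, None)

    # --- the thread's approach: hard-bind the session to one client IP ---
    def check_ip_bound(self, token, ip):
        """True if the session is still valid; any IP mismatch ends it, which is
        the false-logout behaviour the original poster sees."""
        state = self._sessions.get(token)
        if state is None:
            return False
        if state["ip"] != ip:
            del self._sessions[token]
            return False
        state["last_seen"] = self._clock()
        return True

    # --- alternative: unguessable id plus timeouts; IP change logged, not punished ---
    def check(self, token, ip):
        """Session state or None. Expiry comes from idle and absolute timeouts;
        an IP change is appended to ip_changes for monitoring only."""
        state = self._sessions.get(token)
        if state is None:
            return None
        now = self._clock()
        if now - state["last_seen"] > IDLE_TIMEOUT or now - state["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[token]
            return None
        if state["ip"] != ip:
            state["ip_changes"].append((state["ip"], ip, now))
            state["ip"] = ip
        state["last_seen"] = now
        return state


def simulate():
    """Walk one user through both checks; returns a dict of observations."""
    clock = [1_000_000.0]                                  # constructed fake clock
    store = SessionStore(clock=lambda: clock[0])

    # 1. Hard IP binding: the user's provider rotates their address mid-session.
    t = store.login(store.create("10.0.0.1"), "alice")
    bound_same_ip = store.check_ip_bound(t, "10.0.0.1")
    bound_new_ip = store.check_ip_bound(t, "10.0.0.2")     # logged out by the IP check
    bound_after = store.check_ip_bound(t, "10.0.0.1")      # session is already gone

    # 2. Token plus timeouts: same IP rotation, session survives and the change is logged.
    t0 = store.create("10.0.0.1")
    t1 = store.login(t0, "alice")
    pre_login_id_dead = store.check(t0, "10.0.0.1") is None
    state = store.check(t1, "10.0.0.2")
    survives_ip_change = state is not None and state["user"] == "alice"
    changes_logged = len(state["ip_changes"]) if state else -1

    clock[0] += IDLE_TIMEOUT + 1                           # user walks away
    expired_idle = store.check(t1, "10.0.0.2") is None

    return {
        "bound_same_ip": bound_same_ip, "bound_new_ip": bound_new_ip,
        "bound_after": bound_after, "pre_login_id_dead": pre_login_id_dead,
        "survives_ip_change": survives_ip_change, "changes_logged": changes_logged,
        "expired_idle": expired_idle,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The `ip_changes` list is where a defender gets value from the IP: a session that hops between many addresses in a short window is worth alerting on, but the decision to end it belongs in monitoring, not in an unconditional check on every page load.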
Java Advisory
http://www.smh.com.au/it-pro/security-it/experts-urge-pc-users-to-disable-java-cite-security-flaw-20130111-2ckog.html

Hi folks,

I've been hearing a bit about this recommendation by the US government and others to disable or remove java in browsers. Does this have any impact on CF in general?

Best,
Nick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353843
Re: Java Advisory
> http://www.smh.com.au/it-pro/security-it/experts-urge-pc-users-to-disable-java-cite-security-flaw-20130111-2ckog.html
>
> Hi folks,
>
> I've been hearing a bit about this recommendation by the US government and others to disable or remove java in browsers. Does this have any impact on CF in general?

No. CF does not rely on client-side Java for commonly-used functionality. If you use the CF Administrator's filesystem browser, that requires client-side Java. For example, to select an Access database file when configuring a datasource. There are some CFFORM tags that used Java in earlier versions of CF, but it's unlikely you're using those in your applications.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353844
Re: Java Advisory
Many thanks for the clarification Dave.

Nick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353845
Re: Looking for affordable Colocation
Edgeweb is by far the best on the east coast IMHO. Hostek is very good too. And they give me a little $ to promote them, but they are in Oklahoma :)

http://hostek.com/aff.php?aff=630p=CF

Wil Genovese
Sr. Web Application Developer/ Systems Administrator
CF Webtools
www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com

On Jan 12, 2013, at 9:56 AM, Robert Rhodes rrhode...@gmail.com wrote:

> Hello,
>
> I am looking for 2 to 4 rack-spaces of affordable co-location on the east coast, with decent quality transit. Any suggestions?
>
> -RR

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353846
Re: Looking for affordable Colocation
> I am looking for 2 to 4 rack-spaces of affordable co-location on the east coast, with decent quality transit.

East Coast is a lot of territory. Do you have any more specific requirements? Bandwidth, IP addressing, electrical, firewall, remote hands-on needs? Most data centers I have worked with will ask for a contract for at least half a rack but I know of a few smaller players in the Tampa market who can handle individual servers for co-location.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353847