there's ways to fix that.

Fred T. Sanders
Galveston Island, TX
------------------------------
Having a bad day?
Imagine this...

You are in total seclusion from that hectic place called "The World".
The soothing sound of a gentle waterfall fills the air with a cascading
serenity.
The water is clear.
You can easily make out the face of the person you are holding underwater.

Feeling better?


----- Original Message -----
From: "Allen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, April 15, 2000 11:39 AM
Subject: Re: Am I Missing Something?


> Aren't there some security issues involved in passing the CFID & CFTOKEN in
> the URL?  It's been a while now, but I recall one of my co-workers playing
> with bookmarking pages, etc. and being able to get in without using the
> username / password.   My memory is a bit fuzzy on this one, though.
>
> -Allen
>
> ----- Original Message -----
> From: Byron M <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, April 13, 2000 11:55 PM
> Subject: RE: Am I Missing Something?
>
>
> > Basically that is correct, you could do it with vars stored in a db, but you
> > would still have to add some sort of id to the URL.
> >
> > We started to put #session.URLToken# to the end of all URLs; this variable
> > adds cfid=9394&cftoken=85904830 to the URL.
> >
> > I just thought of this.  If you have session variables that are initialized
> > with each session in say an Application.cfm file and users have cookies
> > turned off then you are initializing session vars for every page hit for
> > that user, and the old ones have to wait to time out.  So in actuality you
> > will be saving all so precious server resources by passing the id and token
> > to every page, which should in turn win you the admiration of your peers and
> > a huge raise because those processor and memory upgrade dollars could be
> > used elsewhere. :)
> >
> >
> > -----Original Message-----
> > From: Eric Dawson [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, April 13, 2000 11:38 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Am I Missing Something?
> >
> >
> > As far as I know the only way to pass a session from page to page is either
> > through a cookie or a URL variable. If cookies are turned off you need to
> > manually code the CFID and CFTOKEN variables to the URL to ensure you pass
> > them from page to page.
> >
> > Please correct me if I am wrong.
> >
> > Eric
> >
> > From: Kelly Matthews <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > To: "'[EMAIL PROTECTED] '" <[EMAIL PROTECTED]>
> > Subject: Am I Missing Something?
> > Date: Thu, 13 Apr 2000 21:26:31 -0400
> >
> > Ok I am somewhat new to CF but something doesn't seem to be right.
> > I have a section of our site that is secure, for members only. I
> > have written the app to write a cookie so they don't have to log in in the
> > future. That part works fine.
> >
> > Now I just wanted to see what happened if someone had cookies turned off,
> > and of course you can log in, but the minute you try to go to a 2nd page
> > it loops back to the login.
> >
> > Now before I implemented the cookies I did have session management on set to
> > about 30 minutes, which is still on, so people wouldn't have to relog in;
> > that worked fine. But with cookies off session management stops working too.
> > Does session management work only with cookies?
> >
> > I tried something else, turned client management on, and used a database for
> > clientstorage, instead of the registry or cookies, just to test it out, but
> > that didn't keep them logged in either. I must be missing something but isn't
> > there a way to open and maintain a session without cookies? I changed
> > setclientcookies to "no" but as long as my browser cookies are off I still
> > can't get in.
> >
> > Point is they get logged in and get to the first page after the login page
> > but if they try to go anywhere else they get kicked back to the login page,
> > which from the app.cfm below leads me to believe it's
> > not setting Session.Loggedin, and the only difference is that I turned my
> > browser cookies off.  Guess I just want to find out if Session.Loggedin HAS
> > to be set in a cookie or somewhere can I define it to be set a different
> > way. The client variables were however writing to the datasource with no
> > problem.
> >
> > Any help would be appreciated.
> > Below is my Application.cfm
> > I have tried all 3 client storage methods.
> > and with setclientcookies on and off.
> >
> > <cfapplication name="Members"
> > CLIENTSTORAGE="Clients"
> > clientmanagement="Yes"
> > sessionmanagement="Yes"
> > setclientcookies="NO"
> > sessiontimeout="#CreateTimeSpan(0,0,30,0)#">
> >
> > <CFIF  NOT IsDefined("Session.LoggedIn")>
> >          <CFLOCATION URL="login/login.cfm">
> > <CFELSEIF Session.loggedin IS "0">
> >          <CFLOCATION URL="login/login.cfm">
> > </cfif>
> >
> >

------------------------------------------------------------------------------
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
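Added example, not from the thread or from ColdFusion itself: a small Python model of the session lookup the thread describes (a session keyed on CFID/CFTOKEN, carried in a cookie or, as with session.URLToken, in the query string), showing why a bookmarked URL keeps working until the session times out or is explicitly invalidated. The store, the clock and the host name are assumptions for the demo.

```python
from urllib.parse import urlparse, parse_qs

# Matches sessiontimeout="#CreateTimeSpan(0,0,30,0)#" in the Application.cfm above.
SESSION_TIMEOUT = 30 * 60


class SessionStore:
    """Sessions keyed on (cfid, cftoken); `clock` is injectable so expiry is testable."""

    def __init__(self, clock):
        self.clock = clock
        self.sessions = {}

    def login(self, cfid, cftoken):
        self.sessions[(cfid, cftoken)] = {"loggedin": True, "last_seen": self.clock()}

    def logout(self, cfid, cftoken):
        # Explicit invalidation: the mitigation for a token that outlives the visit.
        self.sessions.pop((cfid, cftoken), None)

    def lookup(self, cfid, cftoken):
        s = self.sessions.get((cfid, cftoken))
        if s is None or self.clock() - s["last_seen"] > SESSION_TIMEOUT:
            self.sessions.pop((cfid, cftoken), None)  # idle timeout reached
            return None
        s["last_seen"] = self.clock()  # each hit refreshes the idle timer
        return s


def ids_from_request(url, cookies):
    """Prefer the cookie; fall back to cfid/cftoken in the URL when cookies are off."""
    if "CFID" in cookies and "CFTOKEN" in cookies:
        return cookies["CFID"], cookies["CFTOKEN"], "cookie"
    q = parse_qs(urlparse(url).query)
    if "cfid" in q and "cftoken" in q:
        return q["cfid"][0], q["cftoken"][0], "url"
    return None


def is_logged_in(store, url, cookies):
    """The Application.cfm gate: True only if the identified session is logged in."""
    ids = ids_from_request(url, cookies)
    if ids is None:
        return False
    s = store.lookup(ids[0], ids[1])
    return bool(s and s["loggedin"])
```

A URL carrying cfid/cftoken is accepted with no cookie at all for as long as the session is idle-fresh, which is the behaviour Allen recalls; shortening the timeout and deleting the session on logout are the two knobs this model exposes.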
