Isn't that why you set a session timeout? Hmm, but it wouldn't stop you from 
passing the open session to another PC. Can you tie CFID and CFTOKEN to the 
IP address or something like that?

My network proxy server (MS Proxy) doesn't cache ASP pages, but it caches CFM 
pages? Does anyone know how to configure this?

Also, I have been thinking (not original thinking).

I would like to be able to create an encrypted ticket that contains CFID 
and CFTOKEN as well as other information, to be securely passed in the URL.

Does anyone do this now?

Eric
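The bound, expiring ticket asked about above, as an added example that is not code from this thread or from ColdFusion. The thread's environment is ColdFusion, but the technique is language-independent, so it is sketched here in Python. It signs the ticket with an HMAC rather than encrypting it: the two problems the thread raises, a bookmarked URL that still gets in later and an open session handed to another PC, are answered by expiry, client binding and an integrity tag, not by hiding CFID and CFTOKEN, which the plain `#session.URLToken#` scheme already exposes in the URL (encryption can be layered on top if the payload must also be hidden). The server key, the 30-minute lifetime, the IP addresses and the CFID/CFTOKEN values in the walk-through are constructed assumptions.

```python
"""Added example (not code from the cf-talk thread or from ColdFusion):
a signed, expiring, client-bound ticket that carries CFID/CFTOKEN in the URL.

The thread suggests an encrypted ticket; this sketch signs instead of
encrypting, because a bookmark replayed later or a URL handed to another PC
is defeated by expiry, client binding and a MAC, not by hiding the two
numbers that the plain scheme already puts in the URL.  SERVER_KEY, the
lifetime and the addresses below are constructed values for the example.
"""
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional, Tuple

SERVER_KEY = b"example-only-server-key-change-me"  # assumption: load from config in practice
TICKET_TTL = 30 * 60  # seconds; matches the 30-minute sessiontimeout in the thread


def _b64(raw: bytes) -> str:
    """URL-safe base64 without padding, so the ticket survives as a URL parameter."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_ticket(cfid: int, cftoken: int, client_ip: str,
                key: bytes = SERVER_KEY, now: Optional[int] = None) -> str:
    """Issue a ticket: payload 'cfid|cftoken|ip|expires' plus an HMAC-SHA256 tag."""
    issued = int(time.time()) if now is None else now
    payload = f"{cfid}|{cftoken}|{client_ip}|{issued + TICKET_TTL}".encode("ascii")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_ticket(ticket: str, client_ip: str,
                  key: bytes = SERVER_KEY, now: Optional[int] = None) -> Optional[Tuple[int, int]]:
    """Return (cfid, cftoken) only if the tag is valid, the ticket is unexpired
    and the request comes from the IP the ticket was issued to; otherwise None."""
    current = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = ticket.split(".")
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    # Check the MAC before trusting anything in the payload; constant-time compare.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        cfid, cftoken, bound_ip, expires = payload.decode("ascii").split("|")
        cfid_i, cftoken_i, expires_at = int(cfid), int(cftoken), int(expires)
    except ValueError:
        return None
    if bound_ip != client_ip:   # session handed to another PC
        return None
    if current >= expires_at:   # bookmarked URL replayed after the lifetime
        return None
    return cfid_i, cftoken_i


def append_ticket(url: str, ticket: str) -> str:
    """Append the ticket to a link, where the thread appends #session.URLToken#."""
    return url + ("&" if "?" in url else "?") + "ticket=" + ticket


if __name__ == "__main__":
    # Constructed walk-through: issue on the login page, check on the next page.
    t = make_ticket(9394, 85904830, "10.0.0.5", now=1_000_000)
    print(append_ticket("/members/page2.cfm", t))
    print(verify_ticket(t, "10.0.0.5", now=1_000_100))            # (9394, 85904830)
    print(verify_ticket(t, "10.0.0.6", now=1_000_100))            # None: other PC
    print(verify_ticket(t, "10.0.0.5", now=1_000_000 + 31 * 60))  # None: expired
```

Binding to the client IP, as suggested above, rejects the second PC but also breaks users whose requests arrive through rotating proxy addresses; binding to something stabler, or to nothing beyond the expiry, is the usual compromise. It also does not remove the other leak a URL token has: the ticket still lands in bookmarks, Referer headers, and proxy and server logs, so the short lifetime is what limits the damage, and the page carrying it should be sent with headers that stop proxies caching it.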

From: "Allen" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
Subject: Re: Am I Missing Something?
Date: Sat, 15 Apr 2000 11:39:13 -0500

Aren't there some security issues involved in passing the CFID & CFTOKEN in
the URL?  It's been a while now, but I recall one of my co-workers playing
with bookmarking pages, etc. and being able to get in without using the
username / password.   My memory is a bit fuzzy on this one, though.

-Allen

----- Original Message -----
From: Byron M <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, April 13, 2000 11:55 PM
Subject: RE: Am I Missing Something?


 > Basically that is correct, you could do it with vars stored in a db, but
 > you would still have to add some sort of id to the URL.
 >
 > We started to put #session.URLToken# at the end of all URLs; this
 > variable adds cfid=9394&cftoken=85904830 to the URL.
 >
 > I just thought of this.  If you have session variables that are
 > initialized with each session in, say, an Application.cfm file and users
 > have cookies turned off, then you are initializing session vars for every
 > page hit for that user, and the old ones have to wait to time out.  So in
 > actuality you will be saving oh-so-precious server resources by passing
 > the id and token to every page, which should in turn win you the
 > admiration of your peers and a huge raise because those processor and
 > memory upgrade dollars could be used elsewhere. :)
 >
 >
 > -----Original Message-----
 > From: Eric Dawson [mailto:[EMAIL PROTECTED]]
 > Sent: Thursday, April 13, 2000 11:38 PM
 > To: [EMAIL PROTECTED]
 > Subject: Re: Am I Missing Something?
 >
 >
 > As far as I know the only way to pass a session from page to page is
 > either through a cookie or a URL variable. If cookies are turned off you
 > need to manually code the CFID and CFTOKEN variables into the URL to
 > ensure you pass them from page to page.
 >
 > Please correct me if I am wrong.
 >
 > Eric
 >
 > From: Kelly Matthews <[EMAIL PROTECTED]>
 > Reply-To: [EMAIL PROTECTED]
 > To: "'[EMAIL PROTECTED] '" <[EMAIL PROTECTED]>
 > Subject: Am I Missing Something?
 > Date: Thu, 13 Apr 2000 21:26:31 -0400
 >
 > OK, I am somewhat new to CF but something doesn't seem to be right.
 > I have a section of our site that is secure, for members only. I
 > have written the app to write a cookie so they don't have to log in in the
 > future. That part works fine.
 >
 > Now I just wanted to see what happened if someone had cookies turned off,
 > and of course you can log in, but the minute you try to go to a 2nd page
 > it loops back to the login.
 >
 > Now before I implemented the cookies I did have session management set to
 > about 30 minutes, which is still on, so people wouldn't have to re-log in;
 > that worked fine. But with cookies off session management stops working
 > too. Does session management work only with cookies?
 >
 > I tried something else: turned client management on, and used a database
 > for clientstorage, instead of the registry or cookies, just to test it out,
 > but that didn't keep them logged in either. I must be missing something, but
 > isn't there a way to open and maintain a session without cookies? I changed
 > setclientcookies to "no" but as long as my browser cookies are off I still
 > can't get in.
 >
 > Point is they get logged in and get to the first page after the login page,
 > but if they try to go anywhere else they get kicked back to the login page,
 > which from the app.cfm below leads me to believe it's not setting
 > Session.LoggedIn, and the only difference is that I turned my browser
 > cookies off.  Guess I just want to find out if Session.LoggedIn HAS to be
 > set in a cookie, or somewhere can I define it to be set a different way.
 > The client variables were however writing to the datasource with no
 > problem.
 >
 > Any help would be appreciated.
 > Below is my Application.cfm.
 > I have tried all 3 client storage methods,
 > and with setclientcookies on and off.
 >
 > <!--- Application.cfm: runs before every page in the Members application --->
 > <cfapplication name="Members"
 >                clientstorage="Clients"
 >                clientmanagement="Yes"
 >                sessionmanagement="Yes"
 >                setclientcookies="No"
 >                sessiontimeout="#CreateTimeSpan(0,0,30,0)#">
 >
 > <!--- Bounce to the login page unless the session flag says logged in --->
 > <cfif NOT IsDefined("Session.LoggedIn")>
 >     <cflocation url="login/login.cfm">
 > <cfelseif Session.LoggedIn IS "0">
 >     <cflocation url="login/login.cfm">
 > </cfif>
 >
 >
 > ------------------------------------------------------------------------------
 > Archives: http://www.eGroups.com/list/cf-talk
 > To Unsubscribe visit
 > http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
 > send a message to [EMAIL PROTECTED] with 'unsubscribe' in
 > the body.
 >
 > ______________________________________________________
 > Get Your Private, Free Email at http://www.hotmail.com
 >
