well, if I understand it correctly this was a situation where an external
user saw a page which should have only ever been accessible to an internal
user, so -- I'm thinking the only previous session variable to kill would
have (or should have) been related to the external user setup anyway, so
not killing it wouldn't give that external user access to the internal
display ... or am I missing something?

> And, not killing the previous session variable correctly.

> On Wed, 6 Nov 2002, S. Isaac Dealey wrote:

>> incomplete / improper or generally poor locking of session variables would
>> be my first guess...
>>
>> > sessions?
>>
>> > -----Original Message-----
>> > From: Mark A. Kruger - CFG
>> > [mailto:mkruger@;cfwebtools.com]
>> > Sent: 06 November 2002 14:40
>> > To: CF-Talk
>> > Subject: Strange occurrence
>>
>>
>> > One of the guys in my user group works for a firm that is very concerned
>> > with security.  They recently ran across this situation. I've offered a
>> > couple of possible explanations, but I'm interested in any other possible
>> > explanation:
>>
>>
>> > -----------------he wrote-------------------
>> > I had an occurrence today that was very strange. I have a CF 4.5.1 Server
>> > running on NT 4.0 using IIS 4.0 with the latest service packs installed. My
>> > site looks at an incoming request and if they don't already have session
>> > variables set (cached via cookies for 48 hours) they are given a password
>> > screen to log in with.
>>
>> > Around 13:00 Central time today a remote user was attempting to log into the
>> > site. His profile in our database did not have him authorized to log in and
>> > he was denied access as expected. While speaking with our Service Desk who
>> > was attempting to log in as him locally his remote display brought up a page
>> > that would only have been displayed to the local Service Desk technician.
>> > To the best of my knowledge, there was no password information passed to the
>> > remote user (he still wasn't authorized at that point in our profile
>> > database.)
>>
>> > How could he possibly have received a page from our server that belonged to
>> > our internal technician? The remote user and the local tech are both situated
>> > behind two different firewalls from the server. I am at a total loss, and am
>> > hoping that someone may be able to shed some light.
>> > -------------------------------------------
>>
>>
>> > I'm thinking he's not getting the full story from the help desk <g>
>>
>>
>> > Mark A. Kruger, MCSE, CFG
>> > www.cfwebtools.com
>> > www.necfug.com
>> > mxc.blogspot.com
>> > .no more brochures!
>>
>>
>>
>>
>>
>> Isaac
>> Certified Advanced ColdFusion 5 Developer
>>
>> www.turnkey.to
>> 954-776-0046
>>
>>


Isaac
Certified Advanced ColdFusion 5 Developer

www.turnkey.to
954-776-0046
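As an added illustration of the session locking Isaac's guess points at (this is not code from the thread; the login page, the "profiles" datasource, the users table and the role name are all assumed), a CF 4.5-era login handler that only touches SESSION inside CFLOCK and explicitly resets the session on a failed login:

```cfml
<!--- Added example, not from the thread. Assumes Application.cfm has already
      enabled session management (CFAPPLICATION SESSIONMANAGEMENT="Yes") and a
      hypothetical datasource "profiles" with a users table (username, role,
      can_login). On CF 4.5 shared scopes (SESSION/APPLICATION/SERVER) are not
      thread-safe; reads and writes must be wrapped in CFLOCK. --->

<cfquery name="qUser" datasource="profiles">
  SELECT role, can_login
  FROM   users
  WHERE  username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- Decide the outcome outside the lock so the lock is held as briefly as
      possible. CFML short-circuits AND, so can_login is not read on 0 rows. --->
<cfset isAuthorized = (qUser.recordCount EQ 1 AND qUser.can_login EQ 1)>

<!--- Exclusive lock for the write. The bad pattern would be the same two CFSET
      lines with no CFLOCK around them, which on 4.5 can race with other
      requests touching SESSION. --->
<cflock scope="SESSION" type="EXCLUSIVE" timeout="10" throwontimeout="Yes">
  <cfif isAuthorized>
    <cfset session.authorized = true>
    <cfset session.role = qUser.role>
  <cfelse>
    <!--- Reset explicitly: a denied login must not leave a previous
          authorization on this client alive. --->
    <cfset session.authorized = false>
    <cfset session.role = "">
  </cfif>
</cflock>

<!--- Reads take a READONLY lock, which still allows concurrent readers. --->
<cflock scope="SESSION" type="READONLY" timeout="10" throwontimeout="Yes">
  <cfset showInternalPage = (session.authorized AND session.role EQ "servicedesk")>
</cflock>

<cfif showInternalPage>
  <cfinclude template="internal_desk.cfm">
<cfelse>
  <cfinclude template="login_form.cfm">
</cfif>
```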

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Signup for the Fusion Authority news alert and keep up with the latest news in 
ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm
