You need a way to detect if a browser has come into the site correctly, ideally the home page, so set a Session variable on the home page somewhere. At the top of your other pages test if this variable exists and if it doesn't do a CFLOCATION to the home page with ADDUURL="yes".
-----Original Message-----
From: Webmaster [mailto:[EMAIL PROTECTED]]
Sent: Friday, 31 January 2003 9:46 AM
To: CF-Talk
Subject: Re: Client Variables - Serious Problem

Someone emailed the URL to someone else or a search engine has a link with the full URL, cftoken included.

We have a customer that will not allow cookies, for good reasons. So we have to use the URL to pass the CFID. We use client vars to track the session because session vars don't work behind a load balancer without cookies. (Especially if the user's IP address is different for each request (AOL, IBM etc.))...

So, you will run into a problem if someone emails the URL with the cftoken in it or a search engine gets it. Now anyone using that search engine who clicks on the link with the URLTOKEN in it will take on the personality associated with that token.

What we did was add code to the application.cfm to check for the referrer. If the referrer is blank, which it will be if coming from an email, or if the referrer is not my host name, we clear the client.cfltoken vars. This gives them a new cftoken.

This seems to work; however, some browsers do not pass the referrer. So, we are still looking for an optimal solution. If only we could use cookies, this would solve the problem.

By the way, Amazon.com also has this problem because they work without cookies also, so we are not alone.

1: Go to Amazon.com
2: Put something in your cart.
3: Now send that URL to someone, or put it into another machine you have locally.
4: Now delete the cart.
5: Go back to your first machine, and your cart is gone.

So if you email the URL to show someone the cart, they can delete it. If that URL gets into a search engine, it can cause grief for a few days. This should not happen often so Amazon is not going to try to fix the problem. This is why Amazon forces you to enter your email and password every time on check out, even if you have cookies enabled...

----- Original Message -----
From: "Paul Giesenhagen" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, January 30, 2003 4:41 PM
Subject: Re: Client Variables - Serious Problem

> Currently I pass every link like this:
>
> <a href="whatever.cfm?mode=whatever&#urlToken#">Link</a>
>
> I will try your suggestion.
>
> NOTE: I just received an email from a user who said someone knew all
> their personal information ... sooo this is looking like a huge
> problem.
>
> Thank you
> Paul Giesenhagen
> QuillDesign
>
> ----- Original Message -----
> From: "Owens, Howard" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Thursday, January 30, 2003 3:31 PM
> Subject: RE: Client Variables - Serious Problem
>
> > Paul:
> >
> > Are you on a cluster of servers?
> >
> > Also, how are you tracking CFID, CFTOKEN?
> >
> > I've found for the most stable success, I need to append #client.URLTOKEN#
> > to every URL, including those passed in FORMS, and I also got better results
> > by dropping this on my Application.cfm page (at the suggestion of a list
> > member):
> >
> > <cfapplication name="myapp"
> >     clientmanagement="yes"
> >     setclientcookies="yes" clientstorage="dbClientVars"
> >     SETDOMAINCOOKIES="true">
> >
> > followed by
> >
> > <cfcookie name="CFID" value="#CFID#" expires="NEVER" secure="Yes">
> > <cfcookie name="CFTOKEN" value="#CFTOKEN#" expires="NEVER" secure="Yes">
> >
> > Hope this helps.
> >
> > H.
> >
> > > -----Original Message-----
> > > From: Paul Giesenhagen [SMTP:[EMAIL PROTECTED]]
> > > Sent: Thursday, January 30, 2003 1:08 PM
> > > To: CF-Talk
> > > Subject: Client Variables - Serious Problem
> > >
> > > Question:
> > >
> > > I am using client variables to log in users and keep their
> > > information while roaming the site. The problem is I just went
> > > into the site and it had me logged as another user of the site...
> > > Below is the code I am using to log in a user.... I haven't used
> > > the client variables a lot so if you see something I am doing
> > > wrong, please enlighten.
> > >
> > > <!--- Login the user --->
> > > <cfset member = StructNew()>
> > > <cfset member.firstName = memberCheck.firstName>
> > > <cfset member.lastName = memberCheck.lastName>
> > > <cfset member.memberID = memberCheck.memberID>
> > > <cfset member.userName = memberCheck.userName>
> > > <cfwddx action="cfml2wddx" input="#member#" output="client.member">
> > >
> > > <!--- Top of email MEMBER page to see if they are member or not --->
> > >
> > > <cfif IsDefined("client.member")>
> > >     <cfwddx action="wddx2cfml" input="#client.member#" output="member">
> > >     <CFSET IsDeleteSuccessful = DeleteClientVariable("location")>
> > > <cfelse>
> > >     <cflocation url="member.cfm?mode=login" addtoken="Yes">
> > > </cfif>
> > >
> > > When I opened my browser and went to the site, it thought I was a
> > > different user ... how could something like this have happened??
> > >
> > > Any help or if you all need more information, please let me know.
> > >
> > > (Win2K, CF5 - Single Machine)
> > >
> > > Thank you
> > > Paul Giesenhagen
> > > QuillDesign
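
The referrer check described in the Webmaster reply above, written out as an added example; it is not code posted by anyone on the thread. It assumes CFID/CFTOKEN travel only in the URL, reuses the application name `myapp` and client store `dbClientVars` quoted earlier in the thread, and the redirect target `CGI.SCRIPT_NAME` is this example's own choice.

```cfml
<!--- Application.cfm (added example, not the thread's code) --->

<!--- Host part of the Referer header; stays empty when the browser sent none --->
<cfset refHost = "">
<cfif ListLen(CGI.HTTP_REFERER, "/") GTE 2>
    <!--- "http://host:port/path" splits on "/" into "http:", "host:port", "path" --->
    <cfset refHost = ListFirst(ListGetAt(CGI.HTTP_REFERER, 2, "/"), ":")>
</cfif>

<!--- A token in the URL is honoured only when the previous page was on this host.
      Blank referrer (mailed link, bookmark) and foreign referrer (search engine)
      are both treated as "token came from outside". --->
<cfif (IsDefined("URL.CFID") OR IsDefined("URL.CFTOKEN"))
      AND CompareNoCase(refHost, CGI.SERVER_NAME) NEQ 0>
    <!--- Redirect before cfapplication runs, so the client record tied to the
          supplied token is never loaded. The token-free request that follows
          is issued a fresh CFID/CFTOKEN. --->
    <cflocation url="#CGI.SCRIPT_NAME#" addtoken="No">
</cfif>

<cfapplication name="myapp"
               clientmanagement="Yes"
               setclientcookies="No"
               clientstorage="dbClientVars">
```

A browser that sends no referrer is redirected on every tokenised request and never keeps a login, which is the limitation the reply already points out.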