Hi Martin, Thanks for letting me know all this, omg indeed!
Trouble is, I was really hoping to use the cfid:cftoken as a way to spot a user trying to create a second user record from the same PC. Some sneaky individuals like to create fake profiles and that's not nice. So could I write a variable to the cookie with the user's SQL table id and use that to spot someone trying to create a fake profile? Or is there some other workaround I can use?

Jenny

----- Original Message -----
From: "Martin Parry" <[EMAIL PROTECTED]>
To: "CF-Talk" <cf-talk@houseoffusion.com>
Sent: Sunday, October 09, 2005 10:06 AM
Subject: RE: CFID

> Absolutely - A very similar thing also happened on an Intranet project
> I was working on. We couldn't figure out why users' sessions were
> expiring so quickly - sometimes not at all and sometimes every few minutes.
>
> The user would then log back in which would then cause another user to
> be logged out (or so it would appear) - What we found by displaying the
> current user id in the page was that they were then miraculously
> becoming the other user.
>
> How did this happen? The person who sent out the link to all the users
> sent something like http://theintranet/index.cfm?cfid=9999&cftoken=9999
>
> So, everyone became each other. OMG! With a bit of fiddling around, we
> held an IP address as a client variable, then if the user looking at the
> page didn't match the IP address we would clear their cookies and
> redirect them back to the homepage with a BRAND NEW CFID mixture. Thus
> overwriting the cookie in the browser. However, they also had to remove
> and recreate the favourites link to the intranet as the next time they
> visited the same would have happened.
>
> Now, there's a handy function URLSessionFormat which intelligently
> maintains state for users with cookies disabled. However, as spiders
> don't allow cookies the function will ultimately give the spider a url
> with cfid or a j2ee format string e.g.
> http://mywebsite.com/index.cfm;jsessionid=1230be920b90$B7h$298?page=/index.cfm .
> J2EE variables are a much better option.
>
> I don't know if anyone's posted this link for you but it works like a
> charm, creating per session cookies which most users will allow as they
> expire once the browser has closed
>
> http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=tn_17915
>
> Good luck
>
> Martin
>
>
> -----Original Message-----
> From: Webmaster at FastTrack On Line
> [mailto:[EMAIL PROTECTED]
> Sent: 09 October 2005 05:39
> To: CF-Talk
> Subject: Re: CFID
>
> Hi Martin,
>
> Thanks for your input.
>
> Oh my, wouldn't this be a bit of a security issue?
>
> Jenny
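Martin's IP-binding workaround, written out as an Application.cfm fragment. This is an added example, not code from the thread; the application name, the client variable boundIP and the homepage path /index.cfm are assumptions.

```cfml
<!--- Application.cfm (added example): bind each CFID/CFTOKEN pair to the
      address that first presented it, so a pair copied from a mailed or
      bookmarked URL cannot turn a second visitor into the first user. --->
<cfapplication name="intranet"
               clientmanagement="yes"
               sessionmanagement="yes"
               setclientcookies="yes">

<cfif NOT IsDefined("client.boundIP")>
    <!--- First request seen for this identifier pair: remember who it belongs to.
          boundIP is an assumed client-variable name. --->
    <cfset client.boundIP = cgi.remote_addr>
<cfelseif client.boundIP NEQ cgi.remote_addr>
    <!--- A different address is presenting the same CFID/CFTOKEN. Expire both
          cookies so the next request is issued a brand-new pair, and redirect
          with addtoken="no": cflocation otherwise appends the stale CFID and
          CFTOKEN to the redirect URL, which is exactly how the pair leaked. --->
    <cfcookie name="CFID" value="" expires="now">
    <cfcookie name="CFTOKEN" value="" expires="now">
    <cflocation url="/index.cfm" addtoken="no">
</cfif>
```

Behind NAT or a proxy many users share one remote address, so this check neither separates them nor catches a copied URL from inside the same network. It also does not remove the bookmark problem Martin describes, since a bookmarked URL re-presents the stale pair on every visit until the bookmark is recreated.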