<Parts of this message quoted from my response to the CFID-CFTOKEN Confusion thread>

It's probably not client corruption you're looking at. It's probably more than one user sharing the CFTOKEN and CFID values.

It's possible that two (or more) browsers could share the same CFID:CFTOKEN. It *shouldn't* happen, but flaws in the way CF handles these tokens allow it to happen under certain circumstances. CFID:CFTOKEN can be passed in the QueryString, in forms, or via cookies. It's fairly easy for someone to accidentally cut&paste a URL to someone else which includes their CFID:CFTOKEN in the URL. Now when the second user goes to the page w/ the CFID:CFTOKEN of the other user, CF will send back a cookie to the second user which permanently places the first user's CFID:CFTOKEN into the second user's cookie store. Now you've got two users using the same CFID:CFTOKEN and essentially sharing one CF Session.

When would CFID:CFTOKEN be in the URL to be copied & pasted? If you use CFLOCATION anywhere in your site and you didn't put the addtoken="No" parameter in the tag, then every CFLOCATION call will append the CFID:CFTOKEN to the URL.

We had that exact problem when one of our admins accidentally pasted a URL into our What's New database. Now every member who clicked on the link from the What's New page assumed the session of the admin. And since there were so many people accessing the site under the same session, the session never timed out. We had people accessing our entire site for free with Admin rights. It was a MESS....

We were fortunate in this case in that only one CFID:CFTOKEN had been shared, and we knew what they were. So... To clean things out we added a few lines to our application.cfm that checked for that CFID:CFTOKEN. If it found them, it deleted the user's CFID & CFTOKEN cookies and redirected them to the home page w/ no CFID or CFTOKEN in the URL. At that point, the CF server would assign a new CFID:CFTOKEN to the user. We also stopped the CF server and manually deleted everything out of our client store database just to be sure.

It took us a *long* time to track that one down, and we still occasionally have people coming back w/ old links to that CFID:CFTOKEN. We went through our entire codebase and made sure that every CFLOCATION now has addtoken="No". We also added code to our news admin pages and any other place where a URL might be entered that strips off any CFID or CFTOKEN from the URL.

Best regards,
Zac Bedell

========================================
Zachary S. Bedell, Chief Technology Officer, Adirondack Technologies, Inc.

Please include original message in any replies -- I get a lot of email every day, and I have a REALLY bad memory... So I don't always remember everything that was said. Thanks!

> -----Original Message-----
> From: Xing Li [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 02, 2000 6:04 AM
> To: CF-Talk
> Subject: CF Client Data Corruption Under Load?
>
> Just recently people have been logging in but then inadvertently with other
> users' accounts. Basically, if you attempt to login as "joe" you might
> instead be recognized as "david" once you have passed the authentication.
> All user verification is through client variables. I have yet to reproduce
> this on my own but the reports have been so frequent I can no longer
> discount this as chance. Have any of you experienced a similar problem?
>
> Setup:
>
> W2K Advanced Server with CF 4.5.1SP1 and SQL 2000 as the backend.
>
> This is a pretty serious problem on my end and I would appreciate any help.
>
> Xing
>
> ------------------------------------------------------------------------------------------------
> Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
> Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists or send
> a message with 'unsubscribe' in the body to [EMAIL PROTECTED]
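The last mitigation Zac describes, stripping CFID/CFTOKEN from any URL an admin enters before it is stored, is shown below as an added example (not code from the post or from Adirondack Technologies). It assumes only the standard library; the sample URLs and token values are constructed.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters that carry a ColdFusion client identity. Matched
# case-insensitively because CF accepts cfid/CFID/CfId alike.
CF_SESSION_PARAMS = {"cfid", "cftoken"}


def strip_cf_tokens(url: str) -> str:
    """Return url with any CFID/CFTOKEN query parameters removed.

    Other parameters keep their order and values, and the fragment is
    preserved. Run this on user-entered links (news items, bookmarks)
    before storing them so a pasted URL cannot hand every reader the
    poster's session.
    """
    parts = urlsplit(url)
    kept = [
        (key, value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
        if key.lower() not in CF_SESSION_PARAMS
    ]
    # urlencode of an empty list yields "", which drops the "?" entirely.
    return urlunsplit(parts._replace(query=urlencode(kept)))


def carries_cf_tokens(url: str) -> bool:
    """True if the URL still carries a CFID or CFTOKEN parameter.

    Useful as a check on links already in a database, or over web logs,
    to find pages that are still handing out session identifiers.
    """
    return any(
        key.lower() in CF_SESSION_PARAMS
        for key, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)
    )


if __name__ == "__main__":
    # Constructed example: a link pasted from a CFLOCATION without addtoken="No".
    pasted = "http://www.example.com/news.cfm?CFID=1042&CFTOKEN=93758&item=17#top"
    print(strip_cf_tokens(pasted))  # http://www.example.com/news.cfm?item=17#top
```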