> 1) I have an application with lots of different user profiles.
> If I log in as one user, and a colleague logs in as another
> user and changes his CFID and CFTOKEN to be the same as mine
> (for testing purposes), he is instantly given full access to
> my session. Is there any way I can stop this from happening
> (for example log them out if their CFID or TOKEN changes)?
The short answer is no. CF uses CFID and CFTOKEN to track a user - if you change them, CF will think you're a different user. You might set an additional cookie, and make sure that the cookie value corresponds with what you expect, but if you're passing CFID and CFTOKEN on the URL to avoid using cookies, that won't help much. Likewise, you might track the user's IP address in the session, and test to ensure that the user is at the same address as with previous requests, but in some cases a user's IP address does legitimately change over the lifetime of a session - AOL users, for example, may have many different addresses during a single session.

> 2) Does anyone know any JavaScript that will stop a user from
> clicking the Close button on their browser, and bring up an
> alert telling them they must log out?

No, there's nothing to stop a user from closing whatever applications they like, although you might make it as difficult as you can with onUnload events and the like. For good examples of this kind of stuff, just browse a few porn sites - those guys know their JavaScript!

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
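The "additional cookie" check from the first answer, as an added example that is not part of the original post and not ColdFusion code: a Python model of a server-side session store keyed by CFID/CFTOKEN, plus a separate random binding cookie (assumed name `CFBIND`, an HttpOnly cookie the application sets itself) whose hash is kept with the session. A request whose CFID/CFTOKEN resolve to a session but whose binding cookie is missing or wrong ends that session, which is the log-out behaviour the question asks for; it also shows the reply's caveat, since a request carrying CFID/CFTOKEN only on the URL has no binding cookie and is rejected.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the server-side session scope, keyed by (CFID, CFTOKEN).
# CF keeps this state itself; the dict only models the lookup for the example.
SESSIONS = {}


def _digest(value: str) -> str:
    # Store only a hash of the binding secret so a dump of the session store
    # does not hand out usable cookie values.
    return hashlib.sha256(value.encode()).hexdigest()


def start_session(cfid: str, cftoken: str, user: str) -> str:
    """Create the session and mint the CFBIND secret (assumed cookie name).

    Returns the value to send as an HttpOnly cookie; it is never placed on the URL,
    so copying CFID/CFTOKEN alone does not reproduce it.
    """
    binding = secrets.token_urlsafe(32)
    SESSIONS[(cfid, cftoken)] = {"user": user, "binding_hash": _digest(binding)}
    return binding


def validate_request(cfid: str, cftoken: str, binding_cookie):
    """Return the session's user if CFID/CFTOKEN and CFBIND all agree, else None.

    Any session whose identifiers arrive without a matching CFBIND is ended on the
    spot (fail closed), so the real owner is logged out too and must sign in again.
    """
    sess = SESSIONS.get((cfid, cftoken))
    if sess is None:
        return None
    # Missing cookie covers the URL-only case the reply warns about: CFID/CFTOKEN
    # on the query string carry no binding, so the check cannot vouch for them.
    if binding_cookie is None or not hmac.compare_digest(
        _digest(binding_cookie), sess["binding_hash"]
    ):
        del SESSIONS[(cfid, cftoken)]  # log everyone holding these identifiers out
        return None
    return sess["user"]
```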