RE: Protect action pages

2004-02-28 Thread NANCY SKAGER
Hey Dave,

I'm sure you know one heck of a lot more than me... no doubt! But in CF is 
it not possible to write a subscript into the application file to check where 
a link is coming from and redirect it if it is not from the same domain? Or 
would the HTTP_REFERER override it anyway? I'm most likely wrong, and I 
agree with the fact that unless you are writing a major porn site that is 
just asking to be hacked, it is not worth the time or trouble.

Rino

From: Dave Watts [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Subject: RE: Protect action pages
Date: Fri, 27 Feb 2004 16:40:47 -0500

  Not so much, because I can view the source of your original
  form, find all the hidden fields and their values and add
  them to my spoofed form.
 
  This is very difficult to do.

Yes, and in most cases it's probably not worth your trouble to try to
prevent it.

  Would sessions help? Not allow access to the action page if
  a session is not defined? Much beyond that I'm not sure what
  is practical.

Yes, sessions could help, although you could get the same effect from any
custom token you generated, as long as you create the token prior to getting
to the action page.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
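
The token check described in the reply above, as an added example that is not part of the original thread: it is sketched in Python rather than CFML, and the `Session` class, function names and 15-minute token lifetime are assumptions made for illustration.

```python
import hmac
import secrets

TOKEN_TTL = 15 * 60  # assumed lifetime, in seconds, of an unused token


class Session:
    """Stand-in for per-user server-side session storage (hypothetical)."""

    def __init__(self):
        self.form_tokens = {}  # token -> expiry timestamp


def issue_form_token(session, now):
    """Run while rendering the form page, i.e. before the action page."""
    token = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
    session.form_tokens[token] = now + TOKEN_TTL
    return token  # value for a hidden field in the form


def check_action_request(session, submitted, now):
    """Run at the top of the action page. Returns (allowed, reason)."""
    if session is None:
        return False, "no session"
    if not submitted:
        return False, "missing token"
    # Drop tokens that were issued but not used in time.
    for token, expires in list(session.form_tokens.items()):
        if expires <= now:
            del session.form_tokens[token]
    supplied = submitted.encode("utf-8")
    match = None
    for token in session.form_tokens:
        # Constant-time comparison against each token held by this session.
        if hmac.compare_digest(token.encode("utf-8"), supplied):
            match = token
    if match is None:
        return False, "unknown or expired token"
    del session.form_tokens[match]  # single use: a replayed post is rejected
    return True, "ok"


def demo():
    """Constructed walk-through; times are seconds on an arbitrary clock."""
    visitor, other = Session(), Session()
    token = issue_form_token(visitor, now=0)
    return [
        check_action_request(None, token, now=10),     # no session at all
        check_action_request(visitor, "", now=10),     # hidden field absent
        check_action_request(other, token, now=10),    # token from another session
        check_action_request(visitor, token, now=10),  # post from the served form
        check_action_request(visitor, token, now=20),  # same post replayed
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

The check only establishes that the form page was served to this session before the post arrived; a client that requests the form in its own session receives a token that validates for that session.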



RE: Killing clients in one clean sweep!

2004-01-25 Thread NANCY SKAGER
See the easycfm.com tutorial section. They have a tutorial on ending 
sessions in just a few lines of code. I believe they loop through the 
code...

Rino

From: Stuart Kidd [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Subject: RE: Killing clients in one clean sweep!
Date: Sat, 24 Jan 2004 00:27:26 -

No Jochem, they're just client.variables stored somewhere else.
Actually, where are they stored? I suppose on the ColdFusion server.

-Original Message-
From: Jochem van Dieten [mailto:[EMAIL PROTECTED]
Sent: 24 January 2004 00:25
To: CF-Talk
Subject: Re: Killing clients in one clean sweep!

Stuart Kidd wrote:
 
  I'm trying to kill all the client variables in one clean sweep but can't
  seem to get it right. I kind of worked out how to do one as:
 
  <cfset temp = DeleteClientVariable("user")>
 
  But how do I just go through all current client variables and delete
  them all?

Where do you store them? If in a database, just run 2 queries
directly against the storage tables.

Jochem

--
I don't get it
immigrants don't work
and steal our jobs
- Loesje



Hey Mosh more Help with CFHTTP

2004-01-22 Thread NANCY SKAGER
Hey Mosh;

New question, different person. :)

I'm looking to set up say 10 different e-stores. All stores will look 
different, but be run from the same CF e-commerce package. The e-commerce 
package will be generic enough to use on every application with little 
altering. All stores will run their own application, and have their own 
database. All stores will be in the same server space, but have their own 
virtual IP addy. Yes, kind of like the Yahoo stores are done.

I also want to write an 11th site. This site will be an admin site. I do not 
want to have to log in to all 10 stores every day to do admin stuff. So the 
admin site will be set up to view my hits from all the other sites as well as 
collect all, if any, orders from all the sites for order processing... I think 
you get the idea.

My questions are as follows:

1) Is it better to write directly to the admin site, or query from the admin 
site for the information?

2) In either case, is CFHTTP the right tag for the Job?

3) Any thoughts on any better way to do this?

Thanks;
Rino


Can CF do this?

2004-01-19 Thread NANCY SKAGER
Again for security reasons, and maybe I don't need to do this... Can 
ColdFusion capture a user's IP address and store it in a database on a given 
event like user login? If so, what code would I use?

I'm sure I could find the answer myself, but a little help would be a big 
time saver!

Thanks;
Rino


Re: session management help please

2004-01-19 Thread NANCY SKAGER
I see what you mean... Thanks for the insight, Jim.

Thanks;
Rino

From: Jim McAtee [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Subject: Re: session management help please
Date: Mon, 19 Jan 2004 01:52:18 -0700

- Original Message -
From: NANCY SKAGER [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Sunday, January 18, 2004 8:15 PM
Subject: RE: session management help please


  Finally it comes to this
 
  As an old time chatter myself, I know from experience, that when you log
  into a chatroom you can be there anywhere from 5 minutes to a couple of
  hours. This is the only thing messing with my session management. As I
  stated earlier, I would like to add a who's online link to this site. It
  would upset me if I logged in a site and it said a friend of mine was
  online and come to find out they left an hour ago but it still says they
  are logged in.

Is this your biggest concern - doing an accurate Who's On list?

I'm not certain you can use CF to get any kind of an active-session list for
a given application, so you'll need to maintain the list yourself anyway.

How you manage that list needn't be related to your login-session management.
You'll need to maintain this list in a persistent data store such as CF's
application scope, or in a database. You keep the list current by adding new
users to the list when they enter the room, then you keep updating their
last visited date/time whenever they retrieve a page. Drop users from the
list by setting some timeout value of 'X' minutes and deleting those that
have expired. This timeout value needn't be related in any way to the
timeout of the user's login session. You could, for instance, have a session
timeout of one hour, but could use a Who's On timeout of 10 minutes. Keep
in mind, though, that with a very short who's on timeout, you might see what
looks like odd user behavior. Most likely it will look like you have users
who come in and leave and keep coming back again and again during what is
actually a single visit.

  So I would need to set my timeout session to about 15 or 20 minutes, as
  there would be no reason to spend anymore time than that on any given page
  other than the chatroom page.
 
  Again the chatroom page is the only one that is messing with my session
  management. And yes, I want my chat page on the secured section of my site.
  Why you ask? Easy, you ever been to a chatroom where no matter what you do
  somebody has got to be a jerk? I want to be able to suspend account login
  if needed.
 
  DUH! I just had a thought, tell me if this would work. It sounds
  so simple that it won't work. What if on the chatroom window only I add an
  extra, very small frame, nothing in it but a little code. I refresh that
  frame, and that frame only, say every 2 minutes. In that case it should
  keep the session active, yet should not offer a big bog down in the chat
  applet. If someone surfs out of the chatroom page, it could load a new page
  either without that frame or swap that frame to a page not coded for
  refresh. In this way using cookies I could end the session if the browser
  closes, or by setting my time out the session would end shortly after the
  user leaves my domain. Will this work? I think it will, tell me what you
  think.

Doing this would most likely have exactly the opposite desired effect.
Someone goes to your chatroom page, and this bit of code keeps refreshing the
page and keeping the user's session alive indefinitely. With absolutely no
interaction on their part. They could have left the computer and gone on
vacation for all you know, but they'll appear to remain logged in. Same
thing if they (like I do) have 20 browser windows open, forget about the chat
window, and go off and visit another site in a different browser window, or
start doing something else on the computer for a few hours.

  One last quick question for the more experienced. As you can tell this
  site will be an online community. It will also offer an e-store. Is it
  better to write two separate applications (one for the store and the other
  to run the site) or, run them under one application?

If you have very short session timeouts (15 or 20 minutes qualifies), then
it's going to be an inconvenience for shoppers unless you keep their shopping
carts intact between sessions. Someone puts a dozen items in a shopping
cart, gets a phone call, their session times out, and now they have to start
shopping again - or not. An inconvenience for them, but ultimately the
seller's loss.

With reasonable timeouts, a single application is probably best. Probably
easier for you to keep track of when coding and easier for your users. It's
annoying to be forced to login repeatedly on different areas of the same web
site.
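
The Who's On list described in the reply above, as an added example that is not part of the original thread: it is sketched in Python rather than CFML, and the class, function names and sample requests are constructed for illustration. It replays one visit with a 12-minute pause to show the "leave and come back" effect of a short Who's On timeout, independent of the login-session timeout.

```python
from dataclasses import dataclass, field

MINUTE = 60  # all times are seconds on an arbitrary clock


@dataclass
class WhosOn:
    timeout: int                                   # idle seconds before removal
    last_seen: dict = field(default_factory=dict)  # user -> last request time
    arrivals: dict = field(default_factory=dict)   # user -> times (re)listed

    def expire(self, now):
        """Drop users whose last request is older than the timeout."""
        for user, seen in list(self.last_seen.items()):
            if now - seen > self.timeout:
                del self.last_seen[user]

    def touch(self, user, now):
        """Call on every page request made by a logged-in user."""
        self.expire(now)
        if user not in self.last_seen:
            self.arrivals[user] = self.arrivals.get(user, 0) + 1
        self.last_seen[user] = now

    def online(self, now):
        self.expire(now)
        return sorted(self.last_seen)


def session_alive(last_request, now, session_timeout):
    """Login-session check, deliberately separate from the Who's On list."""
    return now - last_request <= session_timeout


def replay(requests, whos_on_timeout):
    """Feed (time, user) requests to a fresh list and return it."""
    board = WhosOn(timeout=whos_on_timeout)
    for when, user in sorted(requests):
        board.touch(user, when)
    return board


# Constructed sample: "alice" requests pages at minutes 0, 3, 15 and 18 of a
# single visit; "bob" makes one request at minute 1 and walks away.
SAMPLE = [
    (0 * MINUTE, "alice"), (1 * MINUTE, "bob"), (3 * MINUTE, "alice"),
    (15 * MINUTE, "alice"), (18 * MINUTE, "alice"),
]

if __name__ == "__main__":
    for minutes in (10, 20):
        board = replay(SAMPLE, minutes * MINUTE)
        print(minutes, "min timeout -> arrivals:", board.arrivals)
    short = replay(SAMPLE, 10 * MINUTE)
    print("listed at minute 30:", short.online(30 * MINUTE))
    print("session alive at minute 30 (60 min timeout):",
          session_alive(18 * MINUTE, 30 * MINUTE, 60 * MINUTE))
```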


Re:CF Live Chat application

2004-01-19 Thread NANCY SKAGER
hey Eric;

I would love a peek at the code myself if you don't mind. Please

Thanks;
Rino

From: Eric Creese [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Subject: Re:CF Live Chat application
Date: Mon, 19 Jan 2004 17:25:23 -0400

I am using an open source CF chat app that does not require a database 
whatsoever. I modified it for my purposes to get the names of users from 
the database for the site I am running so they could log in easier. Really 
simple to use though. I found it on a developer site. can not remember 
which one but I could send you my code either way.

Re: Can CF do this?

2004-01-19 Thread NANCY SKAGER
yep bummer... thanks Matt. I did not realize this was happening, and of 
course it would have to be another AOL issue.. Sorry to those that 
don't, but god I hate that company!

Rino

From: Matt Robertson [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Subject: Re: Can CF do this?
Date: Mon, 19 Jan 2004 17:41:13 -0800

To add to the reasons given why this isn't particularly reliable, many ISPs 
now use rotating IPs during the same connection. AOL is the most often 
cited offender, with oftentimes each page request in a single session 
coming from a different IP, but they by no means are the only ones doing 
it.

Then there's the dynamic IP I have on my home DSL connection, which are the 
rule if you are on SBC (although you can buy a static one). That IP gets 
assigned every time I disconnect/reconnect.

Bummer, huh?

--
Matt Robertson, [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com

RE: CF Live Chat application

2004-01-19 Thread NANCY SKAGER
Yes, easycfm.com (my favorite tutorial site) does have a tutorial called 
shout box live. I was just hoping that this one might be a lil more to 
do... Such as pvt chat windows and friend lists and the like...

Rino

From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Subject: RE: CF Live Chat application
Date: Mon, 19 Jan 2004 18:50:50 -0700 (MST)

If I'm not mistaken the tutorial is on easycfm.com

  Same here, sounds like a wonderful tool!
 
  Hatton
 
  -Original Message-
  From: NANCY SKAGER [mailto:[EMAIL PROTECTED]
  Sent: Monday, January 19, 2004 8:24 PM
  To: CF-Talk
  Subject: Re:CF Live Chat application
 
  hey Eric;
 
  I would love a peek at the code myself if you don't mind. Please
 
  Thanks;
  Rino
 
  From: Eric Creese [EMAIL PROTECTED]
  Reply-To: [EMAIL PROTECTED]
  To: CF-Talk [EMAIL PROTECTED]
  Subject: Re:CF Live Chat application
  Date: Mon, 19 Jan 2004 17:25:23 -0400
  
  I am using an open source CF chat app that does not require
  a database
  whatsoever. I modified it for my purposes to get the names of users
  from the database for the site I am running so they could log in
  easier. Really simple to use though. I found it on a developer site.
  can not remember which one but I could send you my code either way.
  
 
 

RE: session management help please

2004-01-18 Thread NANCY SKAGER
Finally it comes to this

As an old time chatter myself, I know from experience, that when you log 
into a chatroom you can be there anywhere from 5 minutes to a couple of 
hours. This is the only thing messing with my session management. As I 
stated earlier, I would like to add a who's online link to this site. It 
would upset me if I logged in a site and it said a friend of mine was online 
and come to find out they left an hour ago but it still says they are logged 
in. So I would need to set my timeout session to about 15 or 20 minutes, as 
there would be no reason to spend anymore time than that on any given page 
other than the chatroom page.

Again the chatroom page is the only one that is messing with my session 
management. And yes, I want my chat page on the secured section of my site. 
Why you ask? Easy, you ever been to a chatroom where no matter what you do 
somebody has got to be a jerk? I want to be able to suspend account login if 
needed.

DUH! I just had a thought, tell me if this would work. It sounds 
so simple that it won't work. What if on the chatroom window only I add an 
extra, very small frame, nothing in it but a little code. I refresh that 
frame, and that frame only, say every 2 minutes. In that case it should keep 
the session active, yet should not offer a big bog down in the chat applet. 
If someone surfs out of the chatroom page, it could load a new page either 
without that frame or swap that frame to a page not coded for refresh. In 
this way using cookies I could end the session if the browser closes, or by 
setting my time out the session would end shortly after the user leaves my 
domain. Will this work? I think it will, tell me what you think.

One last quick question for the more experienced. As you can tell this site 
will be an online community. It will also offer an e-store. Is it better to 
write two separate applications (one for the store and the other to run the 
site) or, run them under one application?

Thanks again;
Rino

From: Dave Watts [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Subject: RE: session management help please
Date: Sun, 18 Jan 2004 20:46:04 -0500

  You can check the HTTP_REFERER to see if they came from your
  domain or somewhere else
 
  So if they come in from anywhere outside of your domain, you
  can make them log in.

It's worth pointing out that as HTTP_REFERER is provided by the browser, it
cannot be relied upon to be correct or even present. I think that it would
only be sent by most browsers if the user clicks on a link from a referring
page.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444


RE: session management help please

2004-01-18 Thread NANCY SKAGER
Thanks for your input Dave. This is my first time at writing a community, so 
the chat page lost me. I was trying so hard to think about how to end 
session management in the case of surfing somewhere else I missed what we 
call in my graphic design background the Elegant Simplicity.

As I said it never was an issue of the user surfing somewhere else, it was 
the thought of spending too much time in the chatroom.

And no, like any online store, you want to move the product... There is no 
reason to share info from the store to the rest of the site, unless I would 
like to query the user's personal info for shopping cart reasons, but that 
could be done on a separate application, yet sending that query to the same 
database... not as easy as it sounds but you get what I mean...

Thanks again Dave, and the rest of you too that commented. I did come up 
with the solution all on my own, but it was presenting the question to those 
that would listen that helped.

Thanks;
Rino

From: Dave Watts [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Subject: RE: session management help please
Date: Sun, 18 Jan 2004 22:43:17 -0500

  As an old time chatter myself, I know from experience, that
  when you log into a chatroom you can be there anywhere from
  5 minutes to a couple of hours. This is the only thing messing
  with my session management. As I stated earlier, I would like
  to add a who's online link to this site. It would upset me if
  I logged in a site and it said a friend of mine was online
  and come to find out they left an hour ago but it still says
  they are logged in. So I would need to set my timeout session
  to about 15 or 20 minutes, as there would be no reason to
  spend anymore time than that on any given page other than the
  chatroom page.

I'm not an expert on chat applications, but most chat software I've seen has
the ability to list who's in the chat room at any given moment - chat
applications typically maintain a connection to a chat server, and aren't
limited by how HTTP works. Depending on the API of your chat software, you
may be able to query it from CF to see who's in what room.

  DUH! I just had a thought, tell me if this would
  work. It sounds so simple that it won't work. What if on the
  chatroom window only I add an extra, very small frame, nothing
  in it but a little code. I refresh that frame, and that frame
  only, say every 2 minutes. In that case it should keep the
  session active, yet should not offer a big bog down in the
  chat applet. If someone surfs out of the chatroom page, it
  could load a new page either without that frame or swap that
  frame to a page not coded for refresh. In this way using
  cookies I could end the session if the browser closes, or by
  setting my time out the session would end shortly after the
  user leaves my domain. Will this work? I think it will, tell
  me what you think.

This will allow you to maintain the user's session while that user is within
your chat page. This is a pretty common approach to this problem, I think.
However, it will not end the session when the user goes to a page outside of
your application, as you originally asked.

  One last quick question for the more experienced. As you can
  tell this site will be an online community. It will also offer
  an e-store. Is it better to write two separate applications (one
  for the store and the other to run the site) or, run them under
  one application?

If you want to share session data between your store and the rest of the
site, it's probably easier to have them within a single application.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444


RE: session management help please

2004-01-17 Thread NANCY SKAGER
As there is no response to my original question, am I to determine that this 
either cannot be done, or it is just that nobody on this list knows the 
answer?

Rino

From: Seth Skager [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Subject: session management help please
Date: Tue, 13 Jan 2004 20:30:34 -0800 (PST)

I'm writing my first application. I will be using a
secure section on my site you need to login to. I can
set up a logout link to end a session. I can end a
session if the user closes the browser. My question
is, is there a way to kill or end the session if the
user navigates outside of my domain? For example, a
user is logged in on my site and clicks his home
button. Is there a way to end the session at that
point?

thanx;
Rinopod



Re: session management help please

2004-01-17 Thread NANCY SKAGER
Thank you so much... I thought that this was going to be the only way to 
pull this off. I guess at any rate I can add this to the Macromedia wish 
list for the next version of ColdFusion. Macromedia really needs to add 
new and better tags for session management. ROFLMAO... If I was a better 
programmer at C or Java, I'd write my own custom tag to handle this and 
make lots of $$$!

But for now I see that ColdFusion cannot do this so I need to crack open my 
dust covered JS books!

Thanks for all your help;
Rino

From: ColdFusion [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Subject: Re: session management help please
Date: Sat, 17 Jan 2004 13:35:19 -0500

If the user is using the same browser window, use the
OnUnload function of JS to check if the location is not within
your domain. If so, close the session.


- Original Message -
From: NANCY SKAGER
To: CF-Talk
Sent: Saturday, January 17, 2004 1:14 PM
Subject: RE: session management help please


As there is no response to my original question, am I to determine that this
either cannot be done, or it is just that nobody on this list knows the
answer?

Rino

From: Seth Skager [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Subject: session management help please
Date: Tue, 13 Jan 2004 20:30:34 -0800 (PST)

I'm writing my first application. I will be using a
secure section on my site you need to login to. I can
set up a logout link to end a session. I can end a
session if the user closes the browser. My question
is, is there a way to kill or end the session if the
user navigates outside of my domain? For example, a
user is logged in on my site and clicks his home
button. Is there a way to end the session at that
point?

thanx;
Rinopod



Re: session management help please

2004-01-17 Thread NANCY SKAGER
The reason I would like to end sessions in this way is the fact that a 
certain page on the site will have a chatroom on it. A user can spend an 
unknown amount of time there, then either surf to other sections of the 
site, or surf somewhere else. If the person does leave the site and then 
returns, I want them to have to sign in again. This is of course for reasons 
of security. I also will be adding an include file that tells the number 
of active sessions out of the number of registered users. It will also 
include a link to see who is online. As you can see it will be wise to be 
able to end a session if a user surfs away from the site. Any thoughts on 
this?

thanks;
Rino

From: Bob Haroche [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Subject: Re: session management help please
Date: Sat, 17 Jan 2004 12:33:46 -0800

I'm wondering why Nancy wants to end session variables in the way she
describes. Perhaps there are other ways of achieving her goal.

For example, perhaps a clunky one, she could set very short lived
session variables and refresh them on each page request for another
very short period of time. When the visitor leaves her site, the
session will end shortly thereafter.


-
Regards,
Bob Haroche
O n P o i n tS o l u t i o n s
www.OnPointSolutions.com


