CF Client Data Corruption Under Load?

2000-11-09 Thread Xing Li

Just recently people have been logging in but then inadvertently with other
user's account. Basically, if you attempt to login as "joe" you might
instead be recognized as "david" once you have passed the authentication.
All user verification is through client variables. I have yet to reproduce
this on my own but the reports have been so frequent I can no longer
discount this as chance. Have any of you experienced a similar problem?

Setup:

W2K Advanced Server with CF 4.5.1SP1 and SQL 2000 as the backend.

This is a pretty serious problem on my end and I would appreciate any help.

Xing


Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists or send a message 
with 'unsubscribe' in the body to [EMAIL PROTECTED]



RE: CF Client Data Corruption Under Load?

2000-11-09 Thread Zachary Bedell

Parts of this message quoted from my response to the CFID-CFTOKEN
Confusion thread

It's probably not client corruption you're looking at.  It's probably
more than one user sharing the CFTOKEN and CFID values.

It's possible that two (or more) browsers could share the same
CFID:CFTOKEN.  It *shouldn't* happen, but flaws in the way CF handles
these tokens allow it to happen under certain circumstances.

CFID:CFTOKEN can be passed in the QueryString, in forms, or via
cookies.  It's fairly easy for someone to accidentally cut & paste a URL
to someone else which includes their CFID:CFTOKEN in the URL.  Now
when the second user goes to the page w/ the CFID:CFTOKEN of the
other user, CF will send back a cookie to the second user which
permanently places the first user's CFID:CFTOKEN into the second
user's cookie store.  Now you've got two users using the same
CFID:CFTOKEN and essentially sharing one CF Session.

When would CFID:CFTOKEN be in the URL to be copied & pasted?  If you
use CFLOCATION anywhere in your site and you didn't put the
addtoken="No" parameter in the tag, then every CFLOCATION call will
append the CFID:CFTOKEN to the URL.

We had that exact problem when one of our admins accidentally pasted a
URL into our What's New database.  Now every member who clicked on
the link from the What's New page assumed the session of the admin. 
And since there were so many people accessing the site under the same
session, the session never timed out.  We had people accessing our
entire site for free with Admin rights.  It was a MESS

We were fortunate in this case in that only one CFID:CFTOKEN had been
shared, and we knew what they were.  So...  To clean things out we
added a few lines to our application.cfm that checked for that
CFID:CFTOKEN.  If it found them, it deleted the user's CFID & CFTOKEN
cookies and redirected them to the home page w/ no CFID or CFTOKEN in
the URL.  At that point, the CF server would assign a new
CFID:CFTOKEN to the user.   We also stopped the CF server and
manually deleted everything out of our client store database just to
be sure.  

It took us a *long* time to track that one down, and we still
occasionally have people coming back w/ old links to that
CFID:CFTOKEN.  We went through our entire codebase and made sure that
every CFLOCATION now has addtoken="No".  We also added code to our
news admin pages and any other place where a URL might be entered
that strips off any CFID or CFTOKEN from the URL.

Best regards,
Zac Bedell


Zachary S. Bedell,
Chief Technology Officer,
Adirondack Technologies, Inc.

Please include original message in any replies -- I get a 
lot of email every day, and I have a REALLY bad memory... 
So I don't always remember everything that was said.  
Thanks!





 -Original Message-
 From: Xing Li [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, November 02, 2000 6:04 AM
 To: CF-Talk
 Subject: CF Client Data Corruption Under Load?
 
 
 Just recently people have been logging in but then inadvertently with other
 user's account. Basically, if you attempt to login as "joe" you
 might instead be recognized as "david" once you have passed the
 authentication.
 All user verification is through client variables. I have
 yet to reproduce this on my own but the reports have been so frequent I can no
 longer discount this as chance. Have any of you experienced a
 similar problem?
 
 Setup:
 
 W2K Advanced Server with CF 4.5.1SP1 and SQL 2000 as the backend.
 
 This is a pretty serious problem on my end and I would 
 appreciate any help.
 
 Xing
 
 

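Two things Zac describes, tracking down which CFID:CFTOKEN pair is being shared and stripping the tokens out of URLs before they get stored, can be scripted. The following is an added example (not code from the thread or from ColdFusion): it scans constructed common-log-format access-log lines for CFID/CFTOKEN pairs that arrive from more than one client IP, and it removes the two parameters from any URL that is about to be published.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample access-log lines (common log format) for this example.
# Three different client IPs request admin.cfm with the same CFID:CFTOKEN,
# which is the "shared session" symptom described in the reply above.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Nov/2000:06:04:01] "GET /news.cfm?id=7 HTTP/1.0" 200 512
10.0.0.5 - - [02/Nov/2000:06:04:02] "GET /admin.cfm?CFID=1234&CFTOKEN=99887766 HTTP/1.0" 200 880
10.0.0.9 - - [02/Nov/2000:06:05:10] "GET /admin.cfm?CFID=1234&CFTOKEN=99887766 HTTP/1.0" 200 880
10.0.0.42 - - [02/Nov/2000:06:07:33] "GET /admin.cfm?CFID=1234&CFTOKEN=99887766 HTTP/1.0" 200 880
10.0.0.7 - - [02/Nov/2000:06:08:00] "GET /index.cfm?CFID=555&CFTOKEN=11223344 HTTP/1.0" 200 300
"""

# client IP, then the request path+query from the quoted request line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP')


def token_pair(url):
    """Return (cfid, cftoken) from a URL's query string, or None if absent."""
    params = {k.lower(): v for k, v in parse_qsl(urlsplit(url).query)}
    if "cfid" in params and "cftoken" in params:
        return (params["cfid"], params["cftoken"])
    return None


def shared_tokens(log_text, min_clients=2):
    """Map each CFID:CFTOKEN pair seen in a URL to the sorted client IPs that
    used it, keeping only pairs used from min_clients or more addresses.
    A pair on many IPs is a session being shared through a pasted link."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, url = m.groups()
        pair = token_pair(url)
        if pair:
            clients[pair].add(ip)
    return {p: sorted(ips) for p, ips in clients.items() if len(ips) >= min_clients}


def strip_cf_tokens(url):
    """Remove CFID and CFTOKEN (any case) from a URL before it is stored or
    published, e.g. in a "What's New" entry, so a link cannot hand out a
    session."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in ("cfid", "cftoken")]
    return urlunsplit(parts._replace(query=urlencode(kept)))
```

Running `shared_tokens(SAMPLE_LOG)` on the constructed lines reports the single pair 1234:99887766 as used from three addresses, which is the pair the Application.cfm check in the reply would then look for.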
