Re: CFID-CFTOKEN Major Issues. HELP!!!!

2007-05-24 Thread Asad Khan
> > I am having a huge problem right now, I have an application
> > where I am using CFID/Cftoken as part of URL parameter.  They
> > are currently being maintained in the registry.
>
> As an aside, you really don't want to store client data in the registry. Use
> a database instead.
>
> > What is the underlying cause of it?
>
> CFID and CFTOKEN are used to uniquely identify a client. If two clients use
> the same values, they will appear to be the same client from your
> application's perspective.
>
> > If I change the session management parameters though the CF
> > Administrator to use cookies, is there other major work (code
> > re-write) I need to do, since the application has been
> > developed using cfids/cftokens in the URL.
>
> There is no session management parameter in the CF Administrator to let you
> use cookies instead of URL parameters. Within the CF Administrator, you can
> specify whether session management is enabled, what the default and maximum
> timeouts are, and in CFMX, whether you use J2EE or CF session tokens.
>
> If you're talking about client management, there is an option to use cookies
> to store the actual client data. This is somewhat independent of whether you
> use cookies or URL parameters as client tokens.
>
> If your application is specifically looking for URL.CFID and URL.CFTOKEN,
> you would need to rewrite your code if those variables didn't exist. You
> could probably just set URL.CFID equal to Client.CFID, and URL.CFTOKEN equal
> to Client.CFTOKEN, within Application.cfm as a relatively easy workaround.
>
> > OR
> >
> > Can I set the addtoken=no in the cflocation and prevent the
> > tokens from being append to URL..  If yes, are there any
> > major repercussions.  Will this work.
>
> If you didn't specifically disable cookies, they probably are being set, in
> which case you can (usually) disable setting them in the URL. Check to see
> if cookies are being set.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:279064
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4


RE: CFID-CFTOKEN Major Issues. HELP!!!!

2007-05-24 Thread Adkins, Randy
Is there a message (comments) in here I am missing?? 


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:279065


Re: CFID-CFTOKEN Major Issues. HELP!!!!

2007-05-24 Thread Asad Khan
Hi Dave:

First of all thank you for your suggestions.

I have a couple of questions here.

I have one app that is pointing to registry and one pointing to datasource.  I 
know that data source is the correct way of handling.

I notice the app where the admin is set to datasource, and when I look in the 
tables I see no values.  Does that mean my app is not storing in DB (not to 
sound like a dumb question)...

Your Answer:

> If your application is specifically looking for URL.CFID and URL.CFTOKEN,
> you would need to rewrite your code if those variables didn't exist. You
> could probably just set URL.CFID equal to Client.CFID, and URL.CFTOKEN equal
> to Client.CFTOKEN, within Application.cfm as a relatively easy workaround.

MY Question

What will this do by setting url.cfid=client.cfid.  If I do this and a client 
still emails the entire link with these id/token in the URL, will I still have 
the same issue...  And what happens if a user tries to maliciously change the 
id or token value by one digit (I know there are so many permutations between 
the 2, but it can happen.  Will this approach you mentioned eliminate any of 
those security issues).

Your Question
==
> If you didn't specifically disable cookies, they probably are being set, in
> which case you can (usually) disable setting them in the URL. Check to see
> if cookies are being set.

My Question:
=
Where do I need to check if cookies have been disabled..  If they were, can I 
just turn them on and then set the url.addtoken=no.  Will this work to 
eliminate the tokens from the URL string..

Asad


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:279067


Re: CFID-CFTOKEN Major Issues. HELP!!!!

2007-05-24 Thread Tom Chiverton
On Thursday 24 May 2007, Asad Khan wrote:
> what will this do by setting url.cfid=client.cfid.  If I do this and a

url.cfid= *cookie*.cfid would be better.

> client still emails the entire link with these id/token in the URL, will I
> still have the same issue...

No, the ones in the actual URL in the web browser will be overwritten.

> maliciously change the id or token value by one digit (i know there are so
> many permutations between the 2, but it can be happen.  Will this approach
> you mentioned eliminate any of those security issues).

Unless they are very lucky, they won't have a valid combination and it'll 
error.

> Where do i need to check if cookies have been disabled..

On their web browser :-)
Not many people disable them these days.
There are detection examples floating around, or you can write a page that 
uses cfcookie to set one, then forwards to a second page that (tries to) read 
them back.

> eliminate the tokens from the URL string..

Yes.

-- 
Tom Chiverton
Helping to interactively market internet initiatives
on: http://thefalken.livejournal.com




Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:279071
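
The rule discussed in this message (take the client identifiers from the cookie, never from the query string) modelled in Python as an added example; it is not code from the thread and not ColdFusion's own logic. The function names, the 302 redirect and the sample URLs are assumptions of the example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string parameters that must never be accepted as proof of identity.
TOKEN_PARAMS = {"CFID", "CFTOKEN"}


def strip_tokens(url):
    """Return (clean_url, had_tokens) with CFID/CFTOKEN removed from the query.

    Parameter names are matched case-insensitively and every other
    parameter is preserved in its original order.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k.upper() not in TOKEN_PARAMS]
    clean = urlunsplit(parts._replace(query=urlencode(kept)))
    return clean, len(kept) != len(pairs)


def resolve_client(url, cookies):
    """Decide how to answer a request. Returns (status, location, client).

    * Tokens in the URL are never trusted: the request is redirected to the
      same address without them, so a forwarded or bookmarked link carries
      no identity and the tokens leave the address bar.
    * Otherwise the client is whatever the CFID/CFTOKEN cookies say.
    * With no cookies the visitor is anonymous (client is None) and the
      application would start a fresh session for them.
    """
    clean, had_tokens = strip_tokens(url)
    if had_tokens:
        return 302, clean, None
    names = {k.upper(): v for k, v in cookies.items()}
    cfid, cftoken = names.get("CFID"), names.get("CFTOKEN")
    if cfid and cftoken:
        return 200, None, (cfid, cftoken)
    return 200, None, None


if __name__ == "__main__":
    # Constructed values: a link copied from the owner's browser and opened
    # by someone who has never visited the site (no cookies).
    emailed = "/app/report.cfm?id=7&CFID=1001&CFTOKEN=11112222"
    status, location, client = resolve_client(emailed, {})
    print(status, location, client)            # redirected, no identity
    print(resolve_client(location, {}))        # served as an anonymous visitor
    # The owner, who does hold the cookies, is still recognised.
    print(resolve_client(location, {"CFID": "1001", "CFTOKEN": "11112222"}))
```
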


Re: CFID-CFTOKEN Major Issues. HELP!!!!

2007-05-24 Thread Asad Khan
Please expand on this.

I am a new admin on CF, background is DB, so any suggestions on what I need 
to do and where those would be applied in the code.

If you can provide explicit code for me to totally eliminate the use of Tokens 
in the URL..

I want to get the cfid/cftoken out of my URLs and still have the site work 
effectively.

What would be my best solution...

Asad

Is there a message (comments) in here I am missing?? 


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:279084

RE: CFID-CFTOKEN Major Issues. HELP!!!!

2007-05-23 Thread Coldfusion
How are you handling security now? Session variable? 

 

-Original Message-
From: Asad Khan [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 23, 2007 8:27 PM
To: CF-Talk
Subject: CFID-CFTOKEN Major Issues. HELP

I am having a huge problem right now, I have an application where I am using
CFID/Cftoken as part of URL parameter.  They are currently being maintained
in the registry.

One of my clients emailed the URL (entire URL) to another individual (who
does not use this application at all) in totally different location.

When that user clicked on the link, he was logged in as the Client and was
able to access the entire system.

Huge Security Issue here.

What is the underlying cause of it?

If I change the session management parameters though the CF Administrator to
use cookies, is there other major work (code re-write) I need to do, since
the application has been developed using cfids/cftokens in the URL.

OR

Can I set the addtoken=no in the cflocation and prevent the tokens from
being append to URL..  If yes, are there any major repercussions.  Will this
work.

Asad 




Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:279033


RE: CFID-CFTOKEN Major Issues. HELP!!!!

2007-05-23 Thread Dave Watts
> I am having a huge problem right now, I have an application
> where I am using CFID/Cftoken as part of URL parameter.  They
> are currently being maintained in the registry.

As an aside, you really don't want to store client data in the registry. Use
a database instead.

> What is the underlying cause of it?

CFID and CFTOKEN are used to uniquely identify a client. If two clients use
the same values, they will appear to be the same client from your
application's perspective.

> If I change the session management parameters though the CF
> Administrator to use cookies, is there other major work (code
> re-write) I need to do, since the application has been
> developed using cfids/cftokens in the URL.

There is no session management parameter in the CF Administrator to let you
use cookies instead of URL parameters. Within the CF Administrator, you can
specify whether session management is enabled, what the default and maximum
timeouts are, and in CFMX, whether you use J2EE or CF session tokens.

If you're talking about client management, there is an option to use cookies
to store the actual client data. This is somewhat independent of whether you
use cookies or URL parameters as client tokens.

If your application is specifically looking for URL.CFID and URL.CFTOKEN,
you would need to rewrite your code if those variables didn't exist. You
could probably just set URL.CFID equal to Client.CFID, and URL.CFTOKEN equal
to Client.CFTOKEN, within Application.cfm as a relatively easy workaround.

> OR
>
> Can I set the addtoken=no in the cflocation and prevent the
> tokens from being append to URL..  If yes, are there any
> major repercussions.  Will this work.

If you didn't specifically disable cookies, they probably are being set, in
which case you can (usually) disable setting them in the URL. Check to see
if cookies are being set.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:279034
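
The situation explained in this message (two clients presenting the same CFID/CFTOKEN and so appearing as one) leaves a trace in web server logs when the tokens travel in the URL. The following is an added example, not code from any poster in the thread: it assumes combined-format access logs, and the log lines, addresses and token values are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format:
#   ip ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample data. The first client uses the application, then the
# same link is opened from a different address and browser.
SAMPLE_LOG = """\
198.51.100.7 - - [23/May/2007:19:58:02 -0400] "GET /app/index.cfm?CFID=1001&CFTOKEN=11112222 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.7 - - [23/May/2007:19:59:40 -0400] "GET /app/report.cfm?id=7&CFID=1001&CFTOKEN=11112222 HTTP/1.1" 200 9001 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.45 - - [23/May/2007:20:14:11 -0400] "GET /app/report.cfm?id=7&CFID=1001&CFTOKEN=11112222 HTTP/1.1" 200 9001 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/2.0"
192.0.2.10 - - [23/May/2007:20:15:00 -0400] "GET /app/index.cfm?cfid=1002&cftoken=33334444 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [23/May/2007:20:15:30 -0400] "GET /app/about.cfm HTTP/1.1" 200 800 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
this line is not in the expected format
"""


def extract_token(target):
    """Return (CFID, CFTOKEN) from a request target, or None.

    Parameter names are compared case-insensitively and both values must be
    present and non-empty; a lone CFID or CFTOKEN identifies nobody.
    """
    params = {}
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        params.setdefault(key.upper(), value)
    cfid, cftoken = params.get("CFID"), params.get("CFTOKEN")
    if cfid and cftoken:
        return cfid, cftoken
    return None


def find_shared_tokens(lines):
    """Map each URL-borne token pair to the source addresses that used it,
    keeping only pairs seen from more than one address.

    A hit is a lead, not proof: a user behind a proxy pool or on a changing
    mobile address also shows up, so compare user agents and times next.
    """
    seen = defaultdict(dict)            # token pair -> {ip: first user agent}
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue                    # skip lines in another format
        token = extract_token(match["target"])
        if token is None:
            continue
        seen[token].setdefault(match["ip"], match["agent"])
    return {tok: sorted(ips) for tok, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for (cfid, cftoken), ips in find_shared_tokens(SAMPLE_LOG.splitlines()).items():
        print(f"CFID={cfid} CFTOKEN={cftoken} used from {len(ips)} addresses: {', '.join(ips)}")
```
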


RE: CFID CFTOKEN ...MSN and search engine listings..

2006-10-02 Thread Ben Nadel
There is nothing that requires you to pass CFID CFTOKEN in URL unless
you are not using cookies or something. In CFLocation tags they even
have a boolean attribute for this:

<cflocation
    url=""
    addtoken="false"
    />

How are you doing session management?


..
Ben Nadel
Certified Advanced ColdFusion Developer
www.bennadel.com
 

-Original Message-
From: D F [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 02, 2006 11:37 AM
To: CF-Talk
Subject: CFID  CFTOKEN ...MSN and search engine listings..

Hi there, 

Our SEO guy gave me the following message, wanted to see what the
consensus was in the CF community in regards the CFID and CFTOKEN
variables passed in urls could be causing a problem to the search
engines ( MSN in particular ).

Is there a way to disable this feature in CF? 




Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:255020


Re: CFID CFTOKEN ...MSN and search engine listings..

2006-10-02 Thread Mary Jo Sminkey
> There is nothing that requires you to pass CFID CFTOKEN in URL unless
> you are not using cookies or something.

True, but what if you want to support users with cookies either on or off? 

My approach is to do a cookie check and add the CFID/CFTOKEN if they are turned 
off...but to also do a browser check (cgi.http_user_agent) and exclude any that 
have a common search engine string in them. That seems to do the trick 95% of 
the time... and is also useful for generating error messages (or not) as well, 
since some search engines seem particularly good at coming up with very 
misformed URLs.


Mary Jo Sminkey
http://www.cfwebstore.com
CFWebstore, ColdFusion E-commerce. 



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:255037


RE: CFID CFTOKEN ...MSN and search engine listings..

2006-10-02 Thread Ben Nadel
Mary Jo,

I like your approach. Nicely done. 

..
Ben Nadel
Certified Advanced ColdFusion Developer
www.bennadel.com
 


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:255084


Re: CFID CFTOKEN ...MSN and search engine listings..

2006-10-02 Thread D F
> but to also do a browser check (cgi.http_user_agent)
> and exclude any that have a common search engine string in them. That
> seems to do the trick 95% of the time

I've heard that this may cause penalties as far as ranking is concerned. 


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:255089


Re: CFID CFTOKEN ...MSN and search engine listings..

2006-10-02 Thread Mary Jo Sminkey
> I've heard that this may cause penalties as far as ranking is concerned.

Huh? Not including the CFID/CFTOKEN?? Why? If anything, it would *help* 
ranking. 

--- Mary Jo


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:255092


Re: CFID CFTOKEN ...MSN and search engine listings..

2006-10-02 Thread D F
> > I've heard that this may cause penalties as far as ranking is concerned.
>
> Huh? Not including the CFID/CFTOKEN?? Why? If anything, it would *help*
> ranking.
>
> --- Mary Jo

No, providing different data to Google spiders. If being checked by another 
spider from Google ( to check consistency ) and if different. Could be taken as 
trying to scam the system.

Just what I heard.


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:255094


Re: CFID CFTOKEN ...MSN and search engine listings..

2006-10-02 Thread Mary Jo Sminkey
> No, providing different data to Google spiders. If being checked by
> another spider from Google ( to check consistency ) and if different.
> Could be taken as trying to scam the system.

I'm not sure you understand exactly what I'm saying. The data on the page is no 
different, it's just a matter of whether the spider will get a URL with the 
session identifiers on it or not. If you are doing a cookie detection, normally 
it will add the identifiers for spiders, since they don't use cookies. All I'm 
doing is detecting the spider and treating it as if it *does* have cookies 
turned on, and leaving them off. So it can check for consistency all it wants, 
nothing is going to change on the page.

--- Mary Jo


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:255100


Re: CFID CFTOKEN in URL (in CF5)

2005-01-27 Thread Keith Gaughan
Paul Smith wrote:

> I'm re-doing a website to use Cookies to maintain state for sessions.  I'm
> only setting cookies in the browser.  I assume the coding below will delete
> cookies in the visitor's browser when they close it.  Not interested at
> this time in setting any cookies on the visitor's hard drive.  My
> application.cfm includes the following:
>
> <cfapplication
>   name="syp"
>   clientmanagement="Yes"
>   SessionManagement="yes"
>   setclientcookies="Yes">
>
> <CFCOOKIE NAME="CFID" VALUE="#CFID#"/>
> <CFCOOKIE NAME="CFTOKEN" VALUE="#CFTOKEN#"/>
>
> But when the home page is opened the following URL appears in the browser
> window:
>
> http://dev.smarteryellowpages.com/index.cfm?CFID=49911&CFTOKEN=63451286
>
> How do I delete the display of CFID/CFTOKEN and their values in the URL?

You realise that you're doing something that CF does itself when you've
got session management on? CF stores those in cookies itself if it can,
otherwise it maintains the session using URL rewriting, which is what
you saw. However, if it turns out that the browser accepts cookies, it
stops using URL rewriting.

Is there any particular reason why you're doing this? If it's that you
want the contents of the session itself in cookies (though I can't
fathom why), then why not just use client variables?

K.

-- 
Keith Gaughan, Developer
Digital Crew Ltd., Pembroke House, Pembroke Street, Cork, Ireland
http://digital-crew.com/


Message: http://www.houseoffusion.com/lists.cfm/link=i:4:192043


RE: CFID/CFTOKEN newbie question

2004-03-03 Thread Burns, John
Right, that's what I meant is the addtoken attribute.

John 

-Original Message-
From: Ubqtous [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 02, 2004 4:48 PM
To: CF-Talk
Subject: Re: CFID/CFTOKEN newbie question

John,

On 3/2/2004 at 16:41, you wrote:

BJ And you have the option to add the token in cflocations or you can 
BJ just append #urltoken# to the end of the link.

If client management is enabled in the application, the cflocation
attribute addtoken=yes will append CFID/CFTOKEN automatically.

~ Ubqtous ~




RE: CFID/CFTOKEN newbie question

2004-03-03 Thread Dave Watts
> > <cfcookie name="cookieTest" value="test" expires="never">
> > <cfif COOKIE.cookieTest NEQ "test">
> >     cookies not enabled code here
> > </cfif>
>
> The cookie isn't actually set until the page request setting the
> cookie completes; however, Cold Fusion makes the cookie value
> available during the page request. This means that the check for the
> cookie value has to occur on a subsequent page request to be of use.

While you're absolutely right about having to check for the cookie's
existence on a subsequent page, whether CF makes the cookie value available
during the page request is dependent on what version of CF you're using. It
does this with CFMX, but I don't think it does with CF 5, and I'm pretty
sure it doesn't with earlier versions.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444




RE: CFID/CFTOKEN newbie question

2004-03-03 Thread Burns, John
Well, something for everyone to consider is that there are government
institutions who are locking down machines to the point that they won't
accept cookies. I work for a gov't contractor doing stuff for the Navy,
and we can't use cookies on our applications because of the new computer
systems being installed (NMCI). I'm getting to the point now, that I'm
thinking it might just be easier to do apps without using cookies. Why
do a check for cookies and do one thing and without them do something
else. If you're going to take the time to code something else, just go
that way. Those are just my thoughts out of frustration for computers
that don't accept cookies. It makes things so much easier.

John Burns 

-Original Message-
From: Howie Hamlin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 02, 2004 4:50 PM
To: CF-Talk
Subject: Re: CFID/CFTOKEN newbie question

Bah - that's what I thought. So, how do you determine if the user has
cookies or not before you go through the trouble of adding them to the
url?

Thanks,

Howie
- Original Message -
From: Burns, John
To: CF-Talk
Sent: Tuesday, March 02, 2004 4:41 PM
Subject: RE: CFID/CFTOKEN newbie question

And you have the option to add the token in cflocations or you can
just
append #urltoken# to the end of the link.

John 

-Original Message-
From: Jeff Garza [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 02, 2004 4:31 PM
To: CF-Talk
Subject: Re: CFID/CFTOKEN newbie question

I believe that the only solution you have is to pass #URLTOKEN# in
every
link on the site.

Cheers,

Jeff Garza
Manager, Phoenix CFUG
[EMAIL PROTECTED]
 - Original Message -
 From: Howie Hamlin
 To: CF-Talk
 Sent: Tuesday, March 02, 2004 2:25 PM
 Subject: CFID/CFTOKEN newbie question

 Is there a best practice for handling CFID/CFTOKEN for browsers w/o
cookies?

 Thanks,

 Howie




RE: CFID/CFTOKEN newbie question

2004-03-03 Thread Burns, John
I'm not sure that will work. If it's on the same page, all of that is
processed on the CF side and it assumes that the cookie is set even
though it hasn't made it back to the user's machine yet. You'd have to
set the cookie on one page, and redirect to another page that checks to
see if the cookie is still there and make the decision that way. Note
that you can't cfcookie followed by a cflocation in anything before CFMX
6.1.

John Burns 

-Original Message-
From: Stephen Hait [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 02, 2004 5:16 PM
To: CF-Talk
Subject: Re: CFID/CFTOKEN newbie question

 Bah - that's what I thought. So, how do you determine if the user has

 cookies or not before you go through the trouble of adding them to the

 url?

<cfcookie name="cookieTest" value="test" expires="never">
<cfif COOKIE.cookieTest NEQ "test">
	cookies not enabled code here
</cfif>

HTH,
Stephen




Re: CFID/CFTOKEN newbie question

2004-03-03 Thread Ubqtous
John,

On 3/3/2004 at 09:32, you wrote:

BJ Right, that's what I meant is the addtoken attribute.

Sorry, my mental syntax checker was a little too literal when I read
your comment :)

~ Ubqtous ~




Re: CFID/CFTOKEN newbie question

2004-03-03 Thread Ubqtous
Dave,

On 3/3/2004 at 09:43, you wrote:

DW While you're absolutely right about having to check for the
DW cookie's existence on a subsequent page, whether CF makes the
DW cookie value available during the page request is dependent on
DW what version of CF you're using. It does this with CFMX, but I
DW don't think it does with CF 5, and I'm pretty sure it doesn't with
DW earlier versions.

I am 99.9% sure that CF5 allows you to access a cookie value on the
same page request that the cookie is set. I am not so sure about
CF4.5-...

~ Ubqtous ~




RE: CFID/CFTOKEN newbie question

2004-03-03 Thread Burns, John
I agree. I am 99.9% positive that CF5 allowed that. I went through the
whole cookie checking dilemma a couple of years ago and I was using CF5
and I'm pretty sure this was true.

John 

-Original Message-
From: Ubqtous [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 03, 2004 10:44 AM
To: CF-Talk
Subject: Re: CFID/CFTOKEN newbie question

Dave,

On 3/3/2004 at 09:43, you wrote:

DW While you're absolutely right about having to check for the cookie's

DW existence on a subsequent page, whether CF makes the cookie value 
DW available during the page request is dependent on what version of CF

DW you're using. It does this with CFMX, but I don't think it does with

DW CF 5, and I'm pretty sure it doesn't with earlier versions.

I am 99.9% sure that CF5 allows you to access a cookie value on the same
page request that the cookie is set. I am not so sure about CF4.5-...

~ Ubqtous ~




Re: CFID/CFTOKEN newbie question

2004-03-02 Thread Jeff Garza
I believe that the only solution you have is to pass #URLTOKEN# in every link on the site.

Cheers,

Jeff Garza
Manager, Phoenix CFUG
[EMAIL PROTECTED]
- Original Message - 
From: Howie Hamlin 
To: CF-Talk 
Sent: Tuesday, March 02, 2004 2:25 PM
Subject: CFID/CFTOKEN newbie question

Is there a best practice for handling CFID/CFTOKEN for browsers w/o cookies?

Thanks,

Howie




RE: CFID/CFTOKEN newbie question

2004-03-02 Thread Burns, John
And you have the option to add the token in cflocations or you can just
append #urltoken# to the end of the link.

John 

-Original Message-
From: Jeff Garza [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 02, 2004 4:31 PM
To: CF-Talk
Subject: Re: CFID/CFTOKEN newbie question

I believe that the only solution you have is to pass #URLTOKEN# in every
link on the site.

Cheers,

Jeff Garza
Manager, Phoenix CFUG
[EMAIL PROTECTED]
- Original Message -
From: Howie Hamlin
To: CF-Talk
Sent: Tuesday, March 02, 2004 2:25 PM
Subject: CFID/CFTOKEN newbie question

Is there a best practice for handling CFID/CFTOKEN for browsers w/o
cookies?

Thanks,

Howie




Re: CFID/CFTOKEN newbie question

2004-03-02 Thread Ubqtous
John,

On 3/2/2004 at 16:41, you wrote:

BJ And you have the option to add the token in cflocations or you can
BJ just append #urltoken# to the end of the link.

If client management is enabled in the application, the cflocation
attribute addtoken=yes will append CFID/CFTOKEN automatically.

~ Ubqtous ~




Re: CFID/CFTOKEN newbie question

2004-03-02 Thread Howie Hamlin
Bah - that's what I thought. So, how do you determine if the user has cookies or not before you go through the trouble of adding them to the url?

Thanks,

Howie
- Original Message - 
From: Burns, John 
To: CF-Talk 
Sent: Tuesday, March 02, 2004 4:41 PM
Subject: RE: CFID/CFTOKEN newbie question

And you have the option to add the token in cflocations or you can just
append #urltoken# to the end of the link.

John 

-Original Message-
From: Jeff Garza [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 02, 2004 4:31 PM
To: CF-Talk
Subject: Re: CFID/CFTOKEN newbie question

I believe that the only solution you have is to pass #URLTOKEN# in every
link on the site.

Cheers,

Jeff Garza
Manager, Phoenix CFUG
[EMAIL PROTECTED]
 - Original Message -
 From: Howie Hamlin
 To: CF-Talk
 Sent: Tuesday, March 02, 2004 2:25 PM
 Subject: CFID/CFTOKEN newbie question

 Is there a best practice for handling CFID/CFTOKEN for browsers w/o
cookies?

 Thanks,

 Howie




Re: CFID/CFTOKEN newbie question

2004-03-02 Thread Howie Hamlin
I have client management enabled but I don't want to see the CFID/CFTOKEN in the URL unless necessary. What's the best way of testing whether the client supports cookies before adding the URLTOKEN to every link?

Thanks,

Howie
- Original Message - 
From: Ubqtous 
To: CF-Talk 
Sent: Tuesday, March 02, 2004 4:48 PM
Subject: Re: CFID/CFTOKEN newbie question

John,

On 3/2/2004 at 16:41, you wrote:

BJ And you have the option to add the token in cflocations or you can
BJ just append #urltoken# to the end of the link.

If client management is enabled in the application, the cflocation
attribute addtoken=yes will append CFID/CFTOKEN automatically.

~ Ubqtous ~




Re: CFID/CFTOKEN newbie question

2004-03-02 Thread Stephen Hait
 Bah - that's what I thought. So, how do you determine if the user
 has cookies or not before you go through the trouble of adding them
 to the url?

<cfcookie name="cookieTest" value="test" expires="never">
<cfif COOKIE.cookieTest NEQ "test">
	cookies not enabled code here
</cfif>

HTH,
Stephen




RE: CFID/CFTOKEN newbie question

2004-03-02 Thread Brendan Avery
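Here's a JavaScript function I wrote for you so you can automatically
pop the URLToken on all links for a given host. It may do the trick for
you. Just include it on every page (works well as a footer include or
running on a body tag's onLoad event.)

<cfoutput>
	<script>
	AppendURLTokens('HOST NAME (I.e.) Domain Name Goes Here','#URLToken#);
	</script>
</cfoutput>

<script language="JavaScript">
// Append the URLToken to every link on the page that points at the given host.
function AppendURLTokens(host,urltoken) {
	var linkRef;
	for(var i=0;i<document.links.length;i++) {
		linkRef=document.links[i];
		if(linkRef.host==host) {
			// The right-hand sides below were lost in the archive and are
			// reconstructed from the surrounding logic.
			if(linkRef.search=='') {
				// no query string yet: start one
				linkRef.href=linkRef.href+'?'+urltoken;
			}
			else {
				// query string already present: add another parameter
				linkRef.href=linkRef.href+'&'+urltoken;
			}
		}
	}
}
</script>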

-Original Message-
From: Howie Hamlin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 02, 2004 3:52 PM
To: CF-Talk
Subject: Re: CFID/CFTOKEN newbie question

I have client management enabled but I don't want to see the
CFID/CFTOKEN in the URL unless necessary. What's the best way of
testing whether the client supports cookies before adding the URLTOKEN
to every link?

Thanks,

Howie
- Original Message - 
From: Ubqtous 
To: CF-Talk 
Sent: Tuesday, March 02, 2004 4:48 PM
Subject: Re: CFID/CFTOKEN newbie question

John,

On 3/2/2004 at 16:41, you wrote:

BJ And you have the option to add the token in cflocations or you can
BJ just append #urltoken# to the end of the link.

If client management is enabled in the application, the cflocation
attribute addtoken=yes will append CFID/CFTOKEN automatically.

~ Ubqtous ~




RE: CFID/CFTOKEN newbie question

2004-03-02 Thread Brendan Avery
Oops I missed an apostrophe in the function call: here's the fix:
<cfoutput>
	<script>
	AppendURLTokens('HOST NAME (I.e.) Domain Name Goes Here','#URLToken#');
	</script>
</cfoutput>

-Original Message-
From: Brendan Avery [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 02, 2004 4:27 PM
To: CF-Talk
Subject: RE: CFID/CFTOKEN newbie question

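Here's a JavaScript function I wrote for you so you can automatically
pop the URLToken on all links for a given host. It may do the trick for
you. Just include it on every page (works well as a footer include or
running on a body tag's onLoad event.)

<cfoutput>
	<script>
	AppendURLTokens('HOST NAME (I.e.) Domain Name Goes Here','#URLToken#);
	</script>
</cfoutput>

<script language="JavaScript">
// Append the URLToken to every link on the page that points at the given host.
function AppendURLTokens(host,urltoken) {
	var linkRef;
	for(var i=0;i<document.links.length;i++) {
		linkRef=document.links[i];
		if(linkRef.host==host) {
			// The right-hand sides below were lost in the archive and are
			// reconstructed from the surrounding logic.
			if(linkRef.search=='') {
				// no query string yet: start one
				linkRef.href=linkRef.href+'?'+urltoken;
			}
			else {
				// query string already present: add another parameter
				linkRef.href=linkRef.href+'&'+urltoken;
			}
		}
	}
}
</script>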

-Original Message-
From: Howie Hamlin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 02, 2004 3:52 PM
To: CF-Talk
Subject: Re: CFID/CFTOKEN newbie question

I have client management enabled but I don't want to see the
CFID/CFTOKEN in the URL unless necessary. What's the best way of
testing whether the client supports cookies before adding the URLTOKEN
to every link?

Thanks,

Howie
- Original Message - 
From: Ubqtous 
To: CF-Talk 
Sent: Tuesday, March 02, 2004 4:48 PM
Subject: Re: CFID/CFTOKEN newbie question

John,

On 3/2/2004 at 16:41, you wrote:

BJ And you have the option to add the token in cflocations or you can
BJ just append #urltoken# to the end of the link.

If client management is enabled in the application, the cflocation
attribute addtoken=yes will append CFID/CFTOKEN automatically.

~ Ubqtous ~




RE: CFID/CFTOKEN newbie question

2004-03-02 Thread Dave Watts
  Bah - that's what I thought. So, how do you determine if the user
  has cookies or not before you go through the trouble of adding them
  to the url?
 
 <cfcookie name="cookieTest" value="test" expires="never">
 <cfif COOKIE.cookieTest NEQ "test">
 	cookies not enabled code here
 </cfif>

You can't effectively test for the existence of a cookie on the same page in
which you set the cookie. You can only test for its existence on subsequent
pages.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444




Re: CFID/CFTOKEN newbie question

2004-03-02 Thread Jamie Jackson
You have to pass around cfid/cftoken in the URL, but I believe that
URLSessionFormat() will take some of the tedium out of it:
http://livedocs.macromedia.com/coldfusion/6/CFML_Reference/functions-pt2113.htm#4471249

Jamie

On Tue, 2 Mar 2004 16:25:11 -0500, in cf-talk you wrote:

Is there a best practice for handling CFID/CFTOKEN for browsers w/o cookies?

Thanks,

Howie






Re: CFID/CFTOKEN newbie question

2004-03-02 Thread Ubqtous
Stephen,

On 3/2/2004 at 17:15, you wrote:

SH <cfcookie name="cookieTest" value="test" expires="never">
SH <cfif COOKIE.cookieTest NEQ "test">
SH 	cookies not enabled code here
SH </cfif>

The cookie isn't actually set until the page request setting the
cookie completes; however, Cold Fusion makes the cookie value
available during the page request. This means that the check for the
cookie value has to occur on a subsequent page request to be of use.

~ Ubqtous ~




Re: CFID/CFTOKEN newbie question

2004-03-02 Thread Matt Robertson
is URLSessionFormat() for CF6+ only, or did it show up in CF5?

--
---
 Matt Robertson,[EMAIL PROTECTED]
 MSB Designs, Inc. http://mysecretbase.com
---

--




Re: CFID/CFTOKEN newbie question

2004-03-02 Thread Ben Doom
MX only. When I had to write for both, I wrote a very simple UDF so
that it worked in the code.

Basically, look to see if the contents contain a '?'. If so, append the
CFID and CFTOKEN with ampersands. Else, the first one gets a question mark.

--Ben Doom

Matt Robertson wrote:

 is URLSessionFormat() for CF6+ only, or did it show up in CF5?
 
 --
 ---
 Matt Robertson,[EMAIL PROTECTED]
 MSB Designs, Inc. http://mysecretbase.com
 ---
 
 --
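
The "?" versus "&" rule described in the message above, as an added JavaScript example that is not code from the thread. It goes a little further than the rule itself: the fragment stays in place, a stale CFID/CFTOKEN on the link is replaced rather than duplicated, and links to any other host are left untouched. The `appHost` parameter and the sample values are assumptions.

```javascript
'use strict';

// Added example, not code from the thread.
// urlToken : the "CFID=...&CFTOKEN=..." string ColdFusion exposes as URLToken
// appHost  : the only host allowed to receive the token (hypothetical parameter)
function appendUrlToken(href, urlToken, appHost) {
  let url;
  try {
    // Resolve relative links against the application host.
    url = new URL(href, 'http://' + appHost + '/');
  } catch (err) {
    return href; // not parseable as a URL: leave it alone
  }

  // Only http(s) links to the application itself get the token. Links to any
  // other host (or mailto:, javascript:, ...) are returned unchanged, so the
  // client identifier is never handed to a third party.
  const isWeb = /^https?:$/.test(url.protocol);
  if (!isWeb || url.host.toLowerCase() !== appHost.toLowerCase()) {
    return href;
  }

  const token = new URLSearchParams(urlToken);
  const tokenNames = new Set([...token.keys()].map((k) => k.toLowerCase()));

  // Drop any CFID/CFTOKEN already on the link (compared case-insensitively),
  // so an old value is replaced instead of being sent twice.
  for (const name of [...url.searchParams.keys()]) {
    if (tokenNames.has(name.toLowerCase())) {
      url.searchParams.delete(name);
    }
  }
  for (const [name, value] of token) {
    url.searchParams.append(name, value);
  }

  // Serialisation places "?" or "&" correctly and keeps the fragment after
  // the query string.
  return url.toString();
}

// Constructed sample values for a quick manual run.
const SAMPLE_TOKEN = 'CFID=28303&CFTOKEN=12345678';
const SAMPLE_HOST = 'www.example.com';
```
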





Re: CFID/CFTOKEN newbie question

2004-03-02 Thread Butch Zaccheo
I don't see it in the CF5 Reference

BZaccheo

On 3/2/04 3:03 PM, Matt Robertson [EMAIL PROTECTED] wrote:

 is URLSessionFormat() for CF6+ only, or did it show up in CF5?
 
 --
 ---
Matt Robertson,[EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
 ---
 
 --
 





RE: CFID/CFTOKEN newbie question

2004-03-02 Thread Debbie Dickerson
It was introduced in CFMX.
http://www.macromedia.com/support/coldfusion/ts/documents/cfmlhistory.htm

_

From: Matt Robertson [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 02, 2004 6:04 PM
To: CF-Talk
Subject: Re: CFID/CFTOKEN newbie question

is URLSessionFormat() for CF6+ only, or did it show up in CF5?

--
---
Matt Robertson,[EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
---

-- 
_




RE: CFID/CFTOKEN newbie question

2004-03-02 Thread Andrew Scott
Actually no it's not, you can also pass them via a hidden input into forms
instead of that.

Regards
Andrew Scott
Technical Consultant

NuSphere Pty Ltd
Level 2/33 Bank Street
South Melbourne, Victoria, 3205

Phone: 03 9686 0485-Fax: 03 9699 7976

_

From: Jeff Garza [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 3 March 2004 8:31 AM
To: CF-Talk
Subject: Re: CFID/CFTOKEN newbie question

I believe that the only solution you have is to pass #URLTOKEN# in every
link on the site.

Cheers,

Jeff Garza
Manager, Phoenix CFUG
[EMAIL PROTECTED]
- Original Message - 
From: Howie Hamlin 
To: CF-Talk 
Sent: Tuesday, March 02, 2004 2:25 PM
Subject: CFID/CFTOKEN newbie question

Is there a best practice for handling CFID/CFTOKEN for browsers w/o
cookies?

Thanks,

Howie 
_




RE: CFID/CFTOKEN newbie question

2004-03-02 Thread Stephen Hait
   Bah - that's what I thought. So, how do you determine if the
   user has cookies or not before you go through the trouble of
   adding them to the url?
  
  <cfcookie name="cookieTest" value="test" expires="never">
  <cfif COOKIE.cookieTest NEQ "test">
  	cookies not enabled code here
  </cfif>
 
 You can't effectively test for the existence of a cookie on the same
 page in which you set the cookie. You can only test for its
 existence on subsequent pages.
 
 Dave Watts, CTO, Fig Leaf Software

Ah! Right. Thanks for making that point.
Stephen




Re: CFID/CFTOKEN newbie question

2004-03-02 Thread Stephen Hait
 Stephen,
 
 On 3/2/2004 at 17:15, you wrote:
 
 SH <cfcookie name="cookieTest" value="test" expires="never">
 SH <cfif COOKIE.cookieTest NEQ "test">
 SH 	cookies not enabled code here
 SH </cfif>
 
 The cookie isn't actually set until the page request setting the
 cookie completes; however, Cold Fusion makes the cookie value
 available during the page request. This means that the check for the
 cookie value has to occur on a subsequent page request to be of use.
 
 ~ Ubqtous ~

Thanks for clarifying that.
Stephen




RE: CFID, CFTOKEN contains invalid characters

2004-01-21 Thread Mosh Teitelbaum
To follow up on this, we've now figured out that all of the bad requests are
coming from a single source, the WiseNut search engine crawler. So, we can
work towards clearing up the problem but it would still be nice to know
what, exactly, is happening here.

Thanks.

--
Mosh Teitelbaum
evoch, LLC
Tel: (301) 942-5378
Fax: (301) 933-3651
Email: [EMAIL PROTECTED]
WWW: http://www.evoch.com/

-Original Message-
From: Mosh Teitelbaum [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 21, 2004 4:02 PM
To: CF-Talk
Subject: CFID, CFTOKEN contains invalid characters

All:

I'm working on a site that used to be hosted on a CF5 system. It was
recently migrated over to a new host running on a CFMX system and now the CF
logs are showing sporadic error messages like the following:

Error,jrpp-3345,01/20/04,05:31:01,foo,CFID, CFTOKEN contains
invalid characters. This exception is caused by either broken links, or
security attacks. The invalid id is
d583cf74ea9b3527-337A0D57-9D87-71FD-2069F8FAF5AF2BD0/ The specific sequence
of files included or processed is: E:\foo.com\webroot\index.cfm

I've tried sticking the supplied invalid CFTOKEN into the URL on a CF5 box
and it handles it without a problem (i.e.,
http://www.foo.com/index.cfm?CFID=6&CFTOKEN=79f85dc35bd10ce1-273F1CD8-9F31-E3A6-B82095AB1C2B166F/)
but doing so on a CFMX box causes it to barf. Simply
removing the trailing slash from the URL makes everything all better on
CFMX.

The only thing I could think of is that the CFID/CFTOKEN (which are stored
as cookies) are holdovers from the previous site. Is it possible that the
CFTOKEN mechanism changed from CF5 to CFMX so that it no longer supports
foreslashes in the value?

BTW, I've already checked the archives about this and the only thing I could
find about it doesn't seem to apply here.

TIA

--
Mosh Teitelbaum
evoch, LLC
Tel: (301) 942-5378
Fax: (301) 933-3651
Email: [EMAIL PROTECTED]
WWW: http://www.evoch.com/




RE: CFID, CFTOKEN contains invalid characters

2004-01-21 Thread Dave Watts
 The only thing I could think of is that the CFID/CFTOKEN (which 
 are stored as cookies) are holdovers from the previous site. Is 
 it possible that the CFTOKEN mechanism changed from CF5 to CFMX 
 so that it no longer supports foreslashes in the value?

Yes, that's certainly possible. It shouldn't have supported them before,
with GUID/UUID values for CFTOKEN, since that's not a valid character within
a UUID.

I'd recommend that you try stripping the character in cases where you get
this error. You should probably be able to do this within an exception
handling page or within your site-wide error handler, if not within the
actual page with the error (probably Application.cfm?)

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
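
An added example, not code from the thread, of the check and repair discussed above: accept CFID/CFTOKEN only when they match the shapes of the values quoted in this thread, and try stripping a trailing slash before rejecting. The two patterns are inferred from those quoted values and are an assumption, as is the function naming; the request list is constructed.

```javascript
'use strict';

// Added example, not code from the thread.
// Assumed shapes (inferred from the values quoted in the thread):
//   CFID    : decimal number
//   CFTOKEN : decimal number, or 16 hex digits followed by an
//             8-4-4-16 hex UUID
const CFID_RE = /^\d{1,10}$/;
const CFTOKEN_RE =
  /^(?:\d{1,10}|[0-9a-f]{16}-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{16})$/i;

// Case-insensitive lookup of one query-string parameter.
function getParam(params, wanted) {
  for (const [name, value] of params) {
    if (name.toLowerCase() === wanted) return value;
  }
  return null;
}

// Classify the CFID/CFTOKEN pair carried by one query string.
function checkClientToken(queryString) {
  const params = new URLSearchParams(queryString);
  const cfid = getParam(params, 'cfid');
  const rawToken = getParam(params, 'cftoken');

  if (cfid === null && rawToken === null) return { status: 'absent' };
  if (cfid === null || rawToken === null) {
    return { status: 'rejected', reason: 'incomplete CFID/CFTOKEN pair' };
  }
  if (!CFID_RE.test(cfid)) {
    return { status: 'rejected', reason: 'CFID is not numeric' };
  }
  if (CFTOKEN_RE.test(rawToken)) {
    return { status: 'valid', cfid, cftoken: rawToken };
  }

  // The one repair the thread describes: drop trailing slashes, then
  // validate again. Anything else that fails the pattern is rejected.
  const stripped = rawToken.replace(/\/+$/, '');
  if (stripped !== rawToken && CFTOKEN_RE.test(stripped)) {
    return { status: 'repaired', cfid, cftoken: stripped };
  }
  return { status: 'rejected', reason: 'CFTOKEN has unexpected characters' };
}

// Count outcomes over a list of request paths, e.g. taken from an access log.
function triage(requestPaths) {
  const counts = { valid: 0, repaired: 0, rejected: 0, absent: 0 };
  for (const path of requestPaths) {
    const q = path.includes('?') ? path.slice(path.indexOf('?') + 1) : '';
    counts[checkClientToken(q).status] += 1;
  }
  return counts;
}

// Constructed request list; the two long token values are the ones quoted
// in the thread, the rest are made up.
const SAMPLE_REQUESTS = [
  '/index.cfm?CFID=6&CFTOKEN=79f85dc35bd10ce1-273F1CD8-9F31-E3A6-B82095AB1C2B166F/',
  '/index.cfm?CFID=28303&CFTOKEN=12345678',
  '/index.cfm?CFID=6&CFTOKEN=d583cf74ea9b3527-337A0D57-9D87-71FD-2069F8FAF5AF2BD0',
  '/index.cfm?CFID=6&CFTOKEN=not-a-token',
  '/about.cfm',
];
```
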




RE: CFID, CFTOKEN contains invalid characters

2004-01-21 Thread Mosh Teitelbaum
Thanks Dave. I'll look into that.

--
Mosh Teitelbaum
evoch, LLC
Tel: (301) 942-5378
Fax: (301) 933-3651
Email: [EMAIL PROTECTED]
WWW: http://www.evoch.com/

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 21, 2004 5:11 PM
To: CF-Talk
Subject: RE: CFID, CFTOKEN contains invalid characters

 The only thing I could think of is that the CFID/CFTOKEN (which
 are stored as cookies) are holdovers from the previous site. Is
 it possible that the CFTOKEN mechanism changed from CF5 to CFMX
 so that it no longer supports foreslashes in the value?

Yes, that's certainly possible. It shouldn't have supported them before,
with GUID/UUID values for CFTOKEN, since that's not a valid character within
a UUID.

I'd recommend that you try stripping the character in cases where you get
this error. You should probably be able to do this within an exception
handling page or within your site-wide error handler, if not within the
actual page with the error (probably Application.cfm?)

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444




RE: CFID CFTOKEN Unexplicably incrementing

2002-05-06 Thread Andy Ousterhout

I am not sure what you are referring to with XXautotoken.  I just use
session.URLToken which works perfectly(which I copy to variable.URLToken in
the application.cfm):

<form action="../action/getprodact.cfm?#URLToken#" method="post"
enctype="multipart/form-data" name="findprodfrm">

Andy

-Original Message-
From: Jas Panesar [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 06, 2002 8:04 PM
To: CF-Talk
Subject: CFID  CFTOKEN Unexplicably incrementing


Hi Guys,

I am having a problem with one of my session applications.

Basically, I am cutting out the cookie that is planted by
cfapplication, in lieu of the IE6 Third-Party cookie denial by default.
(My code is generating a part of a website for another domain.)

MY APPLICATION.CFM does the following:

<cfapplication name="theAPP"
clientmanagement="Yes"
sessionmanagement="Yes"
setclientcookies="No"
sessiontimeout="#CreateTimeSpan(0,0,20,0)#"
applicationtimeout="#CreateTimeSpan(1,0,20,0)#">

<cflock timeout="30" throwontimeout="Yes" name="SessionLock">
<cfparam name="Session.autotoken"
default="?CFID=#session.cfid#&CFTOKEN=#session.cftoken#">
<cfparam name="Session.XXautotoken"
default="CFID=#session.cfid#&CFTOKEN=#session.cftoken#">
</cflock>

SO, at this point, the CFID and CFTOKEN should be stored in
session.autotoken and session.XXautotoken respectively, correct?
(I am referencing
http://www.cfhub.com/adavanced/managing_state/cookies.cfm)

Now, when the application goes into the main menu after logging in to
the system and creating the session, I have it generate a link with the
#XXAutoToken# embedded.

When I go to browse it on the browser, do a View Source, it shows the
CFID as being incremented by 1 (+1).  Meaning, if my CFID in my Address
bar in my browser is 28303, the one embedded in the page it self is
28304.  Also, obviously, it changes the CFTOKEN.

To me, it seems to be regenerating the CFID / CFTOKEN somehow.  I am
sure someone has seen this already, thoughts / comments would be
appreciated.

Thanks in Advance,
Jas


FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists




Re: CFID CFTOKEN Unexplicably incrementing

2002-05-06 Thread Joseph Thompson

That login script... is it using a CFLOCATION?  Does that CFLOCATION include
an AddToken=Yes attribute?

That script was originally designed to work in conjunction with cookies... I
didn't actually see the
IsDefined("Cookie.CFTOKEN")
bit in your post... although the rest looks familiar :-)

Now, when the application goes into the main menu after logging in to
the system and creating the session, I have it generate a link with the
#XXAutoToken# embedded.

 SO, at this point, the CFID and CFTOKEN should be stored in
 session.autotoken and session.XXautotoken respectively, correct?
 (I am referencing
 http://www.cfhub.com/adavanced/managing_state/cookies.cfm)






RE: CFID CFTOKEN

2001-11-14 Thread Dave Watts

 1) I have an application with lots of different user profiles.
 If I log in as one user, and a colleague logs in as another 
 user and changes his CFID and CFTOKEN to be the same as mine 
 (for testing purposes), he is instantly given full access to 
 my session. Is there any way I can stop this from happening 
 (for example log them out if their CFID or TOKEN changes)?

The short answer is no. CF uses CFID and CFTOKEN to track a user - if you
change them, CF will think you're a different user. You might set an
additional cookie, and make sure that the cookie value corresponds with what
you expect, but if you're passing CFID and CFTOKEN on the URL to avoid using
cookies, that won't help much. Likewise, you might track the user's IP
address in the session, and test to ensure that the user is at the same
address as with previous requests, but in some cases a user's IP address
does legitimately change over the lifetime of a session - AOL users, for
example, may have many different addresses during a single session.

 2) Does anyone know any JavaScript that will stop a user from 
 clicking the Close button on their browser, and bring up an 
 alert telling them they must log out?

No, there's nothing to stop a user from closing whatever applications they
like, although you might make it as difficult as you can with onUnload
events and the like. For good examples of this kind of stuff, just browse a
few porn sites - those guys know their JavaScript!

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
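
The additional-cookie check suggested in the reply above, shown as an added JavaScript (Node.js) example rather than CFML; it is not code from the thread. The cookie name `SESSIONBIND`, the in-memory session store and the sample identifiers are assumptions. As the reply notes, the check only helps clients that accept cookies.

```javascript
'use strict';
const crypto = require('crypto');

// Added example, not code from the thread.
// In-memory stand-in for the server's session store (constructed).
const sessions = new Map();

const sha256 = (text) =>
  crypto.createHash('sha256').update(String(text), 'utf8').digest();

// At login: create a random binding value, keep only its hash in the
// session, and return the value to be sent to the browser as an extra
// cookie (hypothetical name: SESSIONBIND).
function startSession(cfid, cftoken, user) {
  const bindCookie = crypto.randomBytes(32).toString('hex');
  sessions.set(cfid + ':' + cftoken, {
    user,
    bindHash: sha256(bindCookie),
  });
  return bindCookie;
}

// On every request: CFID/CFTOKEN select the session, and the extra cookie
// must be the one issued to that session. Copying CFID/CFTOKEN into a
// different browser does not carry the cookie along.
function authorize(request) {
  const session = sessions.get(request.cfid + ':' + request.cftoken);
  if (!session) {
    return { ok: false, reason: 'no such session' };
  }
  const presented = request.cookies ? request.cookies.SESSIONBIND : undefined;
  if (typeof presented !== 'string' || presented.length === 0) {
    return { ok: false, reason: 'binding cookie missing' };
  }
  // Compare fixed-length digests in constant time.
  if (!crypto.timingSafeEqual(sha256(presented), session.bindHash)) {
    return { ok: false, reason: 'binding cookie mismatch' };
  }
  return { ok: true, user: session.user };
}

// Constructed walk-through: two users log in, then the second one reuses
// the first user's CFID/CFTOKEN with his own cookie jar.
function demo() {
  sessions.clear();
  const ownerCookie = startSession('28303', '12345678', 'owner');
  const otherCookie = startSession('28304', '87654321', 'colleague');
  return {
    owner: authorize({
      cfid: '28303', cftoken: '12345678',
      cookies: { SESSIONBIND: ownerCookie },
    }),
    copiedIdsOwnCookie: authorize({
      cfid: '28303', cftoken: '12345678',
      cookies: { SESSIONBIND: otherCookie },
    }),
    copiedIdsNoCookie: authorize({
      cfid: '28303', cftoken: '12345678',
      cookies: {},
    }),
  };
}
```
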



Re: CFID CFTOKEN

2001-11-14 Thread tom muck

You can put some code in your Application.cfm to automatically log out a
user if they close a browser:

<cflock scope="Session" timeout="30" type="readonly">
  <cfcookie name="CFID" value="#SESSION.CFID#">
  <cfcookie name="CFTOKEN" value="#SESSION.CFTOKEN#">
</cflock>

tom
www.basic-ultradev.com


 2) Does anyone know any JavaScript that will stop a user from clicking
 the Close button on their browser, and bring up an alert telling them
 they must log out?





Re: CFID CFTOKEN

2001-11-14 Thread Stephen Moretti

Ryan,


 I have two questions that are slightly related:

 1) I have an application with lots of different user profiles.
 If I log in as one user, and a colleague logs in as another user and
 changes his CFID and CFTOKEN to be the same as mine (for testing
 purposes), he is instantly given full access to my session.
 Is there any way I can stop this from happening (for example log them
 out if their CFID or TOKEN changes)?

Simple solution, but easy to get around is to compare...  No its gone... I
forget what you're supposed to do.  Whoops Sorry...

 2) Does anyone know any JavaScript that will stop a user from clicking
 the Close button on their browser, and bring up an alert telling them
 they must log out?

Use the onUnload element on the BODY tag of your pages to call a page that
will log the user out automatically.

Regards

Stephen



Re: CFID CFTOKEN

2001-11-14 Thread Douglas L. Brown

It really is not much of a security issue, with CF using both the CFTOKEN &
CFID it would be a far fetched occurrence that someone can guess the right
sequence of numbers to use. If it were possible then all these e-commerce
sites would be in dire jeopardy.



DB
- Original Message -
From: tom muck [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Wednesday, November 14, 2001 8:02 AM
Subject: Re: CFID  CFTOKEN


 You can put some code in your Application.cfm to automatically log out a
 user if they close a browser:

 <cflock scope="Session" timeout="30" type="readonly">
   <cfcookie name="CFID" value="#SESSION.CFID#">
   <cfcookie name="CFTOKEN" value="#SESSION.CFTOKEN#">
 </cflock>

 tom
 www.basic-ultradev.com


  2) Does anyone know any JavaScript that will stop a user from clicking
  the Close button on their browser, and bring up an alert telling them
  they must log out?


 



RE: CFID CFTOKEN

2001-11-14 Thread Rich Wild

I seem to remember that there is a way of forcing CF to create the CFID (or
was it CFTOKEN) as a UUID.. that should stop people guessing... or at
the very least make it harder.

 -Original Message-
 From: Douglas L. Brown [mailto:[EMAIL PROTECTED]]
 Sent: 14 November 2001 16:27
 To: CF-Talk
 Subject: Re: CFID  CFTOKEN
 
 
 It really is not much of a security issue, with CF using both 
 the CFTOKEN &
 CFID it would be a far fetched occurrence that someone can 
 guess the right
 sequence of numbers to use. If it were possible then all 
 these e-commerce
 sites would be in dire jeopardy.
 
 
 
 DB
 - Original Message -
 From: tom muck [EMAIL PROTECTED]
 To: CF-Talk [EMAIL PROTECTED]
 Sent: Wednesday, November 14, 2001 8:02 AM
 Subject: Re: CFID & CFTOKEN
 
 
  You can put some code in your Application.cfm to automatically log out a
  user if they close a browser:
 
  <!--- Re-issue CFID/CFTOKEN as cookies with no EXPIRES, so they end with the browser session --->
  <cflock scope="Session" timeout="30" type="readonly">
    <CFCOOKIE NAME="CFID" VALUE="#SESSION.CFID#">
    <CFCOOKIE NAME="CFTOKEN" VALUE="#SESSION.CFTOKEN#">
  </cflock>
 
  tom
  www.basic-ultradev.com
 
 
   2) Does anyone know any JavaScript that will stop a user 
 from clicking
   the Close button on their browser, and bring up an alert 
 telling them
   they must log out?
 
 
  
 



RE: CFID CFTOKEN

2001-11-14 Thread Dave Wilson

Hi Ryan,

All you need do is run a few lines of code at the top of each page (or even
in the application.cfm) to check and see if the cfid and cftoken values
passed via the url are in fact the same as the session.cfid and
session.cftoken variables.

If different, then relocate to a logout script.

something like this would suffice:

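<!--- Send the user to the logout script when the URL tokens differ from the session's own --->
<cfif url.cfid neq #session.cfid# OR url.cftoken neq #session.cftoken#>
<cflocation url="logout.cfm">
</cfif>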

You could also add a few other variables in there to compare, such as the
loginID of the user, etc.

You can even extend the logout.cfm page to include some sort of logging in
order to monitor violations of security within your app by recording the
violating user's details and time of violation etc. This way you could
apprehend offending users with concrete evidence.

HTH,
Dave




 -Original Message-
 From: Ryan Edgar [mailto:[EMAIL PROTECTED]]
 Sent: 14 November 2001 15:35
 To: CF-Talk
 Subject: CFID & CFTOKEN


 I have two questions that are slightly related:

 1) I have an application with lots of different user profiles.
 If I log in as one user, and a colleague logs in as another user and
 changes his CFID and CFTOKEN to be the same as mine (for testing
 purposes), he is instantly given full access to my session.
 Is there any way I can stop this from happening (for example log them
 out if their CFID or TOKEN changes)?

 2) Does anyone know any JavaScript that will stop a user from clicking
 the Close button on their browser, and bring up an alert telling them
 they must log out?

 TIA

 Ryan Edgar
 Web Applications Developer
 BizNet
 Head Office
 133-137 Lisburn Road, Belfast
 Northern Ireland BT9 7AG
 T +44 (0) 28 9022 3224
 F +44 (0) 28 9022 3223
 E [EMAIL PROTECTED]
 W biznet-solutions.com
 



RE: cfid/cftoken

2001-04-16 Thread Ken Beard

thanks for the info, but i still have one question..
when a user goes to another cf server with a cfid/token from the first 
server... does the new server make a new cfid/cftoken or does it use the 
one from the other server?  If it does make a new one, does that overwrite 
the first one?
thanks
Ken

At 11:08 AM 4/13/01 -0500, you wrote:
Ken,
 The cfid is incremented by one per user for that particular server.
The cftoken is a randomly generated number.  By putting the two together you
get a unique id that in theory is unique to each individual user, but I
would not suggest trying to use that in a multiserver environment.  I have
seen problems in the past using a domain cookie to span multiple servers.  A
cluster that "sticks" an individual to a particular server once they have
started their session is the best way to go, if possible.

CW

-Original Message-
From: Ken Beard [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 13, 2001 1:52 PM
To: CF-Talk
Subject: cfid/cftoken


does cfid relate to the application and cftoken relate to the individual
user?  or does each user get one urltoken variable (cfid+cftoken) and that
is their identity for all applications on that server?  what about if
they're using multiple cf servers?  does cfid relate to the id of that
server? or would the domain of the cookie handle that?

-
Ken Beard
Manager, Application Development
Stone Ground Solutions
5100 West Kennedy Blvd, Suite 430
Tampa FL  33602
813.387.1235 voice
866.767.4051 toll free
813.387.1237 fax
www.stoneground.com




RE: cfid/cftoken

2001-04-13 Thread Christian L. Watt

Ken,
The cfid is incremented by one per user for that particular server.
The cftoken is a randomly generated number.  By putting the two together you
get a unique id that in theory is unique to each individual user, but I
would not suggest trying to use that in a multiserver environment.  I have
seen problems in the past using a domain cookie to span multiple servers.  A
cluster that "sticks" an individual to a particular server once they have
started their session is the best way to go, if possible.

CW

-Original Message-
From: Ken Beard [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 13, 2001 1:52 PM
To: CF-Talk
Subject: cfid/cftoken


does cfid relate to the application and cftoken relate to the individual 
user?  or does each user get one urltoken variable (cfid+cftoken) and that 
is their identity for all applications on that server?  what about if 
they're using multiple cf servers?  does cfid relate to the id of that 
server? or would the domain of the cookie handle that?

-
Ken Beard
Manager, Application Development
Stone Ground Solutions
5100 West Kennedy Blvd, Suite 430
Tampa FL  33602
813.387.1235 voice
866.767.4051 toll free
813.387.1237 fax
www.stoneground.com



RE: CFID / CFToken

2001-03-26 Thread Steve Martin

The CFID and CFTOKEN are NOT automatically appended to the URL when a page
is served.
I guess you really want to find out how to stop CFID & CFTOKEN being passed
to the browser as cookies as that is how they are passed by default.
Firstly, make sure SETCLIENTCOOKIES is set to NO in your CFAPPLICATION.
Secondly, if the above attribute was at any point set to on then any cookies
that were set then will still get passed back with browser requests. To stop
this you will have to delete them from the browser by using <CFCOOKIE
name="cfid" expires="now"> ditto for cftoken.


-Original Message-
From: Adkins, Randy [mailto:[EMAIL PROTECTED]]
Sent: 26 March 2001 17:22
To: CF-Talk
Subject: CFID / CFToken


Can anyone point me to a place I can find out how
to STOP the CFID/CFTOKEN from being appended
to the URL when pages are served to the browser?

Thanks.



RE: CFID / CFToken

2001-03-26 Thread Dylan Bromby

if, by chance, this is happening as a result of using CFLOCATION, set
ADDTOKEN=NO.

-Original Message-
From: Steve Martin [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 26, 2001 8:52 AM
To: CF-Talk
Subject: RE: CFID / CFToken


The CFID and CFTOKEN are NOT automatically appended to the URL when a page
is served.
I guess you really want to find out how to stop CFID & CFTOKEN being passed
to the browser as cookies as that is how they are passed by default.
Firstly, make sure SETCLIENTCOOKIES is set to NO in your CFAPPLICATION.
Secondly, if the above attribute was at any point set to on then any cookies
that were set then will still get passed back with browser requests. To stop
this you will have to delete them from the browser by using <CFCOOKIE
name="cfid" expires="now"> ditto for cftoken.


-Original Message-
From: Adkins, Randy [mailto:[EMAIL PROTECTED]]
Sent: 26 March 2001 17:22
To: CF-Talk
Subject: CFID / CFToken


Can anyone point me to a place I can find out how
to STOP the CFID/CFTOKEN from being appended
to the URL when pages are served to the browser?

Thanks.
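The ADDTOKEN advice in this exchange can be checked across a whole code base rather than tag by tag. The following is an added example, not code from anyone in the thread: a Python scan that reports every CFLOCATION tag that omits ADDTOKEN or sets it to something other than no/false/0. The function name and the sample CFML are constructed for illustration.

```python
import re

# CFML comments (<!--- ... --->); nested comments are not handled here.
COMMENT_RE = re.compile(r"<!---.*?--->", re.DOTALL)
# One <cflocation ...> tag, any case, possibly spanning lines.
# Assumption: no literal ">" appears inside an attribute value.
CFLOCATION_RE = re.compile(r"<cflocation\b([^>]*)>", re.IGNORECASE)
# name="value", name='value' or bare name=value
ATTR_RE = re.compile(r"""([A-Za-z_]\w*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")

# Values that switch token appending off.
OFF_VALUES = {"no", "false", "0"}

# Constructed sample template, not taken from any real application.
SAMPLE_CFML = '''<cfif NOT IsDefined("Session.LoggedIn")>
  <cflocation url="login.cfm">
</cfif>
<!--- <cflocation url="old.cfm"> retired redirect --->
<CFLOCATION URL="menu.cfm"
            ADDTOKEN="No">
<cflocation url="report.cfm" addtoken="yes">
<cflocation url=home.cfm addtoken=no>
'''


def find_token_leaking_redirects(source):
    """Return (line_number, tag_text) for each redirect that may append CFID/CFTOKEN."""
    # Blank out comments but keep their newlines so line numbers stay correct.
    cleaned = COMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), source)
    findings = []
    for tag in CFLOCATION_RE.finditer(cleaned):
        attrs = {}
        for attr in ATTR_RE.finditer(tag.group(1)):
            value = next(v for v in attr.groups()[1:] if v is not None)
            attrs[attr.group(1).lower()] = value.strip()
        addtoken = attrs.get("addtoken")
        # A missing attribute is flagged, and so is a dynamic value such as
        # "#someVar#", because the scan cannot prove that it evaluates to "no".
        if addtoken is None or addtoken.lower() not in OFF_VALUES:
            line = cleaned.count("\n", 0, tag.start()) + 1
            findings.append((line, " ".join(tag.group(0).split())))
    return findings


if __name__ == "__main__":
    for line, text in find_token_leaking_redirects(SAMPLE_CFML):
        print(f"line {line}: {text}")
```
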



RE: CFID-CFTOKEN Confusion (newbie)

2000-11-09 Thread Scott Wolf

I have my own question that's somewhat related to this
thread.  Is there any way that I can save the CFID and
CFTOKEN into a database?  Please let me know.  Thanks
in advance.

Scott Wolf
Goodfriend Computer Training

-Original Message-
From: Aidan Whitehall [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 08, 2000 1:13 PM
To: CF-Talk
Subject: RE: CFID-CFTOKEN Confusion (newbie)


 is it possible that two (or more) users have the same cfid&cftoken ?
 <cfif yes>
 Which is the best way to identify a (unique) user session ?

No. It's safe to assume that every user is assigned (and subsequently
returns) a unique CFID and CFTOKEN combination.

In fact, if you use session variables, ColdFusion makes exactly that
assumption and uses the CFID/CFTOKEN pair sent by the browser to marry
up
browser requests with session variables previously set on the server.



-- 
Aidan Whitehall [EMAIL PROTECTED]
Netshopper UK Ltd
Advanced Web Solutions  Services

http://www.netshopperuk.com/
Telephone +44 (01744) 648650
Fax +44 (01744) 648651





RE: CFID-CFTOKEN Confusion (newbie)

2000-11-09 Thread Nick Betts

To store these little beauties you first need to specify in CF Administrator
that you wish to store Client variables in a datasource and not in the
default Registry.  See CF Guides for examples on doing this..

Nick Betts
Software Engineer
PoulterNet, Leeds, UK

-Original Message-
From: Scott Wolf [mailto:[EMAIL PROTECTED]]
Sent: 09 November 2000 13:58
To: CF-Talk
Subject: RE: CFID-CFTOKEN Confusion (newbie)


I have my own question that's somewhat related to this
thread.  Is there any way that I can save the CFID and
CFTOKEN into a database?  Please let me know.  Thanks
in advance.

Scott Wolf
Goodfriend Computer Training

-Original Message-
From: Aidan Whitehall [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 08, 2000 1:13 PM
To: CF-Talk
Subject: RE: CFID-CFTOKEN Confusion (newbie)


 is it possible that two (or more) users have the same cfid&cftoken ?
 <cfif yes>
 Which is the best way to identify a (unique) user session ?

No. It's safe to assume that every user is assigned (and subsequently
returns) a unique CFID and CFTOKEN combination.

In fact, if you use session variables, ColdFusion makes exactly that
assumption and uses the CFID/CFTOKEN pair sent by the browser to marry
up
browser requests with session variables previously set on the server.



-- 
Aidan Whitehall [EMAIL PROTECTED]
Netshopper UK Ltd
Advanced Web Solutions  Services

http://www.netshopperuk.com/
Telephone +44 (01744) 648650
Fax +44 (01744) 648651





RE: CFID-CFTOKEN Confusion (newbie)

2000-11-09 Thread Zachary Bedell


Actually, it is entirely possible that two (or more) browsers could
share the same CFID:CFTOKEN.  It *shouldn't* happen, but flaws in the
way CF handles these tokens allow it to happen under certain
circumstances.  

CFID:CFTOKEN can be passed in the QueryString, in forms, or via
cookies.  It's fairly easy for someone to accidentally cut & paste a URL
to someone else which includes their CFID:CFTOKEN in the URL.  Now
when the second user goes to the page w/ the CFID:CFTOKEN of the
other user, CF will send back a cookie to the second user which
permanently places the first user's CFID:CFTOKEN into the second
user's cookie store.  Now you've got two users using the same
CFID:CFTOKEN and essentially sharing one CF Session.

When would CFID:CFTOKEN be in the URL to be copied & pasted?  If you
use CFLOCATION anywhere in your site and you didn't put the
addtoken="No" parameter in the tag, then every CFLOCATION call will
append the CFID:CFTOKEN to the URL.

We had that exact problem when one of our admins accidentally pasted a
URL into our What's New database.  Now every member who clicked on
the link from the What's New page assumed the session of the admin. 
And since there were so many people accessing the site under the same
session, the session never timed out.  We had people accessing our
entire site for free with Admin rights.  It was a MESS

Best regards,
Zac Bedell


Zachary S. Bedell,
Chief Technology Officer,
Adirondack Technologies, Inc.

Please include original message in any replies -- I get a 
lot of email every day, and I have a REALLY bad memory... 
So I don't always remember everything that was said.  
Thanks!





 -Original Message-
 From: Aidan Whitehall [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, November 08, 2000 1:13 PM
 To: CF-Talk
 Subject: RE: CFID-CFTOKEN Confusion (newbie)
 
 
  is it possible that two (or more) users have the same
  cfid&cftoken ? <cfif yes>
  Which is the best way to identify a (unique) user session ?
 
 No. It's safe to assume that every user is assigned (and
 subsequently returns) a unique CFID and CFTOKEN combination.
 
 In fact, if you use session variables, ColdFusion makes exactly
 that assumption and uses the CFID/CFTOKEN pair sent by the browser 
 to marry up
 browser requests with session variables previously set on the
 server.  
 
 
 
 -- 
 Aidan Whitehall [EMAIL PROTECTED]
 Netshopper UK Ltd
 Advanced Web Solutions  Services
 
 http://www.netshopperuk.com/
 Telephone +44 (01744) 648650
 Fax +44 (01744) 648651
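The shared-session incident described above leaves a trace in web server logs: one CFID/CFTOKEN pair arriving from several client addresses. As an added example (not code from the thread), this Python script groups token-bearing requests by pair and reports the pairs seen from more than one IP, along with the referring pages. The log lines are constructed, in combined log format, and a changed IP can also be a proxy or a reconnecting dial-up user, so hits are leads to review rather than proof.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Combined log format:
# ip ident user [time] "METHOD target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, made-up token values).
SAMPLE_LOG = """\
192.0.2.10 - - [09/Nov/2000:10:01:12 -0500] "GET /admin/index.cfm?CFID=4021&CFTOKEN=73911845 HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
198.51.100.7 - - [09/Nov/2000:10:14:40 -0500] "GET /admin/index.cfm?CFID=4021&CFTOKEN=73911845 HTTP/1.0" 200 5120 "http://www.example.com/whatsnew.cfm" "Mozilla/4.7 [en] (Win98; U)"
203.0.113.25 - - [09/Nov/2000:10:15:02 -0500] "GET /admin/index.cfm?cfid=4021&cftoken=73911845 HTTP/1.0" 200 5120 "http://www.example.com/whatsnew.cfm" "Mozilla/4.0 (compatible; MSIE 5.0; Mac_PowerPC)"
192.0.2.44 - - [09/Nov/2000:10:16:30 -0500] "GET /index.cfm?CFID=4022&CFTOKEN=18830267 HTTP/1.0" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
192.0.2.44 - - [09/Nov/2000:10:17:05 -0500] "GET /news.cfm?CFID=4022&CFTOKEN=18830267 HTTP/1.0" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
198.51.100.7 - - [09/Nov/2000:10:17:30 -0500] "GET /images/logo.gif HTTP/1.0" 200 900 "-" "Mozilla/4.7 [en] (Win98; U)"
""".splitlines()


def token_pair(target):
    """Return (cfid, cftoken) from a request target, or None if either is missing."""
    # Parameter names are matched case-insensitively (CFID, cfid, CfId ...).
    params = {k.lower(): v for k, v in parse_qsl(urlsplit(target).query)}
    if params.get("cfid") and params.get("cftoken"):
        return params["cfid"], params["cftoken"]
    return None


def shared_token_pairs(lines, min_clients=2):
    """List token pairs requested from at least min_clients distinct IPs."""
    ips = defaultdict(set)
    referers = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line in the expected format
        pair = token_pair(m.group("target"))
        if pair is None:
            continue  # request carried no session tokens in the URL
        ips[pair].add(m.group("ip"))
        if m.group("referer") not in ("", "-"):
            referers[pair].add(m.group("referer"))

    report = []
    for pair, seen in ips.items():
        if len(seen) >= min_clients:
            report.append({
                "cfid": pair[0],
                "cftoken": pair[1],
                "ips": sorted(seen),
                # Pages that link to a token-bearing URL are where the leak sits.
                "referers": sorted(referers[pair]),
            })
    report.sort(key=lambda r: len(r["ips"]), reverse=True)
    return report


if __name__ == "__main__":
    for hit in shared_token_pairs(SAMPLE_LOG):
        print(hit)
```
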



RE: CFID-CFTOKEN Confusion (newbie)

2000-11-08 Thread Aidan Whitehall

 is it possible that two (or more) users have the same cfid&cftoken ?
 <cfif yes>
 Which is the best way to identify a (unique) user session ?

No. It's safe to assume that every user is assigned (and subsequently
returns) a unique CFID and CFTOKEN combination.

In fact, if you use session variables, ColdFusion makes exactly that
assumption and uses the CFID/CFTOKEN pair sent by the browser to marry up
browser requests with session variables previously set on the server.



-- 
Aidan Whitehall [EMAIL PROTECTED]
Netshopper UK Ltd
Advanced Web Solutions  Services

http://www.netshopperuk.com/
Telephone +44 (01744) 648650
Fax +44 (01744) 648651




Re: CFID, CFTOKEN, and Forms

2000-06-27 Thread Sean Renet

make your form action look like this...
FOR Session Variables:
action="index.cfm?<cfoutput>#session.urltoken#</cfoutput>"
FOR Client Variables
action="index.cfm?<cfoutput>#urltoken#</cfoutput>"
- Original Message -
From: "Chris Farrugia" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 27, 2000 5:47 PM
Subject: CFID, CFTOKEN, and Forms


 If I'm passing CFID and CFTOKEN through the URL, and I use a form, will it
 automatically pass it when the form is submitted or do I have to do
 something special to get that to pass to the next page?




Re: CFID/CFTOKEN

2000-05-07 Thread Max Paperno


Ron,

CFID/CFTOKEN variables get created when/if you enable session or client variables in 
your application (aka session management).  You would do this by using the 
CFAPPLICATION tag, usually in application.cfm.  These vars uniquely identify the 
user/session and need to be passed around with every request (via either cookie, URL, 
or form values).   The ADDTOKEN attribute of CFLOCATION will append the CFID/CFTOKEN 
variables to the new location URL if, and _only if_, you have already enabled 
client/session variables for your application.  If you don't use session management, 
this attribute will have no effect, but is best set to "no" or left out entirely.

Hope that helps,
-Max



At 5/7/2000 12:28 AM -0700, you wrote:
I have some old code that's using cflocation in the menu meta data.
I don't utilize the cfif/cftoken values that get generated from the
cflocation tag, so I set the "tokens" parameter to no.
What impact does cfid/cftoken have on the site/server if I just let them be?
Do they get stored or use added memory by being generated?

I'd like to write the most efficient code I can (since I've got the time to
do so).
Can anyone help?

Thanks
Ron





RE: CFID/CFTOKEN as a Unique DB Identifier

2000-03-30 Thread Sean Daniels

 How would you create a randomly generated alpha-numeric ( non
 duplicated)  user_id / access code using SQL7 server syntax.

Well, this isn't SQL server syntax, but I often use a varchar (35) field in
the table and populate it with the result of the CF function #CreateUUID()#.
This creates a "Universally-Unique" id value with a mask of
---.

It's a handy thing, but make sure you are running at least CF 4.01.
CreateUUID() was introduced in that version.


- Sean

~
Sean Daniels
Manager of Engineering
DealStream, Inc.
[EMAIL PROTECTED]
~
tel: 207.439.6030
cel: 978.764.0799
Fax: 240.269.6319






RE: CFID/CFTOKEN

2000-03-28 Thread Ron Anderson

In the CF Admin section, you can "reap" the CFID/CFTOKENS after a select
number of days.

-Original Message-
From: Pete Freitag [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 27, 2000 11:55 PM
To: [EMAIL PROTECTED]
Subject: RE: CFID/CFTOKEN


have you tried cfregistry

_
Pete Freitag
CFDEV.COM
Cold Fusion Developer Resources
http://www.cfdev.com/

-Original Message-
From: paul smith [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 27, 2000 10:05 PM
To: [EMAIL PROTECTED]
Subject: CFID/CFTOKEN


Is there an easy way to remove *many* CFID/CFTOKEN
entries from the Registry?

best,  paul





RE: CFID/CFTOKEN

2000-03-28 Thread paul smith

Where is that?  I have timeout set to 20 minutes.
But that doesn't delete the registry entry.

best,  paul

At 12:17 AM 3/28/2000 -0800, you wrote:
In the CF Admin section, you can "reap" the CFID/CFTOKENS after a select
number of days.

-Original Message-
From: Pete Freitag [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 27, 2000 11:55 PM
To: [EMAIL PROTECTED]
Subject: RE: CFID/CFTOKEN


have you tried cfregistry

_
Pete Freitag
CFDEV.COM
Cold Fusion Developer Resources
http://www.cfdev.com/

-Original Message-
From: paul smith [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 27, 2000 10:05 PM
To: [EMAIL PROTECTED]
Subject: CFID/CFTOKEN


Is there an easy way to remove *many* CFID/CFTOKEN
entries from the Registry?

best,  paul





RE: CFID/CFTOKEN

2000-03-28 Thread Stephen Moretti



 Where is that?  I have timeout set to 20 minutes.
 But that doesn't delete the registry entry.


If you look on the same variables page you'll see the setting for storage of
client variables.
You should already have an entry for the Registry.
Click on this and you'll get a page that allows you to set how often unused
client variables are purged from the registry.  The default is 90 days.

Hope this helps.

Regards

Stephen
