RE: CFID-CFTOKEN Confusion (newbie)

2000-11-09 Thread Zachary Bedell


Actually, it is entirely possible that two (or more) browsers could
share the same CFID:CFTOKEN.  It *shouldn't* happen, but flaws in the
way CF handles these tokens allow it to happen under certain
circumstances.

CFID:CFTOKEN can be passed in the QueryString, in forms, or via
cookies.  It's fairly easy for someone to accidentally cut&paste a URL
to someone else which includes their CFID:CFTOKEN in the URL.  Now
when the second user goes to the page w/ the CFID:CFTOKEN of the
other user, CF will send back a cookie to the second user which
permanently places the first user's CFID:CFTOKEN into the second
user's cookie store.  Now you've got two users using the same
CFID:CFTOKEN and essentially sharing one CF Session.

When would CFID:CFTOKEN be in the URL to be copied & pasted?  If you
use CFLOCATION anywhere in your site and you didn't put the
addtoken="No" parameter in the tag, then every CFLOCATION call will
append the CFID:CFTOKEN to the URL.

We had that exact problem when one of our admins accidentally pasted a
URL into our What's New database.  Now every member who clicked on
the link from the What's New page assumed the session of the admin.
And since there were so many people accessing the site under the same
session, the session never timed out.  We had people accessing our
entire site for free with Admin rights.  It was a MESS.

Best regards,
Zac Bedell


Zachary S. Bedell,
Chief Technology Officer,
Adirondack Technologies, Inc.

Please include original message in any replies -- I get a 
lot of email every day, and I have a REALLY bad memory... 
So I don't always remember everything that was said.  
Thanks!





> -Original Message-
> From: Aidan Whitehall [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 08, 2000 1:13 PM
> To: CF-Talk
> Subject: RE: CFID-CFTOKEN Confusion (newbie)
> 
> 
> > is it possible that two (or more) users have the same
> > cfid&cftoken ? 
> > Which is the best way to identify a (unique) user session ?
> 
> No. It's safe to assume that every user is assigned (and
> subsequently returns) a unique CFID and CFTOKEN combination.
> 
> In fact, if you use session variables, ColdFusion makes exactly
> that assumption and uses the CFID/CFTOKEN pair sent by the browser
> to marry up browser requests with session variables previously set
> on the server.
> 
> 
> 
> -- 
> Aidan Whitehall <[EMAIL PROTECTED]>
> Netshopper UK Ltd
> Advanced Web Solutions & Services
> 
> http://www.netshopperuk.com/
> Telephone +44 (01744) 648650
> Fax +44 (01744) 648651
> --
> Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
> Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists or send a
> message with 'unsubscribe' in the body to [EMAIL PROTECTED]


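An added detection example (not from the thread and not ColdFusion code): given web-server log lines in a constructed Apache-style custom format whose last quoted field is the Cookie request header, it flags requests that carried CFID/CFTOKEN in the URL (the leak vector Zac describes) and any token pair used from more than one client address (the shared-session symptom he ran into). The log format and all sample lines are assumptions made up for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines. Assumed format: Apache combined-style prefix, then
# the Cookie request header as the final quoted field (e.g. "%{Cookie}i").
SAMPLE_LOG = """\
10.0.0.5 - - [09/Nov/2000:13:01:02 +0000] "GET /admin/index.cfm?CFID=1812&CFTOKEN=55919 HTTP/1.0" 200 "-"
10.0.0.7 - - [09/Nov/2000:13:05:44 +0000] "GET /admin/index.cfm?CFID=1812&CFTOKEN=55919 HTTP/1.0" 200 "-"
10.0.0.7 - - [09/Nov/2000:13:05:45 +0000] "GET /admin/users.cfm HTTP/1.0" 200 "CFID=1812; CFTOKEN=55919"
10.0.0.9 - - [09/Nov/2000:13:06:10 +0000] "GET /admin/users.cfm HTTP/1.0" 200 "CFID=1812; CFTOKEN=55919"
10.0.0.22 - - [09/Nov/2000:13:07:30 +0000] "GET /index.cfm HTTP/1.0" 200 "CFID=2044; CFTOKEN=70123"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)


def session_key(target, cookie_header):
    """Return ((cfid, cftoken), in_url) for a request, or None if it carries no pair.
    A pair in the query string wins over the cookie: that is the copy-and-paste leak."""
    qs = {k.upper(): v[0] for k, v in parse_qs(urlsplit(target).query).items()}
    if "CFID" in qs and "CFTOKEN" in qs:
        return (qs["CFID"], qs["CFTOKEN"]), True
    jar = {}
    for part in cookie_header.split(";"):  # tolerate "-" and malformed headers
        name, _, value = part.strip().partition("=")
        jar[name.upper()] = value
    if "CFID" in jar and "CFTOKEN" in jar:
        return (jar["CFID"], jar["CFTOKEN"]), False
    return None


def analyse(log_text):
    """Return (url_leaks, shared): url_leaks lists (ip, target) requests whose URL
    carried the pair; shared maps each pair seen from >1 client address to those
    addresses, sorted. Lines that do not match the assumed format are skipped."""
    clients, url_leaks = defaultdict(set), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or (key := session_key(m["target"], m["cookie"])) is None:
            continue
        pair, in_url = key
        if in_url:
            url_leaks.append((m["ip"], m["target"]))
        clients[pair].add(m["ip"])
    shared = {p: sorted(ips) for p, ips in clients.items() if len(ips) > 1}
    return url_leaks, shared


if __name__ == "__main__":
    leaks, shared = analyse(SAMPLE_LOG)
    print("requests with CFID/CFTOKEN in URL:", len(leaks))
    for pair, ips in shared.items():
        print("pair %s:%s used from %d addresses: %s" % (pair[0], pair[1], len(ips), ", ".join(ips)))
```

Apache access logs do not record the Cookie header by default, so on a real deployment the cookie-borne half of this check only works with a custom LogFormat; the URL-leak half works on any access log.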



RE: CFID-CFTOKEN Confusion (newbie)

2000-11-09 Thread Nick Betts

To store these little beauties you first need to specify in CF Administrator
that you wish to store Client variables in a datasource and not in the
default Registry.  See CF Guides for examples of doing this.

Nick Betts
Software Engineer
PoulterNet, Leeds, UK

-Original Message-
From: Scott Wolf [mailto:[EMAIL PROTECTED]]
Sent: 09 November 2000 13:58
To: CF-Talk
Subject: RE: CFID-CFTOKEN Confusion (newbie)


I have my own question that's somewhat related to this
thread.  Is there any way that I can save the CFID and
CFTOKEN into a database?  Please let me know.  Thanks
in advance.

Scott Wolf
Goodfriend Computer Training


Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists or send a message 
with 'unsubscribe' in the body to [EMAIL PROTECTED]



RE: CFID-CFTOKEN Confusion (newbie)

2000-11-09 Thread Scott Wolf

I have my own question that's somewhat related to this
thread.  Is there any way that I can save the CFID and
CFTOKEN into a database?  Please let me know.  Thanks
in advance.

Scott Wolf
Goodfriend Computer Training




RE: CFID-CFTOKEN Confusion (newbie)

2000-11-08 Thread Aidan Whitehall

> is it possible that two (or more) users have the same cfid&cftoken ?
> 
> Which is the best way to identify a (unique) user session ?

No. It's safe to assume that every user is assigned (and subsequently
returns) a unique CFID and CFTOKEN combination.

In fact, if you use session variables, ColdFusion makes exactly that
assumption and uses the CFID/CFTOKEN pair sent by the browser to marry up
browser requests with session variables previously set on the server.



-- 
Aidan Whitehall <[EMAIL PROTECTED]>
Netshopper UK Ltd
Advanced Web Solutions & Services

http://www.netshopperuk.com/
Telephone +44 (01744) 648650
Fax +44 (01744) 648651
