RE: session.basket URL
Client variables with CFLOCATION behavior: When using CFLOCATION to redirect to a path that contains .DBM or .CFM, the Client.URLToken is automatically appended to the URL. This behavior can be suppressed by adding the attribute ADDTOKEN="No" to the CFLOCATION tag.

This is an excerpt from http://www.houseoffusion.com/cfdocs1/Developing_Web_Applications_with_ColdFusion/05_Using_the_Application_Framework/dwa05_07.htm

Hope this helps,
Natalie

-----Original Message-----
From: Chad [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 14, 2000 3:19 PM
To: [EMAIL PROTECTED]
Subject: session.basket URL

I'm just starting to develop an E-commerce shopping basket and I notice that when I go to add a product to my session.basket the person's CFID and CFToken are displayed in the URL, i.e. /outputsession.cfm?CFID=34&CFTOKEN=56471755

Is this normal? Is this a security risk? BTW I am adding the product with a form.

--
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
To Unsubscribe visit http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
RE: session.basket URL
Ahh! Thank you! I never even thought to relate this to the CFLOCATION tag I am using.

At 03:32 PM 8/14/00 -0400, you wrote:
> Client variables with CFLOCATION behavior: When using CFLOCATION to redirect to a path that contains .DBM or .CFM, the Client.URLToken is automatically appended to the URL. This behavior can be suppressed by adding the attribute ADDTOKEN="No" to the CFLOCATION tag.
>
> This is an excerpt from http://www.houseoffusion.com/cfdocs1/Developing_Web_Applications_with_ColdFusion/05_Using_the_Application_Framework/dwa05_07.htm
>
> Hope this helps,
> Natalie
RE: session.basket URL
What causes appending when there's no CFLOCATION?

best, paul

At 03:32 PM 8/14/00 -0400, you wrote:
> Client variables with CFLOCATION behavior: When using CFLOCATION to redirect to a path that contains .DBM or .CFM, the Client.URLToken is automatically appended to the URL.
RE: session.basket URL
When the client has cookies disabled.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 14, 2000 1:09 PM
To: [EMAIL PROTECTED]
Subject: RE: session.basket URL

What causes appending when there's no CFLOCATION?

best, paul
RE: session.basket URL
I believe the developer has to manually append it for situations like this. See below:

"Developers who choose to maintain client state without cookies must ensure that every request carries CFID and CFTOKEN. To maintain client state without cookies, set the SETCLIENTCOOKIES attribute of the CFAPPLICATION tag to No. Then, the developer must maintain client state in URLs by passing the client ID (CFID) and the client security token (CFTOKEN) between pages, either in hidden form fields or appended to URLs. You accomplish this using the variable Client.URLTOKEN or Session.URLTOKEN."

Natalie

-----Original Message-----
From: Brad Pauly [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 14, 2000 4:15 PM
To: [EMAIL PROTECTED]
Subject: RE: session.basket URL

When the client has cookies disabled.
RE: session.basket URL
That is correct. Thanks for the clarification.

-----Original Message-----
From: Sytov, Natalie L. [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 14, 2000 1:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: session.basket URL

I believe the developer has to manually append it for situations like this. See below:

"Developers who choose to maintain client state without cookies must ensure that every request carries CFID and CFTOKEN. To maintain client state without cookies, set the SETCLIENTCOOKIES attribute of the CFAPPLICATION tag to No. Then, the developer must maintain client state in URLs by passing the client ID (CFID) and the client security token (CFTOKEN) between pages, either in hidden form fields or appended to URLs. You accomplish this using the variable Client.URLTOKEN or Session.URLTOKEN."

Natalie
RE: session.basket URL
Nope. I have "Accept all cookies" checked in NetScrape 4.51.

best, paul

At 01:14 PM 8/14/00 -0700, you wrote:
> When the client has cookies disabled.
RE: session.basket URL
Actually Paul it's when you don't specify addtoken="no".

If you just have
<cflocation url="foo.htm">
you'll get the cfid and cftoken in the URL. If you
<cflocation url="foo.htm" addtoken="no">
you won't.

--K

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 14, 2000 2:10 PM
To: [EMAIL PROTECTED]
Subject: RE: session.basket URL

Nope. I have "Accept all cookies" checked in NetScrape 4.51.

best, paul
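One way to audit templates for the redirect behaviour discussed in this thread, as an added example that is not part of any poster's message: a Python scan of CFML source for CFLOCATION tags that do not set ADDTOKEN to "No". The function names and the sample template are constructed for illustration.

```python
import re

# Opening <cflocation ...> tag, any case, possibly spanning several lines.
# Limitation: a literal ">" inside an attribute value ends the match early.
TAG_RE = re.compile(r"<cflocation\b([^>]*)>", re.IGNORECASE | re.DOTALL)

# name="value", name='value' or name=value
ATTR_RE = re.compile(
    r"""([A-Za-z_]\w*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))"""
)

# ColdFusion boolean attributes accept No/False (case-insensitive).
FALSE_VALUES = {"no", "false"}


def parse_attrs(raw):
    """Return the tag's attributes as {lowercased name: value}."""
    attrs = {}
    for name, dq, sq, bare in ATTR_RE.findall(raw):
        attrs[name.lower()] = dq or sq or bare
    return attrs


def find_token_leaking_redirects(source):
    """List (line, url, reason) for each CFLOCATION that will append the
    CFID/CFTOKEN pair to the redirect URL, i.e. ADDTOKEN is absent or
    is anything other than No/False (dynamic values are flagged too)."""
    findings = []
    for m in TAG_RE.finditer(source):
        attrs = parse_attrs(m.group(1))
        addtoken = attrs.get("addtoken", "").strip().lower()
        if addtoken in FALSE_VALUES:
            continue
        line = source.count("\n", 0, m.start()) + 1
        if "addtoken" in attrs:
            reason = f"ADDTOKEN={attrs['addtoken']!r}"
        else:
            reason = "ADDTOKEN missing"
        findings.append((line, attrs.get("url", ""), reason))
    return findings


# Constructed sample template (not code from the thread).
SAMPLE = '''<cfif form.qty GT 0>
  <cflocation url="outputsession.cfm">
</cfif>
<CFLOCATION URL="basket.cfm" ADDTOKEN="No">
<cflocation
    url="checkout.cfm"
    addtoken="yes">
<cflocation url='done.cfm' addtoken=no>
'''

if __name__ == "__main__":
    for line, url, reason in find_token_leaking_redirects(SAMPLE):
        print(f"line {line}: redirect to {url!r}: {reason}")
```
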
RE: session.basket URL
Well, there's no CFLOCATION.

best, paul

At 03:07 PM 8/14/00 -0700, you wrote:
> Actually Paul it's when you don't specify addtoken="no".
>
> If you just have
> <cflocation url="foo.htm">
> you'll get the cfid and cftoken in the URL. If you
> <cflocation url="foo.htm" addtoken="no">
> you won't.
>
> --K
RE: session.basket URL
Well then can we see the offending code? Both the posting page and the processing pages please.

--K

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 14, 2000 3:57 PM
To: [EMAIL PROTECTED]
Subject: RE: session.basket URL

Well, there's no CFLOCATION.

best, paul
RE: session.basket URL
Sure. The page is the root one of the website, index.cfm, and the CF part looks like:-)

<CFINCLUDE TEMPLATE="/#request.CFroot#/app_locals.cfm">
<CFINCLUDE TEMPLATE="/#request.CFroot#/qry_RandWord.cfm">
<CFINCLUDE TEMPLATE="/#request.CFroot#/dsp_firstMAIN.cfm">
<CFINCLUDE TEMPLATE="/#request.CFroot#/dsp_heading.cfm">
<CFINCLUDE TEMPLATE="/#request.CFroot#/dsp_bluebar.cfm">
<CFINCLUDE TEMPLATE="/#request.CFroot#/dsp_NewPageone.cfm">
<CFINCLUDE TEMPLATE="/#request.CFroot#/dsp_footer.cfm">
<CFINCLUDE TEMPLATE="/#request.CFroot#/act_FormFocus.cfm">

app_globals.cfm (which is CFINCLUDED in app_locals.cfm) includes the following:

<CFAPPLICATION CLIENTMANAGEMENT="Yes" SESSIONMANAGEMENT="Yes" SETCLIENTCOOKIES="Yes" NAME="SYP" CLIENTSTORAGE="CVR">

CFID & CFTOKEN are appended when the website is first accessed at the root, but not when subsequent pages are accessed (even if the subsequent page is the root). Happens with both Internet Exploder & NetScrape.

best, paul

PS Can't show you the URL. Website not yet released.

At 04:03 PM 8/14/00 -0700, you wrote:
> Well then can we see the offending code? Both the posting page and the processing pages please.
>
> --K