Right,


I have noticed what the main part of the problem I am having is.


On my dev server, I go to the admin login screen, and a CFID and CFTOKEN
are generated in the URL, which is fine.


I open another window, go to admin on the dev server and, as expected,
another CFID and CFTOKEN are generated, the values of which differ from
those in the first window.


Now, on my application server, if you do this, the CFID and CFTOKEN
values generated in both windows are exactly the same.


Any idea why this is?


As there is more than one level of admin which a user can access, it
may be that they want two browsers open with different logins, so I need
different ids to be generated!


Thanks in advance

Dave

-----Original Message-----
From: David Ashworth [mailto:[EMAIL PROTECTED]]
Sent: 18 March 2004 10:50
To: CF-Talk
Subject: RE: server session settings

Thanks for the help so far

Now, I implemented this code in my fbx_settings file; however, cutting
and pasting the URL still allows a user to bypass the login. Is
there something I have missed?

<cfif fusebox.IsHomeCircuit>
<cfapplication name="funds" clientmanagement="Yes"
sessionmanagement="Yes" setclientcookies="no">
<cfelse>
</cfif>

<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
<cfset cfid_local = Cookie.CFID>
<cfset cftoken_local = Cookie.CFTOKEN>
<cfcookie name="CFID" value="#cfid_local#">
<cfcookie name="CFTOKEN" value="#cftoken_local#">
</cfif>

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: 17 March 2004 18:39
To: CF-Talk
Subject: RE: server session settings

> Basically, sessions are not being killed when the browser is
> closed and even so, they should not be transferable to a new
> browser, which would appear to be what they are doing.

By default, sessions are not closed when you close the browser. The cookies
that tie the session to the browser are persistent cookies. In addition, if
you use URL parameters to tie the session to the browser, and you copy those
URL parameters from one browser to another, the second browser will be
associated with the session data as well.

If you want to make cookie-based sessions close when the browser is closed,
you'll need to write non-persistent cookies to the browser:

<cfapplication ... setclientcookies="no">

<cfif not IsDefined("Cookie.CFID")>
<cflock scope="Session" type="readonly" timeout="5">
<cfcookie name="CFID" value="#Session.CFID#">
<cfcookie name="CFTOKEN" value="#Session.CFTOKEN#">
</cflock>
</cfif>

You can dispense with the lock if you're using CFMX. If you omit the TIMEOUT
attribute of CFCOOKIE, the cookies will be destroyed when the browser is
closed.

Or, if you're using CFMX, you can enable J2EE sessions, which will use a
single non-persistent cookie called "JSESSIONID" instead of CFID and
CFTOKEN.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
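The two conditions Dave Watts describes above (CFID/CFTOKEN written as persistent cookies, and CFID/CFTOKEN carried in the URL so that copying the URL copies the session) can be checked against what a server actually sends. The Python script below is an added example, not code from this thread or from ColdFusion: the Set-Cookie headers and URLs in it are constructed samples standing in for captured responses, the function and constant names are my own, and it assumes the identifiers can only arrive via Set-Cookie headers and the query string.

```python
"""Audit how a ColdFusion application exposes its session identifiers.

Added example for this thread, not code from any of the posters. It checks
the two conditions described in the thread: CFID/CFTOKEN written as
persistent cookies (they survive a browser restart) and CFID/CFTOKEN carried
in the URL (copying the URL into another browser copies the session). All
headers and URLs below are constructed samples, not captured traffic.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlparse

# Cookie names ColdFusion uses to bind a browser to server-side session state
# (JSESSIONID is the J2EE-session alternative mentioned in the thread).
SESSION_IDS = {"CFID", "CFTOKEN", "JSESSIONID"}


def classify_cookie(set_cookie_header):
    """Return {name: "persistent" | "session"} for one Set-Cookie header.

    A cookie carrying Expires or Max-Age is stored on disk and survives a
    browser restart; one with neither is discarded when the browser closes,
    which is what a <cfcookie> with no expiry produces.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    result = {}
    for name, morsel in jar.items():
        persistent = bool(morsel["expires"]) or bool(morsel["max-age"])
        result[name] = "persistent" if persistent else "session"
    return result


def audit_response(set_cookie_headers, landing_url):
    """Report where each session identifier ends up.

    persistent_ids: session identifiers set as persistent cookies
    session_ids:    session identifiers set as browser-session cookies
    url_ids:        session identifiers present in the URL query string
    """
    cookies = {}
    for header in set_cookie_headers:
        cookies.update(classify_cookie(header))
    ids = {n: k for n, k in cookies.items() if n.upper() in SESSION_IDS}
    query = parse_qs(urlparse(landing_url).query)
    return {
        "persistent_ids": sorted(n for n, k in ids.items() if k == "persistent"),
        "session_ids": sorted(n for n, k in ids.items() if k == "session"),
        "url_ids": sorted(n for n in query if n.upper() in SESSION_IDS),
    }


def is_hardened(report):
    """True when no session identifier is persistent or carried in the URL."""
    return not report["persistent_ids"] and not report["url_ids"]


# Constructed sample 1: ColdFusion defaults (setclientcookies="yes"), with
# CFID/CFTOKEN also appended to the URL, as the first poster observed.
DEFAULT_HEADERS = [
    "CFID=1234; expires=Sat, 18-Mar-2034 10:50:00 GMT; path=/",
    "CFTOKEN=87654321; expires=Sat, 18-Mar-2034 10:50:00 GMT; path=/",
]
DEFAULT_URL = "http://app.example/admin/index.cfm?CFID=1234&CFTOKEN=87654321"

# Constructed sample 2: setclientcookies="no" plus <cfcookie> without an
# expiry, and no identifiers in the URL.
HARDENED_HEADERS = ["CFID=1234; path=/", "CFTOKEN=87654321; path=/"]
HARDENED_URL = "http://app.example/admin/index.cfm"

# Constructed sample 3: J2EE sessions, a single non-persistent JSESSIONID.
J2EE_HEADERS = ["JSESSIONID=8a3f0c1e2b7d; path=/"]
J2EE_URL = "http://app.example/admin/index.cfm"

if __name__ == "__main__":
    for label, headers, url in [
        ("CF defaults", DEFAULT_HEADERS, DEFAULT_URL),
        ("non-persistent cookies", HARDENED_HEADERS, HARDENED_URL),
        ("J2EE sessions", J2EE_HEADERS, J2EE_URL),
    ]:
        report = audit_response(headers, url)
        verdict = "ok" if is_hardened(report) else "session persistent or transferable"
        print(f"{label}: {report} -> {verdict}")
```

To use it on a real application, paste the Set-Cookie headers and the landing URL captured from a browser's network tools or an intercepting proxy in place of the constructed samples. The first sample reproduces the state reported at the top of the thread (identifiers in the URL, cookies that outlive the browser); the second is the state the posted cfcookie code is meant to reach, and the third the JSESSIONID alternative.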