Hello. Thanks in advance for any help.
I have a serious problem that I have been unable to debug,
probably because of my poor understanding of the subject.
I have an application with session and client variables.
Some people are sharing CFIDs and CFTOKENs, which is
resulting in a real security problem.
What I have found is that despite clearing the client storage
database, the session variables, and resetting cookies, the CFID
and CFTOKEN persist.
I created a page with the following code to highlight the
problem:
<!--- Show the token as the request received it, in each scope --->
<cfoutput>
    cftoken: #cftoken#<br />
    session.cftoken: #session.CFToken#<br />
    client.cftoken: #client.cftoken#<br />
    cookie.cftoken: #cookie.cftoken#<br />
</cfoutput>
<!--- Expire both browser cookies --->
<cfcookie name="CFTOKEN" expires="now">
<cfcookie name="CFID" expires="now">
<!--- Remove every session variable; iterate over a copy of the keys
      so the struct is not modified while it is being looped --->
<cflock name="myappsessionlogout" type="exclusive" timeout="5">
    <cfloop array="#StructKeyArray(Session)#" index="All_Vars">
        <cfset StructDelete(Session, All_Vars)>
    </cfloop>
</cflock>
<!--- Overwrite the stored client token --->
<cfset client.cftoken = 0>
<!--- Show what is left; the session scope is now empty, so that line is commented out --->
<cfoutput>
    cftoken: #cftoken#<br />
    <!---session.cftoken: #session.CFToken#<br />--->
    client.cftoken: #client.cftoken#<br />
    cookie.cftoken: #cookie.cftoken#<br />
</cfoutput>
First, I output the client, session, and cookie values for
CFTOKEN.
I then delete/expire them and then I output them again.
The resulting page is something like this:
cftoken: 3435676-3b8beb0c-7c96-42fa-8867-046fda6d1234
session.cftoken: 3435676-3b8beb0c-7c96-42fa-8867-046fda6d1234
client.cftoken: 3435676-3b8beb0c-7c96-42fa-8867-046fda6d1234
cookie.cftoken: 3435676-3b8beb0c-7c96-42fa-8867-046fda6d1234
cftoken:
client.cftoken: 0
cookie.cftoken: 0
If I refresh the page, however, the same exact output occurs,
meaning that somewhere the CFID and CFTOKEN variables are
persisting. The issue is that some people have very short values
for cftoken and so they are being shared. I need to reset their
values so that they include the UUID.
Can someone tell me how to force a user to get a new cookie,
client and session or provide some insight as to what may be
happening?
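An added check, not part of the original post, written from the operator's side: it audits a constructed set of (client IP, Cookie header) request records, flags CFTOKEN values that are not in the UUID form shown in the output above, and reports any CFID/CFTOKEN pair seen from more than one client address, which is the sharing symptom the post describes. The token format, the record shape and the sample values are assumptions for this example.

```python
import re

# A UUID-style CFTOKEN, as in the post: a numeric prefix, then a UUID.
UUID_TOKEN = re.compile(
    r"^\d+-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
# The legacy short numeric CFTOKEN the post is worried about.
SHORT_TOKEN = re.compile(r"^\d{1,10}$")

# Constructed sample requests: (client_ip, Cookie request header).
SAMPLE_REQUESTS = [
    ("10.0.0.5", "CFID=3435677; CFTOKEN=3435677-0a1b2c3d-1111-2222-3333-444455556666"),
    ("10.0.0.6", "CFID=12; CFTOKEN=98765432"),
    ("10.0.0.7", "CFID=12; CFTOKEN=98765432"),   # same pair, different client
    ("10.0.0.8", "cfid=13; cftoken=41; theme=dark"),
    ("10.0.0.9", "theme=light"),                # no ColdFusion cookies at all
]


def classify_cftoken(token):
    """Return 'uuid', 'short' or 'unknown' for a CFTOKEN value."""
    if UUID_TOKEN.match(token):
        return "uuid"
    if SHORT_TOKEN.match(token):
        return "short"
    return "unknown"


def parse_cookie_header(header):
    """Parse a Cookie request header into a dict keyed by upper-cased name."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip().upper()] = value.strip()
    return cookies


def audit_requests(requests):
    """Flag non-UUID tokens and CFID/CFTOKEN pairs seen from more than one IP."""
    ips_by_session = {}
    weak = set()
    for ip, cookie_header in requests:
        cookies = parse_cookie_header(cookie_header)
        cfid, cftoken = cookies.get("CFID"), cookies.get("CFTOKEN")
        if cfid is None or cftoken is None:
            continue  # not a ColdFusion session cookie pair
        if classify_cftoken(cftoken) != "uuid":
            weak.add((cfid, cftoken))
        ips_by_session.setdefault((cfid, cftoken), set()).add(ip)
    shared = {s: ips for s, ips in ips_by_session.items() if len(ips) > 1}
    return {"weak": sorted(weak), "shared": shared}
```

The multi-IP rule is a heuristic: clients behind the same NAT or proxy, or one user on a changing address, will also trip it, so treat a hit as something to investigate rather than proof of sharing.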