Hi,
I have an application that used to use URL vars to carry the
session. Some links got out into the wild with the cfid and cftoken
in them so now some people end up with the same session. I then
converted the app to use cookies instead to eliminate the chances
of it recurring, but of course these links still exist and so
people can still get that session.
Now, how can I kill off a session if it has a cfid/cftoken
pair that I don't like? I can do a structdelete(session) but I also
need to delete the session cookies or the session appears to
continue. However, every time I delete the cookies they are still
there on the next request!
i.e., in Application.cfm I have
<!--- kill known bad cookies --->
<cfset killCookies = 0>
<cfif (cookie.cfid is "9876") and (cookie.cftoken is "12345678")>
    <cfset killCookies = 1>
</cfif>
then in OnRequestEnd.cfm
<cfif killCookies>
    <cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
        <cfcookie name="CFID" value="0" expires="NOW">
        <cfcookie name="CFTOKEN" value="0" expires="NOW">
        <cflocation url="/" addtoken="No">
    </cfif>
</cfif>
This results in an infinite redirect 😞 Why don't the cookies
get deleted? What's the best way to delete a known bad session and
how can you force the user into a new session?
Chandy
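The flow the post describes (recognise a leaked CFID/CFTOKEN pair, clear the shared server-side session, expire the browser's cookies, and start the visitor over in a fresh session) as an added example in CFML; this is not the original poster's code. It assumes an application named "myApp", cookies scoped to path "/", and a constructed denylist of leaked identifier pairs (placeholder values, not real ones). Two choices in it address the symptoms in the post: setclientcookies="No" stops ColdFusion from issuing its own persistent CFID/CFTOKEN cookies, so the template controls them and writes them as browser-session cookies that die with the browser instead of living on disk; and the reset branch ends the request with cfabort and a plain page rather than cflocation, because on some older ColdFusion releases cookies set with cfcookie are not delivered on a response that is redirected with cflocation in the same request (check this against your version). If a deletion still does not take, the other thing to confirm is that the path and domain on the expiring cfcookie match what the session cookies were originally set with; otherwise the browser keeps the old cookie, the check fires again on the next request, and a redirect-based reset loops exactly as described.

```cfml
<!--- Application.cfm: added example, not the original poster's code.
      Assumptions: app name "myApp", cookie path "/", and a constructed
      denylist of leaked CFID:CFTOKEN pairs (placeholder values). --->
<cfapplication name="myApp"
               sessionmanagement="Yes"
               setclientcookies="No"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">

<!--- Constructed denylist of identifier pairs that escaped in shared links --->
<cfset leakedSessions = "9876:12345678,1111:22222222">

<!--- The pair ColdFusion actually bound to this request, whether it came from
      a cookie or from cfid/cftoken still carried in an old URL --->
<cfset currentPair = session.cfid & ":" & session.cftoken>

<cfif ListFind(leakedSessions, currentPair)>
    <!--- 1. Empty the shared session so nothing stored in it can be reused.
            The built-in keys are left alone; everything else is dropped. --->
    <cfloop list="#StructKeyList(session)#" index="k">
        <cfif NOT ListFindNoCase("cfid,cftoken,urltoken,sessionid", k)>
            <cfset StructDelete(session, k)>
        </cfif>
    </cfloop>

    <!--- 2. Expire the browser-side identifiers. path (and domain, if one was
            used) must match what the cookies were originally set with, or the
            browser keeps the old cookie and this branch runs again. --->
    <cfcookie name="CFID" value="0" expires="Now" path="/">
    <cfcookie name="CFTOKEN" value="0" expires="Now" path="/">

    <!--- 3. End the request with a normal response instead of cflocation so
            the Set-Cookie headers are delivered; the next click arrives with
            no cookies and ColdFusion issues a fresh session. --->
    <cfoutput>
        <p>This session link is no longer valid. <a href="/">Start again</a></p>
    </cfoutput>
    <cfabort>
</cfif>

<!--- Normal path: with setclientcookies="No" the template writes the session
      cookies itself. Omitting expires makes them browser-session cookies. --->
<cfset cookiesCurrent = IsDefined("cookie.cfid") AND IsDefined("cookie.cftoken")>
<cfif cookiesCurrent>
    <cfset cookiesCurrent = (cookie.cfid EQ session.cfid)
                            AND (cookie.cftoken EQ session.cftoken)>
</cfif>
<cfif NOT cookiesCurrent>
    <cfcookie name="CFID" value="#session.cfid#" path="/">
    <cfcookie name="CFTOKEN" value="#session.cftoken#" path="/">
</cfif>
```

Because the check reads session.cfid and session.cftoken rather than the cookie scope, it catches the leaked pair however it arrived, including a visitor following one of the old links with the identifiers in the query string; the denylist is only a stopgap for pairs already known to be shared, and the browser-session cookies are what keep new identifiers from being reusable later.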