
CFID & CFTOKEN

LEGEND, Jul 14, 2006


Hi there,

I'm creating a cart & payment system using Coldfusion MX 6.1. I have two
application servers which are load balanced. So I cannot use sessions to track
user logins and other variables because if the load balancer diverts a request
to the other server where the session does not exist then the person will be
logged out.

So I'm forced to use client variables. I'm against using cookies for better
security. So the option left for me is store client variables in database. So
I'm using the help of CFID & CFTOKEN to track logins and store client variables
in database.

Now the problem is I'm using URLSessionFormat function to pass CFID & CFTOKEN
to all pages after login. I have following problems:

1) If I copy the URL, which contains the CFID & CFTOKEN, close the browser and
paste it in another browser window, it opens up the page without any
authentication.
2) If I copy and paste the same URL on a browser window in another PC, it
works.

These two scenarios fail my security to the application. Can anyone please
advise a way to kill the CFID & CFTOKEN on browser close or some mechanism to
stop this occurring?

Any help is greatly appreciated.

Many thanks / Manu.

Advocate, Jul 14, 2006


Please don't multi-post the same question.

I've never used MX6.1, but 7, in addition to CFID and CFToken, has a JSession. The JSession appears to be a true "session", meaning that opening two browser instances to the same server creates two separate JSessions, not one as you found with the CFID and CFToken. We use all three to define the session, which may be overkill; JSession may be enough?

Check to see if JSession is available to you in 6.1.

One additional "good" note as far as we're concerned: browser instances spawned by an instance of a JSession inherit the same session. This was good for us because for printer-friendly pages we pop up a child browser instance and the session is inherited. (Hopefully I'm explaining this correctly and not confusing the crap out of you!)

Guest, Oct 20, 2006


Greetings Steve and other URLSessionFormat fans.

The remote file of an XMLHttp request (Spry), among other things, is trying to set two session variables.
I have been told that if the remote file doesn't know the session CFID & CFTOKEN the new session variables will not be recognized, and to avoid that I should use URLSessionFormat.

Now, my original Spry request looks like this:

var request_URL ="/petitions/client/remote/authenticate.cfm?username="+uName+"&password="+uPass;
Spry.Utils.loadURL("GET", request_URL, false, authBack);

which returns values as expected but does not set the session variables, so I combine it with URLSessionFormat, like this:

var request_URL = '#URLSessionFormat("/petitions/client/remote/authenticate.cfm?username='+uName+'&password='+uPass+'")#';

The variable "request_URL" will render:
"/petitions/client/remote/authenticate.cfm;jsessionid=7e301d2f98475b4d5f10?username="+uName+"&password="+uPass&CFID=300&CFTOKEN=11985066"

which causes Spry to catch an exception while loading the url and the request fails altogether.
Please note the " ; " semicolon sign between the filename "authenticate.cfm" and "jsessionid=", which is not like
the CF7.1 example "myactionpage.cfm?jsessionid=xxxx;cfid=xxxx&cftoken=xxxxxxxx" found in livedocs.

Is either my code, the Macromedia example, or both wrong?
Or maybe it needs some tweaking and fixing to replace the semicolon and put the question mark in the right place?

Pulling quite a few hairs here. Thanks for helping.

Advocate, Oct 23, 2006

The semi-colon in both your examples looks incorrect to me. You obviously know that example #1 is invalid. I would try standard URL encoding first: myaction.cfm?jsession=xxx&cfid=xxx&cftoken=xxx. Only if that does not work would I try the livedoc example. (or heck, try them both).

Thus far, I have not had to do what you are trying to do here so if neither works, maybe someone else will chime in that has experience...

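The Spry request in the Oct 20 post wrapped client-side string concatenation ('+uName+') inside the server-side URLSessionFormat() call, so ColdFusion spliced the ";jsessionid=" path parameter and the "&CFID=...&CFTOKEN=..." query pair into the middle of the JavaScript expression. The JavaScript below is an added example, not code from the thread: the server formats only the bare path (the ";jsessionid=" before the "?" is a path parameter, which is how the J2EE servlet container carries its session id in a URL), and the browser appends the user-supplied parameters with percent-encoding. SAMPLE_BASE and its token values are constructed samples, not values from the page.

```javascript
// Added example (not from the thread). Server side, render only the bare path:
//   var base = '#URLSessionFormat("/petitions/client/remote/authenticate.cfm")#';
// then add user-supplied parameters here in the browser, percent-encoded.

// Constructed sample of what that render produces (token values are made up):
// the ";jsessionid=" path parameter sits before "?", the CFID/CFTOKEN pair after it.
const SAMPLE_BASE =
  "/petitions/client/remote/authenticate.cfm;jsessionid=7e301d2f98475b4d5f10?CFID=300&CFTOKEN=11985066";

// Append query parameters to a URL that may already carry a path parameter and/or a
// query string. Keys and values are encoded, so '&', '=' or spaces in a username
// cannot break the URL or smuggle extra parameters into it.
function appendQueryParams(base, params) {
  const pairs = Object.keys(params).map(
    (k) => encodeURIComponent(k) + "=" + encodeURIComponent(params[k])
  );
  if (pairs.length === 0) return base;
  let separator = "?";
  if (base.indexOf("?") >= 0) {
    // A query string already exists; only add '&' if it is non-empty.
    separator = base.endsWith("?") || base.endsWith("&") ? "" : "&";
  }
  return base + separator + pairs.join("&");
}

// Split a URL into path, ";name=value" path parameters and decoded query pairs,
// to check what the browser will actually send.
function parseSessionUrl(url) {
  const qIndex = url.indexOf("?");
  const pathPart = qIndex >= 0 ? url.slice(0, qIndex) : url;
  const queryPart = qIndex >= 0 ? url.slice(qIndex + 1) : "";
  const segments = pathPart.split(";");
  const pathParams = {};
  for (const seg of segments.slice(1)) {
    const eq = seg.indexOf("=");
    pathParams[eq < 0 ? seg : seg.slice(0, eq)] = eq < 0 ? "" : seg.slice(eq + 1);
  }
  const query = {};
  for (const pair of queryPart.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const key = eq >= 0 ? pair.slice(0, eq) : pair;
    const value = eq >= 0 ? pair.slice(eq + 1) : "";
    query[decodeURIComponent(key)] = decodeURIComponent(value);
  }
  return { path: segments[0], pathParams, query };
}

// Usage: pass the result to Spry.Utils.loadURL("GET", requestUrl, false, authBack)
const requestUrl = appendQueryParams(SAMPLE_BASE, { username: "manu", password: "p w&1" });
```

Query strings end up in server logs, browser history and Referer headers, so the same exposure that lets a pasted CFID/CFTOKEN URL open an authenticated page also applies to the username and password carried in this GET request; sending the credentials in a POST body keeps them out of the URL.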