3 Replies Latest reply on Oct 23, 2006 9:20 AM by Steve Sommers

    CFID & CFTOKEN

    Level 7
      Hi there,

      I'm creating a cart & payment system using Coldfusion MX 6.1. I have two
      application servers which are load balanced. So I cannot use sessions to track
      user logins and other variables because if the load balancer diverts a request
      to the other server where the session does not exist then the person will be
      logged out.

      So I'm forced to use client variables. I'm against using cookies for better
      security. So the option left for me is store client variables in database. So
      I'm using the help of CFID & CFTOKEN to track logins and store client variables
      in database.

      Now the problem is I'm using URLSessionFormat function to pass CFID & CFTOKEN
      to all pages after login. I have following problems:

      1) If I copy the URL, which contains the CFID & CFTOKEN, close the browser and
      paste it in another browser window, it opens up the page without any
      authentication.
      2) If I copy and paste the same URL on a browser window in another PC, it
      works.

      These two scenarios fail my security to the application. Can anyone please
      advise a way to kill the CFID & CFTOKEN on browser close or some mechanism to
      stop this occurring?

      Any help is greatly appreciated.

      Many thanks / Manu.

        • 1. Re: CFID & CFTOKEN
          Steve Sommers Level 4
          Please don't multi-post the same question.

          I've never used MX6.1, but 7, in addition to CFID and CFToken, it has a JSession. The JSession appears to be a true "session" meaning that opening two browser instances to the same server creates two separate JSessions - not one as you found with the CFID and CFToken. We use all three to define the session which may be overkill, JSession may be enough?

          Check to see if JSession is available to you in 6.1.

          One additional "good" note as far as we're concerned, browser instances spawned by an instance of a JSession inherit the same session. This was good for us because for printer friendly pages, we popup a child browser instance and the session is inherited. (hopefully I'm explaining this correctly and not confusing the crap out of you!)
          • 2. Re: CFID & CFTOKEN
            Conti Level 1
            Greetings Steve and other URLSessionFormat fans.

            The remote file of an XMLHttp request (Spry) among other things is trying to set two session variables.
            I have been told that if the remote file doesn't know the session CFID & CFTOKEN the new session variables will not be recognized, and to avoid that I should use URLSessionFormat.

            Now, my original Spry request looks like this:

            var request_URL ="/petitions/client/remote/authenticate.cfm?username="+uName+"&password="+uPass;
            Spry.Utils.loadURL("GET", request_URL, false, authBack);

            which returns values as expected but does not set the session variables, so I combine it with URLSessionFormat, like this:

            var request_URL = '#URLSessionFormat("/petitions/client/remote/authenticate.cfm?username='+uName+'&password='+uPass+'")#';

            The variable "request_URL" will render:
            "/petitions/client/remote/authenticate.cfm;jsessionid=7e301d2f98475b4d5f10?username="+uName+"&password="+uPass&CFID=300&CFTOKEN=11985066"

            which causes Spry to catch an exception while loading the url and the request fails altogether.
            Please note the " ; " semicolon sign between the filename "authenticate.cfm" and "jsessionid=" which is not like
            CF7.1 example "myactionpage.cfm?jsessionid=xxxx;cfid=xxxx&cftoken=xxxxxxxx" found in livedocs.

            Is either my code, macromedia example, or both wrong?
            Or maybe it needs some tweaking and fixing to replace the semicolon and put the question mark in the right place?

            Pulling quite a few hairs here. Thanks for helping.
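The rendered URL quoted above shows what goes wrong when client-side string concatenation is placed inside the server-side URLSessionFormat() call: ColdFusion inserts ";jsessionid=..." after the file name and appends "&CFID=...&CFTOKEN=..." after the closing quote of the JavaScript literal, so the browser ends up with a query string that is half server text and half unevaluated JavaScript. The following is an added example, not code from the thread, that separates the two steps: the server renders only the session-formatted base path, and the client appends its own parameters with proper encoding. The base string is constructed here in the shape the thread shows URLSessionFormat producing for a bare path (an assumption), using the jsessionid, CFID and CFTOKEN values quoted in the post; a small parser is included so the result can be checked.

```javascript
// Added example (not from the thread): append client-side parameters to a URL
// that the server has already run through URLSessionFormat(). The base URL
// shape and parameter names are assumptions drawn from the values quoted above.

// Append key/value pairs to a URL, choosing "?" or "&" depending on whether the
// base already carries a query string (URLSessionFormat may have added one).
function appendParams(sessionUrl, params) {
  const pairs = Object.entries(params).map(
    ([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v)
  );
  if (pairs.length === 0) return sessionUrl;
  const sep = sessionUrl.includes('?') ? '&' : '?';
  return sessionUrl + sep + pairs.join('&');
}

// Split a request URL into path, jsessionid path parameter and query parameters,
// i.e. the view the server will have of what Spry sends.
function parseRequestUrl(url) {
  const qIndex = url.indexOf('?');
  const pathPart = qIndex === -1 ? url : url.slice(0, qIndex);
  const query = qIndex === -1 ? '' : url.slice(qIndex + 1);
  const [path, ...pathParams] = pathPart.split(';');
  const jsParam = pathParams.find((p) => p.startsWith('jsessionid=')) || '';
  const jsessionid = jsParam.slice('jsessionid='.length) || null;
  const params = {};
  for (const piece of query.split('&')) {
    if (!piece) continue;
    const eq = piece.indexOf('=');
    const k = decodeURIComponent(eq === -1 ? piece : piece.slice(0, eq));
    const v = eq === -1 ? '' : decodeURIComponent(piece.slice(eq + 1));
    params[k] = v;
  }
  return { path, jsessionid, params };
}

// Constructed base URL: what the server would emit for
// URLSessionFormat("/petitions/client/remote/authenticate.cfm") alone,
// assuming the ";jsessionid=...?CFID=...&CFTOKEN=..." layout seen in the post.
const SESSION_BASE =
  '/petitions/client/remote/authenticate.cfm;jsessionid=7e301d2f98475b4d5f10' +
  '?CFID=300&CFTOKEN=11985066';

// Client-side step: add the login fields to the server-rendered base.
function buildAuthenticateUrl(uName, uPass, base = SESSION_BASE) {
  return appendParams(base, { username: uName, password: uPass });
}
```

In the page template this means writing `var session_base = '#URLSessionFormat("/petitions/client/remote/authenticate.cfm")#';` and then calling `buildAuthenticateUrl(uName, uPass, session_base)` in the Spry code, so no JavaScript concatenation ever sits inside the CFML function call. Independently of the URL layout, a username and password sent in a GET query string are written to web server logs, proxy logs and browser history; sending the credentials in a POST body keeps them out of those places.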
            • 3. Re: CFID & CFTOKEN
              Steve Sommers Level 4
              The semi-colon in both your examples looks incorrect to me. You obviously know that example #1 is invalid. I would try standard URL encoding first: myaction.cfm?jsession=xxx&cfid=xxx&cftoken=xxx. Only if that does not work would I try the livedoc example. (or heck, try them both).

              Thus far, I have not had to do what you are trying to do here so if neither works, maybe someone else will chime in that has experience...