I’m creating a cart & payment system using ColdFusion MX 6.1. I have two application servers which are load balanced. So I cannot use sessions to track user logins and other variables, because if the load balancer diverts a request to the other server where the session does not exist then the person will be logged out.

So I’m forced to use client variables. I’m against using cookies for better security. So the option left for me is to store client variables in the database. So I’m using the help of CFID & CFTOKEN to track logins and store client variables in the database.

Now the problem is I’m using the URLSessionFormat function to pass CFID & CFTOKEN to all pages after login. I have

1) If I copy the URL, which contains the CFID & CFTOKEN, close the browser and paste it in another browser window, it opens up the page without any authentication.

2) If I copy and paste the same URL on a browser window in another PC, it works.

These two scenarios fail my security to the application. Can anyone please advise a way to kill the CFID & CFTOKEN on browser close or some mechanism to stop this occurring?
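Without a cookie the server has no way to notice that a browser was closed, so the practical defence for a URL-carried CFID/CFTOKEN pair is to make the pair worthless quickly: an idle timeout, an absolute lifetime, an explicit logout that clears the login state in the client store, and (weakly) a fingerprint of the requesting browser. The following Application.cfm is an added example illustrating that approach for the setup described above; it is not the poster's code and not ColdFusion's own. The datasource name `clientStoreDSN`, the page names `login.cfm`/`logout.cfm`, the variable names in the client scope and the timeout values are all assumptions.

```cfml
<!--- Application.cfm (added example, not the original poster's code).
      Client variables live in the database (datasource "clientStoreDSN" is a
      placeholder) so both load-balanced servers see the same record, and no
      cookie is written: CFID/CFTOKEN travel on the URL via URLSessionFormat(). --->
<cfapplication name="cartApp"
               clientmanagement="yes"
               clientstorage="clientStoreDSN"
               setclientcookies="no"
               sessionmanagement="no">

<!--- Policy values: assumptions, tune for the application --->
<cfset idleTimeoutMinutes = 15>
<cfset absoluteLifetimeMinutes = 240>

<!--- Browser fingerprint: a weak extra bind only. It does not prove identity,
      and users behind rotating proxies will be logged out by it. --->
<cfset requestFingerprint = hash(cgi.http_user_agent & "|" & cgi.remote_addr)>

<cfset publicPages = "login.cfm,logout.cfm">
<cfset currentPage = listLast(cgi.script_name, "/")>

<cfif not listFindNoCase(publicPages, currentPage)>
    <cfset authorised = false>

    <cfif isDefined("client.loggedIn") and client.loggedIn eq "1"
          and isDefined("client.loginTime")
          and isDefined("client.lastActivity")
          and isDefined("client.fingerprint")>
        <!--- client variables are stored as strings; dateDiff parses the
              date strings that now() was saved as --->
        <cfset idleMinutes = dateDiff("n", client.lastActivity, now())>
        <cfset ageMinutes  = dateDiff("n", client.loginTime, now())>
        <cfif idleMinutes lte idleTimeoutMinutes
              and ageMinutes lte absoluteLifetimeMinutes
              and client.fingerprint eq requestFingerprint>
            <cfset authorised = true>
        </cfif>
    </cfif>

    <cfif not authorised>
        <!--- Clear the login state so this CFID/CFTOKEN pair no longer grants
              access, whether it was pasted from history, a proxy log or
              another PC, then send the visitor to the login page. --->
        <cfset client.loggedIn = "0">
        <cfset deleteClientVariable("fingerprint")>
        <cflocation url="login.cfm" addtoken="no">
    </cfif>

    <!--- Slide the idle window on every authorised request --->
    <cfset client.lastActivity = now()>
</cfif>

<!--- login.cfm, after the password check succeeds (assumed page):
      <cfset client.loggedIn     = "1">
      <cfset client.loginTime    = now()>
      <cfset client.lastActivity = now()>
      <cfset client.fingerprint  = hash(cgi.http_user_agent & "|" & cgi.remote_addr)>

      logout.cfm (assumed page):
      <cfset client.loggedIn = "0">
      <cfset deleteClientVariable("fingerprint")>
      <cflocation url="login.cfm" addtoken="no"> --->
```

Scenario 1 (same PC, URL pasted into a new window) is indistinguishable from a page reload on the server side, so only the idle and absolute timeouts bound it; scenario 2 (another PC) is additionally caught by the fingerprint check when the address or user agent differs. Because a URL-borne CFID/CFTOKEN also ends up in browser history, Referer headers and proxy logs, keep the timeouts short and make the logout link prominent.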