0 Replies Latest reply on Jul 14, 2006 5:54 AM by wmanu

    CFID & CFTOKEN

    wmanu
      Hi there,

      I’m creating a cart & payment system using ColdFusion MX 6.1. I have two application servers which are load balanced. So I cannot use sessions to track user logins and other variables, because if the load balancer diverts a request to the other server where the session does not exist, then the person will be logged out.

      So I’m forced to use client variables. I’m against using cookies for better security. So the option left for me is to store client variables in a database. So I’m using the help of CFID & CFTOKEN to track logins and store client variables in the database.

      Now the problem is I’m using the URLSessionFormat function to pass CFID & CFTOKEN to all pages after login. I have the following problems:

      1) If I copy the URL, which contains the CFID & CFTOKEN, close the browser and paste it in another browser window – it opens up the page without any authentication.
      2) If I copy and paste the same URL on a browser window in another PC, it works.

      These two scenarios fail my security to the application. Can anyone please advise a way to kill the CFID & CFTOKEN on browser close or some mechanism to stop this occurring?

      Any help is greatly appreciated.

      Many thanks / Manu.
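
The two scenarios above follow from CFID & CFTOKEN in the URL acting as a bearer credential: whoever presents the pair is given the stored client variables. The sketch below is an added example, not part of the original post, showing a server-side guard in Application.cfm that expires the login after an idle period and ties it to the browser that logged in. The datasource name `cartClientStore`, the client variables `userId`, `lastSeen` and `fingerprint`, the page `login.cfm` and the 15-minute limit are all assumptions made for illustration.

```cfml
<!--- Application.cfm (added example; names are hypothetical) --->
<!--- Client variables live in the database; no CFID/CFTOKEN cookies are set --->
<cfapplication name="cart"
               clientmanagement="yes"
               clientstorage="cartClientStore"
               setclientcookies="no">

<cfset idleLimitMinutes = 15>

<!--- Only a logged-in client record carries userId --->
<cfif StructKeyExists(client, "userId")>
    <!--- Coarse browser binding: User-Agent is easy to copy, so this only
          stops a URL pasted into a different browser or machine --->
    <cfset currentFingerprint = Hash(cgi.http_user_agent)>

    <cfset expired = true>
    <cfif StructKeyExists(client, "lastSeen")
          AND DateDiff("n", client.lastSeen, Now()) LTE idleLimitMinutes>
        <cfset expired = false>
    </cfif>

    <cfset mismatch = true>
    <cfif StructKeyExists(client, "fingerprint")
          AND client.fingerprint EQ currentFingerprint>
        <cfset mismatch = false>
    </cfif>

    <cfif expired OR mismatch>
        <!--- Empty the stored record so the old CFID/CFTOKEN pair no longer
              maps to an authenticated user, then send the user to log in --->
        <cfloop list="#GetClientVariablesList()#" index="varName">
            <cfset deleted = DeleteClientVariable(varName)>
        </cfloop>
        <cflocation url="login.cfm" addtoken="no">
    </cfif>

    <!--- Sliding idle window: refresh on every accepted request --->
    <cfset client.lastSeen = Now()>
</cfif>

<!--- login.cfm, after the credentials have been verified (hypothetical):
      <cfset client.userId = verifiedUserId>
      <cfset client.lastSeen = Now()>
      <cfset client.fingerprint = Hash(cgi.http_user_agent)>
--->
```

The server receives no signal when a browser closes, so the idle timeout is what bounds scenario 1; a URL pasted back into the same browser within the limit is still accepted.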