May 31, 2022

CFTOKEN/CFID SESSION Issues

  • 2 replies
  • 629 views

We are having issues where CFTOKEN and CFID are being passed between our users. When one user clicks on these links their session switches to the sender of the URL. 

How can I prevent this?

I was going to add something to the application.cfc like this.
<!--- In onRequestStart of Application.cfc: any request carrying a session token in its query string is sent to the login page (placeholder URL kept as written) --->
<cfif CGI.QUERY_STRING CONTAINS "CFTOKEN">
	<cflocation url="Log User out and go to the login screen" addToken="no">
</cfif>
But I am worried that users may legitimately have CFTOKEN and CFID in their working URLs and it would kick them out in that scenario. Though we have added cftoken="no" in all of our cflocation tags.

What is the best way to deal with this issue where sessions sometimes (?) are changed when a URL with cftoken or cfid is in the URL?

    2 replies

    BKBK (Community Expert)
    June 10, 2022

    Did that help?

    BKBK (Community Expert), Correct answer
    June 5, 2022

    I am thinking along the same lines as you. But I would validate by comparing the keys in the URL scope with those in the session scope. When there is a mismatch, the session is invalidated (via onRequestStart in Application.cfc):

     

    <!--- In onRequestStart of Application.cfc: compare the tokens in the URL with the current session's --->
    <cfif isDefined("url.cfid") and isDefined("url.cftoken")>
        <cfif url.cfid neq session.cfid or url.cftoken neq session.cftoken>
            <!--- mismatch: drop the session and redirect without appending a new token (placeholder URL kept as written) --->
            <cfset sessionInvalidate()>
            <cflocation url="url of login page" addToken="no">
        </cfif>
    </cfif>
</cfif>
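A complete Application.cfc that applies this kind of check is added below as an example; it is not the original poster's code or BKBK's. It differs from the answer above in one respect: because the question reports that a URL carrying CFID/CFTOKEN switches the session, the session scope already belongs to the URL's tokens by the time onRequestStart runs, so this example compares the URL tokens against the caller's own cookie scope instead. It assumes cookie-based sessions (this.setClientCookies = true), an application name of exampleApp and a login page at /login.cfm, all of which are assumptions and not taken from the thread.

```cfml
// Application.cfc (added example, not the original poster's or BKBK's code).
// Assumptions: sessions are cookie-based, the application is called exampleApp,
// and /login.cfm is the login page.
component {

    this.name = "exampleApp";                          // assumed application name
    this.sessionManagement = true;
    this.setClientCookies = true;                      // CFID/CFTOKEN travel in cookies, not URLs
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);

    // Returns true when the query string carries CFID/CFTOKEN values that do not
    // match the tokens in the caller's own cookies (or the caller has no cookies).
    private boolean function urlTokensAreForeign() {
        var hasUrlTokens = structKeyExists(url, "cfid") or structKeyExists(url, "cftoken");
        if (!hasUrlTokens) {
            return false;
        }
        var cookieCfid    = structKeyExists(cookie, "cfid")    ? cookie.cfid    : "";
        var cookieCftoken = structKeyExists(cookie, "cftoken") ? cookie.cftoken : "";
        var urlCfid       = structKeyExists(url, "cfid")       ? url.cfid       : "";
        var urlCftoken    = structKeyExists(url, "cftoken")    ? url.cftoken    : "";
        // A browser with no session cookie at all is also treated as foreign:
        // a URL is never allowed to decide which session a browser belongs to.
        return (urlCfid neq cookieCfid) or (urlCftoken neq cookieCftoken);
    }

    public boolean function onRequestStart(required string targetPage) {
        if (urlTokensAreForeign()) {
            // Invalidate the session the URL pointed at, so a token that leaked into a
            // shared link is burned rather than reused, then redirect to the login page
            // without appending a fresh token to the redirect URL.
            sessionInvalidate();
            location(url = "/login.cfm", addToken = false);
        }
        return true;
    }
}
```

The trade-off is the one the question raises: a client that genuinely has cookies disabled and relies on URL tokens will be redirected to the login page, which is the intended outcome once every cflocation in the application uses addToken="no" and sessions are carried only in cookies.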