We are having issues where CFTOKEN and CFID are being passed between our users. When one user clicks on these links their session switches to the sender of the URL.
How can I prevent this?
I was going to add something to the application.cfc like this.
<cfif (CGI.QUERY_STRING) CONTAINS "CFTOKEN">
<cflocation url="Log User out and go to the login screen">
But I am worried that users may legitimately have CFTOKEN and CFID in their working URLs and it would kick them out in that scenario. Though we have added cftoken="no" in all of our cflocation tags.
What is the best way to deal with this issue where sessions sometimes (?) are changed when a URL with cftoken or cfid is in the URL.
I am thinking along the same lines as you. But I would validate by comparing the keys in the URL scope with those in the session scope. When there is a mismatch, the session is invalidated (via onRequestStart in Application.cfc):
<cfif isDefined("url.cfid") and isDefined("url.cftoken")> <cfif url.cfid neq session.cfid or url.cftoken neq session.cftoken> <cfset sessionInvalidate()> <cflocation url="url of login page" addToken="no"> </cfif> </cfif>
Did that help?