CFTOKEN/CFID SESSION Issues

Participant, May 31, 2022


We are having issues where CFTOKEN and CFID are being passed between our users. When one user clicks on these links their session switches to the sender of the URL. 

How can I prevent this?

I was going to add something to the application.cfc like this.
<cfif (CGI.QUERY_STRING) CONTAINS "CFTOKEN">
<cflocation url="Log User out and go to the login screen">
</cfif>
But I am worried that users may legitimately have CFTOKEN and CFID in their working URLs and it would kick them out in that scenario. Though we have added cftoken="no" in all of our cflocation tags.

What is the best way to deal with this issue, where sessions sometimes (?) are changed when a URL with cftoken or cfid is in the URL?

Correct answer

Community Expert, Jun 05, 2022

I am thinking along the same lines as you. But I would validate by comparing the keys in the URL scope with those in the session scope. When there is a mismatch, the session is invalidated (via onRequestStart in Application.cfc):

<cfif isDefined("url.cfid") and isDefined("url.cftoken")>
	<cfif url.cfid neq session.cfid or url.cftoken neq session.cftoken>
		<cfset sessionInvalidate()>
		<cflocation url="url of login page" addToken="no">
	</cfif>
</cfif>
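The check from the accepted answer, carried into a complete script-style Application.cfc as an added example (this is not code from the thread). The application name and the /login.cfm path are assumptions; the session-cookie attributes require ColdFusion 10 or later.

```cfml
// Application.cfc (script syntax). Added example; assumes CF10+.
component {
    this.name              = "MyApp";                       // assumed application name
    this.sessionManagement = true;
    this.sessionTimeout    = createTimeSpan(0, 0, 30, 0);
    this.setClientCookies  = true;
    // Keep the CFID/CFTOKEN cookies unreadable by script and off plain HTTP,
    // so the identifiers are less likely to end up copied into a shared URL.
    this.sessionCookie = { httpOnly = true, secure = true };

    boolean function onRequestStart(required string targetPage) {
        if (structKeyExists(url, "cfid") || structKeyExists(url, "cftoken")) {
            // A URL carrying only one of the two identifiers is treated like
            // a mismatched pair: the missing value is compared as "".
            var urlCfid    = structKeyExists(url, "cfid")    ? url.cfid    : "";
            var urlCftoken = structKeyExists(url, "cftoken") ? url.cftoken : "";

            // session.cfid/session.cftoken are whatever identifiers ColdFusion
            // used to resolve this request's session. Verify on your server that
            // a request carrying foreign identifiers in the URL still resolves
            // to the cookie-based session; if it does not, compare against
            // cookie.cfid/cookie.cftoken here instead of the session scope.
            if (identifiersMismatch(urlCfid, urlCftoken, session.cfid, session.cftoken)) {
                // Discard the session the request landed in and return to the
                // login page without re-appending CFID/CFTOKEN to the redirect.
                sessionInvalidate();
                location(url = "/login.cfm", addToken = false);  // assumed login path
            }
        }
        return true;
    }

    // Kept as a pure function so it can be unit tested without a request.
    // compare() is case-sensitive, so "abc" and "ABC" count as different tokens.
    private boolean function identifiersMismatch(required string urlCfid,
                                                 required string urlCftoken,
                                                 required string ownCfid,
                                                 required string ownCftoken) {
        return compare(urlCfid, ownCfid) != 0 || compare(urlCftoken, ownCftoken) != 0;
    }
}
```

Pair this with addToken="no" on every cflocation (as the question already does) and call sessionRotate() right after a successful login, so identifiers that were visible before authentication no longer address the authenticated session.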
Community Expert, Jun 10, 2022

Did that help?
