CFID and CFTOKEN being duplicated among clients


KevinFSI

Programmer
Nov 17, 2000
582
US
Ran into this a while ago and need to make sure it's fixed before releasing this app.

Someone e-mailed another user the URL string from a page he was looking at. In that URL string was HIS CFID and CFTOKEN values. When the recipient of the e-mail clicked on the link in the message, the server assigned THOSE CFID and CFTOKEN values (from the first dude) to the second dude.

Here's what happens now. They both have identical CFID and CFTOKEN. When one logs in, he's fine. When the second guy logs in he gets the first guy's information. This is not good.

I have since set all ADDTOKEN attributes to NO in my CFLOCATION tags, which should prevent this from happening in the future, but before I release this app, I want to make sure there aren't more clients out there with the same ID and TOKEN values. Is there a way I can do this? Also, should I purge their CFID and CFTOKEN values on my logout page...just in case???

Thanks in advance, Kevin
slanek@ssd.fsi.com

"Life is what happens to you while you're busy making other plans."
- John Lennon
 
This is a known issue with tokens that are visible in the URL. I always say no to adding tokens.

It is called "hijacking a session".... and a serious problem if you use client variables stored in the database.

That is why I stick with session variables. It is a common problem.
David McIntosh

Let me know if this post helped you...
Please click below: "This Post was Helpful"
 
Yes, but the problem is, those session variables are tied to the CFID and CFTOKEN that the server sees for each user. When more than one person has the same ID & TOKEN values, everyone will see the same session vars.

This has been duplicated and verified.

Kevin
slanek@ssd.fsi.com

"Life is what happens to you while you're busy making other plans."
- John Lennon
 
This isn't a "bug" at all. If you aren't relying on cookies to pass the cfid and cftoken, little can be done about users sharing URLs. This is true for every language that is used in a web environment that passes a session identifier through the URL; whether it's encrypted or not doesn't matter since the link can be cut and pasted into an email or another browser session.

-Tek
 
Actually you can. You can exclude the CFID and CFTOKEN from the URL string by saying:
Code:
<CFLOCATION ADDTOKEN="NO" ...>
which prevents users from sharing these values.

What is a bug is if they do become the same client, indistinguishable by the server, then one user will always see another user's session variables. Here's the test I did to prove this:
-----------------------------------------------------------
User1 & User2 are both independent clients. I e-mail a URL with CFID & CFTOKEN included, from User1 to User2. Now, with debugging on, I can see that both users have identical CFID & CFTOKEN values.

Now, I log both clients off my app. I log User1 on, session variables are set for that user.

Then I log User2 on. User2 does not have session variables set, rather he sees User1's vars.

I have an IF statement which states:
Code:
<CFIF Not(IsDefined("session.empInfo"))>
This prevents the session variables from being set every single time the user accesses the page. There's no need to set them if they already exist, see?

The problem is, when User2 logs in after User1, that IF statement looks to see if that session var exists for the user with his CFID & CFTOKEN values, and it does! The only way for the server to know who is who is by CFID & CFTOKEN and when User1 hits that page and gets those values set, the server doesn't realize that it is a completely different client when User2 logs on.

To verify this test, I switched which user logs on first and the results were the same. If User2 was first to log in, User1 saw his name, employee number, etc...
-----------------------------------------------------------

See?

Kevin
slanek@ssd.fsi.com

"Life is what happens to you while you're busy making other plans."
- John Lennon
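As an added illustration of the test described in the post above (this is not code from the thread or from ColdFusion, and the class and function names are my own), here is a small Python model of a server that keys session variables by a (CFID, CFTOKEN) pair and lets a pair carried in the URL overwrite the client's cookie. It reproduces the "second user sees the first user's empInfo" result with the IsDefined-style login, then shows a hardened login that rotates the identifier at authentication and overwrites the variables unconditionally.

```python
# Added example, not code from the thread. Models CFID/CFTOKEN session
# handling well enough to reproduce the shared-session test and show the fix.
import secrets


class Client:
    """A browser: remembers at most one (CFID, CFTOKEN) cookie pair."""

    def __init__(self):
        self.cookie = None


class Server:
    """Keeps session variable structs keyed by (CFID, CFTOKEN)."""

    def __init__(self):
        self.sessions = {}
        self._next_cfid = 1000

    def new_pair(self):
        self._next_cfid += 1
        return (str(self._next_cfid), secrets.token_hex(4))

    def request(self, client, url_cfid=None, url_cftoken=None):
        """Resolve the session for one request and return its variable struct.

        A pair present in the URL overwrites the client's cookie; that is how
        clicking the emailed link gave User2 User1's identifiers.
        """
        if url_cfid is not None and url_cftoken is not None:
            client.cookie = (url_cfid, url_cftoken)
        if client.cookie is None:
            client.cookie = self.new_pair()
        return self.sessions.setdefault(client.cookie, {})


def login_vulnerable(server, client, username):
    """Mirrors <CFIF Not(IsDefined("session.empInfo"))>: set only if absent."""
    sess = server.request(client)
    if "empInfo" not in sess:
        sess["empInfo"] = {"name": username}
    return sess["empInfo"]["name"]


def login_hardened(server, client, username):
    """Clear whatever struct the incoming pair maps to, issue a fresh pair,
    and always write empInfo for the user who just authenticated."""
    server.request(client).clear()            # like StructClear(session)
    server.sessions.pop(client.cookie, None)
    client.cookie = server.new_pair()         # new CFID/CFTOKEN for this login
    sess = server.request(client)
    sess["empInfo"] = {"name": username}
    return sess["empInfo"]["name"]


def app_logout(server, client):
    """Application-level logout: drops the session struct but, as with a
    persistent cookie, leaves the CFID/CFTOKEN pair on the client."""
    server.sessions.pop(client.cookie, None)


def reproduce(login):
    """Run the two-user test with the given login function."""
    server = Server()
    user1, user2 = Client(), Client()
    server.request(user1)                     # User1 browses and gets a pair
    cfid, cftoken = user1.cookie
    server.request(user2, cfid, cftoken)      # User2 clicks the emailed link
    assert user1.cookie == user2.cookie       # both clients now identical
    app_logout(server, user1)
    app_logout(server, user2)
    seen_by_user1 = login(server, user1, "alice")
    seen_by_user2 = login(server, user2, "bob")
    return {
        "user1": seen_by_user1,
        "user2": seen_by_user2,
        "same_pair": user1.cookie == user2.cookie,
    }


if __name__ == "__main__":
    print("vulnerable:", reproduce(login_vulnerable))
    print("hardened:  ", reproduce(login_hardened))
```

With the IsDefined-style login, the second user to log in is handed the first user's empInfo because both clients resolve to the same struct; with the hardened login each user ends up on a distinct pair and sees only their own data. Turning off ADDTOKEN stops new pairs leaking into URLs, but it does nothing for clients that already share a pair, which is why the rotation at login matters.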
 
If you don't pass the CFID and CFTOKEN somehow, either by cookies or URL, and if you are using session variables, you will not be able to access session variables on the page that doesn't have the CFID and CFTOKEN passed to it, no matter what. By setting addtoken="no", you are effectively disabling the use of session variables specific to the user in question. If you can still access variables specific to a user's session after setting addtoken="no", then CFID and CFTOKEN are still getting passed -- most likely by cookies. There is no way for ColdFusion to maintain state without these variables being passed to EACH and EVERY page.

What I am sure is happening in your case is that CFID and CFTOKEN are being passed via cookies as well. The problem is that your sessions aren't timing out; all that is happening is that you are closing the browser and re-opening it, and the CFID and CFTOKEN cookies still exist. You need to log a user out either by clearing all of his session variables using StructClear(session), or by deleting specific session variables using StructDelete() that are used for authentication purposes. Also you have to set browser "session" cookies, so if the user were to log out, the CFID and CFTOKEN cookies would be deleted, since they are good only for the browser session (until the window is closed). You can do this by re-setting the CFID and CFTOKEN cookies on each page request (most likely in the Application.cfm template) by omitting the expiration date for said cookies.

-Tek
 
I think there's some miscommunication here.

Yes, the CFID & CFTOKEN are cookies and are not being passed via URL string.

The problem is, if the user clicks on a link in an e-mail in which the URL string has the other user's CFID and CFTOKEN values, then that user's cookie gets reset with the other user's values. Now you have two users with the same CFID & CFTOKEN values stored in cookies on their machines.

I have made it so the CFID & CFTOKEN aren't passed in the URL string, but I'm wondering if there's any way for me to know how many clients I have out there with the same ID & TOKEN values as some other client.

Thanks a bunch for working with me on this. Kevin
slanek@ssd.fsi.com

"Life is what happens to you while you're busy making other plans."
- John Lennon
 
To address the problem of finding out how many people are using the same link, you could try to make a list of their ip addresses, but it depends on if they are all going through a proxy or not (either via AOL or a company proxy). That way you can get a better idea of how many different people are using the same CFID and CFTOKEN.

As long as you are using cookies to pass CFID and CFTOKEN, there is never a need to pass those any other way. Using the addtoken attribute with cflocation is only for when you aren't passing CFID and CFTOKEN through cookies and you need to pass them through the URL. Otherwise, cflocation without addtoken="yes" won't break the application if you are passing these values via cookies.

-Tek
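As an added example of the approach suggested in the post above (scanning for CFID/CFTOKEN pairs that were used from more than one client), here is a Python script that reads combined-format web server access log lines, pulls CFID and CFTOKEN out of each request's query string, and reports any pair seen from more than one (client address, User-Agent) combination. The log lines are constructed for the example; the regular expression and the function names are mine, not from the thread. It only catches pairs that travelled in the URL, so it is a retrospective check on logs written while ADDTOKEN was still on; once tokens live only in cookies they no longer appear in a standard access log.

```python
# Added example, not code from the thread. Finds CFID/CFTOKEN pairs that
# appear in URLs from more than one client in a combined-format access log.
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "method url proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: one pair (1234/56789012) used from two different machines.
SAMPLE_LOG = """\
10.1.2.3 - - [17/Nov/2000:09:12:01 -0500] "GET /app/menu.cfm?CFID=1234&CFTOKEN=56789012 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"
10.1.2.3 - - [17/Nov/2000:09:12:05 -0500] "GET /app/report.cfm?CFID=1234&CFTOKEN=56789012&id=7 HTTP/1.1" 200 8800 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"
10.1.9.8 - - [17/Nov/2000:10:40:17 -0500] "GET /app/report.cfm?CFID=1234&CFTOKEN=56789012&id=7 HTTP/1.1" 200 8800 "-" "Mozilla/4.7 [en] (WinNT; I)"
10.1.5.5 - - [17/Nov/2000:10:41:00 -0500] "GET /app/menu.cfm?CFID=1235&CFTOKEN=11112222 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"
10.1.5.5 - - [17/Nov/2000:10:42:00 -0500] "GET /app/menu.cfm HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"
"""


def token_pair(url):
    """Return (cfid, cftoken) from a request URL's query string, or None."""
    query = {k.lower(): v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "cfid" in query and "cftoken" in query:
        return (query["cfid"], query["cftoken"])
    return None


def shared_pairs(lines):
    """Map each (CFID, CFTOKEN) pair seen from more than one client to the
    set of (ip, user_agent) tuples that used it."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in combined format
        pair = token_pair(m.group("url"))
        if pair is not None:
            seen[pair].add((m.group("ip"), m.group("ua")))
    return {pair: clients for pair, clients in seen.items() if len(clients) > 1}


if __name__ == "__main__":
    for pair, clients in shared_pairs(SAMPLE_LOG.splitlines()).items():
        print("CFID=%s CFTOKEN=%s used by %d clients:" % (pair[0], pair[1], len(clients)))
        for ip, ua in sorted(clients):
            print("   ", ip, ua)
```

Keying on the address together with the User-Agent gives a little more separation than the address alone when several users sit behind one proxy (the AOL or company-proxy case raised above), but it is still only a heuristic: two users behind the same proxy with the same browser build will look like one client, and one user on two machines will look like two.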
 