[thelist] CFToken, Cookies & Client Management
Jeff
jeff at members.evolt.org
Fri May 12 05:38:28 2000
frank,
:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: From: Frank <framar@interlog.com>
:
: If I've got this right, CF uses two things to keep
: state: Cookies, or URLTokens.
:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
yes, that's exactly right.
:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: Now, If the client uses cookies, I can use them,
: if not, I can use URLTokens.
:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
this is correct. most people that intend to use cookies will first set a
test cookie and then do a check for it. if it exists then the client
accepts cookies. if not, then you'll need to use urltokens to keep their
session active.
:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: Many people surf with cookies off (I do), but with the
: use of URLTokens, the CFID and CFToken are visible in
: the browser's location bar; anyone could bookmark
: a user's login and pass, if they are used for security
: purposes.
:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
don't forget that for a person to bookmark a user's login, they'd have to be
at their computer during their session or have that person email them a link
with the urltoken in it. however, there is something you can do about that
to prevent what is called session hijacking. it's not foolproof as it
relies on you checking the referrer, but it will stop most people.
the logic basically goes something like checking to see if http_referer has
a length and if the http_host is contained within the http_referer. if not,
then cflocation them to the same url they requested without the url token
attached, at which point cf will assign a new urltoken. you'll want to put
this in your application template so that it happens before the requested
template gets processed.
:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: I'm both a security and privacy freak. Is there another
: way of passing the ID & Token with no cookies, and
: no visible URL
:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
you could also do it by posting forms from one page to the next, but that's
an even worse nightmare.
good luck,
.jeff
name://jeff.howden
game://web.development
http://www.evolt.org/
mailto:jeff@members.evolt.org
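The referer check Jeff describes, written out as an Application.cfm fragment. This is an added example and not code from the original post or from evolt.org; the application name is assumed, and the check is applied only when CFID/CFTOKEN actually arrived on the query string, so that a cookie-based visitor with an empty referer (a bookmark or a typed URL) is not bounced in a redirect loop.

```cfml
<!--- Application.cfm: added example of the referer check on URL tokens.
      Assumed: application name "refererCheckDemo"; everything else is
      standard CGI and URL scope data that ColdFusion supplies. --->
<cfapplication name="refererCheckDemo"
               clientmanagement="Yes"
               sessionmanagement="Yes"
               setclientcookies="Yes">

<!--- Only requests that carry the client identifiers on the query string
      can be replayed from a bookmark or a forwarded link; cookie-based
      requests are left alone. --->
<cfset tokenInUrl = IsDefined("URL.CFID") AND IsDefined("URL.CFTOKEN")>

<cfif tokenInUrl>
    <!--- Accept the URL token only if the request was referred from a page
          on this host. The "://host/" form avoids matching a foreign host
          that merely contains our hostname. HTTP_REFERER is supplied by the
          client and is often empty, so this is a deterrent, not a guarantee. --->
    <cfset referredLocally = Len(Trim(CGI.HTTP_REFERER)) GT 0 AND FindNoCase("://" & CGI.HTTP_HOST & "/", CGI.HTTP_REFERER) GT 0>

    <cfif NOT referredLocally>
        <!--- Rebuild the query string without CFID/CFTOKEN so that CF issues
              a fresh pair on the next request instead of honoring the old one. --->
        <cfset cleanQuery = "">
        <cfloop list="#CGI.QUERY_STRING#" index="pair" delimiters="&">
            <cfif NOT ListFindNoCase("CFID,CFTOKEN", ListFirst(pair, "="))>
                <cfset cleanQuery = ListAppend(cleanQuery, pair, "&")>
            </cfif>
        </cfloop>

        <!--- Send the visitor back to the same template they asked for. --->
        <cfset target = CGI.SCRIPT_NAME>
        <cfif Len(cleanQuery)>
            <cfset target = target & "?" & cleanQuery>
        </cfif>

        <!--- addtoken="No": letting cflocation re-append CFID/CFTOKEN would
              hand the old identifiers straight back to the client. --->
        <cflocation url="#target#" addtoken="No">
    </cfif>
</cfif>
```

Because the redirect target no longer carries CFID/CFTOKEN, the follow-up request skips the check entirely, so a visitor with no referer at all is redirected at most once. Any visitor who arrives through a bookmarked or emailed token link loses that token on the first hit and is handed a new, empty client record.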