CFID & CFTOKEN added to URL by CF

CF automatically appends CFID & CFTOKEN to the URL when
using <div <span with id = a variable.
They are not appended when a constant is used.
I do not want these to be displayed unless I append them
myself.
Is this a CF bug, or can I change my code somehow?
I display a variable number of rows, so using a constant is
not a solution.
And, I use client and session variables throughout my app.
Please help me. Thanks a bunch.
<cfapplication name="myApp" sessiontimeout="20"
sessionmanagement="Yes"
setclientcookies="Yes" clientmanagement="Yes">
This is BAD ...
URL with the following code:
abc/action.cfm?CFID=1851&CFTOKEN=76141078
<div id="#style#">
<span id="#style#"
onclick="location.href='abc/action.cfm'">
<table><tr><td>info</td></tr></table>
</span>
</div>
This is GOOD ...
URL with the following code: abc/action.cfm
<div id="1001">
<span id="1001"
onclick="location.href='abc/action.cfm'">
<table><tr><td>info</td></tr></table>
</span>
</div>

Greetings Steve and other URLSessionFormat fans.
The remote file of a XMLHttp request (Spry) among other
things is trying to set two sessions.variables.
I have been told that if the remote file doesn't know the
session CFID & CFTOKEN the new session variables will not be
recognized, and to avoid that I should use URLSessionFormat.
Now, my original Spry request looks like this:
var request_URL
="/petitions/client/remote/authenticate.cfm?username="+uName+"&password="+uPass;
Spry.Utils.loadURL("GET", request_URL, false, authBack);
which returns values as expected but does not set the session
variables, so I combine it with URLSessionFormat, like this:
var request_URL =
'#URLSessionFormat("/petitions/client/remote/authenticate.cfm?username='+uName+'&password='+uPass+'")#';
The variable "request_URL" will render:
"/petitions/client/remote/authenticate.cfm;jsessionid=7e301d2f98475b4d5f10?username="+uName+"&password="+uPass&CFID=300&CFTOKEN=11985066"
which causes Spry to catch an exception while loading the url
and the request fails altogether.
Please note the " ; " semicolon sign between the filename
"authenticate.cfm" and "jsessionid=" which is not like
CF7.1 example
"myactionpage.cfm?jsessionid=xxxx;cfid=xxxx&cftoken=xxxxxxxx"
found in livedocs.
Is either my code, macromedia example, or both wrong?
Or maybe it needs some tweaking and fixing to replace the
semicolon and put the question mark in the right place?
Pulling quite a few hairs here. Thanks for helping.

Similar Messages

  • CFID CFTOKEN URL 404 ERROR

    We have a program that was written by a programmer who is no longer with us.  When I go to log in to the program for the first time, after I put in my username and password and hit sign in I receive a "404 - File or directory not found error."  All I do is hit the back button and login again and it logs me in just fine.  I noticed when the error appears I'm getting a CFID and CFTOKEN added to the end of the URL.  When I'm able to login successfully it just takes me straight to index.cfm
    Can anyone tell me why it's doing this and how to fix it?  It's just annoying to have to log in twice every time.  Thanks

    codyw725 wrote:
      I noticed when the error appears I'm getting a CFID and CFTOKEN added to the end of the URL.  When I'm able to login successfully it just takes me straight to index.cfm
    There are potentially 4 URLs involved here:
    1. The URL to which the CFID and CFToken are appended;
    2. The action page of the login form (Look into the code);
    3. The page to which the user is sent when the login fails;
    4. The index.cfm page.
    It would be of interest to know whether 1. and 2., or whether 1. and 3., refer to the same page.

  • Cfid & cftoken keep resetting every time the page refreshes!!!!

    I need some assistance.  I have setup several CF applications and never had any issues with session/application management.  However this time around every time I refresh the page it gives me a new cfid and cftoken.  Obviously it won't allow me to keep my session and I get redirected to the log in page.  Here is how I am setting up my application.  Does anyone see any issues with this?
    <cfscript>
    This.name = 'ApplicationName';
    this.clientmanagement="no";
    This.sessionManagement = "yes";
    This.applicationtimeout = CreateTimeSpan(0,1,0,0);
    This.sessionTimeout = CreateTimeSpan(0,0,20,0);
    This.scriptProtect="All";
    This.setclientcookies = "no";
    This.setdomaincookies = "no";
    </cfscript>
    Side question, when is the cfid and cftoken supposed to change?  When I land on the page for the first time before I log in the cfid & cftoken get set.  That will be the same cfid & cftoken for the full session.  Then the cfid & cftoken gets dropped once the application has timed out?  (maybe a dumb question...)
    Please Help!!!

    If you setclientcookies to be FALSE ("no", whatever), then you need to deal with the CFID & CFTOKEN values yourself (generally by passing them on every URL in your site).  Which is a right PitA.
    Are you sure you meant to set it to FALSE?
    Adam

  • CFID & CFTOKEN

    Hi there,
    I’m creating a cart & payment system using
    Coldfusion MX 6.1. I have two application servers which are load
    balanced. So I cannot use sessions to track user logins and other
    variables because if the load balancer diverts a request to the
    other server where the session does not exist then the person will
    be logged out.
    So I’m forced to use client variables. I’m
    against using cookies for better security. So the option left for
    me is store client variables in database. So I’m using the
    help of CFID & CFTOKEN to track logins and store client
    variables in database.
    Now the problem is I’m using URLSessionFormat function
    to pass CFID & CFTOKEN to all pages after login. I have
    following problems:
    1) If I copy the URL, which contains the CFID & CFTOKEN,
    close the browser and paste it in another browser window – it
    opens up the page with out any authentication.
    2) If I copy and paste the same URL on a browser window in
    another PC, it works.
    These two scenarios fail my security to the application. Can
    anyone please advice a way to kill the CFID & CFTOKEN on
    browser close or some mechanism to stop this occurring?
    Any help is greatly appreciated.
    Many thanks / Manu.
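
The copy-and-paste replay described in this question leaves traces in web server logs. The following is an added example, not code from any poster on this page: it scans combined-format access-log lines for CFID/CFTOKEN and jsessionid values carried in request URLs or Referer headers, and reports any session used from more than one client address. The log lines, host names and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format), reusing the token values
# quoted on this page. Hosts, paths and addresses are made up for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2008:10:01:02 +0000] "GET /cart/view.cfm?CFID=300&CFTOKEN=11985066 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2008:10:01:40 +0000] "GET /cart/pay.cfm;jsessionid=7e301d2f98475b4d5f10?CFID=300&CFTOKEN=11985066 HTTP/1.1" 200 734 "http://shop.example/cart/view.cfm?CFID=300&CFTOKEN=11985066" "Mozilla/5.0"
192.0.2.77 - - [12/Mar/2008:10:09:13 +0000] "GET /cart/pay.cfm?cfid=300&cftoken=11985066 HTTP/1.1" 200 734 "-" "Opera/9.2"
10.0.0.9 - - [12/Mar/2008:10:10:00 +0000] "GET /index.cfm HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# J2EE sessions are appended to the path as ";jsessionid=..." before the "?".
JSESSION_RE = re.compile(r";jsessionid=([^;?#/]+)", re.IGNORECASE)


def session_tokens(url):
    """Return the session identifiers carried in a URL or Referer value."""
    found = {}
    parts = urlsplit(url)
    match = JSESSION_RE.search(parts.path)
    if match:
        found["jsessionid"] = match.group(1)
    # Some documented forms separate query parameters with ";" as well as "&".
    query = parse_qs(parts.query.replace(";", "&"))
    lowered = {name.lower(): values[0] for name, values in query.items()}
    for name in ("cfid", "cftoken", "jsessionid"):
        if name in lowered:
            found[name] = lowered[name]
    return found


def session_key(tokens):
    """Identify the session: the CFID/CFTOKEN pair if present, else jsessionid."""
    if "cfid" in tokens and "cftoken" in tokens:
        return ("cfid/cftoken", tokens["cfid"], tokens["cftoken"])
    if "jsessionid" in tokens:
        return ("jsessionid", tokens["jsessionid"])
    return None


def analyse(log_text):
    """Return (exposures, shared).

    exposures: (client ip, field, tokens) for every URL that carries a token
    shared:    {session key: sorted client ips} for sessions seen from >1 ip
    """
    exposures = []
    ips_by_session = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        for field in ("target", "referer"):
            tokens = session_tokens(match.group(field))
            if not tokens:
                continue
            exposures.append((match.group("ip"), field, tokens))
            key = session_key(tokens)
            if field == "target" and key is not None:
                ips_by_session[key].add(match.group("ip"))
    # More than one address is a lead to investigate, not proof: NAT and
    # mobile networks can also move a legitimate user between addresses.
    shared = {k: sorted(v) for k, v in ips_by_session.items() if len(v) > 1}
    return exposures, shared


if __name__ == "__main__":
    found, reused = analyse(SAMPLE_LOG)
    print(len(found), "URLs carrying session tokens")
    for key, ips in reused.items():
        print("session", key, "used from", ", ".join(ips))
```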

  • Missing session variables and multiple CFID/CFTOKEN

    We are using ColdFusion 9.0.1 and have recently started to experience some sporadic behavior in our applications. These applications have worked without error for over 6+ years and have not been modified during this time.
    Over the past couple of weeks, we have been receiving calls in regards to users not being able to login and receiving errors when performing various actions.  We have put troubleshooting measures in place that display values when this occurs.
    We have noticed that when the errors occur, there are multiple CFID/CFTOKEN COOKIE values. Additionally, session variables are being dropped (during simple tasks such as going from one screen to the next).  These errors do not occur for the majority of users and have primarily occurred in Internet Explorer, but we have had some instances in other browsers.  In most instances, if the user switches browsers, the same application works fine for them.
    In one particular case, we have a <cfif> tag in the application.cfm file that checks for “session.user_id”.  If it doesn’t exist, the user is directed to a login page using the <cflocation> tag. When experiencing the problem, users are continuously going back to the login screen because the system is saying that the session variable does not exist.
    When working with one user who was experiencing this problem, we were able to remedy the problem by adding “addtoken=’yes’” to the cflocation tag.  ** We do not prefer to do this for security reasons.
    Rather than go through each application and try to “band-aid” each instance that occurs, can anybody offer some suggestions on why this behavior recently began and how we may be able to globally address it?

    My immediate guess is that there is faulty logic in the code that updates the value of session.user_id. Apparently, one of the following scenarios might be happening.
    Coldfusion creates a session, X, say. Session.user_id is as yet undefined, so ColdFusion cflocates the user to the login page. The user logs in, still within session X. His session.user_id is set.
    Suppose, for whatever reason (and I know of at least two), the session drops. The user's very next request will make ColdFusion create a new session, Y, say. Under session Y, the variable session.user_id, which corresponded to session X, will no longer exist. So ColdFusion cflocates the user to the login page. This cycle will of course repeat if left uncorrected.
    Another possible scenario is that the variable session.user_id is not set at all, or is set in the context of a new session. I am assuming that the login page is a form. Then login validation occurs at the action page of the form. Presumably the variable session.user_id is set at this action page. If so, then perhaps ColdFusion fails to set this variable, or a new session is created as the request goes from the login-form page to the action page.
    The 2 main reasons why a session drops are 1) it times out, 2) a new request starts a new session. Hence the following suggestions.
    1) Is your sessionTimeout value low, say, just a few minutes? If so, increase it to 20 minutes.
    2) Remember that the default behaviour of ColdFusion is to start a new session at every request. Use cflogin and cfloginuser together with loginStorage="session". Cflogin executes only if there is no logged in user, irrespective of the session. Therefore, getAuthUser() is a better authentication test than session.user_id.
    3) Use Application.cfc in place of Application.cfm. In particular, the CFC offers you more fine-grained control over the beginning and end of sessions.

  • Instantiating module File could not be added at URL - Sandbox solution

    I have a feature in a Sandbox solution in SharePoint 2010 that provisions pages into the Pages library.  It looks like this:
    <?xml version="1.0" encoding="utf-8"?>
    <Elements xmlns="http://schemas.microsoft.com/sharepoint/">
    <Module Name="Pages" Path="Pages" Url="Pages" RootWebOnly="TRUE" >
    <File Url="Benefit.aspx" Path="Benefit.aspx" Type="GhostableInLibrary" IgnoreIfAlreadyExists="FALSE">
    <Property Name="Title" Value="Step 1: What is the benefit?" />
    <Property Name="BrowserTitle" Value="Step 1: What is the benefit?" />
    <Property Name="PublishingPageLayout" Value="~SiteCollection/_catalogs/masterpage/BlankPageLayout.aspx, Core Blank Page" />
    </File>
    </Module>
    </Elements>
    This works fine most of the time but if the page is checked out and I deactivate and reactivate the sandbox solution, I get the following error message in the logs:
    Instantiating module "Pages": File could not be added at URL "Benefit.aspx":
    If I discard the check out and try again it works.
    Anyone got any ideas?
    Caroline

    The file Benefit.aspx looks like this:
    <%@ Page Inherits="Microsoft.SharePoint.Publishing.TemplateRedirectionPage,Microsoft.SharePoint.Publishing,Version=14.0.0.0,Culture=neutral,PublicKeyToken=71e9bce111e9429c" %>
    <%@ Reference VirtualPath="~TemplatePageUrl" %>
    <%@ Reference VirtualPath="~masterurl/custom.master" %>
    Caroline

  • Adding Custom URLs to the Dashboard with variable ?

    Hello Everyone,
    I can add url in the dashboard...
    refer to http://oraclebizint.wordpress.com/2008/01/31/oracle-bi-ee-101332-adding-custom-urls-to-the-dashboard/
    My Step is :
    1. Go to {OracleBI}\web\msgdb\messages and copy the file commonuitemplates.xml to {OracleBIData}\web\msgdb\customMessages (if you dont have this folder create a new one). Now open this file in a text editor
    2. Search for the web message kuiMainBarActionsTable and add the below listed lines immediately after the tr tag
    <!--
    <td class="DashBarProductCell"><a href="http://xxx:7777/pls/apx/f?p=104:42:::::P0_USER:[bAdministrator" target="@{target}" onclick="saw.closeChildWindows();">Log Out</a></td>
    -->
    I try to change "Administrator" with session variable => session.currentUser.id
    Does anyone know how to change it?

    Can you try this "session.serverVariables.VARIABLENAME"

  • Viewing active sessions (cfid/cftoken or J2EE sessionid)?

    Hello... is it possible to view the active sessions, whether cfid/cftoken or the J2EE sessionid for any given site on my server? I believe you can store client variables in a datasource, but I don't believe you can do this with the cfid/cftoken or J2EE sessionid correct? I'd really like to be able to query these values. I'm using CF 7.02 now but will be moving to CF 9, so if it's a feature there that'd be great.

    You can do it per application... but I'm not sure if there's a way of pulling out all the applications running on a given server.  The last time I looked for that sort of thing, I seem to recall not finding it (that's not to say it's not there: I just couldn't find it!).
    But for all sessions within an application: do a google on "cf sessiontracker".  Various people have blogged about how to do what you need (if not exactly what you need, then enough to get you going in the right direction).
    I thought I had some sample code that demonstrates it, but I don't :-(
    Adam

  • Adding a URL to BSP Page

    Hello,
    I want to add an URL to the BSP page, could anyone give me insights on this.
    -Kewl

    By adding a URL, do you mean that you want a link to another URL?  You could always use a plain HTML <a href>.  Or you could use the HTMLB extension <htmlb:link>.  Examples of the HTMLB elements can be found in the sample app SBSPEXT_HTMLB and HTMLB_SAMPLES. 
    On the other hand are you needing help building a URL to another BSP application?  Or perhaps did your question have to do with navigation between pages or applications?

  • JSessionID, CFId/CFToken-Which is predictable?

    I have results from our new and improved PCI scan and it
    comes up with one Medium risk vuln.
    Description: The remote web application is using predictable
    cookie-based session IDs. Ideally, session IDs are randomly
    generated numbers that cannot be guessed by attackers. If the
    session ID is predictable, an attacker could hijack an active
    victim's session, allowing the attacker to interact with the server
    as though they were the victim. If the session ID is used to track
    the state of authentication, the session ID of an authenticated
    user could be guessed, bypassing any need for a username or
    password. In the case of this server, the session ID was found to
    have an insignificant number of changes between session IDs, which
    makes guessing very easy.
    Remediation: The software needs to be either configured or
    modified to generate random session IDs.
    I currently have enabled
    Use J2EE session variables
    Assuming I'm getting flagged because of cfid/cftoken
    predictability I've setClientCookies = "no" and
    clientmanagement="no" and restarted the service and everything
    seems to be working with jsessionids alone... are there any
    pitfalls to watch out with not using cfid/cftoken?
    basic question before I pay for another scan is:
    I was under the impression that jsessionids were the most
    secure and a better alternative than cfid/cftoken. Is that not the
    case?
    EDIT: The scan occurred before I made the client variable
    changes to the application.cfm (so I had both jsessionid and
    cfid/cftoken being set) As of now only jsessionid is being set

    based on what OWASP has to say
    OWASP says
    "Best practice calls for J2EE session management. In the
    event that only ColdFusion session management is available, strong
    security identifiers must be used. Enable this setting to change
    the default 8-character CFToken security token string to a UUID.
    http://www.owasp.org/index.php/Configuration"
    It looks like the J2EE sessions are the way to go.
    I believe the reason for the PCI flag is that the scan (at
    least the one from the service we use) was looking at CFID alone. I
    assume this because cftoken -was- set to use uuid so it should have
    been secure. The scan probably doesn't know that cfid and cftoken
    are used in conjunction. So in a way this is a false positive.
    Based on the new standards coming in it is enough to be out of
    compliance.
    solution to be in compliance is to set clientmanagement="no"
    and setclientcookies="no" in application.cfm so that cfid and
    cftoken are not set at all. By using only the jsessionid, you are
    following best practices from OWASP and also get the benefits of
    session end on browser close
    Other thoughts still welcome
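
One way to confirm the change before a rescan, as an added example that is not from the posts above: it audits Set-Cookie response headers for leftover CFID/CFTOKEN cookies, a numeric (non-UUID) CFTOKEN and persistent expiry, and goes slightly beyond the thread by also checking the HttpOnly and Secure flags. The header values, issue codes and function names are constructed for illustration.

```python
# Constructed response headers as they might look before the Application.cfm
# change (both cookie families set) and after it (jsessionid only).
BEFORE = [
    "Content-Type: text/html",
    "Set-Cookie: CFID=1851; expires=Sun, 27-Sep-2037 00:00:00 GMT; path=/",
    "Set-Cookie: CFTOKEN=76141078; expires=Sun, 27-Sep-2037 00:00:00 GMT; path=/",
    "Set-Cookie: JSESSIONID=7e301d2f98475b4d5f10; path=/",
]
AFTER = [
    "Content-Type: text/html",
    "Set-Cookie: JSESSIONID=7e301d2f98475b4d5f10; Path=/; HttpOnly; Secure",
]

SESSION_COOKIES = {"cfid", "cftoken", "jsessionid"}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    value = header.split(":", 1)[1].strip()
    first, *rest = [part.strip() for part in value.split(";")]
    name, _, cookie_value = first.partition("=")
    attributes = {}
    for part in rest:
        key, _, attr_value = part.partition("=")
        attributes[key.strip().lower()] = attr_value.strip()
    return name.strip(), cookie_value.strip(), attributes


def audit(headers):
    """Return a list of (cookie name, issue code) for session cookies."""
    findings = []
    for header in headers:
        if not header.lower().startswith("set-cookie:"):
            continue
        name, value, attrs = parse_set_cookie(header)
        lname = name.lower()
        if lname not in SESSION_COOKIES:
            continue
        if lname in ("cfid", "cftoken"):
            # clientmanagement/setclientcookies are still in effect somewhere
            findings.append((name, "client_cookie_set"))
        if lname == "cftoken" and value.isdigit():
            # Heuristic: an all-digit token means the UUID setting is not active
            findings.append((name, "numeric_token"))
        if "expires" in attrs or "max-age" in attrs:
            # Persistent cookie: the identifier outlives the browser session
            findings.append((name, "persistent"))
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append((name, "missing_" + flag))
    return findings


if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        results = audit(headers)
        print(label, "->", results if results else "no findings")
```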

  • Adoption of CFID/CFTOKEN from request for new session

    Hi
    We've noticed that ColdFusion automatically uses CFID/CFTOKEN
    from the request, if there's no session available for this token
    combination and ColdFusion creates a new session. Is there a way to
    tell ColdFusion that it shouldn't use the values from the request
    but generate a pair of its own?
    Regards
    Sargon

    10.12 is the latest and greatest SW version for the device (from mid-2010). 
    I'm sad to say, but this device model has been out of production already for a long while and no new SW releases can be expected. Also some of the things you listed are such, which would not even be fixable by new SW version, but would require other changes.
    you could probably try updating e.g. the browser app to a newer version via http://download.browser.ovi.com.
    http://www.microsoft.com/en/mobile/nokia-x-updates/
    http://www.microsoft.com/en/mobile/nokia-x2-update/
    http://www.microsoft.com/en/mobile/asha-software-update/
    http://www.microsoft.com/en/mobile/support/software-update/wp8-software-update/
    http://www.developer.nokia.com/Community/Wiki/Nokia_firmware_change_logs
    https://twitter.com/LumiaSWUpdates

  • CFID/CFTOKEN in URL Not Used

    Hi, What I have is a website that uses a shared ssl site. Here is what happens
    They are at the main site.: http://www.mysite.com/
    They add a couple items to their cart
    They enter the secure site to checkout: https://securesite.com/mysite/?cfid=1234&cftoken=5678
    I check to see if they have items in their cart, if they don't, I kick them out of checkout
    Sometimes this works just fine and the session is recognized and I can see the items.
    Other times it kicks back out and the session isn't recognized.
    When I examine the cookies I can see that the secure site wrote its own cfid and cftoken values and is not using the ones passed through the URL.
    If I delete those cookies and try again it works great
    Is there a reason it's not using the URL values, is there a way to force it to use the ones I pass in? Please let me know if there is a setting or something I should do.
    First noticed this in Firefox and it's also recently gone from CF8 to CF9.
    Thanks!!

    Hey there,
    the feature is named "Browse By Name" and is removed in current FF 4 version.
    Here are some links to solution(s), most posted here at mozilla support:
    http://support.mozilla.com/en-US/questions/790755
    http://support.mozilla.com/en-US/questions/779034
    http://kb.mozillazine.org/Location_Bar_search
    https://support.mozilla.com/en-US/questions/791854
    - also check the keyboard shortcut to automatically add www. and .com/.net/.org irrespectively to Browse By Name activated or not.
    Alternatively you can install the add-on:
    https://addons.mozilla.org/en-US/firefox/addon/browse-by-name/
    Cheers.

  • Is cflock necessary when using #Session.URLToken# to append CFID and CFTOKEN to a URL?

    Title pretty much says it all.  I'm in the process of making my application friendly to folks without cookies.  The site uses a login.  I'm in the process of appending Session.URLToken to every URL and form action, to track a user session without cookies (if necessary).
    Do I need to place a CFLOCK around EVERY code block that contains a URL, since I'm referencing a session variable?  I assume not since that would be utterly impractical (plus I'm not modifying any information)... but I thought I should check, 'cause if I'm wrong there's probably potential for all SORTS of issues here.
    Thanks!
    Joe

    no

  • Adding a url to flash buttons in Dreamweaver

    I have a web site built and I have recently added Flash buttons and I need to add my web pages to the buttons. How would I go about doing this?

    Let's say you create a button symbol.  Since it is a button, it is already a self animating object that will react to mouse interactions, but only visually at this stage.  The first thing you need to do to make it useful code-wise is to assign it a unique instance name.  So you drag a copy of it out to the stage from the library, and while it's still selected, you enter that unique instance name for it in the Properties panel... let's say you name it "btn1"
    In AS3, to make a button work with code, you need to add an event listener and event handler function for it.  You might need to add a few (for different events, like rollover, rollout, clicking it), but for now we'll just say you want to be able to click it to get a web page to open.  In the timeline that holds that button, in a separate actions layer that you create, in a frame numbered the same as where that button exists, you would add the event listener:
    btn1.addEventListener(MouseEvent.CLICK, btn1Click);
    The name of the unique function for processing the clicking of that button is specified at the end of the event listener assignment, so now you just have to write that function out:
    function btn1Click(evt:MouseEvent):void {
       var url:String = "http://www.awebsite.com/awebpage.html";
       var req:URLRequest = new URLRequest(url);
       navigateToURL(req);
    }

  • On adding a URL in URLInclude item, the page times out

    Hi,
    I'm trying to display the contents of a URL in the base OA Framework page by specifying the URL in URLInclude item, but the page times out once this item is added.
    I also tried using a java code to read the contents of a URL and display the contents in the base page, but there again the page times out.
    Has anyone faced this issue with use of URLInclude. Should there be any property set within applications to bypass proxy or something similar in order to read the contents of an external URL. Please throw some light on the possible reasons as to why specifying the URL will cause the page to time out. The URL that I'm specifying has only 2 sentences in there, so it is not a big page that we are trying to read here.
    Appreciate any help.
    Thanks.
