CFID/CFTOKEN in URL Not Used

Hi, what I have is a website that uses a shared SSL site. Here is what happens:
They are at the main site: http://www.mysite.com/
They add a couple of items to their cart
They enter the secure site to check out: https://securesite.com/mysite/?cfid=1234&cftoken=5678
I check to see if they have items in their cart; if they don't, I kick them out of checkout
Sometimes this works just fine and the session is recognized and I can see the items.
Other times it kicks back out and the session isn't recognized.
When I examine the cookies I can see that the secure site wrote its own cfid and cftoken values and is not using the ones passed through the URL.
If I delete those cookies and try again it works great.
Is there a reason it's not using the URL values? Is there a way to force it to use the ones I pass in? Please let me know if there is a setting or something I should do.
First noticed this in Firefox, and it's also recently gone from CF8 to CF9.
Thanks!!

Hey there,
the feature is named "Browse By Name" and is removed in current FF 4 version.
Here are some links to solution(s), most posted here at mozilla support:
http://support.mozilla.com/en-US/questions/790755
http://support.mozilla.com/en-US/questions/779034
http://kb.mozillazine.org/Location_Bar_search
https://support.mozilla.com/en-US/questions/791854
- also check the keyboard shortcut to automatically add www. and .com/.net/.org, irrespective of whether Browse By Name is activated or not.
Alternatively you can install the add-on:
https://addons.mozilla.org/en-US/firefox/addon/browse-by-name/
Cheers.

Similar Messages

  • CFID & CFTOKEN added to URL by CF

    CF automatically appends CFID & CFTOKEN to the URL when
    using <div <span with id = a variable.
    They are not appended when a constant is used.
    I do not want these to be displayed unless I append them
    myself.
    Is this a CF bug, or can I change my code somehow?
    I display a variable number of rows, so using a constant is
    not a solution.
    And, I use client and session variables throughout my app.
    Please help me. Thanks a bunch.
    <cfapplication name="myApp" sessiontimeout="20"
    sessionmanagement="Yes"
    setclientcookies="Yes" clientmanagement="Yes">
    This is BAD ...
    URL with the following code:
    abc/action.cfm?CFID=1851&CFTOKEN=76141078
    <div id="#style#">
    <span id="#style#"
    onclick="location.href='abc/action.cfm'">
    <table><tr><td>info</td></tr></table>
    </span>
    </div>
    This is GOOD ...
    URL with the following code: abc/action.cfm
    <div id="1001">
    <span id="1001"
    onclick="location.href='abc/action.cfm'">
    <table><tr><td>info</td></tr></table>
    </span>
    </div>

    Greetings Steve and other URLSessionFormat fans.
    The remote file of a XMLHttp request (Spry) among other
    things is trying to set two sessions.variables.
    I have been told that if the remote file doesn't know the
    session CFID & CFTOKEN the new session variables will not be
    recognized, and to avoid that I should use URLSessionFormat.
    Now, my original Spry request looks like this:
    var request_URL
    ="/petitions/client/remote/authenticate.cfm?username="+uName+"&password="+uPass;
    Spry.Utils.loadURL("GET", request_URL, false, authBack);
    which returns values as expected but does not set the session
    variables, so I combine it with URLSessionFormat, like this:
    var request_URL =
    '#URLSessionFormat("/petitions/client/remote/authenticate.cfm?username='+uName+'&password ='+uPass+'")#';
    The variable "request_URL" will render:
    "/petitions/client/remote/authenticate.cfm;jsessionid=7e301d2f98475b4d5f10?username="+uNa me+"&password="+uPass&CFID=300&CFTOKEN=11985066"
    which causes Spry to catch an exception while loading the url
    and the request fails altogether.
    Please note the " ; " semicolon sign between the filename
    "authenticate.cfm" and "jsessionid=" which is not like the
    CF7.1 example
    "myactionpage.cfm?jsessionid=xxxx;cfid=xxxx&cftoken=xxxxxxxx"
    found in livedocs.
    Is either my code, macromedia example, or both wrong?
    Or maybe it needs some tweaking and fixing to replace the
    semicolon and put the question mark in the right place?
    Pulling out quite a few hairs here. Thanks for helping.

  • I need help I tried to use cloud backup on my iPhone 5.0.1 and after all my camera roll pictures are blurry and videos cannot be played message says URL not on this server ! Please help!! iPhone 4S, iOS 5.0.1

    I need help I tried to use cloud backup on my iPhone 5.0.1 and after all my camera roll pictures are blurry and videos cannot be played message says URL not on this server ! Please help!!
    iPhone 4S, iOS 5.0.1

    Try updating to iOS 6.1.3.

  • REDIRECT JDBC URL WHEN USING DYNAMIC JDBC CREDENTIALS SO NOT HARDCODED

    I have taken over an application that uses row-level security and ADF (using
    dynamic JDBC Credentials). I have been able to set the internal_connection to
    a JDBCDatasource, but cannot set the Connection Type in the Oracle Business
    Component Configuration to a JDBCDatasource. When I do, I receive errors that
    tables are not found. When I set the value back to a JDBC URL, everything
    works fine again.
    I am looking for a solution where the userid and password are not hardcoded in
    the BC4J.xcfg or a way to redirect this information, as we change our system
    passwords every ninety days. Otherwise, I will have to redeploy the
    application every ninety days.
    I did not create this application, but I am sure that you could simply follow
    the "How to Support Dynamic JDBC Credentials" article. From that point, you
    will probably be where I am, where I have the internal_connection set to a
    JDBCDataSource and working properly, but cannot set the Connection Type to
    anything where the userid and password will not be hardcoded or cause failure.
    I wanted to let you know that I have
    found the updated How to Support Dynamic JDBC Credentials
    (http://www.oracle.com/technology/products/jdev/howtos/bc4j/howto_dynamic_jdbc.html)
    and was going to run through the "Advanced: Supporting Dynamic JDBC URLs",
    but once I was done keying in
    env.remove(ConnectionStrategy.DB_CONNECT_STRING_PROPERTY); I received a
    deprecation message on the DB_CONNECT_STRING_PROPERTY. (Note: I am coding in
    JDeveloper 10.1.3, so this may be deprecated as of then, but the ADF Libraries
    for JDeveloper 10.1.3 are on our Oracle 10gAS 10.1.2 server.)
    I thought maybe this would resolve my issue, but I can't be sure as the
    deprecation message leads me to believe that this solution may not be viable in
    the future.
    UPDATE
    =======
    The article you are referencing is definitely an older version.
    There is a newer article for 10g at:
    http://www.oracle.com/technology/products/jdev/howtos/10g/dynamicjdbchowto.html
    Please see if that helps.
    I have already reviewed this article.
    In fact, I have reviewed many versions of this document. I have not seen one
    created yet for 10.1.3 though (especially without JSF as our 10.1.2 AS server
    will not support it). I need to find an example or documentation that shows
    how we can keep from having the JDBC URL stored in the BC4J.xcfg or a way to
    use dynamic JDBC credentials with a JDBCDataSource. We do not want to store
    the userid and password in the application, rather, we would like to setup
    something that can be configurable from the application server.
    I think we need to use the dynamic JDBC credentials because we are using the
    row-level security, where we setup a database context for the user and only
    allow certain records of a database table to be returned to the browser based
    on that context.
    Might there be a way to still use the JDBCDataSource?

    I understand that the user provides the userid and password and that these values are setup using the Configuration class.
    However, when I am to deploy the ADF Business Module with my application, I have to specify either a JDBC URL or a JDBC DataSource in the Oracle Business Component Configuration.
    When I use JDBC DataSource, the code does not work properly, almost like the user's credentials are not used for the connection (I get errors like table or view does not exist).
    When I use the JDBC URL, the bc4j.xcfg stores a reference in the JDBCName attribute to a ConnectionDefinition in the same file. It is in this tag of the bc4j.xcfg where the userid, sid, and password (encrypted) is stored and used when retrieving the initial context of the ADF business components.
    It is these values that I want to have stored elsewhere so that the application does not have to be redeployed in order for the password (or sid, or other connection information) to be changed.

  • Not using Blog Entry as part of the URL

    hi all,
    When I publish my iWeb site containing a blog to a folder, I noticed that some of the folders are using my blog entry/topic as part of the folder name.
    Is it possible to get iWeb not to use this?
    Thanks in advance.

    Here's an entry on Kyn Drake's site that might help you:
    http://ww2.makentosh.com/tipsfromtheiceberg/Blog/Entries/2008/6/22A_ShortURL.html

  • CFID & CFTOKEN

    Hi there,
    I’m creating a cart & payment system using
    Coldfusion MX 6.1. I have two application servers which are load
    balanced. So I cannot use sessions to track user logins and other
    variables because if the load balancer diverts a request to the
    other server where the session does not exist then the person will
    be logged out.
    So I’m forced to use client variables. I’m
    against using cookies for better security. So the option left for
    me is store client variables in database. So I’m using the
    help of CFID & CFTOKEN to track logins and store client
    variables in database.
    Now the problem is I’m using URLSessionFormat function
    to pass CFID & CFTOKEN to all pages after login. I have
    following problems:
    1) If I copy the URL, which contains the CFID & CFTOKEN,
    close the browser and paste it in another browser window – it
    opens up the page without any authentication.
    2) If I copy and paste the same URL on a browser window in
    another PC, it works.
    These two scenarios fail my security to the application. Can
    anyone please advise a way to kill the CFID & CFTOKEN on
    browser close or some mechanism to stop this occurring?
    Any help is greatly appreciated.
    Many thanks / Manu.
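
A detection sketch for the replay described in the post above, as an added example that is not part of the original thread: it scans web access logs for CFID/CFTOKEN pairs or jsessionid values carried in the URL and reports any identifier presented by more than one client. Combined Log Format is assumed, and the log lines, IP addresses and user agents are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format (assumed):
# ip - user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# jsessionid may ride as a path parameter (;jsessionid=...) or in the query.
JSESSION_RE = re.compile(r"[;?&]jsessionid=([^;?&#]+)", re.IGNORECASE)

FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0"
MSIE = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"

# Constructed sample lines; addresses come from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jan/2012:10:00:01 +0000] '
    '"GET /mysite/?cfid=1234&cftoken=5678 HTTP/1.1" 200 5120 '
    f'"http://www.mysite.com/" "{FIREFOX}"',
    '192.0.2.10 - - [05/Jan/2012:10:00:09 +0000] '
    '"GET /mysite/checkout.cfm?CFID=1234&CFTOKEN=5678 HTTP/1.1" 200 7301 '
    f'"-" "{FIREFOX}"',
    '198.51.100.7 - - [05/Jan/2012:10:14:42 +0000] '
    '"GET /mysite/checkout.cfm?CFID=1234&CFTOKEN=5678 HTTP/1.1" 200 7301 '
    f'"-" "{MSIE}"',
    '192.0.2.44 - - [05/Jan/2012:10:15:00 +0000] '
    '"GET /abc/action.cfm;jsessionid=7e301d2f98475b4d5f10?x=1 HTTP/1.1" 200 812 '
    f'"-" "{FIREFOX}"',
    '192.0.2.44 - - [05/Jan/2012:10:15:03 +0000] '
    f'"GET /abc/action.cfm HTTP/1.1" 200 812 "-" "{FIREFOX}"',
]


def url_session_ids(target):
    """Return the session identifiers carried in a request target, or {}."""
    parts = urlsplit(target)
    # Parameter names arrive in either case (cfid / CFID), so normalise them.
    query = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    found = {}
    if "cfid" in query and "cftoken" in query:
        found["cf"] = f'{query["cfid"]}:{query["cftoken"]}'
    match = JSESSION_RE.search(target)
    if match:
        found["jsessionid"] = match.group(1)
    return found


def shared_url_sessions(lines):
    """Map each URL-borne session id to its clients; keep ids seen from >1 client."""
    clients = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        for kind, value in url_session_ids(m["target"]).items():
            clients[(kind, value)].add((m["ip"], m["ua"]))
    return {sid: sorted(seen) for sid, seen in clients.items() if len(seen) > 1}


if __name__ == "__main__":
    for (kind, value), seen in shared_url_sessions(SAMPLE_LOG).items():
        print(f"{kind} {value} presented by {len(seen)} clients:")
        for ip, ua in seen:
            print(f"  {ip}  {ua}")
```

A client is keyed here by IP address plus user agent, so users behind one NAT with identical browsers collapse into one client, and a user who changes network mid-session shows up as two.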

  • Missing session variables and multiple CFID/CFTOKEN

    We are using ColdFusion 9.0.1 and have recently started to experience some sporadic behavior in our applications. These applications have worked without error for over 6+ years and have not been modified during this time.
    Over the past couple of weeks, we have been receiving calls in regards to users not being able to login and receiving errors when performing various actions.  We have put troubleshooting measures in place that display values when this occurs.
    We have noticed that when the errors occur, there are multiple CFID/CFTOKEN COOKIE values. Additionally, session variables are being dropped (during simple tasks such as going from one screen to the next).  These errors do not occur for the majority of users and have primarily occurred in Internet Explorer, but we have had some instances in other browsers.  In most instances, if the user switches browsers, the same application works fine for them.
    In one particular case, we have a <cfif> tag in the application.cfm file that checks for “session.user_id”.  If it doesn’t exist, the user is directed to a login page using the <cflocation> tag. When experiencing the problem, users are continuously going back to the login screen because the system is saying that the session variable does not exist.
    When working with one user who was experiencing this problem, we were able to remedy the problem by adding “addtoken=’yes’” to the cflocation tag.  ** We do not prefer to do this for security reasons.
    Rather than go through each application and try to “band-aid” each instance that occurs, can anybody offer some suggestions on why this behavior recently began and how we may be able to globally address it?

    My immediate guess is that there is faulty logic in the code that updates the value of session.user_id. Apparently, one of the following scenarios might be happening.
    ColdFusion creates a session, X, say. Session.user_id is as yet undefined, so ColdFusion cflocates the user to the login page. The user logs in, still within session X. His session.user_id is set.
    Suppose, for whatever reason (and I know of at least two), the session drops. The user's very next request will make ColdFusion create a new session, Y, say. Under session Y, the variable session.user_id, which corresponded to session X, will no longer exist. So ColdFusion cflocates the user to the login page. This cycle will of course repeat if left uncorrected.
    Another possible scenario is that the variable session.user_id is not set at all, or is set in the context of a new session. I am assuming that the login page is a form. Then login validation occurs at the action page of the form. Presumably the variable session.user_id is set at this action page. If so, then perhaps ColdFusion fails to set this variable, or a new session is created as the request goes from the login-form page to the action page.
    The 2 main reasons why a session drops are 1) it times out, 2) a new request starts a new session. Hence the following suggestions.
    1) Is your sessionTimeout value low, say, just a few minutes? If so, increase it to 20 minutes.
    2) Remember that the default behaviour of ColdFusion is to start a new session at every request. Use cflogin and cfloginuser together with loginStorage="session". Cflogin executes only if there is no logged in user, irrespective of the session. Therefore, getAuthUser() is a better authentication test than session.user_id.
    3) Use Application.cfc in place of Application.cfm. In particular, the CFC offers you more fine-grained control over the beginning and end of sessions.

  • Viewing active sessions (cfid/cftoken or J2EE sessionid)?

    Hello... is it possible to view the active sessions, whether cfid/cftoken or the J2EE sessionid for any given site on my server? I believe you can store client variables in a datasource, but I don't believe you can do this with the cfid/cftoken or J2EE sessionid correct? I'd really like to be able to query these values. I'm using CF 7.02 now but will be moving to CF 9, so if it's a feature there that'd be great.

    You can do it per application... but I'm not sure if there's a way of pulling out all the applications running on a given server.  The last time I looked for that sort of thing, I seem to recall not finding it (that's not to say it's not there: I just couldn't find it!).
    But for all sessions within an application: do a google on "cf sessiontracker".  Various people have blogged about how to do what you need (if not exactly what you need, then enough to get you going in the right direction).
    I thought I had some sample code that demonstrates it, but I don't :-(
    Adam

  • JSessionID, CFId/CFToken-Which is predictable?

    I have results from our new and improved PCI scan and it
    comes up with one Medium risk vuln.
    Description: The remote web application is using predictable
    cookie-based session IDs. Ideally, session IDs are randomly
    generated numbers that cannot be guessed by attackers. If the
    session ID is predictable, an attacker could hijack an active
    victim's session, allowing the attacker to interact with the server
    as though they were the victim. If the session ID is used to track
    the state of authentication, the session ID of an authenticated
    user could be guessed, bypassing any need for a username or
    password. In the case of this server, the session ID was found to
    have an insignificant number of changes between session IDs, which
    makes guessing very easy.
    Remediation: The software needs to be either configured or
    modified to generate random session IDs.
    I currently have enabled
    Use J2EE session variables
    Assuming I'm getting flagged because of cfid/cftoken
    predictability I've setClientCookies = "no" and
    clientmanagement="no" and restarted the service and everything
    seems to be working with jsessionids alone... are there any
    pitfalls to watch out for with not using cfid/cftoken?
    basic question before I pay for another scan is:
    I was under the impression that jsessionids were the most
    secure and a better alternative than cfid/cftoken. Is that not the
    case?
    EDIT: The scan occurred before I made the client variable
    changes to the application.cfm (so I had both jsessionid and
    cfid/cftoken being set). As of now only jsessionid is being set.

    based on what OWASP has to say
    OWASP says
    "Best practice calls for J2EE session management. In the
    event that only ColdFusion session management is available, strong
    security identifiers must be used. Enable this setting to change
    the default 8-character CFToken security token string to a UUID.
    http://www.owasp.org/index.php/Configuration"
    It looks like the J2EE sessions are the way to go.
    I believe the reason for the PCI flag is that the scan (at
    least the one from the service we use) was looking at CFID alone. I
    assume this because cftoken -was- set to use uuid so it should have
    been secure. The scan probably doesn't know that cfid and cftoken
    are used in conjunction. So in a way this is a false positive.
    Based on the new standards coming in it is enough to be out of
    compliance.
    The solution to be in compliance is to set clientmanagement="no"
    and setclientcookies="no" in application.cfm so that cfid and
    cftoken are not set at all. By using only the jsessionid, you are
    following best practices from OWASP and also get the benefits of
    session end on browser close.
    Other thoughts still welcome
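
The scanner finding quoted in this thread can be reproduced as a check on your own session cookies. The following is an added example, not code from the thread or from any scanner: it compares successive values of each cookie, flags ones that only count upwards, and estimates an upper bound on each identifier's keyspace. The sample values, both thresholds and the incrementing CFID sequence are constructed assumptions.

```python
import math
import string

MAX_STEP = 16      # assumed: a numeric gap this small between fresh IDs is "counting"
MIN_CHANGED = 0.5  # assumed: below this share of changed characters, IDs barely vary
MIN_BITS = 64      # assumed floor, the commonly cited minimum for session ID entropy

# Constructed samples: values of each cookie from successive fresh sessions.
OBSERVED = {
    "CFID": ["1851", "1852", "1853", "1855"],
    "CFTOKEN": ["76141078", "11985066", "40327915", "93560284"],
    "JSESSIONID": [
        "7e301d2f98475b4d5f10",
        "c41a9b07e2d8306f1a5c",
        "0b96f3e47a1d52c8e973",
    ],
}


def changed_fraction(a, b):
    """Fraction of character positions that differ between two IDs."""
    width = max(len(a), len(b))
    a, b = a.rjust(width), b.rjust(width)
    return sum(x != y for x, y in zip(a, b)) / width


def max_bits(value):
    """Upper bound on entropy implied by the ID's length and character class."""
    value = value.replace("-", "")
    if value.isdigit():
        alphabet = 10
    elif all(c in string.hexdigits for c in value):
        alphabet = 16
    else:
        alphabet = 62
    return len(value) * math.log2(alphabet)


def assess(samples):
    """Classify successive IDs as 'sequential', 'low-variation' or 'varied'."""
    if len(samples) < 2:
        raise ValueError("need at least two successive IDs")
    pairs = list(zip(samples, samples[1:]))
    if all(s.isdigit() for s in samples):
        if all(0 < int(b) - int(a) <= MAX_STEP for a, b in pairs):
            return "sequential"
    mean_changed = sum(changed_fraction(a, b) for a, b in pairs) / len(pairs)
    return "low-variation" if mean_changed < MIN_CHANGED else "varied"


def audit(observed):
    """Return {cookie: (verdict, max_bits)}; 'short' means varied but tiny keyspace."""
    report = {}
    for name, samples in observed.items():
        verdict = assess(samples)
        bits = min(max_bits(s) for s in samples)
        if verdict == "varied" and bits < MIN_BITS:
            verdict = "short"
        report[name] = (verdict, round(bits, 1))
    return report


if __name__ == "__main__":
    for name, (verdict, bits) in audit(OBSERVED).items():
        print(f"{name:<11} {verdict:<14} <= {bits} bits")
```

The bit figure is a ceiling derived from length and alphabet only; it says nothing about the quality of the generator behind the value.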

  • Adoption of CFID/CFTOKEN from request for new session

    Hi
    We've noticed that ColdFusion automatically uses CFID/CFTOKEN
    from the request, if there's no session available for this token
    combination and ColdFusion creates a new session. Is there a way to
    tell ColdFusion that it shouldn't use the values from the request
    but generate a pair of its own?
    Regards
    Sargon

    10.12 is the latest and greatest SW version for the device (from mid-2010). 
    I'm sad to say, but this device model has been out of production already for a long while and no new SW releases can be expected. Also some of the things you listed are such, which would not even be fixable by new SW version, but would require other changes.
    you could probably try updating e.g. the browser app to a newer version via http://download.browser.ovi.com.
    http://www.microsoft.com/en/mobile/nokia-x-updates/
    http://www.microsoft.com/en/mobile/nokia-x2-update/
    http://www.microsoft.com/en/mobile/asha-software-update/
    http://www.microsoft.com/en/mobile/support/software-update/wp8-software-update/
    http://www.developer.nokia.com/Community/Wiki/Nokia_firmware_change_logs
    https://twitter.com/LumiaSWUpdates

  • SQL Agent Job failing - not using credentials in the config file for Data source

    Hi
    We have an SSIS pkg that is scheduled as a SQL Agent job using a proxy account. The pkg contains data sources for connecting to different SQL servers, and the proxy account does not have access to the external DBs. The data source credentials are stored in the Config file.
    Why is the job not using the credentials in the config file, and instead trying to use the proxy account and failing?
    Does the proxy account need access to all the external DBs in the pkg, and then what is the purpose of the config file?
    I am sorry, I am not an SSIS person, just trying to understand. If anyone can explain, that will be great!!
    Thank you!
    VR

    Please take a look at these URLs:
    Schedule a Package by using SQL Server Agent
    SSIS package does not run when called from a SQL Server Agent job step
    Cheers,
    Saeid Hasani
    Database Consultant
    Please feel free to contact me at [email protected] as well as on Twitter and Facebook.

  • Which URL to use to open a financial report from a Task list ?

    Hi,
    I've got a big issue in Hyperion Planning : I do not know which URL to use to open a financial report from a task list.
    If I use the Smartcut (given when you do a right-click on the report, then Properties), a tab opens (normal behaviour), but another tab opens under the tab, which is very ugly, and moreover which prevents using the PDF/HTML display icons!
    Does someone know which URL to use to display a financial report correctly when opening it from a task list?
    It's an emergency, please help !
    Thanks very much.
    Virgile.
    PS. : we use Internet Explorer 8 and we use 11.1.2.1 Hyperion Planning version
    Edited by: 808808 on Jan 5, 2012 3:41 AM

    Hi,
    OK, thanks, it almost works !!
    I've just a problem. 2 tabs are opening.
    One is opening correctly and displays my report. I can display it in PDF/HTML.
    But another tab is opening with this message : This window can now be closed since the application has been launched in a separate window. Note: Popup blockers may prevent this application from working properly.
    Do you know why this tab is opening ?
    Thanks very much for your help.
    Virgile.

  • How to download a pdf file in external storage(sd-card) not use a isolated storage wp8

    I have a URL to download a PDF file, returned by web services,
    and I have attached this link to a hypertext button. This starts a download, but in the browser. When I googled for this purpose, it gave me the "
    Background file transfer
    " process, and that code also uses isolated storage, but I want an external storage process. Please help me:
    how to download a PDF file to external storage (SD card) without using isolated storage on WP8

    Hello,
    This forum is for discussions and questions regarding profiles and Microsoft's recognition system on the MSDN and TechNet sites. It is not for products/technologies.
    As it's off-topic here, I am moving the question to the
    Where is the forum for... forum.
    Karl

  • When i send a page from a website to my printers email address, it only prints the url not the page

    I have a Photosmart D110 all in one and just bought an Asus Transformer tablet. I've downloaded the eprint app and every time I share a page from a website via email to my printer's email address it only prints the URL, not the actual webpage. Also when I click the share option it gives me the option to share with the eprint app, but when I do it says it can't read or support the file due to paper size not being selected.

    Hi,
    The HP ePrint does not support web pages printing
    Printing Web pages through email is currently not supported. HP is in the process of developing solutions to support Web page printing for mobile devices.
     http://h10025.www1.hp.com/ewfrf/wc/document?docname=c02881579&cc=us&dlc=en&lc=en&product=5058336#N91...
    You may print web pages using the HP ePrint Home & Biz app by using its integrated web browser:
    http://h10025.www1.hp.com/ewfrf/wc/document?docname=c01616126&lc=en&cc=us&dlc=en&product=3857218#N58...
    Regards,
    Shlomi

  • URL not found error while loading photo on Linux

    Hi,
    I have an AIR 2.0 application which works perfectly well on Windows, but when I run it on Linux the Loader object can't load any photo. I tried many path variations but I always get Error #2035: URL Not Found.
    Here's how I load a photo (with hard coded URL)
    _imageLoader.load(new URLRequest("/home/piotr/105755/damage_photos/17.jpg"));
    I'm sure that "/home/piotr/105755/damage_photos/" path is correct. I pasted it into the file explorer address text input and the expected directory was opened. I'm also sure that the 17.jpg file exists in that directory.
    When I trace IOError message it says: Error #2035: URL Not Found. URL: app:/home/piotr/105755/damage_photos/17.jpg
    My questions are:
    What does "app:" do in my URL... can it cause the problem? If yes, how can I get rid of it?
    Is there anything specific about UNIX systems and Loader that I should know about?
    How can I load a file from the hard drive some other way than by the Loader object?
    I use AIR 2.0 SDK, Flex 4.5 SDK and Ubuntu 10.04. Could anyone help me, please?

    Hi,
    Just a test, can you try to do this:
    var f:File = new File(File.userDirectory.nativePath+File.separator+"105755"+File.separator+"damage_photos" +File.separator+"17.jpg");
    _imageLoader.load(new URLRequest(f.url));
