Client scope in blaze ??

Hi all,
We're integrating BlazeDS in a portlet environment for use with the Vine Toolkit (vinetoolkit.org) grid framework. We have some issues with that, especially with scoping. We know that there are request, session and application scopes. We're wondering if there is something like a client scope, tied to the, let's say, SWF lifetime. In that case, whenever the page is refreshed by a user request, the client scope is recreated.
Another use case for that would be to have 2 copies of the SWF within a page. In a client scope, data from those clients would go to 2 different objects. Currently, as for request scope - it's the same, but without persistence, and for session and application it is one object.
Thanks in advance for any clues.
Regards,
Piotr Dziubecki

It seems that not for every SWF, a new FlexClient is created on the server. When loading Flex modules (in separate swf files of course) no new FlexClient is created.
Is there any way to discover the opening of a module in a Flex application on the server?
This could be especially useful when developing business applications in which individual modules should not interfere with each other's session data and transaction management procedures. Did anyone find a solution for this situation?

Similar Messages

  • Help with expiring client scope

    Hi,
    I have a website that uses the client scope for its shopping cart. I'm having a problem with expiring the client scope. What happens is when I make changes to the site that affect cookies, people who have old cookies or client on their system get an error message and I for the life of me cannot figure out a way to have the scope say expire when they leave the page or close the browser.
    Thanks for any help.
    Mike.

    Well, the web being stateless, it's not easy to auto-logout if a person just 'leaves' your website - the server just doesn't know they've gone.  If they actually 'log out'  you 'could' clear all their cookies using the cookie scope, but other than that maybe set a short expire on the client scope so that if a person does leave your site it won't be long before they time out and have to get new client vars next time.
    By the way, the client scope is not encouraged by Adobe (or so I seem to remember in the past).  Is there any reason you need to use it?  Would the session scope be more suited?  I KNOW it's faster, but not persistent unless you serialise the session scope via wddx (which you can do - emulating client scope when needed).

  • CF 10 Clean Install - Sessions Broken

    Hi all,
    My firm recently upgraded to all new CF 10 servers (clean install no upgrade), and we are going through testing before we launch them in production.
    I have come across an issue where the sessions are not being maintained across requests.
    The application login functionality no longer works at all... testing the same code on CF9 yields expected and desired results.
    To test, I created a folder with an Application.cfc and an index.cfm.
    I placed a copy of the folder on the root of both the CF9 and CF10 servers.
    Loaded the index.cfm page on each and then just hit the refresh button on the browser.
    All the index.cfm page does is dump the session & cookie scopes.
    RESULTS
    CF9:
    - SESSIONID stays the same upon each request
    - CFID stays the same
    - CFTOKEN stays the same
    ...as expected results
    Initial Page Load:
    struct
      sessionid: 8430fefbf6988bab4bbc3724627d6a323351
      urltoken: CFID=64848&CFTOKEN=25813868&jsessionid=8430fefbf6988bab4bbc3724627d6a323351
      username: Bill
    struct
      CFID: 64848
      CFTOKEN: 25813868
      JSESSIONID: 8430fefbf6988bab4bbc3724627d6a323351
    Refresh 2:
    struct
      sessionid: 8430fefbf6988bab4bbc3724627d6a323351
      urltoken: CFID=64848&CFTOKEN=25813868&jsessionid=8430fefbf6988bab4bbc3724627d6a323351
      username: Bill
    struct
      CFID: 64848
      CFTOKEN: 25813868
      JSESSIONID: 8430fefbf6988bab4bbc3724627d6a323351
    Refresh 3:
    struct
      sessionid: 8430fefbf6988bab4bbc3724627d6a323351
      urltoken: CFID=64848&CFTOKEN=25813868&jsessionid=8430fefbf6988bab4bbc3724627d6a323351
      username: Bill
    struct
      CFID: 64848
      CFTOKEN: 25813868
      JSESSIONID: 8430fefbf6988bab4bbc3724627d6a323351
    CF10:
    - SESSIONID changes on every SECOND request
    - CFID changes every request
    - CFTOKEN changes every request
    ...not as expected whatsoever
    Initial Page Load:
    struct
      sessionid: BBEB2834CFE5CABC214714BC9984C35B.cfusion
      urltoken: CFID=2199631&CFTOKEN=87302470&jsessionid=BBEB2834CFE5CABC214714BC9984C35B.cfusion
    struct
      CFID: 2199631
      CFTOKEN: 87302470
      JSESSIONID: A8374BAF078DCD9216870113F0A7E32B.cfusion
    Refresh 1:
    struct
      sessionid: BBEB2834CFE5CABC214714BC9984C35B.cfusion
      urltoken: CFID=2199791&CFTOKEN=22231763&jsessionid=BBEB2834CFE5CABC214714BC9984C35B.cfusion
    struct
      CFID: 2199791
      CFTOKEN: 22231763
      JSESSIONID: BBEB2834CFE5CABC214714BC9984C35B.cfusion
    Refresh 2:
    struct
      sessionid: 1C3645A75E85F7AEDAEBA9F90474DF83.cfusion
      urltoken: CFID=2199867&CFTOKEN=96194295&jsessionid=1C3645A75E85F7AEDAEBA9F90474DF83.cfusion
    struct
      CFID: 2199867
      CFTOKEN: 96194295
      JSESSIONID: BBEB2834CFE5CABC214714BC9984C35B.cfusion
    WTH???
    Here is a copy of my Application.cfc:
    /**
    @title "Application.cfc reference in CFScript for Coldfusion 9"
    @description "This component includes all Application.cfc methods and variables, set to their default values (if applicable). Please note that default values are not always desirable, and some methods or variables should be modified or removed depending on the situation."
    @author "Russ Spivey (http://cfruss.blogspot.com)"
    @dateCreated "November 29, 2009"
    @licence "This work is licensed under the Creative Commons Attribution 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA."
    @hint "You implement methods in Application.cfc to handle ColdFusion application events and set variables in the CFC to configure application characteristics."
    */
    component output="false" {

        /* **************************** APPLICATION VARIABLES **************************** */
        // The application name. If you do not set this variable, or set it to the empty string, your CFC applies to the unnamed application scope, which is the ColdFusion J2EE servlet context.
        THIS.name = "Test";
        // Life span, as a real number of days, of the application, including all Application scope variables.
        THIS.applicationTimeout = createTimeSpan(0, 1, 0, 0);
        // Whether the application supports Client scope variables.
        THIS.clientManagement = false;
        // Where Client variables are stored; can be cookie, registry, or the name of a data source.
        //THIS.clientStorage = "registry"; //cookie||registry||datasource
        // Contains ColdFusion custom tag paths.
        THIS.customTagPaths = "";
        // The Google Maps API key required to embed Google Maps in your web pages.
        THIS.googleMapKey = "";
        // Name of the data source from which the query retrieves data.
        THIS.datasource = "";
        // Whether to store login information in the Cookie scope or the Session scope.
        THIS.loginStorage = "cookie"; //cookie||session
        // A structure that contains ColdFusion mappings. Each element in the structure consists of a key and a value. The logical path is the key and the absolute path is the value.
        THIS.mappings = {};
        // Whether to enable validation on cfform fields when the form is submitted.
        THIS.serverSideFormValidation = true;
        // Whether the application supports Session scope variables.
        THIS.sessionManagement = true;
        // Life span, as a real number of days, of the user session, including all Session variables.
        THIS.sessionTimeout = createTimeSpan(0, 0, 20, 0);
        // Whether to send CFID and CFTOKEN cookies to the client browser.
        THIS.setClientCookies = true;
        // Whether to set CFID and CFTOKEN cookies for a domain (not just a host).
        THIS.setDomainCookies = false;
        // Whether to protect variables from cross-site scripting attacks.
        THIS.scriptProtect = false;
        // A Boolean value that specifies whether to add a security prefix in front of the value that a ColdFusion function returns in JSON-format in response to a remote call.
        THIS.secureJSON = false;
        // The security prefix to put in front of the value that a ColdFusion function returns in JSON-format in response to a remote call if the secureJSON setting is true.
        THIS.secureJSONPrefix = "";
        // A comma-delimited list of names of files. Tells ColdFusion not to call the onMissingTemplate method if the files are not found.
        THIS.welcomeFileList = "";
        // A struct that contains the following values: server, username, and password. If no value is specified, takes the value in the administrator.
        THIS.smtpServersettings = {};
        // Request timeout. Overrides the default administrator settings.
        THIS.timeout = 30; // seconds
        // A list of ip addresses that need debugging.
        THIS.debugipaddress = "";
        // Overrides the default administrator settings. It does not report compile-time exceptions.
        THIS.enablerobustexception = false;

        /* ORM variables */
        // Specifies whether ORM should be used for the ColdFusion application. Set the value to true to use ORM. The default is false.
        THIS.ormenabled = false;
        // The struct that defines all the ORM settings. Documentation: http://help.adobe.com/en_US/ColdFusion/9.0/Developing/WSED380324-6CBE-47cb-9E5E-26B66ACA9E81.html
        THIS.ormsettings = {};
        // note: THIS.datasource applies to cfquery as well as ORM. It is defined on line 31.

        /* **************************** APPLICATION METHODS **************************** */

        /**
        @hint "Runs when an application times out or the server is shutting down."
        @ApplicationScope "The application scope."
        */
        public void function onApplicationEnd(struct ApplicationScope=structNew()) {
            return;
        }

        /**
        @hint "Runs when ColdFusion receives the first request for a page in the application."
        */
        public boolean function onApplicationStart() {
            return true;
        }

        /**
        @hint "Intercepts any HTTP or AMF calls to an application based on CFC request."
        @cfcname "Fully qualified dotted path to the CFC."
        @method "The name of the method invoked."
        @args "The arguments (struct) with which the method is invoked."
        */
        public void function onCFCRequest(required string cfcname, required string method, required string args) {
            return;
        }

        /*
        @hint "Runs when an uncaught exception occurs in the application."
        @Exception "The ColdFusion Exception object. For information on the structure of this object, see the description of the cfcatch variable in the cfcatch description."
        @EventName "The name of the event handler that generated the exception. If the error occurs during request processing and you do not implement an onRequest method, EventName is the empty string."
        note: This method is commented out because it should only be used in special cases
        public void function onError(required any Exception, required string EventName) {
            return;
        }
        */

        /*
        @hint "Runs when a request specifies a non-existent CFML page."
        @TargetPage "The path from the web root to the requested CFML page."
        note: This method is commented out because it should only be used in special cases
        public boolean function onMissingTemplate(required string TargetPage) {
            return true;
        }
        */

        /*
        @hint "Runs when a request starts, after the onRequestStart event handler. If you implement this method, it must explicitly call the requested page to process it."
        @TargetPage "Path from the web root to the requested page."
        note: This method is commented out because it should only be used in special cases
        public void function onRequest(required string TargetPage) {
            return;
        }
        */

        /**
        @hint "Runs at the end of a request, after all other CFML code."
        */
        public void function onRequestEnd() {
            return;
        }

        /**
        @hint "Runs when a request starts."
        @TargetPage "Path from the web root to the requested page."
        */
        public boolean function onRequestStart(required string TargetPage) {
            return true;
        }

        /**
        @hint "Runs when a session ends."
        @SessionScope "The Session scope"
        @ApplicationScope "The Application scope"
        */
        public void function onSessionEnd(required struct SessionScope, struct ApplicationScope=structNew()) {
            return;
        }

        /**
        @hint "Runs when a session starts."
        */
        public void function onSessionStart() {
            return;
        }
    }
    So did Adobe really ship a broken product??
    Here are a list of other people with the same issues:
    http://forums.adobe.com/message/5692829
    http://forums.adobe.com/thread/1017340
    http://forums.adobe.com/thread/1022637
    http://forums.adobe.com/thread/1272465
    http://forums.adobe.com/message/5696193
    https://bugbase.adobe.com/index.cfm?event=bug&id=3572565
    http://www.petefreitag.com/item/817.cfm
    http://forums.adobe.com/thread/1199835
    I have spent several days at this... if I missed some obvious configuration I would be upset with myself, but relieved it was fixable. As of right now, I can't move my code to this new production environment as logging into the application is not even possible.
    Thanks

         ISSUE RESOLVED:    
         BKBK,
         You were correct...
         I failed to mention that the application that is dropping the session is also using the Portcullis XSS/SQL Injection prevention script from RIAForge.
         It is not listed as being compatible with CF10... removing it has resolved my issue entirely and the sessions are now being maintained.
         Thank you all for your responses.
         Regards,
         John
    BKBK wrote:
    John.Elkins wrote:
     We are not using cflogin...
    However, some other login process is apparently involved in the page request. That can start up a new session, if not coded properly.
    In fact my guess is that that is what is happening. In any case, this is about whether or not session is maintained. To test this cleanly, you have to exclude all code involved with the login process.

  • J2EE session variables & Non Random Session IDs

    Our server keeps failing our PCI compliance test due to the Session ID's being non random.
    Description: Web Server Uses Non Random Session IDs
    Synopsis: The remote web server generates predictable session IDs.
    Impact: The remote web server generates a session ID for each connection. A session ID is typically used to keep track of the actions of a user while he visits a web site. The remote server generates non-random session IDs. An attacker might use this flaw to guess the session IDs of other users and therefore steal their session.
    See also: http://pdos.csail.mit.edu/cookies/seq_sessionid.html
    Data Received: Sending several requests gives us the following session IDs: CFID=896744 CFID=896745 CFID=896746 CFID=896747 CFID=896748
    Resolution: Configure the remote site and CGIs so as to use random session IDs.
    Risk Factor: Medium / CVSS2 Base Score: 6.4
    AV:N/AC:L/Au:N/C:P/I:P/A:N
    We are using J2EE session variables which I thought was the more secure option. Is there something else you have to do to guarantee that the Session ID's are non random or is this the Compliance test picking up on a false positive?
    P.S. It's a recent migration to CF10, don't know if that has anything to do with it.

    Personally, I use the client scope instead of the session scope so that I don't have to worry about sticky sessions.  That has always worked out nicely for me.
    I read that article you referenced, and it's got some interesting stuff.  In particular, I have seen the client scope database tables not purge as they're supposed to.  And the stuff about preparing, executing, and then unpreparing SQL statements on each request is alarming, if true.
    However, I have to say that I have never, ever, ever, ever had performance issues due to client variables.  Not once.  Whatever performance hit my application may incur from using client variables has, to this point, been completely dwarfed by the performance of the application itself.  And, c'mon, the stuff about being lazy because you don't want to spend precious engineering time worrying about something like session management (which is never going to add value to your product) rather than coding something actually useful to your end users...that seems overly harsh to me.
    I completely agree that storing client vars in the Windows Registry is bananas, as is the default 90 day purge limit (though as of CF 9.0.whatever, the default is 1 day, 7 hours, so clearly they've made some changes since this article was written).  But I'm loath to throw away client-based management.
    I think, getting back to the issue at hand, that this may be a false positive.  CFID is sequential, but CFTOKEN is not; that should really be the end of the story.  I'll see if McAfee will listen.  (-;
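
The question this thread leaves open is how much of a CFID/CFTOKEN pair is actually unpredictable. The following is an added example, not code from the thread: it takes cookie values captured from successive requests, flags sequential components, and estimates the remaining search space. The CFID values are the ones in the scan report above; the CFTOKEN values are sample values, and the 64-bit floor is the figure from OWASP session management guidance, used here as an assumption.

```python
import math
import string

# CFID values from the scan report quoted above; CFTOKEN values are sample
# values added for illustration (the report did not list CFTOKEN).
SAMPLES = [
    "CFID=896744; CFTOKEN=25813868",
    "CFID=896745; CFTOKEN=87302470",
    "CFID=896746; CFTOKEN=22231763",
    "CFID=896747; CFTOKEN=96194295",
    "CFID=896748; CFTOKEN=41057326",
]

MIN_BITS = 64  # assumed floor for a session identifier (OWASP guidance)


def parse_cookies(header):
    """Split a 'name=value; name=value' cookie string into a dict."""
    pairs = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs[name.upper()] = value
    return pairs


def is_sequential(values, max_step=16):
    """True when all values are integers rising by a small positive step."""
    if len(values) < 3 or not all(v.isdigit() for v in values):
        return False
    nums = [int(v) for v in values]
    return all(0 < b - a <= max_step for a, b in zip(nums, nums[1:]))


def alphabet_bits(values):
    """Estimate bits per identifier from observed character class and length."""
    chars = set("".join(values))
    if chars <= set(string.digits):
        base = 10
    elif chars <= set(string.hexdigits):
        base = 16
    else:
        base = 62  # treat anything else as alphanumeric
    return min(len(v) for v in values) * math.log2(base)


def assess(samples):
    """Return ({field: {sequential, max_bits}}, total_bits) for the samples."""
    rows = [parse_cookies(s) for s in samples]
    fields = set(rows[0]).intersection(*rows[1:])
    report = {}
    for name in sorted(fields):
        values = [r[name] for r in rows]
        seq = is_sequential(values)
        # A sequential component contributes nothing an observer cannot infer.
        bits = 0.0 if seq else round(alphabet_bits(values), 1)
        report[name] = {"sequential": seq, "max_bits": bits}
    total = round(sum(f["max_bits"] for f in report.values()), 1)
    return report, total


def verdict(total_bits):
    """Classify the combined identifier against the assumed floor."""
    if total_bits == 0:
        return "predictable"
    return "weak" if total_bits < MIN_BITS else "ok"


if __name__ == "__main__":
    report, total = assess(SAMPLES)
    for name, info in report.items():
        print(name, info)
    print("combined bits (estimate):", total, "->", verdict(total))
```

With these samples the pair is not sequential as a whole, but an 8-digit numeric CFTOKEN is the only unpredictable part. ColdFusion's "Use UUID for cftoken" administrator setting replaces it with a longer value.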

  • Do I need to enable clientmanagement?

    If I never reference the client scope, do I need to enable
    clientmanagement in application.cfm. I'm using CF6.1 and 7. I
    currently have variablestorage in a db and I occasionally have
    problems with the variablestorage db locking and blocking the cf
    applications. I was hoping that since I never use the client scope
    in this app I could disable it altogether.

    If you don't use it you should definitely be sure
    clientmanagement is disabled. If it's set to yes in application.cfm
    the server will use a lot of resources that could be used for other
    things, especially if set to default storage which is
    registry.

  • Passing structure vars

    I'm working on an authentication page and I'm setting user
    variables inside a structure. When I use a structure to set user
    variables and redirect to a landing page, the structure data does
    not persist. When I use sessions for each user variable, the
    structure persists. I'd prefer to use a structure, but what am I
    missing here? How do I get the structure to persist?

    Put the structure into the session so it persists
    <cfscript>
    session.piuser = structNew();
    session.piuser.authenticated = 1;
    session.piuser.username = auth_user.displayname;
    </cfscript>
    For any variable to exist from one request to another it must be in one of the persistent scopes. Whether the variable is simple or complex, you must place it into the session, application or server scope for it to be available on future requests.
    The one issue to this is that the cookie and client scopes do not allow complex variables without translation. But that is not often an issue. But when it arises, WDDX can be used to good effect.

  • SPDD query

    Hi Experts,
    We are doing SPDD activity for an upgrade from 4.7 to ECC 6.0. Client has only EN language.
    We have come across 2 SPDD changes :-
    Request your inputs on the following points :-
    1     New Field added to an Index in ECC 6.0. Should we reset to original for such change ?      
    2     "No Database Index" flag set in ECC 6.0. Should we reset to original ?
    3     Existing Field deleted from Index . Should we reset to original ?     
    4     MASTERLANG field has been set with TL flag to X  . How do we proceed with this.
    I feel above changes would have performance impact if the indexes are used.
    Please let me know how to proceed in such scenarios.
    Thanks,
    Best regards,
    Prashant

    Hi Prasanth,
    First of all, doing reset to original or adopt modification activities depends on the client scope; if the client has given a specific scope of work with all these then we should follow that, otherwise follow the standard:
    1. If any field was added in ECC 6.0 by SAP then it is to be reset to original.
    2. If the "database index" flag is set in 4.7 and you need the same then go for adopt modification;
         if the database index flag is not needed for you, then go for reset to original.
    3. Existing field (4.7) deleted from Index: if the field is used anywhere or if you wish to continue with that field then go for adopt modification;
        if that field was not used anywhere at all then go for reset to original.
    4. "MASTERLANG field has been set with TL flag to X": if you wish to continue as it is in 4.7, then go for adopt modification,
    otherwise go for reset to original.
    I will give you one example:
    in one of my upgrade projects, as per the SAP standards some of the objects were supposed to go for "Adopt modification", but after doing that the client sent mail saying don't go for adopt modification without asking us; they need everything to be reset to original.
    Like that, if the client has certain criteria then we should follow them; otherwise follow the standard approaches mentioned above for your requirement.
    Regards
    Arani Bhaskar

  • Shopping Cart using Coldfusion

    Hi, I am relatively new to Coldfusion and I am wondering how to create a shopping cart for a website using coldfusion. Thanks

    This is probably going to come across to you as unnecessarily snarky, but your request is analogous to "I am relatively new to architecture and engineering and I am wondering how to create a skyscraper". The short, glib answer is that you have to learn architecture and engineering first.
    You will need to learn the basics of the language, and you'll have to learn how to track and persist user-specific values using something like the Session or Client scopes. You will need to learn how to store user-specific and non-user-specific values within a relational database, and fetch them as needed.
    Dave Watts, CTO, Fig Leaf Software
    http://www.figleaf.com/
    http://training.figleaf.com/

  • DDNS ownership of record question

    We have two Windows 2012 R2 DHCP servers (no other function)
    IPv4 is set to "Dynamically update DNS A and PTR records only if requested by the DHCP clients"
    Scopes are configured to "Always dynamically update DNS A and PTR records"
    "Discard A and PTR records when lease is deleted" are set on both
    The servers don't use DHCP credentials and no servers are in DNSUpdateProxy group
    With all this I would expect DHCP clients to have A and PTR records to be owned by a DHCP server but the records are owned by the computer accounts.
    These particular clients are unique in that they are DHCP reservations whose IP addresses are in the same subnet as the scope but are not part of the scope Address Pool. This was doable in w2k3 dhcp, wasn't doable in W2k8 r2 dhcp and is again doable in w2k12 r2 dhcp
    My question is - based on this configuration - do the scope option 81 settings apply to these clients with reservations - in which case I don't understand why the computer accounts own the A and PTR records
    Or, do the IPv4 option 81 settings apply to the clients since the addresses are not part of the scope address pool - in which case I understand why the computer accounts own the A and PTR records
    Thanks

    Hi,
    Before going further, thanks for coming back and letting me know that my first reply didn't help resolve our problem.
    The reason why I provided the above suggestion is:
    The priority for DHCP settings is reservation > scope policy > server policy > scope-level > server-level.
    If the setting of reservation is different from the setting of scope, the setting of scope will not take effect.
    Therefore, if we select the "Dynamically update DNS records only if requested by the DNS clients" in the Properties dialog box of the reservation, DHCP server will not register the DNS record until clients request.
    For fully patched, I mean to get the system updated to the latest. However, for this is a production environment, it’s really up to you to make the call.
    Now, in order to further troubleshoot the issue, we can enable the DNS debug log, and if necessary, you may upload the log to Onedrive and provide us the download link.
    Best Regards.
    Steven Lee
    TechNet Community Support

  • IP Addressing / Subnetting for AP's connected to 4404 controllers?

    Is there a pro/con, or best practice regarding the ip addressing for your AP's when having them connected to wireless controllers?
    Basically I am trying to decide if the AP's should just use the same VLAN and subnet as what the wireless clients will use, or something different?
    I know that part of the LWAPPs process for finding controllers depends on it grabbing a DHCP address which if you configure the switch port right for the AP according to the deployment guide you are setting the access vlan to that which your wireless clients will use. So the AP will grab DHCP from the client scope then broadcast out on that subnet looking for a controller.
    So far all seems fine and good, and I know you can change the IP address of the AP if you want once it is homed into the controller. But I simply don't know if there is a best practice regarding this.
    Leave the APs IP on same subnet/vlan as the wireless clients or move the AP's to a new one.
    Maybe I am over thinking this, and it really doesn't matter?
    I have two controllers at two main locations, each going to support about 15 AP's. Same SSID at each location and using PEAP.
    Thinking about basically allocating two class c's one for each location for the wireless clients and just do some reservations from each class c scope for the AP's.
    What would be the negatives of doing things this way? Any suggestions or pros/cons would be appreciated.

    Ok so it seems from replies here and in other forums that the wireless clients should be on their own vlan, separate from the AP's and controllers.
    Which leads me to another question, should the AP's and Controllers be on the same, not be on the same or doesn't matter?
    One pro of being on the same vlan and subnet is the AP's can easily home in to the controller since it will broadcast out to its subnet looking for a controller.
    Any con to this?

  • Using Java to Send Message to BlazeDS

    Hello all, maybe you can help me with my problem.
    I've created a very simple java program that should have no problem sending a message to BlazeDS.
    Java App Code
    import flex.messaging.MessageBroker;
    import flex.messaging.messages.AsyncMessage;
    import flex.messaging.util.UUIDUtils;

    public class BlazeDSTest {
        public static void main(String[] args) {
            // Look up the default MessageBroker (null id)
            MessageBroker msgBroker = MessageBroker.getMessageBroker(null);
            String clientID = UUIDUtils.createUUID();

            // Build the message for the "chat" destination
            AsyncMessage msg = new AsyncMessage();
            msg.setDestination("chat");
            msg.setClientId(clientID);
            msg.setMessageId(UUIDUtils.createUUID());
            msg.setTimestamp(System.currentTimeMillis());
            msg.setBody(1);

            // The call reported below as throwing the NullPointerException
            msgBroker.routeMessageToService(msg, null);
        }
    }
    OK, pretty simple.  Now I'm getting a null pointer exception error when I try to run the routeMessageToService function.
    Either I don't have my config/services XML set right or what, I have no idea why it can't find the message channel "chat".
    I know it's in there.  I see it under the BlazeDS samples.  Is there something I need to set to specifically target a certain "folder" in BlazeDS?
    I want this Java program to just run on the server (that BlazeDS is installed on), anywhere in the OS.
    So like this....
    JavaApp Runs -> JavaApp gets message from outside source -> JavaApp sends messages to BlazeDS -> Clients subscribed to Blaze get message
    Pretty easy...but i'm beating my head.  Anyone please?
    Thanks!
    -kevin

    Hi
    With the new 4.6 version of Adobe Data Services, you can also create Java (desktop/Android) and JS/ObjectiveC applications that can communicate with a messaging destination.
    http://help.adobe.com/en_US/dataservicesjee/4.6/Developing/WS4976f0ec3ef48246-681f784e12dc3e803c6-8000.html
    Regards,
    Ashish Vashisht

  • Create cfset with cfloop?

    I need to be able to iterate through some submitted form
    variables, and create a cfset for each. Unfortunately, what I have
    tried isn't working. Any thoughts?
    Current code below:
    <cfloop list="#fieldnames#" index="i">
    <cfset client.#i#="#Evaluate(i)#">
    </cfloop>

    use associative array notation:
    <cfloop list="#form.fieldnames#" index="field">
    <cfset client[field] = form[field]>
    </cfloop>
    make sure none of your form's fields have name as one of reserved client-scope vars!!!
    reserved client scope vars:
    Client.CFID
    Client.CFToken
    Client.HitCount
    Client.LastVisit
    Client.TimeCreated
    Client.URLToken
    hth
    Azadi Saryev
    Sabai-dee.com
    http://www.sabai-dee.com/

  • Ip source guard feature and dhcp DHCP scope exhaustion (client spoofs other clients)

    Hi everybody.
    A dhcp server assigns ip adress based on mac address carried by client hardware field in dhcp packets.
    One potential attack is when a rogue host mimics different mac addresses and causes dhcp server to assign the ip addresses until no ip address is left for legitimate host.
    E.g., a host h1 with mac1 has been assigned an ip address by the dhcp server as:
    199.199.199.1 mac1
    Dhcp server has the above entry in its database.
    Using hacking tools such as Yersinia or Gobbler one can create dhcp discover messages, each time creating a different mac for the client hardware field in dhcp server, thereby causing a dhcp server to assign ip addresses because to the dhcp server these are legitimate dhcp discover messages, each carrying a different mac in the client hardware address.
    You might say use dhcp snooping and it will prevent that (dhcp scope exhaustion) and configure the switch to check if src mac matches the client hardware address in the dhcp message. But still we can create spoofed discover messages where src mac in the ethernet header will match the client hardware address in the dhcp discover message. We still did not overcome the problem.
    You might say use IP source guard feature but will it really prevent that problem from happening?
    Let me illustrate it :
    h1---------f1/1SW---------DHCP server
    Let say we have configured dhcp snooping on sw1 and f1/1 is untrusted port.  The switch has following dhcp binding
    199.199.199.1    mac1   vlan1  f1/1
    Next we configure ip source guard to validate both src mac and src ip against the dhcp bindings. When we configure ip source guard first, it will allow dhcp communication only so a host can request an ip address and a dhcp binding can be built. After that ip source guard will validate src ip or src mac or both against the dhcp binding, depending upon how we configure ip source guard.
    In our case we have configured ip source guard to validate both src mac and src ip against the dhcp binding.
    A dhcp binding is already created as:
    199.199.199.1 mac1 vlan 1 f1/1
    Now using the hacking tools Yersinia or Gobbler on h1, we create our first spoofed dhcp discover message where src mac=mac2 in the ethernet header and client hardware address=mac2 in the dhcp discover message. Since the switch is configured with the ip source guard feature, it allows the dhcp discover message to pass through. The dhcp server upon receiving the dhcp message assigns another ip address from the pool. Now the dhcp server has the following entries:
    199.199.199.1 mac1
    199.199.199.2 mac2.
    We can continue to craft spoofed dhcp discover messages as mentioned above and have dhcp server keep assigning ip addresses until the whole pool is exhausted.
    So my question is how does ip source guard in conjunction with dhcp snooping prevent this particular attack from happening? (i.e. DHCP scope exhaustion)
    I really appreciate your input.
    thanks and have a great week.

    Thanks Karthikeyan.
    First of all, we gather all the information about the locations of legitimate dhcp servers in our network. Once we have this information, we will configure the ports used to reach them as trusted. All the ports where end users will connect will be untrusted and therefore subject to dhcp snooping.
    it means if any of user connected in that switch/vlan runs a dhcp services like vmware for e.g. Snooping will prevent the dhcp/bootp servers connected to that port will not be able to process.
    Yes that is correct. Because the dhcp snooping feature will check these ports for the messages usually sent by a dhcp server such as dhcp offer, etc. If the end user is running a dhcp server using a virtual machine, that port should be configured as trusted if it is determined that the end user is running a legitimate dhcp server using VMware.
    When we have the dhcp snooping it prevents the 1st level of hacking itself. I don't think so it will have any impact on dhcp address releasing.
    I am sorry. You lost me here. What is 1 level of hacking?
    Dhcp snooping checks for dhcp messages such as dhcp release, dhcp decline on untrusted ports against the dhcp bindings.
    Here is why:
    h1---------SW1-------dhcp server
                   |
                 h2
    Let's say we don't have dhcp snooping in the above attack and h2 is a legitimate user that has already been assigned ip address 199.199.199.2 by the dhcp server. Thus the dhcp server has an entry:
    199.199.199.2 mac2
    Next we connect a rogue user and it gets ip address 199.199.199.1. Now the dhcp server has entries:
    199.199.199.1   mac1
    199.199.199.2   mac2
    Now using hacking tools, h1 creates a fake dhcp release message with 199.199.199.2   mac2
    The dhcp server, upon receiving this message, will release the ip address and return it to the pool.
    By using DHCP snooping, the switch will peer inside the dhcp release message and check it against the binding. If there is a conflict, it will drop the message.
    For e.g.
    If we have dhcp snooping configured, then the switch will have a dhcp binding as:
    199.199.199.1    mac1    vlan 1   f1/1  lease time
    199.199.199.2     mac2    vlan 2    f1/2 lease time.
    If h1 tries to send a fake dhcp release with ip address 199.199.199.2    mac2
    The switch will check ip address 199.199.199.2 and mac2 against the binding related to f1/1. The switch will find a conflict and therefore drop the dhcp release packet.
    Thanks
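The checks described in the two posts above, modelled as an added example (not code from the thread or from any switch vendor): a server message on an untrusted port, a source MAC that differs from the client hardware address, and a release or decline that has no matching binding on the receiving port. The function name, message fields and the mac3 value are assumptions made for the illustration; the bindings are the ones used in the thread.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str

# Binding table from the thread's example (values as given in the posts).
BINDINGS = [
    Binding("199.199.199.1", "mac1", 1, "f1/1"),
    Binding("199.199.199.2", "mac2", 2, "f1/2"),
]

SERVER_MSGS = {"OFFER", "ACK", "NAK"}          # only expected from trusted ports
BINDING_CHECKED = {"RELEASE", "DECLINE"}       # validated against the table

def snoop_untrusted(bindings, port, src_mac, msg_type, chaddr, ip=None):
    """Return (verdict, reason) for a DHCP message seen on an untrusted port."""
    if msg_type in SERVER_MSGS:
        return "drop", "server message on untrusted port"
    if src_mac != chaddr:
        return "drop", "source MAC does not match chaddr"
    if msg_type in BINDING_CHECKED:
        owned = any(b.ip == ip and b.mac == chaddr and b.port == port
                    for b in bindings)
        if not owned:
            return "drop", "no matching binding on this port"
    return "forward", "passed snooping checks"

def thread_scenarios():
    """Constructed inputs matching the cases discussed in the thread."""
    return {
        "h1 forges release for h2": snoop_untrusted(
            BINDINGS, "f1/1", "mac2", "RELEASE", "mac2", "199.199.199.2"),
        "h2 releases its own lease": snoop_untrusted(
            BINDINGS, "f1/2", "mac2", "RELEASE", "mac2", "199.199.199.2"),
        "discover, src MAC != chaddr": snoop_untrusted(
            BINDINGS, "f1/1", "mac1", "DISCOVER", "mac3"),
        "discover, src MAC == chaddr": snoop_untrusted(
            BINDINGS, "f1/1", "mac3", "DISCOVER", "mac3"),
    }

if __name__ == "__main__":
    for name, (verdict, reason) in thread_scenarios().items():
        print(f"{name:30} {verdict:8} {reason}")
```

The last scenario is forwarded, which is the gap the question describes: none of these checks counts how many client addresses one port presents. On Cisco switches the controls that bound that are a per-port MAC limit (port security) and `ip dhcp snooping limit rate`, neither of which is discussed in the thread.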

  • Client Authentication/Authorization via ISE & AD, Posture Registry Key, and mapped to specific DHCP scope by AD membership

    Hi Team,
    I'm currently working on a configuration entailing WLC and ISE where the customer wants a single SSID, and wants his wireless clients to authenticate successfully if they pass a registry key compliance. Additionally, they want clients to receive a different IP address or get mapped to a different DHCP scope based on the Microsoft AD group they belong to. For example:
    Client authenticating with registry key and in AD group ABC that passes authentication gets IP address or subnet for AD group ABC.
    Client authenticating with registry key and in AD group XXX that passes authentication gets IP address or subnet for AD group XXX.
    Clients---->WLC------>ISE-----> MS AD ( groups ABC, XXXX, YYY )
    currently using EAP-PEAP/MSCHAPv2
    Does anyone have any idea or pointers or can refer me somewhere that I can read on how to accomplish this?  Not sure on how to do the registry compliance check nor what attributes will allow me to map the client to a DHCP Scope based on this AD group membership? 
    Thanks...

    Do check the Cisco how-to guides; you will get step-by-step configuration for the current requirement.
     

  • Is there a way for internal DHCP Scope to release scope addresses when the wifi client has disconnected?

    DHCP scope is configured on a WLC 5508.
    I'm checking if there's a way for the WLC to clear the dhcp leasing when a user is disconnected from wireless?

    Unless the client sends a DHCP Release upon disconnect, which is not mandated in the protocol, the lease will simply remain until it has expired. If you're concerned with running out of leases, you only have 2 options.
    1. reduce the lease time of your dhcp scope
    2. increase the network size to accommodate more usable addresses.
    There isn't a way to force a DHCP address lease to be "cleared" from the WLC simply because the client was disconnected.
