Axel asked a question about Vista Gadgets that I thought I would discuss here.
Sessions with MS Vista. I'm building a VISTA gadget calling an external CFM page using flash forms. It looks really cool, in particular in a flyout window. Now when I need to log into the app, I realized that the VISTA Gadget space seems not to have any session handler. Any idea?
The first thing you need to do is uninstall Vista. (No, I jest.) So, knowing nothing about Vista Gadgets (frankly widgets and gadgets bore me), I'd have to assume that they act like a cookie-less browser.
ColdFusion sessions require cookies in order to track your browser and associate it with a session... normally. If your browser doesn't support cookies, you have two ways you can handle it.
All sessions come with a few default variables. One of them is URLToken. This is a string of the form cfid=XXX&cftoken=XXX (or cfid=xxx&cftoken=xxx&jsessionid=xxx). As you can see, it is in a format appropriate for query strings. This allows you to append it to the end of a link:
<a href="dharma.cfm?#session.urltoken#">Secret Dharma Files</a>
Another option is urlSessionFormat(). You can wrap your links with this function and ColdFusion will determine if it needs to add the session information or not. Here is an example of that:
<a href="#urlSessionFormat('dharma.cfm?')#">Secret Dharma Files</a>
The important thing to note, though, is that every link has to use one of these methods. That means both "simple" links like the one I used above and form action URLs. It also includes AJAX requests if the back end needs session information in order to return the correct data.
Archived Comments
Ray, in your first example I think you mean session.URLToken...
Fixed. Thank you!
Don't forget that allowing a session id to be set through a URL can make it a lot easier to steal someone's session..
Nod - one reason to use a UUID for a token or jsessions.
And to be fair - I would not say it makes it a lot easier. A hacker can just as easily change his cookie as well.
The difference is that the hacker can specify a session id in the url, link the user to that page (or through a frame or other method). At that point the hacker will know the session id.. and can just use it himself..
So I'm not talking about brute-forcing.. The evil guy can specify the session id the user will use..
I don't quite get you. So I make a URL. I convince you to link to it. How do I then know your session id? You talking about the referrer variable? That would only work if I had write access to the server so I could add the offset link.
Ok, say I go to your site and I get linked to ..
http://example.com?cfid=123...
Now, if I can trick someone to go www.evil.com, which has a link, or image tag looking like:
http://example.com?cfid=123...
The session gets attached.. (usually those methods provide a way to specify a session id both through the cookie and the url)
The next time the user logs in on that site.. the user will have the session tokens I specified before on my site.. dr. evil goes to the site and will be sharing the session with the unsuspecting user..
A quick google showed up this paper: http://www.technicalinfo.ne...
Could be a good read, in case I'm not really being clear..
Right -I guess I'm assuming people _know_ this already, but good point.
urlSessionFormat() seems to work well. But, it sure would be nice not to have to use this function all over the place in our code on every single link. Might there be a way to add something to onrequeststart that wraps this function around every link or something like that? Maybe there should be a new feature in cfadmin to do something like this with the click of a checkbox?
Perhaps. I think DotNet has a solution for that. It would add overhead though, as CF would have to do some parsing on each link, and it would have to know which are external links versus internal links. You can always make it a UDF so it's a bit shorter:
<a href="#link('products.cfm?id=4')#">
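Putting the body's urlSessionFormat() advice and the comment thread's two points (a link() helper, and the fixation risk of ids carried in URLs) together, here is an added example that is not code from the post. It is a constructed login.cfm; it assumes an Application.cfc with session management enabled and ColdFusion 10 or later for sessionRotate(), and "demo"/"demo-pass" is a stand-in credential.

```cfml
<!--- login.cfm: constructed example, not the post's code --->

<!--- Every internal link and form action goes through this helper.
      Absolute URLs are returned untouched, so the session id is never
      handed to an outside host (the internal-vs-external problem
      raised in the comments). --->
<cffunction name="link" returnType="string" output="false">
    <cfargument name="target" type="string" required="true">
    <cfif reFindNoCase("^https?://", arguments.target)>
        <cfreturn arguments.target>
    </cfif>
    <!--- urlSessionFormat() appends cfid/cftoken only when the client
          sent no session cookie, which is the cookie-less gadget case --->
    <cfreturn urlSessionFormat(arguments.target)>
</cffunction>

<!--- Stand-in credential check; a real application would query a datasource --->
<cffunction name="validUser" returnType="boolean" output="false">
    <cfargument name="username" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <cfreturn (arguments.username eq "demo" and arguments.password eq "demo-pass")>
</cffunction>

<cfif structKeyExists(form, "username") and structKeyExists(form, "password")
      and validUser(form.username, form.password)>
    <!--- sessionRotate() (ColdFusion 10+) issues a fresh cfid/cftoken and
          carries the session data across. A token that arrived in the URL,
          possibly planted by a third party as the comments describe, is
          discarded here, so a pre-chosen id never becomes an authenticated one. --->
    <cfset sessionRotate()>
    <cfset session.user = form.username>
    <cfset session.loggedIn = true>
    <cflocation url="#link('dharma.cfm')#" addToken="false">
</cfif>

<cfoutput>
<form action="#link('login.cfm')#" method="post">
    <input type="text" name="username">
    <input type="password" name="password">
    <input type="submit" value="Log in">
</form>
<!--- Internal link: token appended for a cookie-less client --->
<a href="#link('dharma.cfm')#">Secret Dharma Files</a>
<!--- External link: left alone, no token leaks --->
<a href="#link('http://example.com/docs')#">External docs</a>
</cfoutput>
```

On a cookie-capable browser the same page emits plain links, since urlSessionFormat() sees the session cookie and adds nothing.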