Do I need to delete the cookie in Coldfusion when I change other session variables -


i have problem session variables in app. make short, coldfusion application inside dot net application using iframe. main application using dot net user login dot net app. once user login can access coldfusion app. through link. there no login coldfusion app. (boss not want our users login twice!).

to differentiate each user, dot net app pass 2 url variables, url.userid , urlusergroup coldfusion app. created session variables based on these url variables, such session.userid , session.usergroup, differentiate each user , roles when roaming in coldfusion app. how create sessions: in application.cfc (coldfusion 10) onsessionstart have:

 <cfset session.userid= url.userid>  <cfset session.usergroup= url.usergroup>

if login user a, 2 sessions created when log out (through dot net app), login again user b, set of sessions created user b session variables belong user still exist. mess everything.

to maintain 1 set of sessions running @ time, following in index.cfm:

   <cfif structkeyexists(session,"userid") >       <cfif session.usergroup neq url.usergroup , session.userid neq url.userid>          <cfset sessioninvalidate() />          <cfset session.userid = url.userid>          <cfset session.usergroup = url.usergroup>       </cfif>    </cfif

this work, can login , log out different users different roles , access 1 thing notice still stay same cookie. when cfdump var="#cookie#" see same jsessionid=c2aee274a09334eb98ccb2d332d6cada.cfusion

my question is: should cookie? should make expired , rebuilt cookie every new user did sessions? how delete cookie , how rebuild 1 user?

not quite answer looking for, seems me have bigger problem though - of url params numeric or 'plain text'? if user can see url params being passed via iframe, change userid and/or usergroup presumably give them access things shouldn't.

for example if iframe calls: http://mycfapp.com/?userid=123&usergroup=2

then tampering params potentially login different user: http://mycfapp.com/?userid=1&usergroup=2

you need think securing these. .net application call cf server-side authenticate , token can pass in iframe. way can provide time-sensitive token without user ever seeing ids being passed simple url params.

you have .net application call cf when user logs out invalidate token.


Comments

Post a Comment

Popular posts from this blog

c++ - Difference between pre and post decrement in recursive function argument -

i have following sample code used pre-decrement void function(int c) { if(c == 0) { return; } else { cout << "dp" << c << endl; function(--c); cout << c << endl; return; } } this function give output input 4 : dp3 dp2 dp1 dp0 0 1 2 3 but when use post decrement void function(int c) { if(c == 0) { return; } else { cout << "dp" << c << endl; function(c--); cout << c << endl; return; } } output goes in infinite loop dp4 can explain me in detail why happens ? this happens because function(c--) called same value of c , when finishes c decremented. recursively called, hence called same value no chance of return , hit stack overflow error. assume this, int x = 1, y = 0; y = x++ result y == 1 , x == 2. if y = ++x , bot x , y 2.
Read more

php - Nothing but 'run(); ' when browsing to my local project, how do I fix this? -

i added new project. made mistake in projectname.conf file in sites-available apache2, led me reinstalling apache2. after reinstalling , re-enabling projects on every page of every project .. <body> run(); </body> .. i've run composer update, restarted service, restarted pc, checked config files, tried disabling new project. there nothing in error log, , access.log: 127.0.0.1 - - [15/may/2015:01:40:47 +0200] "get / http/1.1" 304 181 "-" "mozilla/5.0 (x11; ubuntu; linux x86_64; rv:38.0) gecko/20100101 firefox/38.0" maybe i'm forgetting apache2 reinstall? don't think did different last time installed it. looks haven't setup php correctly. take @ this great guide , maybe you're forgetting link php config apache2.
Read more

php - How can I echo out this array? -

i don't know how go grabbing data in variable , put foreach loop. class tree{ private $info = array( array('name'=>'jim','state'=>'nu','company'=>'nu','phone'=>array('cell'=>'5615111111','office'=>'5611111111'),'email'=>array('primary'=>'exs@example.com','ex@there.com')), array('name'=>'joe smith','city'=>'phoenix','phone'=>'4805551111','email'=>'jsmith@some_email.com'), array('name'=>'john doe','city'=>'chandler','company'=>'doe co.','email'=>array('jdoe@gmail.com','personal'=>'email@email.com'),'phone'=>'6025550002') ); } if you're inside of class, can access private variable using $this->variablename . example, i
Read more