Re: Cookie setting Detection on server
by "Bryan Bateman" <batemanb(at)home.com>
Date: Tue, 24 Oct 2000 20:48:58 +0100
To: <hwg-basics-digest(at)mail.hwg.org>, "Langum, Michael J." <MJLANGUM(at)opm.gov>
References: opm

Operating Environment
  Allaire Product:    ClusterCATS, ColdFusion
  Browser:            N/A
  Server:             N/A
  Hardware Platform:  N/A
  Operating System:   N/A
  Database:           N/A

How to set a 'domain cookie' with ColdFusion 4.0.x
--------------------------------------------------------------------------
Article 13131
How to set your cookies to use the domain name rather than the host
and domain names, i.e. allaire.com rather than www.allaire.com

In your application.cfm file directly after the tag add the following
code (use your domain name)

<cfapplication name="test_application" sessionmanagement="Yes">
<cfcookie name="cfid" value="#cfid#" domain=".waible.com">
<cfcookie name="cftoken" value="#cftoken#" domain=".waible.com">

Using this technique the cookie will be written using just the
domain name. This technique is useful when using ColdFusion in a clustered
environment.

NOTE: When running in a clustered environment with host names
www1.waible.com and www2.waible.com, ColdFusion currently sets the full host
and domain name as a cookie. However, if you do not have sticky sessions
(the ability to hold the user session to one box) set, you will end up with
two cookies, one for www1.waible.com and one for www2.waible.com. This will
cause problems: the user will no longer be able to access the session from
www1.waible.com when re-directed to www2.waible.com. To avoid these
scenarios please use the code above. This will set the host name
as a domain cookie and the session will be available to both www1.waible.com
and www2.waible.com. In version 4.5 of ColdFusion you will have this option
available to you within the cfapplication as setdomaincookies="yes/no".

I always thought ColdFusion was server-side scripting. I believe that
the above article has all the references needed to search for.
If you kill the cookies how will you do session management/tracking????????

----- Original Message -----
From: "Langum, Michael J." <MJLANGUM(at)opm.gov>
To: <hwg-basics-digest(at)mail.hwg.org>
Sent: Tuesday, October 24, 2000 9:06 PM
Subject: Cookie setting Detection on server
> I develop for a federal web site. As you may know, there is a long
> standing OMB policy that prohibits setting persistent cookies (except
> in a few limited cases).
>
> We have just discovered that contractors have placed cookie creating
> code in a few of our pages. We learned this because an outside group
> tested our site, found the cookies, and published the result in the
> paper. Needless to say, our director was VERY UPSET!
>
> Since we have over 31,000 pages on our site, I don't want to manually
> visit every page and see if a cookie is set.
>
> I have done global text searches for the word "cookie," and
> "<CFAPPLICATION." These searches only found the one case that was
> reported in the paper. However, I want to make sure that I'm not
> missing anything.
> Does anyone know of a tool that will detect any cookie setting files
> on our servers (rather than at the client)?
>
> Thanks in advance,
> -- Mike
> Web Development Team
> U.S. Office of Personnel Management
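
An added example, not part of the original messages or of the Allaire article: a static scan of a document root for the constructs named in this thread (`<cfcookie>`, `<CFAPPLICATION>`) plus Set-Cookie headers and script cookie writes, reporting file, line, and whether an explicit lifetime makes the cookie persistent. The pattern list, function names, file extensions and sample files are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

# Constructs that can make a page set a cookie (this example's own list, not exhaustive).
# [^>]* also crosses newlines, so tags split over several lines are still caught.
PATTERNS = {
    "cfcookie tag": re.compile(r"<cfcookie\b[^>]*>", re.I),
    "cfapplication tag": re.compile(r"<cfapplication\b[^>]*>", re.I),
    "Set-Cookie header or meta": re.compile(r"set-cookie[^\n]*", re.I),
    "script cookie write": re.compile(r"document\.cookie\s*=[^\n]*", re.I),
}
# Heuristic: an explicit lifetime other than "now" outlives the browser session.
LIFETIME = re.compile(r"\b(?:expires|max-age)\s*=(?!\s*[\"']?now\b)", re.I)

def scan_text(text):
    """Return sorted (line, kind, persistent) tuples for each cookie-setting construct."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            hits.append((line, kind, bool(LIFETIME.search(m.group(0)))))
    return sorted(hits)

def scan_tree(root, exts=(".cfm", ".cfml", ".htm", ".html", ".js")):
    """Walk a document root and map each relative path to its hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in exts:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

# Constructed sample files, not taken from the site discussed in the thread.
SAMPLE = {
    "Application.cfm": '<CFAPPLICATION NAME="app"\n   SESSIONMANAGEMENT="Yes">\n',
    "survey/form.cfm": '<p>hi</p>\n<CFCookie name="seen"\n  value="1" expires="never">\n',
    "logout.cfm": '<cfcookie name="seen" value="" expires="now">\n',
    "js/track.js": 'document.cookie = "v=1; expires=Fri, 31 Dec 2010 23:59:59 GMT";\n',
    "about.html": "<p>No state kept here.</p>\n",
}

def demo():
    """Write the sample files to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE.items():
            target = Path(root, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_tree(root)
```

A source scan only sees what is written in the files; cookies emitted by the application server itself still have to be confirmed by requesting pages and inspecting the response headers.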
HTML: hwg-basics mailing list archives,
maintained by Webmasters @ IWA