Friday, September 12, 2008

Token Broken...

We ran into an issue today with cflocation. In our system we pass users off to an ATS where they can apply to a job that they found from us. It was working great for quite some time on all sites but two. This came to our attention today. After looking at our system we boiled it down to a difference between two URLs:

URL from our admin (this URL worked if copied and hit straight from the browser):
http://www.xxxxxxxxxx.com/index.cfm?xxxxxx=somecircuit.someFuseAction&RID=4920&CurrentPage=6

Resulting URL after going through our system:
http://www.xxxxxxxxxx.com/index.cfm?xxxxxx=somecircuit.someFuseAction&RID=4920&CurrentPage=6&sid=35&CFID=1328925&CFTOKEN=76318564&jsessionid=8c30c6b3e5ea1acfccbb5a53384541664b4b

As you can see, the only difference is the extra URL variables CFID, CFTOKEN, and jsessionid. (sid was a valid addition prior to the cflocation tag.) So how would this break their ATS? It doesn't take long looking at it before you realize that the ATS is powered by CF and the extra information is really only meant for our system. Their system receives it, and it has no session matching the extra tokens. So, we have to stop sending these variables over.

I tracked this down to the point of redirect in this cflocation tag:
<cflocation url="#obj.URL#">

Change to:

<cflocation url="#obj.URL#" addtoken="false" >

This was a simple fix: just add addToken="false". This keeps the CFID, CFTOKEN, and jsessionid from being appended to the URL, so they do not interfere with the hand-off to an outside CF system. This isn't rocket science. This is just a friendly reminder to mind your tokens.
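A check that follows from this fix, added here as an example and not code from the original post: a Python scan of CFML source that reports every cflocation tag without a literal addtoken="false", so session identifiers meant for the originating system are not handed to an outside site. The function name audit_cflocation, the sample template and the ats.example host are constructed for illustration.

```python
import re

# One whole <cflocation ...> tag: any case, may span lines, quoted values may hold ">".
TAG_RE = re.compile(r"""<cflocation\b(?:"[^"]*"|'[^']*'|[^>"'])*>""", re.IGNORECASE)
# name=value pairs; a quoted value is consumed whole, so text such as
# "addtoken=false" inside the url value is never mistaken for the attribute.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*("[^"]*"|'[^']*'|[^\s/>]+)""")
SAFE_VALUES = {"false", "no", "0"}  # literal CFML false values

def audit_cflocation(source):
    """Return (line, reason) for each cflocation tag that may append session tokens."""
    findings = []
    for match in TAG_RE.finditer(source):
        line = source.count("\n", 0, match.start()) + 1
        attrs = {name.lower(): value.strip("\"'").strip().lower()
                 for name, value in ATTR_RE.findall(match.group(0))}
        if "addtoken" not in attrs:
            findings.append((line, "addtoken not set"))
        elif attrs["addtoken"] not in SAFE_VALUES:
            # Covers yes/true and dynamic values such as #flag#, which need manual review.
            findings.append((line, "addtoken=%r is not a literal false" % attrs["addtoken"]))
    return findings

# Constructed sample template (not from the original post).
SAMPLE = '''<cfif done>
  <cflocation url="#obj.URL#">
</cfif>
<cflocation url="#obj.URL#" addtoken="false" >
<CFLOCATION
    url="https://ats.example/apply?addtoken=false"
    addToken="yes">
<cflocation url="#next#" addtoken="#flag#">
'''

if __name__ == "__main__":
    for line, reason in audit_cflocation(SAMPLE):
        print("line %d: %s" % (line, reason))
```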

Blessings....
