Hi Chris,
>Check the help on urlSessionFormat, I think there's a switch to turn off the token append.
You mean to switch off CFID/CFTOKEN only? Otherwise, I don't see any
utility in turning off the entire token in urlSession format...
BTW, I don't believe there is a (documented) switch in urlSessionFormat
(http://livedocs.macromedia.com/coldfusion/6.1/htmldocs/funca115.htm),
but let me know if you find otherwise.
Thanks,
Jamie
On Wed, 13 Oct 2004 10:46:56 -0400, in cf-talk you wrote:
>CFID/CFTOKEN are still used to identify client variables stored in the database.
>
>Check the help on urlSessionFormat, I think there's a switch to turn off the token append.
>
>best,
>Chris Norloff
>
>
>---------- Original Message ----------------------------------
>From: Jamie Jackson <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>Date: Tue, 12 Oct 2004 17:10:33 -0400
>
>>I've got a couple questions about session.urlToken under J2EE
>>sessions:
>>
>>When J2EE sessions are enabled, why does session.urlToken bother with
>>CFID/CFTOKEN anymore? The fact that both are there confuses me. I
>>wonder which takes precedence? Do I lose the extra security that the
>>uniqueness of jsessionID affords (i.e. can someone still hack the
>>CFID/CFTOKEN and hijack a session)?
>>
>>Also, I'm using urlSessionFormat, and am getting the urltoken
>>appended, even with cookies turned on. Any suggestions as to how to
>>troubleshoot this?
>>
>>Thanks,
>>Jamie
>>
>>
>
>