Well, to me, the main issue isn't what CF does or doesn't do with cookies
... it's user perception. This is one more feather in the cap of the
anti-cookie maniacs. Wait until the media reports this -- "Cookies Steal
User Identities ... film at 11." It could get ugly.

My latest programming methodology has relied on cookies and my attitude has
been anti-cookie fanatics be damned. If you disable cookies you can't use
my site!!! This whole new security hole undercuts my primary argument:
There is nothing wrong with cookies. Well, now, we find out, there is. I
don't know if that's going to change much of what I'm doing because the
actual value of exploiting this hack is rather slim, it seems to me.

I like session vars. I want to use session vars (not to mention client
vars). I shouldn't need to jump through the hoops of passing session vars
through URLs and hidden input fields (sort of defeats the purpose, doesn't
it?). For now, I'm going to keep using cookies as I've been using them.
However ... friggin' frackin' Microsoft!!!!!!!!!!!
H.
=========================
Howard Owens
Web Producer
InsideVC.com
mailto:[EMAIL PROTECTED]
=========================
> -----Original Message-----
> From: Sharon DiOrio [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, May 16, 2000 12:56 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: "You have nice cookies .. mind if I have a look?"
>
> Because the web is "stateless", each http request is independent of the
> previous ones. So the web server (any web server, not just CF) needs a way
> to establish that multiple http requests belong to the same user.
> Therefore, session state needs to be maintained either by setting cookies
> or by passing a unique ID in URL variables.
>
> In Cold Fusion SESSION management, the temporary cookie only contains CFID
> and CFToken, values that mean nothing except to the Cold Fusion server that
> set them, having them stolen is less of a security risk than setting
> discrete cookies with user specific information.
>
> Sharon
>
> At 12:44 PM 5/16/2000 -0700, paul smith wrote:
> >Nope. You only need session vars
> >to maintain a session state.
> >You need to set cookies on your
> >visitor's 'puter if you want them
> >to be able to login automagically.
> >
> >best, paul
> >
> >At 03:04 PM 5/16/00 -0400, you wrote:
> >>I thought cookies had to be enabled for session scoping to work?
> >
> >------------------------------------------------------------------------------
> >Archives: http://www.eGroups.com/list/cf-talk
> >To Unsubscribe visit
> >http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
> >send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.