Mark Leder wrote:

>Hi all,
>I want to prevent session swapping in an app.
>When creating a new session structure, is it a good idea to name a key/value
>pair as a SESSION.URLToken, and then when passing the URLtoken between pages
>(as appended to the URL), do a check to match the physical URLtoken =
>SESSION.URLtoken? Or is this taken care of in the background?

The best way I found was to store the current IP/user agent in the
session variables and check them with every request. If they didn't
match the current user's IP/UA, just throw them out.

Jesse
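
The two checks discussed in this thread (a per-session token passed on the URL, and the IP/user-agent binding) could sit together in `Application.cfm` as below. This is an added example, not code from either poster; the application name and the `boundIP`, `boundUA` and `pageToken` names are assumptions, with `pageToken` chosen so it does not collide with ColdFusion's built-in `session.URLToken`.

```cfml
<!--- Application.cfm: runs before every page request (added example) --->
<cfapplication name="bindDemo" sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#">

<cfset bindingOK = false>

<cflock scope="session" type="exclusive" timeout="10">
    <cfif NOT StructKeyExists(session, "boundIP")>
        <!--- First request of this session: record who it belongs to
              and issue the token that every later link must carry.
              pageToken is a hypothetical name; session.URLToken is
              reserved by ColdFusion for the CFID/CFTOKEN string. --->
        <cfset session.boundIP   = cgi.remote_addr>
        <cfset session.boundUA   = cgi.http_user_agent>
        <cfset session.pageToken = CreateUUID()>
        <cfset bindingOK = true>
    <cfelse>
        <!--- Later requests: IP and user agent must match what was stored.
              Clients behind rotating proxies or on mobile networks can
              change IP mid-session and will be rejected by this check. --->
        <cfset bindingOK = (session.boundIP EQ cgi.remote_addr)
                           AND (Compare(session.boundUA, cgi.http_user_agent) EQ 0)>

        <!--- The token on the URL must be present and equal the stored one --->
        <cfif bindingOK>
            <cfset bindingOK = StructKeyExists(url, "pageToken")
                               AND (Compare(url.pageToken, session.pageToken) EQ 0)>
        </cfif>
    </cfif>
</cflock>

<cfif NOT bindingOK>
    <!--- Reject the request but leave the stored binding untouched, so a
          mismatching client cannot cause the session to re-bind to itself --->
    <cfheader statuscode="403" statustext="Forbidden">
    <cfoutput>Session check failed. Please log in again.</cfoutput>
    <cfabort>
</cfif>
```

Pages then build their links as `page.cfm?pageToken=#session.pageToken#` so the next request passes the check.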
