I use a dynamic cookie to prevent session hijacking, dynamic in both name and value.
Here's the idea:

1. For each session, the system creates a random cookie name and a random value.
2. On each request, the system checks for the existence of the cookie generated in point 1.

So if someone hijacks another user's session by guessing CFID and CFTOKEN (which is easy, because they're both integers in CF5), they can't (or will find it considerably hard to) guess the cookie name and value. For even greater security, you can update the cookie name/value every n minutes.

HTH,
Rizal

At 09:59 PM 6/25/2003, you wrote:
>Hi,
>
>How do we prevent our site from showing critical information to a hacker if
>someone hijacks a session and starts using the site with someone else's (the admin's)
>session, and the admin's current session gets disconnected? I've been told
>that it has happened in the past. My code takes no account of any
>such hack and my security is simply session based, so everyone is welcome
>provided he/she is authorised and the session is defined. What is the recommended
>way of preventing such an act in your code?
>
>Any suggestions?
>
>Thanks
>Shaz

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
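The scheme Rizal describes, written out as an added example that is not part of the original thread and is not ColdFusion code: a framework-neutral Python model of the session store, with the secondary cookie issued at login, verified on every request with a constant-time compare, and rotated after n minutes. The names `SessionGuard`, `run_scenario`, the 10-minute rotation interval and the sample CFID/CFTOKEN values are all assumptions made for the example. It also covers one point the post leaves open: a request that carries a guessed CFID/CFTOKEN but the wrong secondary cookie is rejected without destroying the real session, since destroying it would let anyone who guesses the integers log the admin out at will.

```python
"""Model of the two-cookie session check from the post: a per-session cookie
with a random name and value, verified on every request and rotated every
n minutes. Framework-neutral Python standing in for the CF session/cookie scopes."""
import hmac
import secrets
import time
from dataclasses import dataclass

ROTATE_AFTER_SECONDS = 10 * 60   # n = 10 minutes is an assumed value


@dataclass
class SessionRecord:
    user: str
    cookie_name: str     # random name, e.g. "s4f9c2e1a0b37d68"
    cookie_value: str    # random value bound to that name
    issued_at: float     # when the current name/value pair was issued


def _fresh_pair():
    # 64 bits of entropy in the name, 256 in the value: not guessable the way
    # sequential integer CFID/CFTOKEN pairs are.
    return "s" + secrets.token_hex(8), secrets.token_urlsafe(32)


class SessionGuard:
    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}   # (CFID, CFTOKEN) -> SessionRecord

    def login(self, cfid, cftoken, user):
        """Called once after authentication. Returns the cookies to set."""
        name, value = _fresh_pair()
        self._sessions[(cfid, cftoken)] = SessionRecord(user, name, value, self._now())
        return {"CFID": cfid, "CFTOKEN": cftoken, name: value}

    def check(self, cookies):
        """Called on every request. Returns (user, cookies_to_set) or raises PermissionError."""
        rec = self._sessions.get((cookies.get("CFID"), cookies.get("CFTOKEN")))
        if rec is None:
            raise PermissionError("unknown session")
        presented = cookies.get(rec.cookie_name)
        if presented is None or not hmac.compare_digest(presented, rec.cookie_value):
            # Reject but keep the real session alive: destroying it here would let
            # anyone who guesses CFID/CFTOKEN log the admin out at will.
            raise PermissionError("session cookie missing or wrong")
        to_set = {}
        if self._now() - rec.issued_at >= ROTATE_AFTER_SECONDS:
            to_set[rec.cookie_name] = None   # None = tell the browser to delete it
            rec.cookie_name, rec.cookie_value = _fresh_pair()
            rec.issued_at = self._now()
            to_set[rec.cookie_name] = rec.cookie_value
        return rec.user, to_set


def run_scenario():
    """Admin logs in; attacker guesses CFID/CFTOKEN; clock advances; cookies rotate."""
    clock = [1_000_000.0]
    guard = SessionGuard(now=lambda: clock[0])
    admin_jar = guard.login("1234", "56789012", "admin")   # constructed sample ids

    user, extra = guard.check(admin_jar)
    legit_ok = (user == "admin" and extra == {})

    attacker_jar = {"CFID": "1234", "CFTOKEN": "56789012"}   # guessed, no third cookie
    try:
        guard.check(attacker_jar)
        attacker_rejected = False
    except PermissionError:
        attacker_rejected = True

    user_after, _ = guard.check(admin_jar)      # admin still works after the failed guess
    clock[0] += ROTATE_AFTER_SECONDS
    _, rotated = guard.check(admin_jar)         # rotation: old name deleted, new pair set
    old_name = next(k for k in admin_jar if k not in ("CFID", "CFTOKEN"))
    new_name = next(k for k, v in rotated.items() if v is not None)
    rotated_ok = rotated.get(old_name, "x") is None and new_name != old_name

    try:
        guard.check(admin_jar)     # stale jar: old cookie no longer accepted
        stale_rejected = False
    except PermissionError:
        stale_rejected = True
    admin_jar.pop(old_name)
    admin_jar[new_name] = rotated[new_name]
    fresh_user, _ = guard.check(admin_jar)

    return {
        "legit_ok": legit_ok,
        "attacker_rejected": attacker_rejected,
        "admin_survives_guess": user_after == "admin",
        "rotated_ok": rotated_ok,
        "stale_rejected": stale_rejected,
        "fresh_ok": fresh_user == "admin",
    }


if __name__ == "__main__":
    print(run_scenario())
```

One caveat worth keeping in mind: the third cookie rides in the same requests as CFID and CFTOKEN, so it only raises the cost of guessing. An attacker who can read the victim's traffic or run script in the victim's browser gets all three cookies together; for that case the usual answers are TLS and the HttpOnly/Secure cookie flags, not more random cookies.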

