> I also recommend using J2EE Sessions unless you have a
> compelling reason not to. They're more secure (for several
> reasons).

I wouldn't go so far as to say they're more secure. By default, they use a
UUID instead of a pair of integers, but you can get the same effect with
CFID and CFTOKEN by enabling the "use UUID for CFTOKEN" option in the CF
Administrator. J2EE sessions use nonpersistent cookies, as opposed to the
persistent CFID and CFTOKEN cookies, but that doesn't really increase
security in any meaningful way; it just allows you to more easily tie the
end of a session to the closing of the user's browser. If you want the same
effect with CFID and CFTOKEN, just rewrite them as nonpersistent cookies.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
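As an added illustration of the last sentence of the reply above (not code from the original post or from Fig Leaf Software): the standard way to turn the persistent CFID/CFTOKEN cookies into nonpersistent ones is to re-issue them from Application.cfm without an expires attribute, since cfcookie omits the expiry date in that case and the browser discards the cookie when it closes. The `secure` and `httponly` attributes are assumed to be available (httponly needs ColdFusion 9 or later).

```cfml
<!--- Application.cfm (assumed location; constructed example) --->
<cfapplication name="MyApp"
               sessionmanagement="Yes"
               setclientcookies="Yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#">

<!--- ColdFusion has already set persistent CFID/CFTOKEN cookies on the
      first request of a session. Rewrite them here with no "expires"
      attribute so they become browser-session cookies instead. --->
<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
    <!--- Copy the current values before overwriting the cookies --->
    <cfset cfidLocal    = Cookie.CFID>
    <cfset cftokenLocal = Cookie.CFTOKEN>

    <!--- No expires attribute => nonpersistent cookie.
          secure: only sent over HTTPS.
          httponly: not readable from client-side script (CF9+). --->
    <cfcookie name="CFID"
              value="#cfidLocal#"
              secure="Yes"
              httponly="Yes">
    <cfcookie name="CFTOKEN"
              value="#cftokenLocal#"
              secure="Yes"
              httponly="Yes">
</cfif>
```

Combined with the "use UUID for CFTOKEN" setting in the CF Administrator, this gives CFID/CFTOKEN the same non-guessable, browser-lifetime behaviour that the post attributes to J2EE sessions.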