> I'd back up Martin's theory of it being search engines
> indexing the site with the CFID/CFTOKEN in the URL. If two
> people follow that link within the session time out they will
> share the session.
>
> I now only use CFID/CFTOKEN in the URL from behind a log in
> page, or after someone has added an item to the basket etc
> ... all things a search engine can't do.
>
> It's always occurred to me that this is a massive security
> hole in the way that ColdFusion manages sessions. Having said
> that, most application servers use a similar method of
> maintaining session when cookies are not enabled.

This is a problem with HTTP, not with CF specifically. HTTP is a stateless protocol, so if you want to have your application server keep track of a specific user you'll have to append some sort of identifier to each HTTP request that client makes.

If you want to prevent search engines from indexing specific content, you might want to specify that within your robots.txt file.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
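
The shared-session condition discussed in this thread can be checked for in web server access logs. The following is an added example, not part of the original messages: it flags any CFID/CFTOKEN pair requested from more than one client IP and any pair that was served to a crawler. The log lines, the combined log format and the crawler user-agent pattern are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Feb/2005:10:00:01 +0000] "GET /product.cfm?id=7&CFID=1201&CFTOKEN=55512345 HTTP/1.1" 200 5120 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.23 - - [01/Feb/2005:10:05:12 +0000] "GET /product.cfm?id=7&CFID=1201&CFTOKEN=55512345 HTTP/1.1" 200 5120 "http://www.google.com/search?q=widgets" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.77 - - [01/Feb/2005:10:07:40 +0000] "GET /basket.cfm?cfid=1201&cftoken=55512345 HTTP/1.1" 200 2048 "http://www.google.com/search?q=widgets" "Mozilla/5.0 (X11; Linux) Firefox/1.0"
192.0.2.5 - - [01/Feb/2005:10:08:00 +0000] "GET /index.cfm?CFID=1300&CFTOKEN=99887766 HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.5 - - [01/Feb/2005:10:09:30 +0000] "GET /basket.cfm?CFID=1300&CFTOKEN=99887766 HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

# client IP, request URL and user agent from one combined-format line
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"')
# Assumed crawler heuristic; extend for the agents seen on your site.
CRAWLER = re.compile(r"bot|crawl|spider|slurp", re.I)


def session_key(url):
    """Return (CFID, CFTOKEN) from the query string, or None if absent."""
    query = parse_qs(urlsplit(url).query)
    params = {name.lower(): values[0] for name, values in query.items()}
    if "cfid" in params and "cftoken" in params:
        return params["cfid"], params["cftoken"]
    return None


def analyze(log_text):
    """Return (sessions seen from several IPs, sessions served to crawlers)."""
    ips_by_session = defaultdict(set)
    crawled = set()
    for line in log_text.splitlines():
        match = LINE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        ip, url, agent = match.groups()
        key = session_key(url)
        if key is None:
            continue  # no session identifier in the URL
        ips_by_session[key].add(ip)
        if CRAWLER.search(agent):
            crawled.add(key)
    # More than one IP is a heuristic: proxies can also change a user's IP.
    shared = {k: sorted(v) for k, v in ips_by_session.items() if len(v) > 1}
    return shared, crawled
```

A session that appears in both results is the case described in the thread: a tokenized URL was handed to a crawler and later followed by other visitors.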

