If you copy and paste the URL into another browser and it keeps your session, that's bad... this means that if they send a link to a friend, or post it somewhere, anyone clicking on it would be able to get into their session (and possibly their account, if they are logged in), and be able to steal their address, possibly CC, and/or order stuff using their CC to their own address. This is why you shouldn't pass cfid/cftoken in URL parameters...
-----Original Message-----
From: S. Isaac Dealey [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 18, 2005 10:01 AM
To: CF-Talk
Subject: Re: <cfselect> - MultiColumn

> On Wednesday 17 August 2005 19:11, Jason Brown wrote:
>> The shopping cart at www.fitzandfloyd.com is exactly what
>> I am looking
> Hmm.
> Slow.
> Vulnerable to cookie stealing/replay attacks (cut'n'paste
> URL from Konq. to Firefox, keeps on ticking).

That's an attack?... I don't get it... Are you saying that someone would resubmit the shopping cart with their session from another location after sniffing the HTTP request and make them buy extra stuff? How would they get the CC #? And why would they do that?

> And what the hell does 'Fitz and floyd online --
> 877.653.2529' mean? That's not their web address,
> can't be an IP. Maybe it's a phone number, but the
> format is bonkers and in any case, this is an
> online shop. During checkout.

That's a fairly common format for phone numbers... You don't get out much, do you?

s. isaac dealey 954.522.6080
new epoch : isn't it time for a change?

add features without fixtures with
the onTap open source framework
http://www.fusiontap.com
http://coldfusion.sys-con.com/author/4806Dealey.htm
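A defender-side check for the problem the reply describes, added here as an example and not part of the thread: it scans access-log lines for cfid/cftoken carried in request URLs or in the Referer header (where a URL-borne token is handed to every third-party site the page links to), and scrubs them from a URL before it is logged or shared. The log lines and the host shop.example are constructed samples; jsessionid is an assumed extra parameter name.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names treated as session identifiers (case-insensitive).
# cfid/cftoken come from the thread; jsessionid is an assumed addition.
SESSION_PARAMS = {"cfid", "cftoken", "jsessionid"}

# Constructed sample access-log lines (combined log format, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Aug/2005:10:01:00 -0400] "GET /cart.cfm?CFID=12345&CFTOKEN=67890&item=42 HTTP/1.1" 200 512 "-" "Mozilla"
10.0.0.6 - - [18/Aug/2005:10:02:00 -0400] "GET /index.cfm HTTP/1.1" 200 1024 "http://shop.example/checkout.cfm?cfid=777&cftoken=888" "Mozilla"
10.0.0.7 - - [18/Aug/2005:10:03:00 -0400] "GET /about.cfm?page=2 HTTP/1.1" 200 300 "-" "Mozilla"
"""

LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<path>\S+) [^"]*" \d+ \S+ "(?P<referer>[^"]*)"')


def session_params_in_url(url: str) -> dict:
    """Return {name: value} for every session identifier found in the query string."""
    query = urlsplit(url).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SESSION_PARAMS}


def scrub_url(url: str) -> str:
    """Drop session identifiers from the query string so the URL is safe to share or log."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SESSION_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def find_leaks(log_text: str) -> list:
    """Report (line_no, field, url) for each request path or Referer carrying a session id."""
    # The Referer case matters: a token in the URL is sent to every external site linked from the page.
    leaks = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        for field in ("path", "referer"):
            url = m.group(field)
            if url != "-" and session_params_in_url(url):
                leaks.append((n, field, url))
    return leaks


if __name__ == "__main__":
    for n, field, url in find_leaks(SAMPLE_LOG):
        print(f"line {n}: session id in {field}; scrubbed: {scrub_url(url)}")
```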

