> If you copy and paste the url, into another browser, and it keeps your
> session, that's bad... this means that if they send a link to a friend, or
> post it somewhere, anyone clicking on it would be able to get into their
> session (and possibly their account, if they are logged in), and be able to
> steal their address, possibly cc, and/or order stuff using their cc to their
> own address. This is why you shouldn't pass cfid/cftoken in url
> parameters...
Well that's my preference yes... however... "steal their address / cc # etc, or buy stuff for themselves with someone else's cc #" ... if I remember correctly not gonna happen with the F&F app... I could be wrong, but it was my impression that the shopping cart didn't work that way -- you add what you want, go to the cart and it requests your info (or possibly your un/password), runs the transaction and throws away your CC #. Simply having the cfid/cftoken in the url, while I don't like it, isn't necessarily a security risk. So that's why I don't understand that being described as "vulnerable to cookie stealing/replay attacks"... I generally only refer to something as being vulnerable to an "attack" if it allows someone to harm someone else in some way -- if it doesn't do that, then no amount of cfid/cftoken pairs in the url could be considered a "vulnerability". Granted, it's been a while since I worked on the F&F app and offhand, I can't say with certainty that it's not vulnerable... I just know that the cfid/cftoken in the url isn't proof of that.

s. isaac dealey 954.522.6080
new epoch : isn't it time for a change?

add features without fixtures with the onTap open source framework
http://www.fusiontap.com
http://coldfusion.sys-con.com/author/4806Dealey.htm

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:215622
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
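The two messages above disagree about consequences, not mechanism: both agree that if a pasted link containing CFID/CFTOKEN reproduces the sender's session in another browser, the session travels with the link. The Python below is an added illustration of that mechanism and of the usual mitigation; it is not code from the F&F application or from ColdFusion itself. The session store, the `Request` type, the identifier values and the `shop.example` URL are all constructed for the example. One lookup policy accepts CFID/CFTOKEN from the query string (the behaviour the first message warns about), the other only honours cookies, so the same pasted link resolves to the sender's session under the first policy and to nothing under the second. A small helper strips the pair from a URL before it is logged or shared.

```python
"""Session identifiers in URL parameters: leaky vs. cookie-only lookup.

Added example, not code from the application discussed.  All names,
identifier values and URLs are constructed for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs, parse_qsl, urlencode, urlunparse

# Constructed server-side session store: "CFID:CFTOKEN" -> session data.
# The store holds what the app keeps between requests; here an address,
# deliberately no card number (the reply above notes the cart discards it).
SESSIONS = {
    "1234:ABCDEF12": {"user": "alice", "address": "1 Example Street"},
}

SESSION_PARAMS = {"CFID", "CFTOKEN"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: the URL hit and the cookies sent."""
    url: str
    cookies: dict = field(default_factory=dict)


def _session_key(cfid, cftoken):
    """Combine the pair into the store key; None if either half is missing."""
    if cfid is None or cftoken is None:
        return None
    return f"{cfid}:{cftoken}"


def resolve_session_url_or_cookie(req):
    """Leaky policy: CFID/CFTOKEN are read from the query string, falling back
    to cookies.  Whoever receives the link presents the same identifiers and
    is placed in the same server-side session."""
    qs = parse_qs(urlparse(req.url).query)
    cfid = qs.get("CFID", [req.cookies.get("CFID")])[0]
    cftoken = qs.get("CFTOKEN", [req.cookies.get("CFTOKEN")])[0]
    return SESSIONS.get(_session_key(cfid, cftoken))


def resolve_session_cookie_only(req):
    """Cookie-only policy: any CFID/CFTOKEN in the URL is ignored, so a pasted
    link carries no session; only the browser that holds the cookies does."""
    return SESSIONS.get(
        _session_key(req.cookies.get("CFID"), req.cookies.get("CFTOKEN"))
    )


def strip_session_params(url):
    """Remove CFID/CFTOKEN from a URL before it is logged, emailed or displayed,
    so the link itself stops being a bearer credential.  Other parameters and
    their order are preserved."""
    parts = urlparse(url)
    kept = [
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k.upper() not in SESSION_PARAMS
    ]
    return urlunparse(parts._replace(query=urlencode(kept)))


# Constructed scenario: Alice is logged in; a friend opens the pasted link.
ALICE_URL = "https://shop.example/cart.cfm?item=42&CFID=1234&CFTOKEN=ABCDEF12"
ALICE = Request(ALICE_URL, {"CFID": "1234", "CFTOKEN": "ABCDEF12"})
FRIEND = Request(ALICE_URL)  # same link, no cookies


def demo():
    """Return who each policy thinks each request belongs to."""
    return {
        "leaky": {
            "alice": resolve_session_url_or_cookie(ALICE),
            "friend": resolve_session_url_or_cookie(FRIEND),
        },
        "cookie_only": {
            "alice": resolve_session_cookie_only(ALICE),
            "friend": resolve_session_cookie_only(FRIEND),
        },
        "shareable_url": strip_session_params(ALICE_URL),
    }


if __name__ == "__main__":
    for policy, outcome in demo().items():
        print(policy, outcome)
```

Under the leaky policy the friend's request lands in Alice's session, which is exactly the "anyone clicking on it" case in the quoted message; what that exposes depends on what the session holds, which is the reply's point. Under the cookie-only policy the pasted link resolves to no session at all, and `strip_session_params` gives the URL you would want in a log line or a shared link.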

