On 2/15/07, Matt Robertson <[EMAIL PROTECTED]> wrote:
> On 2/15/07, Dinner <[EMAIL PROTECTED]> wrote:
> > Lot of work for not much difference.  Might as well set the session
> > timeout really really low or something, right?
>
> If I were trying to find sanity in the desired approach, I'd first
> have to accept the fact that you *cannot* have cookies.  In an
> environment where site customers are all corporate, and an entire
> building's worth of buyers could all be sharing the same cookie thanks
> to some fascist security scheme, the use of cookies can be
> catastrophic.  Been there.  So I understand the requirement although I
> pity the poor guy who has to comply with it.

So we've got to keep it going from request to request, via form or url
params-- doable, but needs strict "form" to accomplish well (and length
may be an issue-- thus, the custom token).

Or a smart "render-er", I guess.  Pipe normal code thru, out comes
tokened code?  Hrm... pretty damn hard to make [well =].

> Given that, a short session timeout would not solve the problem.  If I
> was stuck passing url tokens of some kind, a continuously morphing one
> sounds like a step up from a static one; at least on the surface.

Well, it would achieve the same thing as having a really low session
time out-- perhaps not even that much, because the session would time
out after a set time, vs. the "manual" session, that presumably just
hangs out until the next token comes in (course, you could go that extra
mile, and add timeouts, etc..  Might as well do it right, right! ;).

The reason you keep it morphing is to prevent someone from stealing it
from someplace where it's exposed (hopefully not google) and using it to
"impersonate" the "real" session.

A low session timeout would accomplish the same thing, sorta.

> 'course, I haven't seen "the problem" since a health care industry job
> I did like six years ago, so for all I know firewalls are a hell of a
> lot smarter now and this client is living in the past and solving a
> problem that doesn't exist anymore.

Heh.  That's a good point.  Worthy of talking over w/ d client, fer sure.

> Glad it's not my job and all I have to do is idly speculate without
> really thinking it thru :-)

You know what they say about idle hands...
;-)

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269973
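An added example, not part of the original message: a minimal server-side sketch of the "continuously morphing" token with the idle timeout the reply mentions, where a token that comes back after it has been used is treated as a sign the URL leaked. It is written in Python rather than CFML, and the class and method names are hypothetical.

```python
import secrets
import time

class RotatingTokenSessions:
    """Cookieless sessions: each request spends one token and gets the next."""

    def __init__(self, idle_timeout=300, clock=time.monotonic):
        self.idle_timeout = idle_timeout   # seconds allowed between requests
        self.clock = clock                 # injectable so timeouts can be tested
        self._live = {}    # current token -> (session id, time issued)
        self._spent = {}   # already-used token -> session id
        self._data = {}    # session id -> per-session dict

    def start(self):
        sid = secrets.token_hex(16)
        self._data[sid] = {}
        return self._issue(sid)

    def _issue(self, sid):
        token = secrets.token_urlsafe(32)  # unguessable, URL-safe
        self._live[token] = (sid, self.clock())
        return token

    def _destroy(self, sid):
        self._data.pop(sid, None)
        self._live = {t: e for t, e in self._live.items() if e[0] != sid}
        self._spent = {t: s for t, s in self._spent.items() if s != sid}

    def advance(self, token):
        """Return (session_data, next_token), or (None, None) if rejected."""
        if token in self._spent:
            # A spent token came back: it was copied from a log, referrer or
            # shared link. Two parties now hold the session, so end it.
            self._destroy(self._spent[token])
            return None, None
        entry = self._live.pop(token, None)
        if entry is None:
            return None, None              # unknown or already destroyed
        sid, issued = entry
        if self.clock() - issued > self.idle_timeout:
            self._destroy(sid)             # the "manual" session timeout
            return None, None
        self._spent[token] = sid
        return self._data[sid], self._issue(sid)
```

Every rendered link and form has to carry the token returned by `advance`. Because any reuse ends the session, the browser back button and parallel requests end it too, which is the "strict form" cost raised in the thread.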

