| From: Matt Robertson [mailto:[EMAIL PROTECTED]
| By exposing the cfid and cftoken you are announcing to the world what
| your session identifier is. In turn you are giving someone the
| opportunity to more easily manipulate it. Sure someone can accept a
| cookie, read the value off the hard drive and then have the same info
| (I suppose you could make the read more difficult by not writing a
| cookie to disk and only using a session cookie) but by passing it via
| the url you are making the job as easy as possible for the attacker.
Another possible security issue is if people e-mail a link from the URL bar to each other, that link will contain the cfid/cftoken then... It doesn't look very clean, and if someone clicks the link before the session has expired, then they are continuing someone else's session.

I have a feeling that the client is meaning something else - like no username/password in the cookie or something.

Having multiple users sharing the same IP has nothing to do with cookies btw.

/Hugo

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269983
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
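The two posts above describe the same failure mode: once CFID/CFTOKEN ride in the query string they end up in bookmarks, e-mailed links, Referer headers and web-server logs, and anyone holding such a link can resume the session. The following is an added example, not code from the thread or from ColdFusion itself: a small Python check that scans access-log lines (Combined Log Format assumed; the three log lines are constructed for illustration, not real traffic) for session identifiers in either the request path or the Referer, and a helper that strips them from a link before it is shared. The parameter names are the ColdFusion defaults; the log layout and hostnames are assumptions.

```python
"""Added example (not from the CF-Talk thread): find ColdFusion session
identifiers (CFID/CFTOKEN) exposed in URLs and strip them from links.
The log lines below are constructed for illustration, not real traffic."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters that carry a ColdFusion session identity.
SESSION_PARAMS = {"cfid", "cftoken"}

# Constructed Combined Log Format lines: request 1 carries the tokens in its
# own path, request 2 leaks them through the Referer of an unrelated page,
# request 3 is clean.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2007:10:01:02 +0000] "GET /account.cfm?CFID=1234&CFTOKEN=98765432 HTTP/1.1" 200 512 "-" "Mozilla"
10.0.0.6 - - [12/Mar/2007:10:01:09 +0000] "GET /products.cfm?id=7 HTTP/1.1" 200 1024 "http://shop.example/cart.cfm?cfid=1234&cftoken=98765432" "Mozilla"
10.0.0.7 - - [12/Mar/2007:10:02:00 +0000] "GET /index.cfm HTTP/1.1" 200 300 "-" "Mozilla"
"""

# Pulls the request path and the Referer out of one Combined Log Format line.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d+ \d+ "(?P<referer>[^"]*)"'
)


def exposed_session_params(url):
    """Return {name: value} for every session identifier in url's query string.
    Names are compared case-insensitively because ColdFusion accepts both."""
    query = urlsplit(url).query
    return {
        k.lower(): v
        for k, v in parse_qsl(query, keep_blank_values=True)
        if k.lower() in SESSION_PARAMS
    }


def strip_session_params(url):
    """Return url with session identifiers removed; other parameters are kept,
    so the link still works for a visitor who has their own session cookie."""
    parts = urlsplit(url)
    kept = [
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k.lower() not in SESSION_PARAMS
    ]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def scan_log(text):
    """Return a list of (line_no, where, url, exposed) for each request path or
    Referer that carries a session identifier. 'where' is 'path' or 'referer'."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # not a line we know how to parse; skip rather than guess
        for where in ("path", "referer"):
            url = m.group(where)
            if url == "-":  # Combined Log Format uses "-" for an empty Referer
                continue
            exposed = exposed_session_params(url)
            if exposed:
                findings.append((n, where, url, exposed))
    return findings


if __name__ == "__main__":
    for line_no, where, url, exposed in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: session id in {where}: {sorted(exposed)}")
        print(f"  safe link: {strip_session_params(url)}")
```

Running this over a real access log shows how far the identifiers have travelled: a hit in the Referer column means the token was already handed to whatever site served the link, which is exactly the leak the posts above warn about.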

