I've not got an example of how a session might be hijacked specifically in
CF, but I've seen examples from PHP and ASP, where the client's cookie data
and session ID are stolen using a packet sniffer. This session data is then
applied to the attacker's browser, and as far as the server is concerned the
user and the attacker are the same person.

I've read a few concepts this morning which I've been implementing into my
security model. Firstly, keeping sessions as short as possible without
affecting the user's experience; this way the window in which a session can
be hijacked is minimised.

I'm now working on the concept of attaching a remote address and other CGI
variables to a session, and using these as well as the session ID to identify
the user. Then if the user's IP or user agent, for instance, switches during a
session, there is a possibility the session has been duplicated in a second
location.

These are just ideas I'm playing with at the moment, trying to make them as
easy to implement as possible.

Thanks,

Rob
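As an added illustration of the binding check described in the post above (example code, not from the original message or from ColdFusion itself; written in Python as a language-neutral sketch), the store below binds a session to the client's IP and User-Agent at login, enforces a short idle timeout, and on each request reports whether the presented session ID still matches. A User-Agent change is treated as the hijack pattern and drops the session; an IP change is only flagged, since IPs legitimately change behind proxies and mobile networks. All names and sample values are constructed.

```python
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; a short idle window limits how long a stolen ID is useful


class SessionStore:
    """In-memory session table keyed by an unpredictable session ID (constructed example)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so the timeout logic can be tested
        self._sessions = {}

    @staticmethod
    def _ua_hash(user_agent):
        # Store a hash rather than the raw header; it is only ever compared, never displayed.
        return hashlib.sha256(user_agent.encode()).hexdigest()

    def create(self, user, remote_addr, user_agent):
        # Fresh random ID on login; it is never derived from user data.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user,
            "ip": remote_addr,                 # CGI.REMOTE_ADDR equivalent, captured at login
            "ua_hash": self._ua_hash(user_agent),  # CGI.HTTP_USER_AGENT equivalent
            "last_seen": self._now(),
        }
        return sid

    def validate(self, sid, remote_addr, user_agent):
        """Return (status, user). Anything other than 'ok' means do not trust the request as-is."""
        s = self._sessions.get(sid)
        if s is None:
            return "unknown", None
        now = self._now()
        if now - s["last_seen"] > IDLE_TIMEOUT:
            self._sessions.pop(sid)
            return "expired", None
        if not hmac.compare_digest(self._ua_hash(user_agent), s["ua_hash"]):
            # Same ID presented from a different browser: the copied-cookie pattern. Drop it.
            self._sessions.pop(sid)
            return "ua_mismatch", None
        if remote_addr != s["ip"]:
            # IPs change for legitimate reasons, so flag for re-authentication instead of dropping.
            return "ip_changed", s["user"]
        s["last_seen"] = now
        return "ok", s["user"]
```

A caller would treat `ip_changed` as a prompt to re-authenticate the user (and log the event), while `ua_mismatch` and `expired` both require a full new login.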

-----Original Message-----
From: Claude Schneegans [mailto:[EMAIL PROTECTED] 
Sent: 14 May 2007 15:47
To: CF-Talk
Subject: Re: Session Security

>>Any thoughts on where to get started with this stuff?

Have you an example of how some one could hijack a session under CF?

-- 
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:278039