Ah that's good to know, I'm running SSL. I'm guessing the J2EE sessions are 
pretty tidy then. I'm running ColdFusion in its standalone mode, does that 
still use J2EE sessions?

Are there any specific application settings I should be using in my 
application.cfc to help keep this all buttoned down, I've never really 
understood the loginstorage settings and the setdomaincookie variables.

Thanks,

Rob

-----Original Message-----
From: James Holmes [mailto:[EMAIL PROTECTED] 
Sent: 14 May 2007 16:02
To: CF-Talk
Subject: Re: Session Security

Without XSS, on a server using J2EE sessions over SSL, it's really
unlikely that anyone will succeed.

On 5/14/07, Claude Schneegans <[EMAIL PROTECTED]> wrote:
>  >>Any thoughts on where to get started with this stuff?
>
> Have you an example of how someone could hijack a session under CF?
>
> --
> _______________________________________
> REUSE CODE! Use custom tags;
> See http://www.contentbox.com/claude/customtags/tagstore.cfm
> (Please send any spam to this address: [EMAIL PROTECTED])
> Thanks.
>
>
> 


