I am having a huge problem right now. I have an application where I am using 
CFID/CFTOKEN as URL parameters. They are currently being maintained in 
the registry.

One of my clients emailed the URL (the entire URL) to another individual (who does 
not use this application at all) in a totally different location.

When that user clicked on the link, he was logged in as the client and was able 
to access the entire system.

Huge Security Issue here.

What is the underlying cause of it?

If I change the session management parameters through the CF Administrator to 
use cookies, is there other major work (a code rewrite) I need to do, since the 
application has been developed using CFID/CFTOKEN in the URL?

OR

Can I set addtoken="no" in cflocation and prevent the tokens from being 
appended to the URL? If yes, are there any major repercussions? Will this work?

Asad 
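As an added illustration (not the poster's code, and not a reply from the list): CFID and CFTOKEN together are the identifier ColdFusion uses to find a visitor's session and client scope, so any browser that presents that pair is treated as that session. A URL that carries them is therefore a bearer credential, which is exactly what the forwarded email handed over. The fragments below show the link and redirect patterns that put the pair on the URL beside the equivalents that keep it in cookies only. The application name "OrderPortal" and the page name orders.cfm are assumptions; the three parts are separate fragments (Application.cfc and two page snippets) shown together for comparison.

```cfml
<!--- Added example, not the original poster's code. "OrderPortal" and
      orders.cfm are assumed names. --->

<!--- 1. Application.cfc: issue CFID/CFTOKEN as cookies so pages never
      need to carry them on the URL. Client variables stay in the registry,
      as in the post; only the way the identifiers reach the browser changes. --->
<cfcomponent output="false">
    <cfset this.name = "OrderPortal">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
    <cfset this.setClientCookies = true>
    <cfset this.clientManagement = true>
    <cfset this.clientStorage = "registry">
</cfcomponent>

<!--- 2. Leaky patterns: every one of these writes the session identifier
      into a URL that can be bookmarked, logged, or forwarded by email. --->
<cfoutput>
    <!--- hand-built link carrying the pair --->
    <a href="orders.cfm?CFID=#session.CFID#&CFTOKEN=#session.CFTOKEN#">My orders</a>
    <!--- urlSessionFormat() appends CFID/CFTOKEN whenever the browser has
          not sent the session cookie back --->
    <a href="#urlSessionFormat('orders.cfm')#">My orders</a>
</cfoutput>
<!--- addtoken defaults to "yes", so this redirect appends CFID/CFTOKEN too --->
<cflocation url="orders.cfm">

<!--- 3. Hardened equivalents: plain links, and a redirect that leaves the
      identifiers in the cookie where they belong. --->
<a href="orders.cfm">My orders</a>
<cflocation url="orders.cfm" addtoken="no">
```

Two caveats for anyone applying this. First, ColdFusion reads CFID/CFTOKEN from URL parameters as well as from cookies, so removing them from generated links stops new leaks but does not on its own reject a pair that has already been mailed out; that session stays usable until it times out or is invalidated. Second, search the code base for every place the pair is emitted (hand-built query strings, urlSessionFormat(), and cflocation without addtoken="no"), since a single remaining emitter recreates the problem.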


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:279032