On Thursday 24 May 2007, Asad Khan wrote:
> what will this do by setting url.cfid=client.cfid.  If I do this and a

url.cfid= *cookie*.cfid would be better.

> client still emails the entire link with these id/token in the URL, will I
> still have the same issue... 

No, the ones in the actual URL in the web browser will be overwritten.

> maliciously change the id or token value by one digit (i know there are so
> many permutations between the 2, but it can happen.  Will this approach
> you mentioned eliminate any of those security issues).

Unless they are very lucky, they won't have a valid combination and it'll 
error.

> Where do i need to check if cookies have been disabled.. 

On their web browser :-)
Not many people disable them these days.
There are detection examples floating around, or you can write a page that 
uses cfcookie to set one, then forwards to a second page that (tries to) read 
it back.

> eliminate the tokens from the URL string..

Yes.

-- 
Tom Chiverton
Helping to interactively market internet initiatives
on: http://thefalken.livejournal.com
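
Added example (not code from Tom's or Asad's messages): an Application.cfm that 
does both of the things discussed above, first forcing the cookie's CFID/CFTOKEN 
over anything carried in the URL, then the set-a-cookie-and-read-it-back check. 
The application name "myapp", the probe cookie name "cookieprobe" and the 
"probe" URL flag are made up for the illustration; the cfapplication settings 
are assumptions too, not something the thread states.

```cfml
<!--- Application.cfm: added example, not code from the original thread.
      "myapp", "cookieprobe" and the "probe" URL flag are illustrative names. --->

<!--- 1. Prefer the cookie's CFID/CFTOKEN over anything in the URL.
      cfapplication honours url.cfid/url.cftoken when they are present, so a
      link that was emailed on (or had a digit changed) would otherwise hand
      the request someone else's identifiers. Overwriting the url scope
      BEFORE cfapplication runs means only the values this browser already
      holds in its cookie jar are used. If there is no cookie yet (first
      visit, or cookies disabled) nothing is overwritten and CF behaves
      as it normally would. --->
<cfif StructKeyExists(cookie, "cfid") and StructKeyExists(cookie, "cftoken")>
    <cfset url.cfid = cookie.cfid>
    <cfset url.cftoken = cookie.cftoken>
</cfif>

<!--- Assumed settings: client and session variables on, identifiers kept in
      cookies rather than appended to URLs. --->
<cfapplication name="myapp"
               clientmanagement="yes"
               sessionmanagement="yes"
               setclientcookies="yes"
               setdomaincookies="no">

<!--- 2. Cookie detection: set a probe cookie, bounce once to the same page,
      and see whether the browser sent it back. addtoken="no" keeps
      CFID/CFTOKEN out of the redirect URL, which is the whole point. --->
<cfif StructKeyExists(cookie, "cookieprobe")>
    <!--- The browser returned the probe cookie: cookies are enabled. --->
    <cfset request.cookiesDisabled = false>
<cfelseif not StructKeyExists(url, "probe")>
    <!--- First time through: set the probe and redirect once. --->
    <cfcookie name="cookieprobe" value="1">
    <cflocation url="#cgi.script_name#?probe=1" addtoken="no">
<cfelse>
    <!--- We came back from the redirect and the cookie is still missing,
          so this browser is not accepting cookies. Pages can check
          request.cookiesDisabled and, for example, refuse to rely on
          client/session state or show a notice. --->
    <cfset request.cookiesDisabled = true>
</cfif>
```

Two caveats a practitioner would want: the redirect above drops any query 
string the original request carried (a production version would append 
cgi.query_string), and with cookies disabled the probe redirect happens once 
per page visit, since there is nowhere client-side to remember the result 
without a cookie.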

****************************************************

This email is sent for and on behalf of Halliwells LLP.

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:279071