Yeah, even if you encrypt it, if someone sniffs the connection and gets the encrypted value, they can pass that the same way they would pass the normal jsessionid. In other words, it doesn't make any difference. Maybe you could salt the id with their IP address or something, but then you could run into problems with proxy servers. I'm still not clear on what the "security issue" is, unless they think a cookie of any kind is a security issue.
On 8/11/07, Phil Wilson <[EMAIL PROTECTED]> wrote:
> To be honest, as a noob, there's a bunch of things that I don't know that
> I don't know. Unconscious incompetence. In this instance I saw a session id
> value and thought it best to encrypt it, because perhaps there was a way
> that I didn't know about that this could be exploited, especially since it
> was so easy to find. That's all.
>
> > What are you afraid they will do?
> >
> > What is the threat model you are so concerned about?
>
> > Jochem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:286032
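The replay argument in the reply above, as an added example (this is not code from the thread, from ColdFusion or from any session framework). It assumes a toy keyed XOR as the "encryption" of the session id, an in-memory session table, and constructed client addresses; the point it demonstrates does not depend on which cipher is used, because the server decrypts whatever value arrives and the attacker replays the ciphertext unchanged. It also shows the IP-binding trade-off the reply mentions: the replay from a different address is rejected, but so is the legitimate user whose address changes, which is the proxy problem.

```python
import hashlib
import secrets

# Constructed demo key; in a deployment this would be a server-side secret.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _keystream(nonce: bytes, length: int) -> bytes:
    """Derive a keystream of the requested length from the key and a nonce."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(SERVER_KEY + nonce + bytes([counter])).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_id(session_id: str) -> str:
    """Toy reversible encryption of a session id (nonce || XOR with keystream).
    It stands in for whatever cipher a server might really use."""
    nonce = secrets.token_bytes(8)
    data = session_id.encode()
    ks = _keystream(nonce, len(data))
    return (nonce + bytes(a ^ b for a, b in zip(data, ks))).hex()


def decrypt_id(cookie_value: str) -> str:
    """Inverse of encrypt_id; garbage input just yields an unknown session id."""
    raw = bytes.fromhex(cookie_value)
    nonce, body = raw[:8], raw[8:]
    ks = _keystream(nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks)).decode(errors="replace")


class SessionStore:
    """Minimal server-side session table keyed by the raw (decrypted) id."""

    def __init__(self, bind_to_ip: bool = False):
        self.sessions = {}  # raw session id -> {"user": ..., "ip": ...}
        self.bind_to_ip = bind_to_ip

    def login(self, user: str, client_ip: str) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "ip": client_ip}
        return encrypt_id(sid)  # this is the cookie value the browser stores

    def authenticate(self, cookie_value: str, client_ip: str):
        sess = self.sessions.get(decrypt_id(cookie_value))
        if sess is None:
            return None
        if self.bind_to_ip and sess["ip"] != client_ip:
            return None
        return sess["user"]


def replay_succeeds_without_binding() -> bool:
    """An attacker who sniffed the encrypted cookie replays it verbatim from
    another address (constructed 198.51.100.7) and is accepted as the user."""
    store = SessionStore(bind_to_ip=False)
    cookie = store.login("alice", "10.0.0.5")
    sniffed = cookie  # captured on the wire; attacker never decrypts it
    return store.authenticate(sniffed, "198.51.100.7") == "alice"


def ip_binding_outcomes():
    """With the id bound to the client IP, the replay is rejected, but so is
    the real user once requests arrive via a different proxy address."""
    store = SessionStore(bind_to_ip=True)
    cookie = store.login("alice", "10.0.0.5")
    attacker = store.authenticate(cookie, "198.51.100.7")
    via_other_proxy = store.authenticate(cookie, "10.0.0.6")
    return attacker, via_other_proxy


if __name__ == "__main__":
    print("replay accepted without IP binding:", replay_succeeds_without_binding())
    print("(attacker, user via new proxy) with IP binding:", ip_binding_outcomes())
```

The server never needs the attacker to understand the cookie: it decrypts whatever arrives and looks the result up, so a sniffed ciphertext is as good as a sniffed plaintext id. Binding to the address closes that replay only at the cost of breaking any client whose source address changes mid-session.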

