That's always been my understanding of cfid and cftoken. (I had never tried the empty strings though).
That is why it is dangerous when someone goes copying and pasting a url into an E-mail. Then all of a sudden, you are logged in as them. ~Brad -----Original Message----- From: Mike Chabot [mailto:[EMAIL PROTECTED] Sent: Tuesday, September 25, 2007 3:21 PM To: CF-Talk Subject: Re: Session Hijacking Curiosity I reproduced the behavior using made up numbers instead of empty strings. I modified the cookie to be cfid=1234 and the cftoken = 1234. I was able to continue using the site using these modified values without seeing any session errors. So the behavior is not limited to empty strings. -Mike Chabot ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| ColdFusion is delivering applications solutions at at top companies around the world in government. Find out how and where now http://www.adobe.com/cfusion/showcase/index.cfm?event=finder&productID=1522&loc=en_us Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289451 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
