I did further testing and verified that using UUIDs for the cftokens does not address the security vulnerability. If you specify that you want to use UUIDs, CF Server doesn't seem to check that the token is a valid UUID.
On the other hand, using jsessions behaves as expected. If you clear out the jsessionid, you get assigned a new one on the next page hit.

-Mike Chabot

On 9/25/07, Mike Chabot <[EMAIL PROTECTED]> wrote:
> Thanks for that script Jochem. I think the behavior using jsessionid
> would be different. The site having the issue is using cfid/cftoken.
>
> I have reproduced this problem in MSIE7 and Firefox 2. I don't think
> it is related to any browser issue since it is the CF server that is
> reporting the empty cfid and cftoken.
>
> I tried using your script and reproduced the problem.
>
> -Mike Chabot

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289481
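The format check the message above says CF Server does not perform, as an added Python example that is not part of the thread or of ColdFusion itself: an empty or malformed cfid/cftoken pair is rejected and a fresh pair issued, which is the behaviour reported for jsessionid. The 8-digit legacy token layout and the 35-character 8-4-4-16 UUID layout are assumptions made here; a real server would additionally look the pair up in its session store before trusting it.

```python
import re
import secrets
import uuid

# Assumed layouts: legacy cftoken is 8 decimal digits; UUID-mode cftoken
# follows the ColdFusion-style 35-character 8-4-4-16 hex layout.
CFID_RE = re.compile(r"^[0-9]{1,10}$")
LEGACY_TOKEN_RE = re.compile(r"^[0-9]{8}$")
CF_UUID_RE = re.compile(r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{16}$")


def cf_style_uuid() -> str:
    """Build a 35-character 8-4-4-16 token from 128 random bits."""
    h = uuid.uuid4().hex.upper()
    return f"{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:]}"


def new_session(use_uuid: bool) -> tuple[str, str]:
    """Issue a fresh (cfid, cftoken) pair from a CSPRNG."""
    cfid = str(secrets.randbelow(10**9) + 1)
    cftoken = cf_style_uuid() if use_uuid else f"{secrets.randbelow(10**8):08d}"
    return cfid, cftoken


def resolve_session(cfid: str, cftoken: str, use_uuid: bool) -> tuple[str, str, bool]:
    """Return (cfid, cftoken, rotated).

    Accept the incoming pair only if both parts are present and the token
    matches the layout the server is configured for; otherwise issue a
    new pair and report that rotation happened. A format check alone is
    not authentication: the caller must still confirm the pair exists in
    the session store.
    """
    token_re = CF_UUID_RE if use_uuid else LEGACY_TOKEN_RE
    if cfid and cftoken and CFID_RE.match(cfid) and token_re.match(cftoken):
        return cfid, cftoken, False
    fresh_cfid, fresh_token = new_session(use_uuid)
    return fresh_cfid, fresh_token, True
```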

