The IIS servers are logging cookie contents of visitors, which is where I found out that people were arriving on the server using blank tokens. I am certain that the server is seeing blank cfid and cftoken values because I can cfdump the values and I see that they are blank. I also used the coldfusion.runtime.SessionTracker to dump all the known sessions on the server and I can see blank tokens.
Yes, I have tried different computers, different browsers, different IP addresses, and have replicated the problems in a few different ColdFusion applications programmed by different programmers. I have also had this independently verified by other programmers on staff. This is not a theoretical problem that I have only seen in my test case. This is a problem being dealt with by a very large client who brought me in to help investigate what is going on after the IT team they assembled couldn't figure out what was happening. The client considers this to be quite serious. I am surprised that ColdFusion doesn't seem to do any validation of the cfid or cftoken values. They don't even have to be numbers.

-Mike Chabot

On 9/26/07, JJ Cool <[EMAIL PROTECTED]> wrote:
> Ok, I'm skeptical. Are you absolutely positive that the header request being
> sent to the web server has the modified CFID and CFTOKEN? Have you used
> webscarab or a similar proxy to capture requests and modify them? Also, does
> this occur if you clear the CFID and CFTOKEN, and then hijack the session
> from a different computer/ip address?
>
> CoolJJ

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289523
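A detector for the condition Mike describes, written here as an added example and not code from the original thread: it parses IIS W3C extended log lines with the cs(Cookie) field enabled and flags requests whose CFID/CFTOKEN cookies are blank or not in a valid format. The log lines are constructed, and accepting a ColdFusion-style UUID CFTOKEN is an assumption that only applies when the server is configured to issue them.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C extended log sample (cs(Cookie) field enabled); not data from the thread.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs(Cookie) sc-status
2007-09-26 10:00:01 203.0.113.5 GET /index.cfm CFID=1234;+CFTOKEN=87654321 200
2007-09-26 10:00:02 203.0.113.9 GET /account.cfm CFID=;+CFTOKEN= 200
2007-09-26 10:00:03 198.51.100.7 GET /account.cfm CFID=abc;+CFTOKEN=zzz 200
2007-09-26 10:00:04 198.51.100.8 GET /index.cfm - 200
"""

NUMERIC = re.compile(r"^\d+$")
# ColdFusion-style UUID (8-4-4-16 hex groups). Accepting it is an assumption that only
# holds when the server is configured to issue UUID CFTOKENs; otherwise tokens are numeric.
CF_UUID = re.compile(r"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{16}$")

def parse_cookie_field(field):
    """Split the IIS cs(Cookie) field ('a=1;+b=2', '+' stands for a space) into a dict."""
    if field == "-":
        return {}
    cookies = {}
    for part in unquote(field.replace("+", " ")).split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name.upper()] = value
    return cookies

def token_is_well_formed(value):
    """True for a non-empty numeric token or a ColdFusion-style UUID token."""
    return bool(value) and bool(NUMERIC.match(value) or CF_UUID.match(value))

def find_suspicious_sessions(log_text):
    """Return (client_ip, uri, cfid, cftoken) for requests carrying blank or malformed tokens."""
    findings, fields = [], None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the records that follow
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split(" ")))
        cookies = parse_cookie_field(rec.get("cs(Cookie)", "-"))
        if "CFID" not in cookies and "CFTOKEN" not in cookies:
            continue  # no session cookie at all: a first visit, not a tampered one
        cfid, cftoken = cookies.get("CFID", ""), cookies.get("CFTOKEN", "")
        if not (token_is_well_formed(cfid) and token_is_well_formed(cftoken)):
            findings.append((rec["c-ip"], rec["cs-uri-stem"], cfid, cftoken))
    return findings
```

Running it over real logs surfaces the clients that arrive with blank or non-numeric tokens, which is the first step toward deciding whether a server-side format check on CFID/CFTOKEN is needed in the application.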

