> Would passing the CFID & CFTOKEN in the URL be an acceptable practice? For 
> security reasons, I still want to save a variable on the server to prevent 
> URL hacking.

If you can't rely on cookies, then the only way to maintain a session is 
passing the cfid and cftoken (or jsessionid if you are using jsessions) in 
the URL. The server needs some kind of way to determine who's sending the 
request in order to associate the client with the proper session on the 
server. Even if you are using cookies, someone could change their cookie 
values and try to hack a session that way.

I'm not a security expert by a long shot; hopefully someone else may chime 
in.

-- Josh
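
The server-side check discussed in this exchange, as an added example that is not part of the original post and is not ColdFusion code: a small Python model in which the `cfid`/`cftoken` pair arrives in the URL and the server keeps its own variable (a keyed hash of the client's User-Agent) to compare against. `SessionStore`, `SERVER_KEY`, `IDLE_TIMEOUT` and the identifier formats are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

SERVER_KEY = secrets.token_bytes(32)   # stays on the server, never sent to the client
IDLE_TIMEOUT = 20 * 60                 # seconds; constructed value


def _binding(user_agent):
    """Server-side value tied to the client that opened the session."""
    return hmac.new(SERVER_KEY, user_agent.encode(), hashlib.sha256).digest()


class SessionStore:
    def __init__(self):
        self._sessions = {}    # cfid -> server-side record
        self._next_id = 1000   # constructed starting value

    def create(self, user_agent, now=None):
        """Open a session and return the (cfid, cftoken) pair to place in URLs."""
        now = time.time() if now is None else now
        self._next_id += 1
        cfid, cftoken = str(self._next_id), secrets.token_hex(16)
        self._sessions[cfid] = {"cftoken": cftoken, "binding": _binding(user_agent),
                                "last_seen": now, "data": {}}
        return cfid, cftoken

    def resolve(self, url, user_agent, now=None):
        """Return the session record for this request, or None if it is rejected."""
        now = time.time() if now is None else now
        query = parse_qs(urlsplit(url).query)
        cfid = query.get("cfid", [""])[0]
        cftoken = query.get("cftoken", [""])[0]
        record = self._sessions.get(cfid)
        if record is None:
            return None                    # missing or unknown cfid
        if not hmac.compare_digest(cftoken.encode(), record["cftoken"].encode()):
            return None                    # cfid edited to point at another session
        if now - record["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[cfid]       # expired: an old copied URL stops working
            return None
        if not hmac.compare_digest(_binding(user_agent), record["binding"]):
            del self._sessions[cfid]       # right ids, different client: drop the session
            return None
        record["last_seen"] = now
        return record
```

The User-Agent binding is only a tripwire, since that header is client-supplied; the unguessable token, the idle timeout and serving the pages over TLS carry most of the protection.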


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297209