> Would passing the CFID & CFTOKEN in the URL be an acceptable
> practice? For security reasons, I still want to save a
> variable on the server to prevent URL hacking.
URL parameters are just a bit more visible than form and cookie values. They are equally vulnerable to manipulation. Passing a session token in the URL is not intrinsically less safe than passing it in a cookie.

The only problem with passing session tokens in URLs is that those URLs might inadvertently be shared - for example, one end-user might send a link to another, and if the session token is embedded in the URL, the second person will be able to access the page with the session information of the first person. That's not "URL hacking", though.

If you're concerned about people manipulating session tokens, for example to identify another active session through brute force, I would recommend that you enable the "J2EE Session Management" option within the CF Administrator. This will use a JSESSIONID value instead of CFID and CFTOKEN. The JSESSIONID value is essentially a UUID, and is much harder to break than two large integer values (which is all CFID and CFTOKEN are).

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!
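The sharing risk described above (a session token embedded in a URL travelling with the link, or arriving in a Referer header) is something an operator can check for in web-server logs. The following is an added example, not code from the original post or from ColdFusion; it scans constructed Combined Log Format lines and flags any request whose URL or Referer carries CFID/CFTOKEN query parameters.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2008:10:15:32 -0500] "GET /account.cfm?CFID=12345&CFTOKEN=67890123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2008:10:16:01 -0500] "GET /index.cfm HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2008:10:17:45 -0500] "GET /orders.cfm?id=7 HTTP/1.1" 200 2048 "http://example.com/account.cfm?cfid=12345&cftoken=67890123" "Mozilla/5.0"
"""

# Fields of one Combined Log Format line; the request path and the Referer are what we inspect.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# Query-parameter names that carry a ColdFusion session token (matched case-insensitively).
SESSION_KEYS = {"cfid", "cftoken"}


def session_params(url):
    """Return the session-token query parameters found in a URL, keyed by lower-cased name."""
    query = urlsplit(url).query
    return {k.lower(): v for k, v in parse_qs(query).items() if k.lower() in SESSION_KEYS}


def find_url_token_exposures(log_text):
    """Flag each request whose own URL or whose Referer carries a session token.

    A token in the request URL means the session is addressable by a shareable link;
    a token in the Referer means the user followed such a link from another page.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for where, url in (("url", m["path"]), ("referer", m["referer"])):
            params = session_params(url)
            if params:
                findings.append({"ip": m["ip"], "where": where, "params": params})
    return findings


if __name__ == "__main__":
    for f in find_url_token_exposures(SAMPLE_LOG):
        print(f"{f['ip']}: session token in {f['where']} -> {f['params']}")
```

A hit on "referer" is the sharing case from the reply: the token reached the server inside a link someone followed, so that session should be treated as exposed and re-issued.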

