And there lies the problem... many people will believe that this is a secure method of preventing access to something; all it does is make it more difficult, it certainly doesn't make it secure. I'm not going to elaborate on how this can be bypassed, as several previous comments have already alluded to this possibility - capturing cookies and using cfhttp etc. Basically any AJAX call should be protected like any other HTTP call; AJAX is simply another type of HTTP call, it's not magic. If your script is using sessions (hence cookies) and you detect something odd going on, I would follow the philosophy of being guilty until proven innocent, i.e. if you suspect something, automatically log that user/session out (ban them) and ask questions later. It goes without saying that you need to log/record all HTTP calls that appear outside a strict set of rules for that cfc/function.
> here's another possibility: If you're using CF9 and the built in AJAX
> functionality you can use the "verifyClient" attribute of CFFUNCTION
> to attach a security token to each request. CF will look for the
> token, if it doesn't see it, the request will be denied

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336435
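The approach described in the post (treat the remote CFC method like any other HTTP call, require a session, apply a strict set of rules to the request, and on anything outside those rules log it, kill the session and refuse), combined with the verifyClient attribute from the quoted reply, as an added CF9 example. This is not code from the original thread. The component and method names (getAccountSummary, rejectRequest), the session keys (session.userId, session.accountId), the log file name ajax_security and the specific rules are assumptions for illustration.

```cfml
<!--- Added example, not from the original thread. Component, method, session keys and
      rules are assumed for illustration. Requires session management to be enabled
      in Application.cfc and a CF9 server (sessionInvalidate() and verifyClient). --->
<cfcomponent output="false">

    <!--- access="remote" exposes the method over HTTP; verifyClient="true" makes CF
          require the token that its own AJAX proxy (cfajaxproxy) attaches to each call. --->
    <cffunction name="getAccountSummary" access="remote" returntype="struct"
                returnformat="json" verifyClient="true" output="false">
        <cfargument name="accountId" type="numeric" required="true">

        <cfset var reqData = getHttpRequestData()>
        <cfset var result = structNew()>

        <!--- Rule 1: the caller must hold an authenticated (cookie-backed) session. --->
        <cfif NOT structKeyExists(session, "userId")>
            <cfset rejectRequest("no authenticated session")>
        </cfif>

        <!--- Rule 2: the page's own AJAX code only ever POSTs to this method. --->
        <cfif reqData.method NEQ "POST">
            <cfset rejectRequest("unexpected method " & reqData.method)>
        </cfif>

        <!--- Rule 3: the header XMLHttpRequest-based libraries add. Any HTTP client can
              forge it, so this is one rule among several, never proof by itself. --->
        <cfif NOT structKeyExists(reqData.headers, "X-Requested-With")
              OR reqData.headers["X-Requested-With"] NEQ "XMLHttpRequest">
            <cfset rejectRequest("missing or wrong X-Requested-With header")>
        </cfif>

        <!--- Rule 4: server-side authorization. The caller may only read its own account;
              this is the check that actually prevents access, whatever the client sends. --->
        <cfif arguments.accountId NEQ session.accountId>
            <cfset rejectRequest("accountId " & arguments.accountId
                                 & " does not belong to session user " & session.userId)>
        </cfif>

        <cfset result.accountId = arguments.accountId>
        <cfset result.owner = session.userId>
        <cfreturn result>
    </cffunction>

    <!--- Guilty until proven innocent: record the anomaly, log the user out by
          invalidating the session, and refuse the request with a 403. --->
    <cffunction name="rejectRequest" access="private" returntype="void" output="false">
        <cfargument name="reason" type="string" required="true">
        <cflog file="ajax_security" type="warning"
               text="Rejected #cgi.script_name# from #cgi.remote_addr# (session #session.sessionid#): #arguments.reason#">
        <cfset sessionInvalidate()>
        <cfheader statuscode="403" statustext="Forbidden">
        <cfabort>
    </cffunction>

</cfcomponent>
```

Two caveats a practitioner would want: verifyClient="true" only works when the calling page uses ColdFusion's own AJAX proxy (cfajaxproxy), because that is what injects the token CF checks; plain XMLHttpRequest or jQuery calls will be rejected. And rules 2 and 3 only raise the bar, exactly as the post says; a client that has captured the session cookie can reproduce method and headers with cfhttp or any other HTTP client, so rule 4 (authorization against the server-side session) is the one that decides whether the data is released.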