First off, passing session data on the URL should NEVER be done in my opinion. Especially the old integer, guessable, repeatable CFID and CFTOKEN. You are just opening the door to session hijacking and cross site scripting attacks. Plus if someone bookmarks a URL with that session data they will "steal" that sessionID if it is in use by someone else when they come back to the site. It can happen. I've seen it happen.
You should enable J2EE Session variables. This will set a session cookie that will expire at the end of the session. If you do not want CFID and CFTOKEN cookies at all then you should disable clientmanagement and clientcookies in your application.cfm/cfc file.

Regards,

Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com

[email protected]
www.trunkful.com

On Feb 8, 2013, at 4:28 PM, Leigh <[email protected]> wrote:

>> Can you ask why on Earth client say "no cookies?" That's sort of crazy.
>
> I do not think they are saying "no cookies", rather that they be optional
> instead of mandatory.
>
> -Leigh
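A defender-side check for the problem described in this message, as an added example that is not part of the original post: it scans access-log lines for session identifiers carried in the URL (CFID/CFTOKEN in the query string, or a `;jsessionid=` path parameter) and reports any identifier presented by more than one client IP. The log format, sample lines and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (client IP + request line); not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 "GET /cart.cfm?CFID=1234&CFTOKEN=56789012 HTTP/1.1"',
    '203.0.113.10 "GET /checkout.cfm?cfid=1234&cftoken=56789012 HTTP/1.1"',
    '198.51.100.7 "GET /cart.cfm?CFID=1234&CFTOKEN=56789012 HTTP/1.1"',
    '198.51.100.7 "GET /index.cfm;jsessionid=8430a1b2c3d4e5f6?page=2 HTTP/1.1"',
    '192.0.2.44 "GET /index.cfm?page=1 HTTP/1.1"',
]

LINE_RE = re.compile(r'^(\S+) "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"$')
JSESSION_RE = re.compile(r';jsessionid=([^;?#/]+)', re.IGNORECASE)

def session_ids_in_url(url):
    """Return the session identifiers that travel in the URL itself."""
    parts = urlsplit(url)
    params = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    found = []
    if "cfid" in params and "cftoken" in params:
        found.append("CFID/CFTOKEN:%s/%s" % (params["cfid"], params["cftoken"]))
    m = JSESSION_RE.search(parts.path)
    if m:
        found.append("jsessionid:" + m.group(1))
    return found

def audit(lines):
    """Map each URL-borne session id to the set of client IPs that sent it."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ip, url = m.groups()
        for sid in session_ids_in_url(url):
            seen[sid].add(ip)
    return dict(seen)

def shared_sessions(seen):
    # Heuristic: one id from several IPs suggests a bookmarked or shared URL.
    return sorted(sid for sid, ips in seen.items() if len(ips) > 1)

if __name__ == "__main__":
    seen = audit(SAMPLE_LOG)
    print("URL-borne session ids:", {k: sorted(v) for k, v in seen.items()})
    print("seen from multiple IPs:", shared_sessions(seen))
```

Any non-empty result from `audit` means session identifiers are still reaching URLs; clients behind NAT or on mobile networks can legitimately change IP, so treat `shared_sessions` hits as leads to review rather than proof.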

