> programmer. CF doesn't validate the CFTOKEN anymore (as of 4.5 I think,
> not sure)
How did CF validate the CFTOKEN? By checking that it's an 8-digit number (or
whatever it is)?
> So if you're really uptight about someone guessing a 10 digit random
> number, either use your own algorithm to generate the CFTOKEN or concat
> the UUID on to the end.
If someone connects to a ColdFusion site without sending a CFID-CFTOKEN
pair, CFAS tries to set them as cookies in the browser when it sends back
the page to the browser... right?
So if CFID-CFTOKEN has already been set by CFAS, how can you change the value
of CFTOKEN and still get that browser's request to tie up with any variables
held on the server?
Thanks in advance
--
Aidan Whitehall <[EMAIL PROTECTED]>
Netshopper UK Ltd
Advanced Web Solutions & Services
http://www.netshopperuk.com/
Telephone +44 (01744) 648650
Fax +44 (01744) 648651