Hmmm, interesting comment. What I assume to be my SessionID from my current Amazon.com sessions:
IE Session: 104-8981534-3506318
NS6 Session: 102-5233334-0108134

CFTOKENs for my current sessions on my CF Server:

IE Session: 3c154df-3b8b20b0-54b8-4cfa-8ebb-be0b2ac13e32
NS6 Session: 3e97129-07682ed4-cd01-435a-959c-b70a06ebcb07

My CFToken changes completely with each new session I create. Which seems more secure?

Ken

-----Original Message-----
From: Mike Randolph [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 04, 2001 7:33 PM
To: CF-Talk
Subject: CFToken and CFID not secure for ecommerce

Hello All,

CFTOKEN and CFID, according to Macromedia's own admission and our own internal testing, are not secure enough for web applications where credit card data and money are involved. Go to a site like Amazon and notice the session IDs they use are not a wimpy numeric string; they use a long alpha-numeric string.

CFToken and CFID are so easy to break it is amazing. First of all, most of your administrators will have the lower-numbered CFIDs due to the nature of how they are handed out; that leaves only the CFTOKEN for security purposes, and it being a numeric value only is less than secure.

Don't leave yourself open to hacking: avoid relying on CFToken and CFID to track secure sessions.

Cheers,
Mike Randolph
AbleCommerce, CEO

P.S. We respect our clients' data and have never relied on CFTOKEN and CFID; our testing showed them to be way too insecure. That's the AbleCommerce difference... We think, we test, we don't just copy, hack, sell and hope.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
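To put numbers on the question Ken asks ("which seems more secure?"), here is a small Python script added to this thread; it is not code from either poster, from Macromedia, or from AbleCommerce. It takes the identifier strings quoted above, estimates a nominal entropy ceiling for each from its alphabet and length, flags the incrementing-counter pattern Mike attributes to CFID, and shows what a session token drawn from an OS CSPRNG looks like by comparison. The `CF_DEFAULT_PAIRS` values are constructed in the shape Mike describes (a counter-like CFID next to an all-digit CFTOKEN) and are not real tokens; the entropy figures are upper bounds, since fixed fields such as a UUID's version nibble or Amazon's constant leading digits are counted as if they were random.

```python
import math
import secrets
import string

# Identifiers quoted in the thread above (values copied from the post).
AMAZON_SESSION_IDS = ["104-8981534-3506318", "102-5233334-0108134"]
CF_UUID_TOKENS = [
    "3c154df-3b8b20b0-54b8-4cfa-8ebb-be0b2ac13e32",
    "3e97129-07682ed4-cd01-435a-959c-b70a06ebcb07",
]
# Constructed sample of the default numeric CFID/CFTOKEN pairs Mike describes:
# an incrementing CFID next to a short all-digit CFTOKEN.  Made-up values in
# that shape, not tokens taken from any server.
CF_DEFAULT_PAIRS = [("1201", "46281739"), ("1202", "80143265"), ("1203", "11930476")]

SEPARATOR = "-"


def alphabet_size(token: str) -> int:
    """Smallest standard alphabet that can produce every character of the token
    (separators excluded): digits, lowercase hex, alphanumerics or URL-safe base64."""
    chars = set(token) - {SEPARATOR}
    if chars <= set(string.digits):
        return 10
    if chars <= set("0123456789abcdef"):
        return 16
    if chars <= set(string.ascii_letters + string.digits):
        return 62
    return 64  # letters, digits, '-' and '_'


def nominal_entropy_bits(token: str) -> float:
    """Ceiling on the token's entropy: every character is assumed to be uniform
    over the alphabet.  Fixed fields (a UUID's version nibble, a constant
    prefix such as Amazon's leading '10x') lower the true figure, so use this
    for ranking formats, not as a guarantee of strength."""
    size = alphabet_size(token)
    # '-' is a real alphabet character in base64url, a separator elsewhere.
    body = token if size == 64 else token.replace(SEPARATOR, "")
    return len(body) * math.log2(size)


def looks_sequential(ids, max_step: int = 10) -> bool:
    """True when numeric identifiers issued in order advance by one small,
    constant step, which is the predictability Mike attributes to CFID."""
    values = [int(i) for i in ids]
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and 0 < steps.pop() <= max_step


def generate_session_token(nbytes: int = 32) -> str:
    """Mitigation: a session token drawn from the OS CSPRNG (256 bits by
    default), URL-safe and unrelated to any counter.  This uses Python's
    secrets module, not a ColdFusion API."""
    return secrets.token_urlsafe(nbytes)


def compare() -> dict:
    """Nominal entropy in bits of each identifier style on the page next to a
    freshly generated CSPRNG token."""
    return {
        "cf_default_cftoken": nominal_entropy_bits(CF_DEFAULT_PAIRS[0][1]),
        "amazon_session_id": nominal_entropy_bits(AMAZON_SESSION_IDS[0]),
        "cf_uuid_cftoken": nominal_entropy_bits(CF_UUID_TOKENS[0]),
        "csprng_token": nominal_entropy_bits(generate_session_token()),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:20s} ~{bits:6.1f} bits")
    cfids = [cfid for cfid, _ in CF_DEFAULT_PAIRS]
    print("CFID sample sequential:", looks_sequential(cfids))
```

Run as a script it ranks the formats: an 8-digit numeric CFTOKEN sits around 27 bits, Amazon's 17-digit ID around 56 bits, Ken's UUID-style CFTOKEN at 156 bits nominal (the fixed UUID fields make the real figure lower, but still far above the numeric default), and a 32-byte CSPRNG token above 250 bits. The `looks_sequential` check is the kind of test to run on a handful of consecutively issued identifiers from your own server before trusting them as the sole session secret.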

