> Hmmm, interesting comment.
>
> What I assume to be my SessionID from my current Amazon.com
> sessions:
>
> IE Session: 104-8981534-3506318
> NS6 Session: 102-5233334-0108134
>
> CFTOKENs for my current sessions on my CF Server:
>
> IE Session: 3c154df-3b8b20b0-54b8-4cfa-8ebb-be0b2ac13e32
> NS6 Session: 3e97129-07682ed4-cd01-435a-959c-b70a06ebcb07
>
> My CFToken changes completely with each new session I create.
> Which seems more secure?

By default, CFTOKEN values aren't UUIDs. You have to enable that by editing the Registry. Unfortunately, this functionality isn't very well known - to the best of my knowledge, it was mentioned in one set of 4.5.something-or-other release notes, and that's it.

To use UUIDs as CFTOKEN values, you have to create the registry key:

HKEY_LOCAL_MACHINE\Software\Allaire\ColdFusion\CurrentVersion\Clients\UuidToken

and give it the value "1".

Oddly enough, I'm covering this briefly in the "Securing ColdFusion Servers on Windows" class, which is why it was fresh on my mind, I guess.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

