Yeah, probably wasn't fair to use that example without explaining the background. Are you aware of any drawbacks to using this rather than the default method? Seems like it should be set up that way by default, or at least should be configurable via the CFAdmin, given the ease of guessing the other method.
Ken

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 04, 2001 9:27 PM
To: CF-Talk
Subject: RE: CFToken and CFID not secure for ecommerce

> Hmmm, interesting comment.
>
> What I assume to be my SessionID from my current Amazon.com
> sessions:
>
> IE Session: 104-8981534-3506318
> NS6 Session: 102-5233334-0108134
>
> CFTOKENs for my current sessions on my CF Server:
>
> IE Session: 3c154df-3b8b20b0-54b8-4cfa-8ebb-be0b2ac13e32
> NS6 Session: 3e97129-07682ed4-cd01-435a-959c-b70a06ebcb07
>
> My CFToken changes completely with each new session I create.
> Which seems more secure?

By default, CFTOKEN values aren't UUIDs. You have to enable that by editing the Registry. Unfortunately, this functionality isn't very well known - to the best of my knowledge, it was mentioned in one set of 4.5.something-or-other release notes, and that's it.

To use UUIDs as CFTOKEN values, you have to create the registry key:

HKEY_LOCAL_MACHINE\Software\Allaire\ColdFusion\CurrentVersion\Clients\UuidToken

and give it the value "1".

Oddly enough, I'm covering this briefly in the "Securing ColdFusion Servers on Windows" class, which is why it was fresh on my mind, I guess.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
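The thread compares short decimal session identifiers with UUID-style CFTOKENs. As an added example (not from the thread or from ColdFusion itself), the audit helper below lets an administrator check tokens issued by their own server: it bounds the token space from the alphabet and length, and flags a run of numeric tokens whose values move in small steps, which is what makes a counter-style token guessable. The numeric sample tokens are constructed; the classification is a heuristic that treats all-digit tokens as decimal counters.

```python
import math
import re
from statistics import median

# Hex groups separated by dashes, as in the UUID-style CFTOKENs quoted above.
UUID_RE = re.compile(r"^[0-9a-fA-F]+(-[0-9a-fA-F]+)+$")


def token_space_bits(token: str) -> float:
    """Upper bound on the unpredictability of one token in bits, judged only
    by its alphabet and length. A counter-style token has far less in practice,
    so this is the best case, not a measurement."""
    body = token.replace("-", "")
    if body.isdigit():                      # decimal groups, e.g. 104-8981534-3506318
        return len(body) * math.log2(10)
    if UUID_RE.match(token):                # hex groups, e.g. 3c154df-3b8b20b0-...
        return len(body) * 4
    raise ValueError(f"unrecognised token format: {token!r}")


def looks_sequential(tokens, max_gap: int = 1000) -> bool:
    """True when numeric tokens issued one after another sit within max_gap of
    each other (median step), i.e. a neighbour's token could be found by counting.
    Any non-numeric token in the run means it is not a plain counter."""
    values = []
    for token in tokens:
        body = token.replace("-", "")
        if not body.isdigit():
            return False
        values.append(int(body))
    gaps = [abs(b - a) for a, b in zip(values, values[1:])]
    return bool(gaps) and median(gaps) <= max_gap


def audit_tokens(tokens, min_bits: float = 64.0) -> dict:
    """Summarise a run of tokens captured from your own server's responses."""
    bits = min(token_space_bits(t) for t in tokens)
    sequential = looks_sequential(tokens)
    return {
        "min_space_bits": round(bits, 1),
        "sequential": sequential,
        "acceptable": bits >= min_bits and not sequential,
    }


if __name__ == "__main__":
    # Constructed sample: short decimal tokens issued in order, then the two
    # UUID-style CFTOKENs quoted in the thread.
    print(audit_tokens(["10231", "10232", "10235", "10236"]))
    print(audit_tokens(["3c154df-3b8b20b0-54b8-4cfa-8ebb-be0b2ac13e32",
                        "3e97129-07682ed4-cd01-435a-959c-b70a06ebcb07"]))
```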

