Well, you were able to modify the registry in CF 4.5.1 and use the uuidToken, which would be alphanumeric and identical in structure to a regular UUID. I looked in the registry for 5.0 and can no longer find the correct key.
Doug

----- Original Message -----
From: "Ken Wilson" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, December 04, 2001 6:39 PM
Subject: RE: CFToken and CFID not secure for ecommerce

> Yeah, probably wasn't fair to use that example without explaining the
> background. Are you aware of any drawbacks to using this rather than the
> default method? Seems like it should be set up that way by default or at
> least should be configurable via the CFAdmin, given the ease of guessing the
> other method.
>
> Ken
>
> -----Original Message-----
> From: Dave Watts [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 04, 2001 9:27 PM
> To: CF-Talk
> Subject: RE: CFToken and CFID not secure for ecommerce
>
> > Hmmm, interesting comment.
> >
> > What I assume to be my SessionID from my current Amazon.com
> > sessions:
> >
> > IE Session: 104-8981534-3506318
> > NS6 Session: 102-5233334-0108134
> >
> > CFTOKENs for my current sessions on my CF Server:
> >
> > IE Session: 3c154df-3b8b20b0-54b8-4cfa-8ebb-be0b2ac13e32
> > NS6 Session: 3e97129-07682ed4-cd01-435a-959c-b70a06ebcb07
> >
> > My CFToken changes completely with each new session I create.
> > Which seems more secure?
>
> By default, CFTOKEN values aren't UUIDs. You have to enable that by editing
> the Registry. Unfortunately, this functionality isn't very well known - to
> the best of my knowledge, it was mentioned in one set of
> 4.5.something-or-other release notes, and that's it.
>
> To use UUIDs as CFTOKEN values, you have to create the registry key:
>
> HKEY_LOCAL_MACHINE\Software\Allaire\ColdFusion\CurrentVersion\Clients\UuidToken
>
> and give it the value "1".
>
> Oddly enough, I'm covering this briefly in the "Securing ColdFusion Servers
> on Windows" class, which is why it was fresh on my mind, I guess.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
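The thread's point is that the default CFTOKEN shape is easy to guess while the UUID shape enabled by the UuidToken registry value is not. The following is an added example, not code from the CF-Talk thread or from ColdFusion itself: a small audit script that reads `Set-Cookie` header lines, classifies each CFTOKEN value by its shape, and puts an upper bound on how many bits of unpredictability it can carry. The header lines are constructed for the example (the two dashed values are the ones quoted above), and the 64-bit cutoff is an assumed audit threshold, not a ColdFusion setting.

```python
import math
import re

# Added example, not code from the CF-Talk thread. It audits the CFTOKEN
# values a ColdFusion server hands out and flags the short all-digit default
# shape that the thread describes as easy to guess. The input lines below are
# constructed for this example; the two dashed values are the ones Dave quoted.
SAMPLE_SET_COOKIE_LINES = [
    "Set-Cookie: CFID=1234; path=/",                       # CFID is not scored here
    "Set-Cookie: CFTOKEN=87654321; path=/",                # constructed default-style token
    "Set-Cookie: CFTOKEN=3c154df-3b8b20b0-54b8-4cfa-8ebb-be0b2ac13e32; path=/",
    "Set-Cookie: CFTOKEN=3e97129-07682ed4-cd01-435a-959c-b70a06ebcb07; path=/",
]

# Minimum number of bits before a token is treated as acceptable. 64 is an
# assumed audit threshold for this example, not a ColdFusion setting.
MIN_TOKEN_BITS = 64

COOKIE_RE = re.compile(r"^Set-Cookie:\s*CFTOKEN=([^;\s]+)", re.I)
DASHED_HEX_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)+$", re.I)


def token_shape(token):
    """Classify a CFTOKEN value by the character set it draws from."""
    if token.isdigit():
        return "numeric"          # the default, guessable shape
    if DASHED_HEX_RE.match(token) and len(token.replace("-", "")) >= 32:
        return "uuid"             # the shape the UuidToken registry value produces
    return "other"


def token_entropy_bits(token):
    """Upper bound on the token's entropy, assuming every character is drawn
    uniformly from its alphabet. A predictable generator yields less than this,
    so a low bound is conclusive (weak) while a high bound is only necessary."""
    shape = token_shape(token)
    if shape == "numeric":
        return len(token) * math.log2(10)
    if shape == "uuid":
        return len(token.replace("-", "")) * math.log2(16)
    # Unknown shape: assume a case-sensitive alphanumeric alphabet.
    return len(token) * math.log2(62)


def audit_set_cookie_lines(lines, min_bits=MIN_TOKEN_BITS):
    """Return one finding per CFTOKEN cookie found in the header lines."""
    findings = []
    for line in lines:
        match = COOKIE_RE.match(line.strip())
        if not match:
            continue
        token = match.group(1)
        bits = token_entropy_bits(token)
        findings.append({
            "token": token,
            "shape": token_shape(token),
            "bits": round(bits, 1),
            "weak": bits < min_bits,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_set_cookie_lines(SAMPLE_SET_COOKIE_LINES):
        verdict = "WEAK" if finding["weak"] else "ok"
        print(f'{verdict:4} {finding["shape"]:7} {finding["bits"]:6.1f} bits  {finding["token"]}')
```

Run against a capture of your own server's response headers, the script flags an 8-digit token at roughly 27 bits and passes the dashed UUID shape, which is a quick way to confirm the registry change actually took effect on a given version rather than trusting the setting alone.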

