You just have to create it. Works great.

Ken




-----Original Message-----
From: Douglas Brown [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 04, 2001 9:51 PM
To: CF-Talk
Subject: Re: CFToken and CFID not secure for ecommerce


Well you were able to modify the registry in CF 4.5.1 and use the uuidToken
which would be alphanumeric and identical in structure to a regular uuid. I
looked in the registry for 5.0 and can no longer find the correct key.


Doug


----- Original Message -----
From: "Ken Wilson" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, December 04, 2001 6:39 PM
Subject: RE: CFToken and CFID not secure for ecommerce


> Yeah, probably wasn't fair to use that example without explaining the
> background. Are you aware of any drawbacks to using this rather than the
> default method? Seems like it should be setup that way by default or at
> least should be configurable via the CFAdmin given the ease of guessing the
> other method.
>
> Ken
>
>
>
> -----Original Message-----
> From: Dave Watts [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 04, 2001 9:27 PM
> To: CF-Talk
> Subject: RE: CFToken and CFID not secure for ecommerce
>
>
> > Hmmm, interesting comment.
> >
> > What I assume to be my SessionID from my current Amazon.com
> > sessions:
> >
> > IE Session:  104-8981534-3506318
> > NS6 Session: 102-5233334-0108134
> >
> > CFTOKENs for my current sessions on my CF Server:
> >
> > IE Session:  3c154df-3b8b20b0-54b8-4cfa-8ebb-be0b2ac13e32
> > NS6 Session: 3e97129-07682ed4-cd01-435a-959c-b70a06ebcb07
> >
> > My CFToken changes completely with each new session I create.
> > Which seems more secure?
>
> By default, CFTOKEN values aren't UUIDs. You have to enable that by editing
> the Registry. Unfortunately, this functionality isn't very well known - to
> the best of my knowledge, it was mentioned in one set of
> 4.5.something-or-other release notes, and that's it.
>
> To use UUIDs as CFTOKEN values, you have to create the registry key:
>
> HKEY_LOCAL_MACHINE\Software\Allaire\ColdFusion\CurrentVersion\Clients\UuidToken
>
> and give it the value "1".
>
> Oddly enough, I'm covering this briefly in the "Securing ColdFusion Servers
> on Windows" class, which is why it was fresh on my mind, I guess.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
>
>
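The registry change Dave Watts describes above, written out as an added PowerShell example that is not part of this thread and was not written by any of its participants. It assumes that UuidToken is a string (REG_SZ) value under the Clients key named in his message, that the path is the Allaire-era 4.5.x registry layout (Doug notes he could not find it under 5.0), and that the hyphenated hex shape of Ken's CFTOKEN samples is what a UUID-style token looks like; the helper Test-LooksLikeUuidToken and the backup file name are this example's own inventions.

```powershell
# Added example (not from the thread): enable UUID-style CFTOKEN values on a
# ColdFusion 4.5.x server by creating the UuidToken setting. Run from an
# elevated prompt; the CF service must be restarted afterwards for new
# sessions to pick it up.

$clientsKey = 'HKLM:\Software\Allaire\ColdFusion\CurrentVersion\Clients'

if (-not (Test-Path $clientsKey)) {
    # Assumption: this path exists only on the Allaire-era (4.5.x) layout.
    throw "ColdFusion Clients key not found at $clientsKey"
}

# Back up the key before touching it (constructed backup path).
$backup = Join-Path $env:TEMP 'cf-clients-backup.reg'
reg.exe export 'HKLM\Software\Allaire\ColdFusion\CurrentVersion\Clients' $backup /y | Out-Null

# Create (or overwrite) UuidToken = "1" as a REG_SZ value, as the post says.
New-ItemProperty -Path $clientsKey -Name 'UuidToken' -Value '1' `
    -PropertyType String -Force | Out-Null

# Read it back to confirm the change took.
$current = (Get-ItemProperty -Path $clientsKey -Name 'UuidToken').UuidToken
Write-Host "UuidToken is now: $current"

# Hypothetical helper: after the restart, check a freshly issued CFTOKEN
# against the shape of the tokens Ken posted (hex groups joined by hyphens,
# e.g. 3c154df-3b8b20b0-54b8-4cfa-8ebb-be0b2ac13e32). A purely numeric token
# means the setting has not taken effect for that session.
function Test-LooksLikeUuidToken {
    param([Parameter(Mandatory)][string]$Token)
    return ($Token -match '^[0-9a-f]+(-[0-9a-f]+){5}$') -and ($Token -match '[a-f]')
}

# Constructed sample values for a quick self-check.
Test-LooksLikeUuidToken '3c154df-3b8b20b0-54b8-4cfa-8ebb-be0b2ac13e32'   # True
Test-LooksLikeUuidToken '12345678'                                       # False
```

Restart the ColdFusion service, open a new browser session, and compare the CFTOKEN the server hands out against the helper; existing sessions keep whatever token they already had.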

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists