> Are CFID and CFTOKEN vulnerable to this if they are stored as
> COOKIES and you are using a DB to store client variables?
>
> Since I assume you could easily modify the CFID and CFTOKEN
> in your cookie file that the browser maintains.
To be honest, I don't really know what the exact SQL is that's sent by CF to the database in this case. You might want to trace SQL queries to find out. In any case, the way I've avoided worrying about this in the past is to simply limit the rights of the CF user in the database so that it can't do anything but touch those two tables.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
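The least-privilege setup the reply describes, written out as an added example (it is not part of the original thread and not Fig Leaf's or Adobe's code). It uses modern SQL Server (T-SQL) syntax and assumes the client-variable tables carry ColdFusion's default names CDATA and CGLOBAL, that they live in a database called CFClientVars, and that the datasource login is named cf_clientvars; the database name, login name and password placeholder are invented for the example. Create the two tables first with an administrative account (the ColdFusion Administrator can do this when the datasource is registered), so that the datasource login itself never needs any DDL rights.

```sql
-- Added example: a dedicated, minimally privileged login for the ColdFusion
-- client-variable datasource. Even if a tampered CFID/CFTOKEN cookie ever
-- reached the database inside a query, this account can touch nothing but
-- the two client-variable tables.
USE [master];
CREATE LOGIN cf_clientvars WITH PASSWORD = '<strong-password-placeholder>';

USE [CFClientVars];                       -- assumed database name
CREATE USER cf_clientvars FOR LOGIN cf_clientvars;
-- Leave the user in the default 'public' role only: no db_owner, no
-- db_datareader/db_datawriter, no server roles.

-- Only the four DML rights, only on the two tables ColdFusion needs
-- (CDATA and CGLOBAL are ColdFusion's default client-variable table names).
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.CDATA   TO cf_clientvars;
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.CGLOBAL TO cf_clientvars;

-- Explicit DENYs so a later GRANT to 'public' cannot silently widen this
-- account: no schema changes, no stored-procedure execution.
DENY ALTER, CONTROL, REFERENCES, TAKE OWNERSHIP ON SCHEMA::dbo TO cf_clientvars;
DENY EXECUTE ON SCHEMA::dbo TO cf_clientvars;

-- Verify from the account's own point of view, without knowing its password.
EXECUTE AS USER = 'cf_clientvars';
SELECT permission_name, entity_name
  FROM fn_my_permissions('dbo.CDATA', 'OBJECT');    -- expect only SELECT/INSERT/UPDATE/DELETE
SELECT HAS_PERMS_BY_NAME('dbo.CGLOBAL', 'OBJECT', 'UPDATE') AS can_update_cglobal, -- 1
       HAS_PERMS_BY_NAME('dbo', 'SCHEMA', 'ALTER')           AS can_alter_schema;  -- 0
REVERT;
```

Point the ColdFusion datasource at cf_clientvars and, as the reply suggests, trace the queries ColdFusion actually issues against CDATA and CGLOBAL: if the trace shows nothing beyond plain SELECT/INSERT/UPDATE/DELETE on those two tables, the grants above are the whole of what the application needs, and any other table in the same database stays out of reach of that datasource.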

