The CFID and CFTOKEN have to relate, you can change one without knowing
the exact ID of the other.  And if you're using UUID for CFTOKEN then
"good luck" guessing a valid key.

BAT


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Beattie,
Barry
Sent: Thursday, 13 November 2003 1:42 p.m.
To: CFAussie Mailing List
Subject: [cfaussie] RE: sessions won't go away


but won't that help to session hijacking where you modify the CFID
values?

cheers
barry.b

-----Original Message-----
From: Bruce Trevarthen [mailto:[EMAIL PROTECTED]
Sent: Thursday, 13 November 2003 10:34 AM
To: CFAussie Mailing List
Subject: [cfaussie] RE: sessions won't go away


You could just modify all links and form submissions and cflocations to
include the CFID and CFTOKEN in the URL, negating the need for client
cookies at all.  I believe you get the choice in CFAPPLICATION as to
setting cookies or not.

BAT
-------------
Bruce Trevarthen
ZeroOn (NZ) Limited

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gary
Menzel
Sent: Thursday, 13 November 2003 1:27 p.m.
To: CFAussie Mailing List
Subject: [cfaussie] RE: sessions won't go away


We don't use Client Management.  But that would not make any difference
if we did.

The only keys you have a for a CF Session are CFID and CFTOKEN.

And it is these that we want destroyed in the COOKIE.

You just cannot guarantee that a user will press a LOGOUT button that
will allow you to destroy persistent information on the server side.

And you can't stop people fudging cookies either.

Bottom line for us - it comes down to a security issue.  Maybe it is 
overkill - but we know absolutely what is and isn't possible with our 
sessions now.


Gary Menzel
Web Development Manager
IT Operations Brisbane -+- ABN AMRO Morgans Limited
Level 29, 123 Eagle Street BRISBANE QLD 4000
PH: 07 333 44 828  FX:  07 3834 0828






---
You are currently subscribed to cfaussie as: [EMAIL PROTECTED]
To unsubscribe send a blank email to
[EMAIL PROTECTED]

MXDU2004 + Macromedia DevCon AsiaPac + Sydney, Australia
http://www.mxdu.com/ + 24-25 February, 2004
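Added example (not from any poster in this thread) putting Bruce's cookie-less suggestion and Gary's "destroy the cookie" requirement into CFMX-era CFML; the application name, page names and the 20-minute timeout are assumed values.

```cfml
<!--- Application.cfm: sessions on, Client Management off, and CF told not to
      set CFID/CFTOKEN cookies at all (the cfapplication switch Bruce mentions). --->
<cfapplication name="cfaussieDemo"
               sessionmanagement="yes"
               clientmanagement="no"
               setclientcookies="no"
               sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#">

<!--- account.cfm: with no cookies, every link, form action and redirect must
      carry the identifiers itself. session.urltoken is the ready-made
      "CFID=...&CFTOKEN=..." string for the current session. --->
<cfoutput>
  <a href="orders.cfm?#session.urltoken#">My orders</a>

  <form action="update.cfm?#session.urltoken#" method="post">
    <input type="text" name="nickname">
    <input type="submit" value="Save">
  </form>
</cfoutput>

<!--- addtoken="yes" makes cflocation append CFID/CFTOKEN for you. --->
<cflocation url="home.cfm" addtoken="yes">

<!--- logout.cfm: clear the server-side session AND expire any CFID/CFTOKEN
      cookies a browser may still hold from before setclientcookies was
      switched off, so the old identifiers cannot be replayed from a cookie. --->
<cfset StructClear(session)>
<cfcookie name="CFID"    value="" expires="now">
<cfcookie name="CFTOKEN" value="" expires="now">
<cflocation url="index.cfm" addtoken="no">
```

Identifiers in the URL end up in browser history, Referer headers and proxy logs, which is why BAT's point about the Administrator's UUID CFTOKEN setting matters: a guessable CFTOKEN is the part that makes a leaked or modified CFID useful to a hijacker.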
