> I understand what you mean. Granted you could have converted the site to
> use session variables but the reasons weren't strong enough. However, for
> an e-commerce Web site, I think session variables is the way to go because
> they add that layer of security especially if you enable J2EE session
> variables.

This is an e-commerce app. However, we can't use J2EE sessions because the
site in question is on a shared server. We control the shared server, but
there are lots of other apps on there, many by third-party developers. Since
ColdFusion developers can change the session timeout programmatically, they
can set it to something that puts it out of sync with the J2EE session,
causing the dreaded "session expired" error.

Out of curiosity, what security measures are possible with J2EE sessions
that can't be accomplished with ColdFusion sessions? It seems to me that if
you enable UUID for the cftoken and use a non-persistent cookie to track
whether the user closed the browser, the two are pretty equivalent
security-wise. Am I missing something?

Ben Rogers
http://www.c4.net
v.508.240.0051
f.508.240.0057 
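The setup Ben describes (ColdFusion sessions with a non-persistent cookie so the session ends when the browser is closed) is shown here as an added example; it is not code from the original post. It assumes a per-application `Application.cfm`, an application name `shopExample` and a 20-minute `sessiontimeout`, all chosen for illustration. The UUID cftoken setting itself lives in the ColdFusion Administrator, not in code.

```cfml
<!--- Application.cfm (added example, not from the original message).
      setclientcookies="no" stops ColdFusion from writing the persistent
      CFID/CFTOKEN cookies itself; we write them below without an
      "expires" attribute so the browser discards them on close.
      sessiontimeout is this app's own value; on a shared server each
      app can set its own, which is the J2EE-session drift Ben mentions. --->
<cfapplication name="shopExample"
    sessionmanagement="yes"
    setclientcookies="no"
    sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#">

<!--- Re-issue the identifiers as session (non-persistent) cookies.
      No "expires" attribute means the cookie lives only for the
      browser session, so closing the browser ends the user's session. --->
<cfif IsDefined("session.cfid") AND IsDefined("session.cftoken")>
    <cfcookie name="CFID" value="#session.cfid#">
    <cfcookie name="CFTOKEN" value="#session.cftoken#">
</cfif>
```

The persistent CFID/CFTOKEN cookies ColdFusion writes by default are the usual reason a user who closes and reopens the browser lands back in the same session; replacing them with session cookies is what makes "closed the browser" equal "logged out", which is the behaviour the thread is comparing against J2EE sessions.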
