Yeah, you're pretty much dead on there as far as I know. If you use the UUID token value and set the non-persistent cookies then the way the application behaves is exactly the same from what I've seen. It's just a little easier out of the box with j2ee session variables because you don't have to mess with that other stuff.
I do control my own server so that puts me at an advantage I guess. :-)
On 5/27/05, Ben Rogers <[EMAIL PROTECTED]> wrote:
> I understand what you mean. Granted you could have converted the site to
> use session variables but the reasons weren't strong enough. However, for
> an e-commerce Web site, I think session variables is the way to go because
> they add that layer of security especially if you enable j2ee session
> variables.
This is an e-commerce app. However, we can't use J2EE sessions because the
site in question is on a shared server. We control the shared server, but
there are lots of other apps on there, many by third party developers. Since
ColdFusion developers can change the session timeout programmatically, they
can set it to something that puts it out of sync with the J2EE session,
causing the dreaded "session expired" error.
Out of curiosity, what security measures are possible with J2EE sessions
that can't be accomplished with ColdFusion sessions? It seems to me that if
you enable UUID for the cftoken and use a non-persistent cookie to track
whether the user closed the browser, the two are pretty equivalent security
wise. Am I missing something?
Ben Rogers
http://www.c4.net
v.508.240.0051
f.508.240.0057
----------------------------------------------------------
You are subscribed to cfcdev. To unsubscribe, send an email to [email protected] with the words 'unsubscribe cfcdev' as the subject of the email.
CFCDev is run by CFCZone (www.cfczone.org) and supported by CFXHosting ( www.cfxhosting.com).
CFCDev is supported by New Atlanta, makers of BlueDragon
http://www.newatlanta.com/products/bluedragon/index.cfm
An archive of the CFCDev list is available at www.mail-archive.com/[email protected]
--
Dave Cordes
www.apoktechnology.com
636-412-1086 (Office)
636-578-4235 (Mobile)
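The non-persistent CFID/CFTOKEN cookie technique both posters refer to, written out as an added example (not code from either poster). It assumes a ColdFusion MX 7 style Application.cfc, that "Use UUID for cftoken" is switched on in the ColdFusion Administrator, and that the site is served over HTTPS:

```cfml
<!--- Application.cfc: issue the session identifiers ourselves so they die with the browser --->
<cfcomponent output="false">
    <cfset this.name = "storefront">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>
    <!--- Stop ColdFusion writing its own CFID/CFTOKEN cookies; by default those
          persist across browser restarts, so a closed browser could resume the session. --->
    <cfset this.setClientCookies = false>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- Re-issue the identifiers as browser-session cookies. With no "expires"
              attribute cfcookie sets a non-persistent cookie that the browser drops
              when it closes. The CFTOKEN value is the UUID generated by the server
              (assumes the Administrator's UUID cftoken setting is enabled).
              secure="true" assumes the store runs over HTTPS only. --->
        <cfcookie name="CFID" value="#session.CFID#" secure="true">
        <cfcookie name="CFTOKEN" value="#session.CFTOKEN#" secure="true">
    </cffunction>
</cfcomponent>
```

The server-side timeout above still applies, so a session that outlives a closed browser simply expires unused rather than being re-attached to a later visitor.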
