It depends on how secure you want the system to be. Anyone who has any web knowledge and is trying to steal sessions is also clever enough to find hidden form fields even if you don't show the URL. If I remember from your earlier email you were looking at an intranet; can't users be forced to use cookies, which are at least machine specific?

Allan

----- Original Message -----
From: Robertson-Ravo, Neil (REC)
To: '[EMAIL PROTECTED]'
Sent: Monday, October 14, 2002 10:57 AM
Subject: RE: [ cf-dev ] addtoken="No"

I agree Matt, from what I have heard and from what I know.... passing the pair is a big no-no, it's a real security risk. You should never (unless forced) pass them via the URL..... hidden form fields maybe, but not the URL...

-----Original Message-----
From: Matt Horn [mailto:[EMAIL PROTECTED]]
Sent: 14 October 2002 09:49
To: [EMAIL PROTECTED]
Subject: RE: [ cf-dev ] addtoken="No"

Nik, are you saying that all CF apps MUST have CFID and CFTOKEN in the URL to ensure no session hijacking? I disagree. AFAIK if you lock properly your sessions should never get muddled. Is there some documentation to support your claim? *interested*

Matt

At 09:43 14/10/02 +0100, you wrote:
> If you are using Client variables (or even session vars) not passing the
> URLTOKEN will sometimes cause sessions to go nuts.
>
> You will always need to pass URLTOKEN if you want to guarantee that your
> sessions will not get hijacked!
>
> If you set addtoken="no" you will then need to explicitly pass the
> URLTOKEN in the string.
>
> Cheers
>
> Niklas
>
> > -----Original Message-----
> > From: Robertson-Ravo, Neil (REC) [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, October 11, 2002 9:32 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ cf-dev ] addtoken="No"
> >
> > Ah, I always set it to no.
> >
> > -----Original Message-----
> > From: Giles Roadnight [mailto:[EMAIL PROTECTED]]
> > Sent: 11 October 2002 09:32
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ cf-dev ] addtoken="No"
> >
> > I thought that the default was to add a token. If I leave the attribute off
> > I always get the token added.
> >
> > ----- Original Message -----
> > From: "Robertson-Ravo, Neil (REC)" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, October 11, 2002 9:25 AM
> > Subject: [ cf-dev ] addtoken="No"
> >
> > > Anyone had any problems where not adding addtoken="no" to the cflocation
> > > tag will cause it to add the token.
> > >
> > > CF4.5x
> > >
> > > Thanks
> > >
> > > N
> > >
> > > --
> > > ** Archive: http://www.mail-archive.com/dev%40lists.cfdeveloper.co.uk/
> > >
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > For human help, e-mail: [EMAIL PROTECTED]
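Added example, not from the thread: the cookie-only setup Allan suggests, written as CF 4.5-era CFML so that no page has to carry CFID/CFTOKEN in the URL and every cflocation can use addtoken="No". The application name, page names and the session.loggedIn variable are made up, and the redirect guard assumes pages need no other query-string parameters on a bare reload.

```cfml
<!--- Application.cfm (constructed example): keep the session identifiers
      in cookies, so CFID/CFTOKEN never need to appear in a URL. --->
<cfapplication name="intranetApp"
               sessionmanagement="Yes"
               setclientcookies="Yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">

<!--- Defensive guard (assumption: pages need no other query parameters).
      If a request arrives with the pair in the URL, e.g. from a bookmarked
      or forwarded link, bounce it to the same script with a clean address,
      so the tokens do not linger in the address bar, the Referer header
      sent to other sites, or the web-server access logs. --->
<cfif IsDefined("URL.CFID") OR IsDefined("URL.CFTOKEN")>
    <cflocation url="#CGI.SCRIPT_NAME#" addtoken="No">
</cfif>

<!--- login.cfm (constructed example): after a successful check, redirect
      with addtoken="No". The browser already holds the cookie, so the
      session is found on the next request with nothing in the URL. --->
<cfset session.loggedIn = true>
<cflocation url="home.cfm" addtoken="No">
```

A user whose browser refuses the cookie simply gets a fresh session on the next request, which is the intended outcome when the policy is cookies only.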
