It's probably easier to copy the session to either the variable or the request scope, with LOCKS, and then do the stuff you want to it, and then copy it back to the session...

eg... (pseudo)

    <!--- cflock requires a timeout; 10 seconds is an arbitrary value --->
    <cflock type="readonly" scope="session" timeout="10">
        <cfset request.session = duplicate(session)>
    </cflock>

    <!--- do stuff, working on request.session --->

    <cflock type="exclusive" scope="session" timeout="10">
        <cfset session = duplicate(request.session)>
    </cflock>

This way you don't have to lock every change, but only reading and writing, and it is quicker.

----- Original Message -----
From: "Giles Roadnight" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, October 14, 2002 10:01 AM
Subject: RE: [ cf-dev ] addtoken="No"

> Oh great, I've just spent weeks adding them to all of the links in my
> site.
>
> BTW, proper locking - does this mean duplicating the session variable or
> just setting a local variable to equal the session.
>
> Giles Roadnight
> http://giles.roadnight.name
>
> -----Original Message-----
> From: Robertson-Ravo, Neil (REC)
> [mailto:[EMAIL PROTECTED]]
> Sent: 14 October 2002 09:57
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ cf-dev ] addtoken="No"
>
> I agree Matt,
>
> From what I have heard and from what I know.... passing the pair is a big
> no no, it's a real security risk. You should never (unless forced) pass
> them via the URL.....hidden form fields maybe, but not the URL...
>
> -----Original Message-----
> From: Matt Horn [mailto:[EMAIL PROTECTED]]
> Sent: 14 October 2002 09:49
> To: [EMAIL PROTECTED]
> Subject: RE: [ cf-dev ] addtoken="No"
>
> Nik are you saying that all CFapps MUST have cfid and CFtoken in the URL
> to ensure no session hijacking?
>
> I disagree
> AFAIK
> if you lock properly your sessions should never get muddled
>
> is there some documentation to support your claim?
>
> *interested*
>
> Matt
>
> At 09:43 14/10/02 +0100, you wrote:
> >If you are using Client variables (or even session vars) not passing the
> >URLTOKEN will sometimes 'cause sessions to go nuts.
> >
> >You will always need to pass URLTOKEN if you want to guarantee that your
> >sessions will not get hijacked!
> >
> >If you set addtoken="no" you will then need to explicitly pass the
> >URLTOKEN in the string.
> >
> >Cheers
> >
> >Niklas
> >
> > > -----Original Message-----
> > > From: Robertson-Ravo, Neil (REC)
> > > [mailto:[EMAIL PROTECTED]]
> > > Sent: Friday, October 11, 2002 9:32 AM
> > > To: '[EMAIL PROTECTED]'
> > > Subject: RE: [ cf-dev ] addtoken="No"
> > >
> > > Ah, I always set it to no.
> > >
> > > -----Original Message-----
> > > From: Giles Roadnight [mailto:[EMAIL PROTECTED]]
> > > Sent: 11 October 2002 09:32
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [ cf-dev ] addtoken="No"
> > >
> > > I thought that the default was to add a token. If I leave the
> > > attribute off I always get the token added.
> > >
> > > ----- Original Message -----
> > > From: "Robertson-Ravo, Neil (REC)" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Friday, October 11, 2002 9:25 AM
> > > Subject: [ cf-dev ] addtoken="No"
> > >
> > > > Anyone had any problems where not adding addtoken="no" to the
> > > > cflocation tag will cause it to add the token.
> > > >
> > > > CF4.5x
> > > >
> > > > Thanks
> > > >
> > > > N
> > > >
> > > > --
> > > > ** Archive: http://www.mail-archive.com/dev%40lists.cfdeveloper.co.uk/
> > > >
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > For human help, e-mail: [EMAIL PROTECTED]
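
The concern raised in the thread, that the CFID/CFTOKEN pair should not travel in the URL, can be checked for in web server logs. The following is an added example, not part of the original thread: it flags and redacts the pair wherever it shows up in a request target or a Referer header. The log format, host name and token values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# The identifier pair ColdFusion appends as URLTOKEN (CFID=...&CFTOKEN=...).
SESSION_PARAMS = {"cfid", "cftoken"}

def redact_url(url):
    """Return (redacted_url, leaked_param_names) for one URL or request target."""
    parts = urlsplit(url)
    leaked, kept = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS:
            leaked.append(name.lower())
            kept.append((name, "REDACTED"))
        else:
            kept.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(kept))), sorted(leaked)

# Constructed sample lines in combined log format (assumed, not from the thread).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Oct/2002:09:43:01 +0100] "GET /cart.cfm?CFID=1201&CFTOKEN=48213377&item=7 HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [14/Oct/2002:09:44:12 +0100] "GET /index.cfm HTTP/1.0" 200 2048 "http://shop.example/cart.cfm?cfid=1201&cftoken=48213377" "Mozilla/4.0"',
    '192.0.2.12 - - [14/Oct/2002:09:45:30 +0100] "GET /about.cfm?page=2 HTTP/1.0" 200 1024 "-" "Mozilla/4.0"',
]

# Request target and Referer are the two fields where a URL token ends up.
LINE_RE = re.compile(
    r'"(?:GET|POST|HEAD) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def scan(lines):
    """Report each log line whose request target or Referer carries the pair."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = LINE_RE.search(line)
        if not match:
            continue
        for field in ("target", "referer"):
            redacted, leaked = redact_url(match.group(field))
            if leaked:
                findings.append((number, field, leaked, redacted))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A Referer hit means the pair was sent on to whichever site the user visited next, so those findings matter as much as the ones in the request target.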
