There are some good MM technotes on this.

-----Original Message-----
From: Niklas Richardson [mailto:[EMAIL PROTECTED]]
Sent: 14 October 2002 10:02
To: [EMAIL PROTECTED]
Subject: RE: [ cf-dev ] addtoken="No"

The docs aren't actually very clear. You can never be sure whether a user will have cookies turned on or not. I also find that passing URLTOKEN in pre-CFMX application would help guarantee that sessions / client vars would be stored and passed correctly, and no session hijacking would occur. In fact, after the complete hassle of using SESSIONs in CF4.5 I gave up using them altogether and only stuck with CLIENT vars. However this has changed in CFMX as it actually works now!

I know these arguments are particularly solid...but I've found that since doing that I ain't had any problems!

> -----Original Message-----
> From: Robertson-Ravo, Neil (REC)
> [mailto:[EMAIL PROTECTED]]
> Sent: Monday, October 14, 2002 9:46 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ cf-dev ] addtoken="No"
>
> really? that's not what the docs state? they say never pass the CFID/CFTOKEN
> unless you are not using cookies.....
>
> -----Original Message-----
> From: Niklas Richardson [mailto:[EMAIL PROTECTED]]
> Sent: 14 October 2002 09:43
> To: [EMAIL PROTECTED]
> Subject: RE: [ cf-dev ] addtoken="No"
>
> If you are using Client variables (or even session vars) not passing the
> URLTOKEN will sometimes cause sessions to go nuts.
>
> You will always need to pass URLTOKEN if you want to guarantee that your
> sessions will not get hijacked!
>
> If you set addtoken="no" you will then need to explicitly pass the
> URLTOKEN in the string.
>
> Cheers
>
> Niklas
>
> > -----Original Message-----
> > From: Robertson-Ravo, Neil (REC)
> > [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, October 11, 2002 9:32 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ cf-dev ] addtoken="No"
> >
> > Ah, I always set it to no.
> >
> > -----Original Message-----
> > From: Giles Roadnight [mailto:[EMAIL PROTECTED]]
> > Sent: 11 October 2002 09:32
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ cf-dev ] addtoken="No"
> >
> > I thought that the default was to add a token. If I leave the attribute off
> > I always get the token added.
> >
> > ----- Original Message -----
> > From: "Robertson-Ravo, Neil (REC)" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, October 11, 2002 9:25 AM
> > Subject: [ cf-dev ] addtoken="No"
> >
> > > Anyone had any problems where not adding addtoken="no" to the cflocation tag
> > > will cause it to add the token.
> > >
> > > CF4.5x
> > >
> > > Thanks
> > >
> > > N
> > >
> > > --
> > > ** Archive: http://www.mail-archive.com/dev%40lists.cfdeveloper.co.uk/
> > >
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > For human help, e-mail: [EMAIL PROTECTED]
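
When CFID/CFTOKEN are passed in the URL, as discussed in this thread, they are also written to web server access logs and sent on in Referer headers. The following is an added example, not part of the original thread: it scans constructed Apache combined-format log lines for CFID/CFTOKEN pairs in request URLs and Referers and reports any pair presented by more than one client address (the log lines, addresses, paths and function names are all assumptions made for illustration).

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Oct/2002:09:40:01 +0100] "GET /account.cfm?CFID=1201&CFTOKEN=55512345 HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
192.0.2.10 - - [14/Oct/2002:09:41:12 +0100] "GET /index.cfm HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
198.51.100.7 - - [14/Oct/2002:09:43:30 +0100] "GET /account.cfm?cfid=1201&cftoken=55512345 HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [14/Oct/2002:09:44:02 +0100] "GET /basket.cfm?CFID=1377&CFTOKEN=80461122 HTTP/1.0" 200 900 "http://www.example.com/list.cfm?CFID=1377&CFTOKEN=80461122" "Mozilla/4.0"
"""

# client IP, request URL and Referer from one combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)"')

def session_pair(url):
    """Return (CFID, CFTOKEN) if both are in the URL's query string, else None."""
    query = {k.lower(): v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "cfid" in query and "cftoken" in query:
        return query["cfid"], query["cftoken"]
    return None

def scan(log_text):
    """Map each session pair seen in a request URL or Referer to the client IPs using it."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, request_url, referer = m.groups()
        for url in (request_url, referer):
            pair = session_pair(url)
            if pair:
                clients[pair].add(ip)
    return clients

def shared_sessions(clients):
    """Session pairs presented by more than one client address (a lead to review, not proof)."""
    return {pair: sorted(ips) for pair, ips in clients.items() if len(ips) > 1}

if __name__ == "__main__":
    seen = scan(SAMPLE_LOG)
    print(f"{len(seen)} session pair(s) exposed in URLs")
    for pair, ips in shared_sessions(seen).items():
        print("CFID=%s CFTOKEN=%s used from %s" % (*pair, ", ".join(ips)))
```

A pair seen from several addresses can be benign (a proxy farm or a changing dial-up address), so treat the output as a starting point for review of the affected sessions.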
