Ed, yea, I figured that much. My question really should have been: Why not just keep
the CFID/CFTOKEN in the URL query string? Perhaps the non-obvious part of this is
that you can still have a standard query string attached to a SES URL. Or at least it
works with WebSite and Apache, not sure about IIS.
Consider what happens when a search engine indexes your site including the
CFID/CFTOKEN identifiers in the SES URL.... Depending on your structure, they might
all end up assuming the *same* session or client identity, or throwing timeout errors,
viewing other people's shopping carts... all sorts of nasty stuff (theoretically,
anyway).
Cheers,
-Max
At 2/5/2001 11:55 AM -0500, you wrote:
>Max,
>
>I don't necessarily want cfid/cftoken to be indexed by search engines.
>However if I do want any kind of cookie-less session management on the site
>then I MUST have cfid/cftoken combos on every form submit and url on the
>site otherwise when a user clicks on a link or submits a form that doesn't
>have the CFID/CFTOKEN combo in it we can't find their session. Or worse a
>new CFID/CFTOKEN combo is assigned to them and I just lost their session
>information. If you have cookies enabled it's no big deal. But a lot of
>people are paranoid and I have to accommodate their needs which means sending
>CFID/CFTOKEN on EVERY single url and form submit on the page.
>
>ed
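
An added example, not part of either message in this thread: one way to check access logs for the failure Max describes, where a CFID/CFTOKEN pair carried in a URL ends up being presented by several different clients (for instance after a crawler indexed the link). The log layout, the sample lines and the SES path layout `/index.cfm/name/value/...` are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed log lines (client IP, request, user agent); not real traffic.
# Assumed SES layout: name/value pairs as path segments after the .cfm template.
SAMPLE_LOG = '''\
198.51.100.7 "GET /index.cfm?fuseaction=cart.view&CFID=1001&CFTOKEN=55501234 HTTP/1.0" "Mozilla/4.0"
192.0.2.44 "GET /index.cfm/fuseaction/cart.view/CFID/1001/CFTOKEN/55501234 HTTP/1.0" "ExampleCrawler/1.0"
203.0.113.9 "GET /index.cfm/fuseaction/cart.view/cfid/1001/cftoken/55501234 HTTP/1.0" "Mozilla/4.0"
198.51.100.7 "GET /index.cfm?fuseaction=home&CFID=1001&CFTOKEN=55501234 HTTP/1.0" "Mozilla/4.0"
203.0.113.80 "GET /index.cfm?fuseaction=home&CFID=1002&CFTOKEN=77709876 HTTP/1.0" "Mozilla/4.0"
203.0.113.80 "GET /index.cfm/fuseaction/home HTTP/1.0" "Mozilla/4.0"
'''

LINE_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) [^"]*" "([^"]*)"$')

def extract_session(url):
    """Return (CFID, CFTOKEN) carried in a URL, or None if absent or incomplete."""
    parts = urlsplit(url)
    # Standard query string: ?CFID=...&CFTOKEN=... (names are case-insensitive).
    params = {k.lower(): v for k, v in parse_qsl(parts.query)}
    # SES form: read the path segments after ".cfm/" as name/value pairs.
    _, sep, tail = parts.path.partition(".cfm/")
    if sep:
        segs = tail.split("/")
        for name, value in zip(segs[0::2], segs[1::2]):
            params.setdefault(name.lower(), value)
    if params.get("cfid") and params.get("cftoken"):
        return params["cfid"], params["cftoken"]
    return None

def shared_sessions(log_text):
    """Map each URL-borne session pair to its client IPs when more than one IP used it."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, url, _agent = m.groups()
        pair = extract_session(url)
        if pair:
            clients[pair].add(ip)
    return {pair: sorted(ips) for pair, ips in clients.items() if len(ips) > 1}

if __name__ == "__main__":
    for pair, ips in shared_sessions(SAMPLE_LOG).items():
        print("CFID=%s CFTOKEN=%s seen from %s" % (pair[0], pair[1], ", ".join(ips)))
```

A pair reported here is a candidate for invalidation; users behind a proxy pool can also appear under several addresses, so treat a hit as a lead rather than proof.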