Just my 2 cents here: CF will look at the URL.CFID and URL.CFTOKEN values to
determine the session when the CFAPPLICATION tag is called.

Therefore you can pass those values any way you want (for example hidden
form fields) just as long as you set the values into:
URL.CFID and URL.CFTOKEN
BEFORE calling CFAPPLICATION.

About session hijacking: to avoid that, check the referrer and, if it is not your
own domain, force a new session:

<!--- Referrer not from our own site: drop the session identifiers so CFAPPLICATION starts a new session --->
<CFIF not FindNoCase(request.AppRoot, replace(CGI.HTTP_REFERER, "\", "/", "all"))>
        <CFSET Cookie.CFID = "">
        <CFSET Cookie.CFTOKEN = "">
        <CFSET URL.CFID = "">
        <CFSET URL.CFTOKEN = "">
<!--- Otherwise copy identifiers posted in hidden form fields into URL scope, where CFAPPLICATION reads them --->
<CFELSEIF isDefined("Form.CFID") and isDefined("Form.CFTOKEN")>
        <CFSET URL.CFID = Form.CFID>
        <CFSET URL.CFTOKEN = Form.CFTOKEN>
</CFIF>

HTH,
Noam

Archives: http://www.mail-archive.com/[email protected]/
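An added example (editor's code, not from Noam's post) wiring the whole flow together: a form page that carries the identifiers in hidden fields, and an Application.cfm that runs the referrer check and the Form-to-URL copy before CFAPPLICATION. The application name, the request.AppRoot value and the file names are assumptions.

```coldfusion
<!--- ===== Application.cfm (added example) =====
      Assumption: request.AppRoot holds this site's own URL prefix --->
<cfset request.AppRoot = "http://www.example.com/">

<!--- 1. Referrer check. HTTP_REFERER is client-supplied and often empty
      (bookmarks, typed URLs, privacy settings), so this is a weak sanity
      check: with the post's logic an empty referrer also resets the session. --->
<cfset refererNorm = Replace(CGI.HTTP_REFERER, "\", "/", "all")>
<cfif NOT FindNoCase(request.AppRoot, refererNorm)>
    <!--- Request did not come from our own pages: force a fresh session --->
    <cfset Cookie.CFID = "">
    <cfset Cookie.CFTOKEN = "">
    <cfset URL.CFID = "">
    <cfset URL.CFTOKEN = "">
<cfelseif IsDefined("Form.CFID") AND IsDefined("Form.CFTOKEN")>
    <!--- 2. Identifiers arrived in hidden form fields: copy them to URL scope,
          which is where CFAPPLICATION looks for them --->
    <cfset URL.CFID = Form.CFID>
    <cfset URL.CFTOKEN = Form.CFTOKEN>
</cfif>

<!--- 3. Only now start the application, so the values set above are used
      to resolve the session --->
<cfapplication name="demoApp" sessionmanagement="Yes">

<!--- ===== form.cfm (added example) =====
      Session.CFID / Session.CFTOKEN are the current session's identifiers;
      echo them into hidden fields so the next request can present them
      even when the client does not send cookies --->
<cfoutput>
<form action="step2.cfm" method="post">
    <input type="hidden" name="CFID" value="#Session.CFID#">
    <input type="hidden" name="CFTOKEN" value="#Session.CFTOKEN#">
    <input type="text" name="username">
    <input type="submit" value="Continue">
</form>
</cfoutput>
```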