Is jsessionid passed when addtoken="yes" attribute/value is added to
cflocation?  Are there other ways jsessionid can be passed?

Thanks
 
Tom Schreck
972-361-9943
-----Original Message-----
From: Daniel Elmore [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 14, 2005 3:59 PM
To: [email protected]
Subject: RE: jsessionid

The jsessionid will function just like the cfid and cftoken values do. It
identifies the session, and if it's in the URL it's a security hole. It would
work the same way if you copied someone's cookie onto your computer and if
the session was still active it would grant you access.

The fix: never pass these IDs in the URL. It can be dangerous also when the
user exits the site and that ID is stored in someone else's server logs as a
referral URL.

Daniel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Schreck, Tom
Sent: Friday, January 14, 2005 3:49 PM
To: [email protected]
Subject: jsessionid


A user forwarded me a link which had a jsessionid in the URL. I clicked on
the link and was logged in as that user. What causes this and how do I fix
it?


Thanks

Tom Schreck
Applications Developer
Dresser, Inc.
15455 Dallas Parkway, Suite 1100
Addison, TX  75001-4690
972-361-9943
[EMAIL PROTECTED]
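The two leak points Daniel names above, the request URL itself and the Referer header that ends up in someone else's server logs, can both be checked for in ordinary web server access logs. The script below is an added example, not code from this thread or from ColdFusion; it assumes Apache/IIS "combined" log format, scans constructed sample lines for jsessionid, CFID and CFTOKEN, and reports only a redacted prefix of each ID so the report does not reproduce a usable session identifier.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Session identifiers that, per the thread, must never travel in a URL.
SESSION_PARAMS = {"jsessionid", "cfid", "cftoken"}
# Servlet-style path parameter form: /account.cfm;jsessionid=ABC123?x=1
_PATH_PARAM = re.compile(r";jsessionid=([^;?#/]+)", re.IGNORECASE)
# Combined format: client ident user [time] "request" status bytes "referer" "agent"
_LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$'
)

# Constructed sample lines (not real traffic): a jsessionid path parameter, CFID/CFTOKEN
# in the query string, an ID leaked to us via another site's Referer, and a clean request.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Jan/2005:15:49:00 -0600] "GET /app/account.cfm;jsessionid=8A3F9C2E1B7D4 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [14/Jan/2005:15:50:12 -0600] "GET /index.cfm?CFID=12345&CFTOKEN=98765432 HTTP/1.1" 200 812 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [14/Jan/2005:15:51:30 -0600] "GET /partner/landing.cfm HTTP/1.1" 200 300 "http://intranet.example/app/account.cfm?jsessionid=8A3F9C2E1B7D4" "Mozilla/4.0"',
    '10.0.0.5 - - [14/Jan/2005:15:52:00 -0600] "GET /app/safe.cfm HTTP/1.1" 200 100 "-" "Mozilla/4.0"',
]

def find_session_ids(url):
    """Return {name: value} for every session ID carried in a URL (path param or query)."""
    found = {}
    m = _PATH_PARAM.search(url)
    if m:
        found["jsessionid"] = m.group(1)
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS:
            found[name.lower()] = value
    return found

def redact(value):
    """Keep a short prefix only, so the report itself does not carry a usable ID."""
    return value[:4] + "..." if len(value) > 4 else "***"

def scan_log(lines):
    """One finding per session ID seen in a request URL or in a Referer header."""
    findings = []
    for line in lines:
        m = _LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        client, when, method, path, status, referer = m.groups()
        for where, url in (("request", path), ("referer", referer)):
            for name, value in find_session_ids(url).items():
                findings.append({"client": client, "time": when, "where": where,
                                 "param": name, "id": redact(value)})
    return findings
```

Running `scan_log` over a real log gives a quick inventory of which pages still emit IDs in links (the "request" findings) and which outside sites have already received one (the "referer" findings).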

----------------------------------------------------------
To post, send email to [email protected]
To unsubscribe: 
   http://www.dfwcfug.org/form_MemberUnsubscribe.cfm
To subscribe: 
   http://www.dfwcfug.org/form_MemberRegistration.cfm
