Title: RE: jsessionid

You just wrote the rest of the Users Group Again!  :)

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joy, Jeff
Sent: Monday, January 17, 2005 10:38 AM
To: '[email protected]'
Subject: RE: jsessionid

 

Dan,
  Greetings, my name is Jeff Joy.  I had written you and the rest of this users group on Friday.  I hope that I've caught you at an auspicious time.  Listen, long story short, I have some contract-to-hire opportunities open for some ColdFusion developers - two, as a matter of fact.  Would you or anyone you know of be interested in discussing the opportunities?  If you know of anyone that we use, I can afford to give you a modest referral fee.  Please let me know what your thoughts are when you get a chance.

Professional Regards,
Jeff Joy
469-733-7851
Aquent Technologies

-----Original Message-----
From: Dan Blackman [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 17, 2005 9:27 AM
To: [email protected]
Subject: RE: jsessionid

Tom,

The JsessionId lives in the Session scope.  If you want to pass it, just
set a URL var = session.jsessionId, or if you want both I believe it's
session.urltoken.  That is, if you have Jsessions selected in the Admin
as your session var of choice.

Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Schreck, Tom
Sent: Monday, January 17, 2005 7:37 AM
To: [email protected]
Subject: RE: jsessionid

Is jsessionid passed when addtoken="yes" attribute/value is added to
cflocation?  Are there other ways jsessionid can be passed?

Thanks
 
Tom Schreck
972-361-9943
-----Original Message-----
From: Daniel Elmore [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 14, 2005 3:59 PM
To: [email protected]
Subject: RE: jsessionid

The jsessionid will function just like the cfid and cftoken values do.
It identifies the session, and if it's in the URL it's a security hole.
It would work the same way if you copied someone's cookie onto your
computer, and if the session was still active it would grant you access.

The fix: never pass these IDs in the URL. It can be dangerous also when
the user exits the site and that ID is stored in someone else's server
logs as a referral URL.

Daniel
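
The following is an added example, not part of the original thread: a small log audit that flags the session identifiers named above (jsessionid, cfid, cftoken) when they appear in a request URL or in a Referer field, and redacts the values in its report. The log lines, host names and function names are constructed for illustration, and Combined Log Format is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Session-bearing names mentioned in the thread.
SESSION_PARAMS = {"jsessionid", "cfid", "cftoken"}
# The ID may also ride as a path parameter: /page.cfm;jsessionid=abc
PATH_PARAM = re.compile(r";jsessionid=[^;?#/]+", re.IGNORECASE)
VALUE = re.compile(r"(?i)\b(jsessionid|cfid|cftoken)=[^&#;?\s]+")
# Combined Log Format (assumed): "METHOD url PROTO" status bytes "referer"
LOG_LINE = re.compile(
    r'"(?:\S+) (?P<url>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')

# Constructed sample input.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jan/2005:09:27:00 -0600] "GET /app/index.cfm;'
    'jsessionid=8430a1b2c3d4?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [17/Jan/2005:09:28:10 -0600] "GET /welcome.html '
    'HTTP/1.1" 200 812 "http://intranet.example/home.cfm?CFID=1201'
    '&CFTOKEN=55443322" "Mozilla/4.0"',
    '192.0.2.12 - - [17/Jan/2005:09:29:45 -0600] "GET /about.cfm '
    'HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
]

def session_ids_in_url(url):
    """Return the sorted session parameter names present in url."""
    parts = urlsplit(url)
    found = {"jsessionid"} if PATH_PARAM.search(parts.path) else set()
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS:
            found.add(name.lower())
    return sorted(found)

def redact(url):
    """Replace session ID values so the report does not leak them again."""
    return VALUE.sub(r"\1=REDACTED", url)

def audit(lines):
    """Return (line_no, field, names, redacted_url) for every exposure."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.search(line)
        if not m:
            continue
        for field in ("url", "referer"):
            names = session_ids_in_url(m.group(field))
            if names:
                findings.append((n, field, names, redact(m.group(field))))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A hit in the `url` field means the application is still issuing links that carry the ID; a hit in the `referer` field is the referral-URL exposure described in the reply above.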

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Schreck, Tom
Sent: Friday, January 14, 2005 3:49 PM
To: [email protected]
Subject: jsessionid

 

A user forwarded me a link which had a jsessionid in the URL.  I clicked
on the link and was logged in as that user.  What causes this and how do
I fix it?

 

Thanks

Tom Schreck
Applications Developer
Dresser, Inc.
15455 Dallas Parkway, Suite 1100
Addison, TX  75001-4690
972-361-9943
[EMAIL PROTECTED]






----------------------------------------------------------
To post, send email to [email protected]
To unsubscribe:
   http://www.dfwcfug.org/form_MemberUnsubscribe.cfm
To subscribe:
   http://www.dfwcfug.org/form_MemberRegistration.cfm
