Re: Best practices for xss security in CMS? - Related Question
On Wed, Mar 5, 2014 at 11:16 AM, Nick Gleason n.glea...@citysoft.com wrote:

> Hi Pete,
>
> I've been researching CSP and it sounds like a pretty cool option. But, I just wanted to follow up on this comment that you made below:
>
> -- it will also block inline scripts and style elements --
>
> Are you saying that even if you have the self or default values in place, it will block a regular old script in your page? For instance, if you just have something like this:
>
>     <script>CODE HERE</script>
>
> That will be a problem? Why?

Hi Nick,

Yes if you have the following:

    Content-Security-Policy: default-src 'self';

It will block any <script>code here</script> tags in your page, you can only use <script src="/some/uri"></script>

This is a recognized problem in CSP 1.0 and CSP 1.1 is currently in development right now with two solutions for this use case, you can specify a nonce in the header, so you would do something like this:

    Content-Security-Policy: script-src 'self' 'nonce-random_string_123';

Then you can do this:

    <script nonce="random_string_123">code here</script>

You can do the same for inline style tags. See http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#nonce-usage-for-script-elements

The second option in CSP 1.1 is hash whitelisting, where you compute a hash of the script contents and put that in the header. See http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#hash-usage-for-script-elements

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

~| Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357861 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
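
Added example (not part of the original thread and not the poster's code): Node.js code that models how the three policies discussed in the message above treat an inline script, covering `default-src 'self'`, a per-response nonce, and a hash source. The function names and the sample script are hypothetical; the `'sha256-...'` source syntax is the one standardized in CSP Level 2, the successor of the 1.1 draft linked above.

```javascript
// Added example: models CSP handling of inline <script> blocks (Node.js, stdlib only).
const crypto = require("node:crypto");

// Nonce for one response: unpredictable, and regenerated for every response.
function makeNonce() {
  return crypto.randomBytes(16).toString("base64");
}

// Hash source for an inline script: base64 SHA-256 of the exact text between the tags.
function hashSource(scriptText) {
  const digest = crypto.createHash("sha256").update(scriptText, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// Split a policy string into Map(directive name -> list of source expressions).
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1)); // first occurrence wins
  }
  return policy;
}

// Decide whether an inline script ({ text, nonce }) would run under the policy.
function inlineScriptAllowed(policy, script) {
  // script-src governs scripts; default-src is the fallback when it is absent.
  const sources = policy.get("script-src") ?? policy.get("default-src");
  if (sources === undefined) return true; // no directive restricts scripts
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
  if (sources.includes(hashSource(script.text))) return true;
  // 'self' only matches URLs, never inline code. 'unsafe-inline' is ignored
  // as soon as the list also carries a nonce or hash source.
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return !hasNonceOrHash && sources.includes("'unsafe-inline'");
}

function demo() {
  const inline = "document.title = 'hello';"; // constructed sample script
  const nonce = makeNonce();
  const selfOnly = parsePolicy("default-src 'self';");
  const withNonce = parsePolicy(`script-src 'self' 'nonce-${nonce}';`);
  const withHash = parsePolicy(`script-src 'self' ${hashSource(inline)};`);
  return {
    selfOnly: inlineScriptAllowed(selfOnly, { text: inline }),
    nonceMatches: inlineScriptAllowed(withNonce, { text: inline, nonce }),
    nonceMissing: inlineScriptAllowed(withNonce, { text: inline }),
    hashMatches: inlineScriptAllowed(withHash, { text: inline }),
    hashTampered: inlineScriptAllowed(withHash, { text: inline + " " }),
  };
}

console.log(demo());
```

The hash covers the script text byte for byte, so even a whitespace change inside the tag invalidates it; a nonce reused across responses gives an injected script the same pass as the legitimate one.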
what is faster?
<cfif (serializeJSON(qry1) eq serializeJSON(qry2))> to compare 2 queries

or sticking the queries into an array and then

<cfif #qryArray1.equals(qryArray2)# IS YES>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357860
Re: what is faster?
just turn on your debug output and you can test this yourself.
run the first code a few times, look at the average execution time
now do the same for the second code

On Thu, Mar 6, 2014 at 5:25 PM, Paul Ihrig pih...@gmail.com wrote:

> <cfif (serializeJSON(qry1) eq serializeJSON(qry2))> to compare 2 queries
>
> or sticking the queries into an array and then
>
> <cfif #qryArray1.equals(qryArray2)# IS YES>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357862
Re: what is faster?
> <cfif (serializeJSON(qry1) eq serializeJSON(qry2))> to compare 2 queries
>
> or sticking the queries into an array and then
>
> <cfif #qryArray1.equals(qryArray2)# IS YES>

TryCF.com is great for stuff like this. Plug this code into TryCF.com and give it a whirl...

    <cfscript>
    // Two identical 500-row queries to compare
    qry1 = queryNew("x,y,z");
    queryAddRow(qry1, 500);
    qry2 = queryNew("x,y,z");
    queryAddRow(qry2, 500);

    // Time 1000 comparisons of the serialized JSON strings
    timeStart = getTickCount();
    for (i=1; i lte 1000; i++) {
        x = serializeJSON(qry1) eq serializeJSON(qry2);
    }
    timeEnd = getTickCount();
    writeOutput("<p>Serialize Time: " & (timeEnd - timeStart) & " ms</p>");

    // Time 1000 comparisons with equals()
    timeStart = getTickCount();
    for (i=1; i lte 1000; i++) {
        x = qry1.equals(qry2);
    }
    timeEnd = getTickCount();
    writeOutput("<p>Array Time: " & (timeEnd - timeStart) & " ms</p>");
    </cfscript>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357863
Re: what is faster?
or even www.cflive.net

On Thu, Mar 6, 2014 at 5:48 PM, Justin Scott leviat...@darktech.org wrote:

>> <cfif (serializeJSON(qry1) eq serializeJSON(qry2))> to compare 2 queries
>>
>> or sticking the queries into an array and then
>>
>> <cfif #qryArray1.equals(qryArray2)# IS YES>
>
> TryCF.com is great for stuff like this. Plug this code into TryCF.com and give it a whirl...
>
>     <cfscript>
>     // Two identical 500-row queries to compare
>     qry1 = queryNew("x,y,z");
>     queryAddRow(qry1, 500);
>     qry2 = queryNew("x,y,z");
>     queryAddRow(qry2, 500);
>
>     // Time 1000 comparisons of the serialized JSON strings
>     timeStart = getTickCount();
>     for (i=1; i lte 1000; i++) {
>         x = serializeJSON(qry1) eq serializeJSON(qry2);
>     }
>     timeEnd = getTickCount();
>     writeOutput("<p>Serialize Time: " & (timeEnd - timeStart) & " ms</p>");
>
>     // Time 1000 comparisons with equals()
>     timeStart = getTickCount();
>     for (i=1; i lte 1000; i++) {
>         x = qry1.equals(qry2);
>     }
>     timeEnd = getTickCount();
>     writeOutput("<p>Array Time: " & (timeEnd - timeStart) & " ms</p>");
>     </cfscript>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357864
RE: SQL Global String Replace
Thanks everyone for the suggestions. I've tested the one at this link: http://www.mssqltips.com/sqlservertip/1555/sql-server-find-and-replace-values-in-all-tables-and-all-text-columns/ and it works perfectly.

I mentioned previously that I was hoping to run it in CF, and that was partially because some of the hosts don't like to give direct access to the data bases on their servers. Regardless, after testing I can see it's a heavy load and have to agree with Ben Forta that it really should be run as a query in Studio. I'll deal with getting the access I need to run directly.

Thanks,
Robert

Robert Harrison
Director of Interactive Services
Austin Williams
Advertising I Branding I Digital I Direct
125 Kennedy Drive, Suite 100 I Hauppauge, NY 11788
T 631.231.6600 X 119 F 631.434.7022
http://www.austin-williams.com
Blog: http://www.austin-williams.com/blog
Twitter: http://www.twitter.com/austi

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357865
Re: SQL Global String Replace
you could just use a stored procedure which will save it directly to the database, and then execute it from CF

On Thu, Mar 6, 2014 at 9:05 PM, Robert Harrison rob...@austin-williams.com wrote:

> Thanks everyone for the suggestions. I've tested the one at this link: http://www.mssqltips.com/sqlservertip/1555/sql-server-find-and-replace-values-in-all-tables-and-all-text-columns/ and it works perfectly.
>
> I mentioned previously that I was hoping to run it in CF, and that was partially because some of the hosts don't like to give direct access to the data bases on their servers. Regardless, after testing I can see it's a heavy load and have to agree with Ben Forta that it really should be run as a query in Studio. I'll deal with getting the access I need to run directly.
>
> Thanks,
> Robert
>
> Robert Harrison
> Director of Interactive Services
> Austin Williams
> Advertising I Branding I Digital I Direct
> 125 Kennedy Drive, Suite 100 I Hauppauge, NY 11788
> T 631.231.6600 X 119 F 631.434.7022
> http://www.austin-williams.com
> Blog: http://www.austin-williams.com/blog
> Twitter: http://www.twitter.com/austi

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357866
RE: SQL Global String Replace
> you could just use a stored procedure which will save it directly to the database, and then execute it from CF

That never even crossed my mind. Good idea. Thanks.

Robert Harrison
Director of Interactive Services
Austin Williams
Advertising I Branding I Digital I Direct
125 Kennedy Drive, Suite 100 I Hauppauge, NY 11788
T 631.231.6600 X 119 F 631.434.7022
http://www.austin-williams.com
Blog: http://www.austin-williams.com/blog
Twitter: http://www.twitter.com/austin_

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357867
CF session management suddenly not sticking ...
New site version running at http://new.lelandwest.com

On some older browsers (XP wkstns w/IE8 are definitely vulnerable) the site will not maintain state - i.e. cfid and cftoken get new values on every page visit (they're displayed on screen right now).

It doesn't always happen, even on the same workstation... if I get a value to stick it will stay for the session, but I came back to one workstation this afternoon it was back to cycling cfid's again.

Opening a private browser window will always solve the problem. With that in mind, what's the best way to reset cookies on session start? I am using application.cfm.

What could cause this? Underlying CF code from the current site has barely changed.

--
--m@Robertson--
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357868
Re: CF session management suddenly not sticking ...
check the cookies that have been set in the browser, there are addons that will show you this. see if there are multiple cfid/cftoken cookies set. if so, that is likely the issue, and deleting all cookies should solve it.

On Thu, Mar 6, 2014 at 10:09 PM, Money Pit websitema...@gmail.com wrote:

> New site version running at http://new.lelandwest.com
>
> On some older browsers (XP wkstns w/IE8 are definitely vulnerable) the site will not maintain state - i.e. cfid and cftoken get new values on every page visit (they're displayed on screen right now).
>
> It doesn't always happen, even on the same workstation... if I get a value to stick it will stay for the session, but I came back to one workstation this afternoon it was back to cycling cfid's again.
>
> Opening a private browser window will always solve the problem. With that in mind, what's the best way to reset cookies on session start? I am using application.cfm.
>
> What could cause this? Underlying CF code from the current site has barely changed.
>
> --
> --m@Robertson--
> Janitor, The Robertson Team
> mysecretbase.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357869
Re: CF session management suddenly not sticking ...
Well you were right I had multiple values, but problem persists. Ran code below in OnRequestEnd.cfm and verified it was doing its job as expected (deleting existing cookies, page reloads with new cfid and cftoken, and the cReset cookie keeps it from happening all over again).

The code didn't hurt desktops that didn't have a problem, but it didn't help the ones that did, unfortunately. never seen anything like this... I usually don't mess with cookies.

    <cfif not isdefined("cookie.cReset")>
        <!--- expire every cookie the browser sent --->
        <cfloop item="name" collection="#cookie#">
            <cfcookie name="#name#" value="" expires="now">
        </cfloop>
        <!--- marker cookie so the reset only happens once --->
        <cfcookie name="cReset" value="1">
        <cflocation url="#variables.CleanURL#" addtoken="No">
    </cfif>

On Thu, Mar 6, 2014 at 2:22 PM, Russ Michaels r...@michaels.me.uk wrote:

> check the cookies that have been set in the browser, there are addons that will show you this. see if there are multiple cfid/cftoken cookies set. if so, that is likely the issue, and deleting all cookies should solve it.
>
> On Thu, Mar 6, 2014 at 10:09 PM, Money Pit websitema...@gmail.com wrote:
>
>> New site version running at http://new.lelandwest.com
>>
>> On some older browsers (XP wkstns w/IE8 are definitely vulnerable) the site will not maintain state - i.e. cfid and cftoken get new values on every page visit (they're displayed on screen right now).
>>
>> It doesn't always happen, even on the same workstation... if I get a value to stick it will stay for the session, but I came back to one workstation this afternoon it was back to cycling cfid's again.
>>
>> Opening a private browser window will always solve the problem. With that in mind, what's the best way to reset cookies on session start? I am using application.cfm.
>>
>> What could cause this? Underlying CF code from the current site has barely changed.
>>
>> --
>> --m@Robertson--
>> Janitor, The Robertson Team
>> mysecretbase.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357870
Re: CF session management suddenly not sticking ...
so if you check the cookies after running your code, is there only one cfid and cftoken, or is there still 2

On Fri, Mar 7, 2014 at 12:17 AM, Money Pit websitema...@gmail.com wrote:

> Well you were right I had multiple values, but problem persists. Ran code below in OnRequestEnd.cfm and verified it was doing its job as expected (deleting existing cookies, page reloads with new cfid and cftoken, and the cReset cookie keeps it from happening all over again).
>
> The code didn't hurt desktops that didn't have a problem, but it didn't help the ones that did, unfortunately. never seen anything like this... I usually don't mess with cookies.
>
>     <cfif not isdefined("cookie.cReset")>
>         <!--- expire every cookie the browser sent --->
>         <cfloop item="name" collection="#cookie#">
>             <cfcookie name="#name#" value="" expires="now">
>         </cfloop>
>         <!--- marker cookie so the reset only happens once --->
>         <cfcookie name="cReset" value="1">
>         <cflocation url="#variables.CleanURL#" addtoken="No">
>     </cfif>
>
> On Thu, Mar 6, 2014 at 2:22 PM, Russ Michaels r...@michaels.me.uk wrote:
>
>> check the cookies that have been set in the browser, there are addons that will show you this. see if there are multiple cfid/cftoken cookies set. if so, that is likely the issue, and deleting all cookies should solve it.
>>
>> On Thu, Mar 6, 2014 at 10:09 PM, Money Pit websitema...@gmail.com wrote:
>>
>>> New site version running at http://new.lelandwest.com
>>>
>>> On some older browsers (XP wkstns w/IE8 are definitely vulnerable) the site will not maintain state - i.e. cfid and cftoken get new values on every page visit (they're displayed on screen right now).
>>>
>>> It doesn't always happen, even on the same workstation... if I get a value to stick it will stay for the session, but I came back to one workstation this afternoon it was back to cycling cfid's again.
>>>
>>> Opening a private browser window will always solve the problem. With that in mind, what's the best way to reset cookies on session start? I am using application.cfm.
>>>
>>> What could cause this? Underlying CF code from the current site has barely changed.
>>>
>>> --
>>> --m@Robertson--
>>> Janitor, The Robertson Team
>>> mysecretbase.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357871
Re: CF session management suddenly not sticking ...
Nope I was down to one pair, and it was the pair just generated via the cflocation. The code was doing its job.

Another repeatable mystery: If I turn down IE8's security from the default of Medium-High to Medium it will always fix the problem. Same as with Private Browsing.

On Thu, Mar 6, 2014 at 4:19 PM, Russ Michaels r...@michaels.me.uk wrote:

> so if you check the cookies after running your code, is there only one cfid and cftoken, or is there still 2
>
> On Fri, Mar 7, 2014 at 12:17 AM, Money Pit websitema...@gmail.com wrote:
>
>> Well you were right I had multiple values, but problem persists. Ran code below in OnRequestEnd.cfm and verified it was doing its job as expected (deleting existing cookies, page reloads with new cfid and cftoken, and the cReset cookie keeps it from happening all over again).
>>
>> The code didn't hurt desktops that didn't have a problem, but it didn't help the ones that did, unfortunately. never seen anything like this... I usually don't mess with cookies.
>>
>>     <cfif not isdefined("cookie.cReset")>
>>         <!--- expire every cookie the browser sent --->
>>         <cfloop item="name" collection="#cookie#">
>>             <cfcookie name="#name#" value="" expires="now">
>>         </cfloop>
>>         <!--- marker cookie so the reset only happens once --->
>>         <cfcookie name="cReset" value="1">
>>         <cflocation url="#variables.CleanURL#" addtoken="No">
>>     </cfif>
>>
>> On Thu, Mar 6, 2014 at 2:22 PM, Russ Michaels r...@michaels.me.uk wrote:
>>
>>> check the cookies that have been set in the browser, there are addons that will show you this. see if there are multiple cfid/cftoken cookies set. if so, that is likely the issue, and deleting all cookies should solve it.
>>>
>>> On Thu, Mar 6, 2014 at 10:09 PM, Money Pit websitema...@gmail.com wrote:
>>>
>>>> New site version running at http://new.lelandwest.com
>>>>
>>>> On some older browsers (XP wkstns w/IE8 are definitely vulnerable) the site will not maintain state - i.e. cfid and cftoken get new values on every page visit (they're displayed on screen right now).
>>>>
>>>> It doesn't always happen, even on the same workstation... if I get a value to stick it will stay for the session, but I came back to one workstation this afternoon it was back to cycling cfid's again.
>>>>
>>>> Opening a private browser window will always solve the problem. With that in mind, what's the best way to reset cookies on session start? I am using application.cfm.
>>>>
>>>> What could cause this? Underlying CF code from the current site has barely changed.
>>>>
>>>> --
>>>> --m@Robertson--
>>>> Janitor, The Robertson Team
>>>> mysecretbase.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357872
Re: CF session management suddenly not sticking ...
in your cflocation tags you need to use addtoken="no" otherwise this can cause problems

the IE security setting may be down to the cookie acceptance policy, I don't know why that would make a difference, but worth comparing the 2 settings to see how it differs.

On Fri, Mar 7, 2014 at 12:50 AM, Money Pit websitema...@gmail.com wrote:

> Nope I was down to one pair, and it was the pair just generated via the cflocation. The code was doing its job.
>
> Another repeatable mystery: If I turn down IE8's security from the default of Medium-High to Medium it will always fix the problem. Same as with Private Browsing.
>
> On Thu, Mar 6, 2014 at 4:19 PM, Russ Michaels r...@michaels.me.uk wrote:
>
>> so if you check the cookies after running your code, is there only one cfid and cftoken, or is there still 2
>>
>> On Fri, Mar 7, 2014 at 12:17 AM, Money Pit websitema...@gmail.com wrote:
>>
>>> Well you were right I had multiple values, but problem persists. Ran code below in OnRequestEnd.cfm and verified it was doing its job as expected (deleting existing cookies, page reloads with new cfid and cftoken, and the cReset cookie keeps it from happening all over again).
>>>
>>> The code didn't hurt desktops that didn't have a problem, but it didn't help the ones that did, unfortunately. never seen anything like this... I usually don't mess with cookies.
>>>
>>>     <cfif not isdefined("cookie.cReset")>
>>>         <!--- expire every cookie the browser sent --->
>>>         <cfloop item="name" collection="#cookie#">
>>>             <cfcookie name="#name#" value="" expires="now">
>>>         </cfloop>
>>>         <!--- marker cookie so the reset only happens once --->
>>>         <cfcookie name="cReset" value="1">
>>>         <cflocation url="#variables.CleanURL#" addtoken="No">
>>>     </cfif>
>>>
>>> On Thu, Mar 6, 2014 at 2:22 PM, Russ Michaels r...@michaels.me.uk wrote:
>>>
>>>> check the cookies that have been set in the browser, there are addons that will show you this. see if there are multiple cfid/cftoken cookies set. if so, that is likely the issue, and deleting all cookies should solve it.
>>>>
>>>> On Thu, Mar 6, 2014 at 10:09 PM, Money Pit websitema...@gmail.com wrote:
>>>>
>>>>> New site version running at http://new.lelandwest.com
>>>>>
>>>>> On some older browsers (XP wkstns w/IE8 are definitely vulnerable) the site will not maintain state - i.e. cfid and cftoken get new values on every page visit (they're displayed on screen right now).
>>>>>
>>>>> It doesn't always happen, even on the same workstation... if I get a value to stick it will stay for the session, but I came back to one workstation this afternoon it was back to cycling cfid's again.
>>>>>
>>>>> Opening a private browser window will always solve the problem. With that in mind, what's the best way to reset cookies on session start? I am using application.cfm.
>>>>>
>>>>> What could cause this? Underlying CF code from the current site has barely changed.
>>>>>
>>>>> --
>>>>> --m@Robertson--
>>>>> Janitor, The Robertson Team
>>>>> mysecretbase.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357873
Re: CF session management suddenly not sticking ...
Yup I'm doing that. Put together a test page so as to take all of my code out of the picture... although that back end has been fine for years... The redesign was just a re-skin. But to be thorough I made this:

    <cfapplication
        name="test_0915"
        sessionmanagement="Yes"
        clientmanagement="Yes"
        sessiontimeout="#CreateTimeSpan(0,0,5,0)#"
        applicationtimeout="#CreateTimeSpan(0,2,0,0)#"
        setclientcookies="Yes"
        setdomaincookies="No">
    <cfif isdefined("url.cReset")>
        <cfloop item="name" collection="#cookie#">
            <cfcookie name="#name#" value="" expires="now">
        </cfloop>
    </cfif>
    <html><head><title>new.lelandwest.com/test/hello.cfm</title></head><body>
    <cfoutput>
    <p>#now()#</p>
    <a href="#cgi.script_name#?creset=1">Clear cookie scope reload page</a>
    <p>
    client:<br>#client.CFID# #client.cftoken#<br>
    <cflock scope="SESSION" type="readonly" timeout="10">
    session:<br>#session.CFID# #session.cftoken#<br>
    </cflock>
    cookie:<br>#cookie.CFID# #cookie.cftoken#
    </cfoutput>
    </p>
    <cfdump var="#cookie#">
    </body></html>

From the above I have learned that no matter what cfdump gives me two cfid's and two cftokens. but only for the old workstations running XP/IE8. Don't have good diagnostics installed yet to see complete cookie data.

After some tinkering (i.e. getting desperate) I put in the setclientcookies and setdomaincookies entries and things now seem to be working across all test machines (4 of them). But I have had this turn around on me before so I'll revisit tomorrow when I get back in. :-|

Thanks for your help!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357874
Re: CF session management suddenly not sticking ...
If you are going to be dumping things out in production, for the world to see, I would stop that habit. The last thing you want to do is annoy your clients / visitors with this stuff.

People are not forgiving when they see these things on the screen, personally if you have to do this, for god sake lock this output down to your development IP address.

Really Why do people insist on making changes directly on a production server... Seriously bad practice.

Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

On Fri, Mar 7, 2014 at 12:56 PM, Money Pit websitema...@gmail.com wrote:

> Yup I'm doing that. Put together a test page so as to take all of my code out of the picture... although that back end has been fine for years... The redesign was just a re-skin. But to be thorough I made this:
>
>     <cfapplication
>         name="test_0915"
>         sessionmanagement="Yes"
>         clientmanagement="Yes"
>         sessiontimeout="#CreateTimeSpan(0,0,5,0)#"
>         applicationtimeout="#CreateTimeSpan(0,2,0,0)#"
>         setclientcookies="Yes"
>         setdomaincookies="No">
>     <cfif isdefined("url.cReset")>
>         <cfloop item="name" collection="#cookie#">
>             <cfcookie name="#name#" value="" expires="now">
>         </cfloop>
>     </cfif>
>     <html><head><title>new.lelandwest.com/test/hello.cfm</title></head><body>
>     <cfoutput>
>     <p>#now()#</p>
>     <a href="#cgi.script_name#?creset=1">Clear cookie scope reload page</a>
>     <p>
>     client:<br>#client.CFID# #client.cftoken#<br>
>     <cflock scope="SESSION" type="readonly" timeout="10">
>     session:<br>#session.CFID# #session.cftoken#<br>
>     </cflock>
>     cookie:<br>#cookie.CFID# #cookie.cftoken#
>     </cfoutput>
>     </p>
>     <cfdump var="#cookie#">
>     </body></html>
>
> From the above I have learned that no matter what cfdump gives me two cfid's and two cftokens. but only for the old workstations running XP/IE8. Don't have good diagnostics installed yet to see complete cookie data.
>
> After some tinkering (i.e. getting desperate) I put in the setclientcookies and setdomaincookies entries and things now seem to be working across all test machines (4 of them). But I have had this turn around on me before so I'll revisit tomorrow when I get back in. :-|
>
> Thanks for your help!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357875