Re: session vulnerabilities

2007-07-18 Thread Michael Traher
I care deeply for them all ;-)

On 7/18/07, Claude Schneegans [EMAIL PROTECTED] wrote:
> Unfortunately this may exclude AOL users
> Who cares about AOL users? ;-))
> --
> ___ REUSE CODE! Use custom tags; See

RE: session vulnerabilities

2007-07-17 Thread Ben Nadel
Once the session times out, it won't matter that the same CFID / CFTOKEN are being used. This is the same exact thing as letting a web page sit open for a few hours, then refreshing the page and being kicked out of the session. The browser makes a request with the CFID / CFTOKEN values that it has

Re: session vulnerabilities

2007-07-17 Thread Michael Traher
Ok - supposing a hacker generates a valid session on a site, then invites others to click on a link with the same cfid cftoken on the url, meanwhile the hacker keeps the session alive. Any visitors that click on the hacker's link are now sharing their details with the hacker in the same session in

Re: session vulnerabilities

2007-07-17 Thread Rick Root
On 7/17/07, Michael Traher [EMAIL PROTECTED] wrote:
> We are currently considering stripping cfid cftoken and jsessionid from the url scope in application.cfc. This means users must use cookies to use the site of course. Any thoughts?

As long as you understand that a user can pretty easily

Re: session vulnerabilities

2007-07-17 Thread Jochem van Dieten
Michael Traher wrote:
> Ok - supposing a hacker generates a valid session on a site, then invites others to click on a link with the same cfid cftoken on the url, meanwhile the hacker keeps the session alive. Any visitors that click on the hacker's link are now sharing their details with the

Re: session vulnerabilities

2007-07-17 Thread Claude Schneegans
> supposing a hacker generates a valid session on a site, then invites others to click on a link with the same cfid cftoken on the url

Keep the IP address of the one who created the session in the session variables, then refuse any other connection in the same session from another IP.
--

Re: session vulnerabilities

2007-07-17 Thread Michael Traher
Unfortunately this may exclude AOL users that can end up getting different IP addresses per request because of the proxy setup they have.

On 7/17/07, Claude Schneegans [EMAIL PROTECTED] wrote:
> supposing a hacker generates a valid session on a site, then invites others to click on a link with

Re: session vulnerabilities

2007-07-17 Thread Rick Root
On 7/17/07, Michael Traher [EMAIL PROTECTED] wrote:
> Unfortunately this may exclude AOL users that can end up getting different IP addresses per request because of the proxy setup they have.

I've *HEARD* of that potentially being a problem. But never seen actual proof. In fact, phpBB does

Re: session vulnerabilities

2007-07-17 Thread Claude Schneegans
> Unfortunately this may exclude AOL users

Who cares about AOL users? ;-))
--
___ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: [EMAIL PROTECTED]) Thanks.