Quoting Andy Ousterhout <[EMAIL PROTECTED]>:

> What do you mean, maintained on the client?

The client has to send the CFID and CFToken. If the client doesn't do that, the server will not be able to associate the appropriate session variables with the client request. That is not a problem when users are logged out when the session fails, but it leaves a security risk if the client is allowed more when the session is not present. Simply refusing the cookies with the CFID and CFToken would give me an unlimited number of login attempts. Always design systems with a fail-closed behaviour.

Jochem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting.
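An added illustration of the point Jochem makes, not code from this thread and written in Python rather than ColdFusion: a login lockout counter kept only in the cookie-bound session is reset whenever the client withholds its CFID/CFToken cookies, while a counter kept server-side per account is not. The session ids, the `PASSWORDS` store and the lockout threshold are constructed for the example.

```python
# Constructed sample credential store and lockout threshold (not from the thread).
PASSWORDS = {"alice": "correct-horse"}
MAX_ATTEMPTS = 3


class Server:
    def __init__(self):
        self.sessions = {}          # session id -> session scope (what CFID/CFToken bind to)
        self.account_failures = {}  # username -> failures recorded server-side
        self.next_id = 0

    def _session(self, cookies):
        """Return the session bound to the client's CFID cookie, issuing a new one if absent.
        CFToken is omitted here; only the presence/absence of the session matters."""
        sid = cookies.get("CFID")
        if sid in self.sessions:
            return self.sessions[sid]
        self.next_id += 1
        sid = str(self.next_id)
        self.sessions[sid] = {"failures": 0}
        cookies["CFID"] = sid
        return self.sessions[sid]

    def login_fail_open(self, cookies, user, password):
        """Counter lives only in the session: dropping the cookies starts from zero again."""
        sess = self._session(cookies)
        if sess["failures"] >= MAX_ATTEMPTS:
            return "locked"
        if password == PASSWORDS.get(user):
            return "ok"
        sess["failures"] += 1
        return "denied"

    def login_fail_closed(self, cookies, user, password):
        """Counter keyed on the account server-side: a missing session never resets it."""
        self._session(cookies)  # a session is still issued, but the lockout does not trust it
        if self.account_failures.get(user, 0) >= MAX_ATTEMPTS:
            return "locked"
        if password == PASSWORDS.get(user):
            self.account_failures[user] = 0
            return "ok"
        self.account_failures[user] = self.account_failures.get(user, 0) + 1
        return "denied"


def attempts_evaluated(login_method, drop_cookies, n=10):
    """Count wrong-password attempts the server still evaluates ('denied' rather than
    'locked') when the client keeps or discards its cookies between attempts."""
    server, cookies, evaluated = Server(), {}, 0
    for _ in range(n):
        if drop_cookies:
            cookies = {}
        if getattr(server, login_method)(cookies, "alice", "wrong") == "denied":
            evaluated += 1
    return evaluated
```

With the session-only counter, a client that discards its cookies gets all ten attempts evaluated; with the account-keyed counter it is locked after three either way.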