Connie DeCinko wrote:
> No, even so, that is a major bug in ColdFusion and/or sandboxing, or at
> least a problem with the configuration. This means that someone could
> maliciously decide to hijack my site just because they are on the same box
> and guessed my application name.

It is documented behaviour, so it is not a bug but a gotcha:

"You can have multiple Application.cfc files, Application.cfm files, and cfapplication tags that use the same application name. In this case, all pages that have the same name share the same application settings and Application scope and can set and get all the variables in this scope."
http://livedocs.macromedia.com/coldfusion/7/htmldocs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=ColdFusion_Documentation&file=00001111.htm#1165302

I think it would be neat if you could 'lock' applications and sessions so they can only be loaded after / during inclusion of the same application.cfc that ran the onApplication/SessionStart. In fact, I just suggested that to Macromedia:
http://www.macromedia.com/go/wish/

Jochem
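
An added example, not part of the original message or of any ColdFusion tooling: a small audit script a hosting administrator could run over the web roots on a shared box to find application names declared by more than one site, which per the documentation quoted above means those sites share one Application scope. The directory layout, the sample names and the case-insensitive comparison are assumptions made for the example.

```python
import os
import re
import tempfile
from collections import defaultdict

# Only literal names are matched; names built from expressions (#...#) are skipped.
CFC_NAME = re.compile(r'\bthis\.name\s*=\s*["\']([^"\'#]+)["\']', re.I)
TAG_NAME = re.compile(r'<cfapplication\b[^>]*?\bname\s*=\s*["\']([^"\'#]+)["\']', re.I | re.S)

def declared_names(root):
    """Map each literal application name to the files that declare it."""
    found = defaultdict(set)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".cfc", ".cfm")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            names = TAG_NAME.findall(text)          # cfapplication tag in any template
            if fn.lower() == "application.cfc":
                names += CFC_NAME.findall(text)     # this.name in Application.cfc
            for n in names:
                # Assumption: compare case-insensitively so near-duplicates are flagged too.
                found[n.strip().lower()].add(os.path.relpath(path, root))
    return found

def shared_names(root):
    """Names declared in more than one directory, i.e. one scope shared across sites."""
    out = {}
    for name, paths in declared_names(root).items():
        if len({os.path.dirname(p) for p in paths}) > 1:
            out[name] = sorted(paths)
    return out

def build_sample(root):
    """Constructed sample tree: two tenants reuse 'shop', a third has a unique name."""
    files = {
        "tenant_a/Application.cfc": '<cfcomponent><cfset this.name = "shop"></cfcomponent>',
        "tenant_b/Application.cfm": '<cfapplication name="Shop" sessionmanagement="yes">',
        "tenant_c/Application.cfc": '<cfcomponent><cfset this.name = "intranet_7f3a"></cfcomponent>',
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, paths in shared_names(tmp).items():
            print(f"shared application name {name!r}: {', '.join(paths)}")
```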