On 2/15/07, Josh Nathanson <[EMAIL PROTECTED]> wrote:
> Matt, can you explain exactly what the security issues are.

By exposing the cfid and cftoken you are announcing to the world what your session identifier is. In turn you are giving someone the opportunity to more easily manipulate it. Sure, someone can accept a cookie, read the value off the hard drive and then have the same info (I suppose you could make the read more difficult by not writing a cookie to disk and only using a session cookie), but by passing it via the URL you are making the job as easy as possible for the attacker. It's only one thin layer on the onion, but I'd rather have that layer on along with every other one I can get my hands on.

On 2/15/07, Dinner <[EMAIL PROTECTED]> wrote:
> In theory, it's exactly the same thing as using tokens. So you
> change it with every request-- you've still got to get the old token
> in! Lots of added complexity for the same end result.

Not the same thing. Whatever hack is in progress would not be able to count on a constant cfid and cftoken value after the initial read. Since it keeps changing, the hack would have to adapt to this. The job would be more difficult, but it's certainly not going to solve the problem of exposing the key pair and make the app bulletproof, by any stretch.

--
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269969
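The two points argued above (a session identifier carried in the URL leaks to anyone who sees the URL, and rotating the identifier on every request only raises the bar without closing the hole) can be shown with a small model. This is an added example, not code from the thread or from ColdFusion itself: the session store, the `tok` query parameter standing in for the CFID/CFTOKEN pair, and the Referer URL are all constructed for the illustration. It plays the same leaked token back against a fixed-identifier store and against a rotating one, in both orderings of attacker and victim.

```python
import secrets
from urllib.parse import parse_qs, urlparse


class SessionStore:
    """Toy server-side session store (constructed for this example).

    rotate=False models a fixed identifier such as CFID/CFTOKEN that stays
    the same for the life of the session; rotate=True hands the client a
    fresh token on every authenticated request and retires the old one.
    """

    def __init__(self, rotate: bool):
        self.rotate = rotate
        self.sessions = {}  # token -> session data

    def login(self, user: str) -> str:
        token = secrets.token_hex(8)
        self.sessions[token] = {"user": user}
        return token

    def request(self, token: str):
        """Authenticate one request.

        Returns (user, token_to_use_next) or None if the token is unknown.
        With rotation the presented token is consumed and a new one issued.
        """
        if self.rotate:
            sess = self.sessions.pop(token, None)
        else:
            sess = self.sessions.get(token)
        if sess is None:
            return None
        if self.rotate:
            token = secrets.token_hex(8)
            self.sessions[token] = sess
        return sess["user"], token


def token_from_referer(referer: str):
    """What a third-party site, a proxy or an access log sees when the
    session identifier rides in the URL: the browser sends the full
    referring URL, query string included."""
    return parse_qs(urlparse(referer).query).get("tok", [None])[0]


def replay_scenario(rotate: bool, attacker_first: bool):
    """Return (attacker_got_in, victim_still_works) for one scenario."""
    store = SessionStore(rotate)
    tok = store.login("alice")

    # Constructed leak: the victim follows an off-site link from a page whose
    # URL carries the identifier, so the identifier lands in a Referer header.
    leaked = token_from_referer(f"http://app.example/page.cfm?tok={tok}")

    if attacker_first:
        attack = store.request(leaked)
        victim = store.request(tok)
    else:
        victim = store.request(tok)
        attack = store.request(leaked)
    return attack is not None, victim is not None


if __name__ == "__main__":
    for rotate in (False, True):
        for first in (False, True):
            print(f"rotate={rotate!s:5} attacker_first={first!s:5} ->",
                  replay_scenario(rotate, first))
```

With a fixed identifier the replay works whenever the attacker tries it. With rotation the replay fails only if the victim has already made another request; if the attacker moves first, the attacker is now the one holding the live token and the victim is the one locked out. That is the sense in which rotation forces the attack to adapt but does nothing about the exposure itself; keeping the identifier out of the URL (cookie only) is what removes it from the Referer and from the logs in the first place.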