Once the session times out, it won't matter that the same CFID / CFTOKEN are being used. This is the same exact thing as letting a web page sit open for a few hours, then refreshing the page and being kicked out of the session. The browser makes a request with the CFID / CFTOKEN values that it has in its cookies.
This is NOT a security risk, as far as I can see. At least not if your session management is using cookie-based CFID / CFTOKEN values.

......................
Ben Nadel
Certified Advanced ColdFusion MX7 Developer
www.bennadel.com
Need ColdFusion Help? www.bennadel.com/ask-ben/

-----Original Message-----
From: Michael Traher [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 17, 2007 9:34 AM
To: CF-Talk
Subject: session vulnerabilities

If cfid and cftoken or jsessionid are copied and used later maliciously on the URL, how should a site respond? How do folks guard against this?

--
Mike T
Blog http://www.socialpoints.com/
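One defensive check for the scenario Mike raises (session identifiers copied out of a URL and presented again later), added here as an example that is not from either poster: it scans constructed web-server log lines for CFID / CFTOKEN or jsessionid carried in the request URL rather than in a cookie, and flags any value that turns up from more than one client address. The log lines, the log regex and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Session identifiers named in the thread: ColdFusion's CFID/CFTOKEN pair and the J2EE jsessionid.
SESSION_PARAMS = {"cfid", "cftoken", "jsessionid"}

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jul/2007:09:34:01 +0000] "GET /account.cfm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Jul/2007:09:34:05 +0000] "GET /account.cfm?CFID=1234&CFTOKEN=98765432 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Jul/2007:11:02:17 +0000] "GET /account.cfm?CFID=1234&CFTOKEN=98765432 HTTP/1.1" 200 512 "http://example.org/forum" "curl/7.15"
198.51.100.9 - - [17/Jul/2007:11:02:20 +0000] "GET /orders.cfm;jsessionid=ABCDEF0123456789 HTTP/1.1" 200 2048 "-" "curl/7.15"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')


def session_ids_in_url(target):
    """Return {name: value} for every session identifier carried in the request URL."""
    found = {}
    parts = urlsplit(target)
    # Query-string form: /page.cfm?CFID=...&CFTOKEN=...
    for key, values in parse_qs(parts.query).items():
        if key.lower() in SESSION_PARAMS:
            found[key.lower()] = values[0]
    # Path-parameter form used by servlet containers: /page;jsessionid=...
    m = re.search(r";jsessionid=([^;?/]+)", parts.path, re.IGNORECASE)
    if m:
        found["jsessionid"] = m.group(1)
    return found


def find_url_session_reuse(log_text):
    """Flag URL-borne session identifiers, and any identifier value seen from more than one client IP."""
    seen_from = {}  # (name, value) -> set of client IPs that presented it
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        ids = session_ids_in_url(m.group("target"))
        if not ids:
            continue  # cookie-based request, nothing exposed in the URL
        alerts.append(("session_id_in_url", m.group("ip"), tuple(sorted(ids))))
        for name, value in ids.items():
            ips = seen_from.setdefault((name, value), set())
            ips.add(m.group("ip"))
            if len(ips) > 1:  # same token presented by a second client: likely copied and replayed
                alerts.append(("session_id_reused_from_other_ip", m.group("ip"), (name, value)))
    return alerts
```

Feeding the sample log to `find_url_session_reuse` reports every URL-borne identifier and, for the second client that presents the same CFID / CFTOKEN pair, a reuse alert; a site that keeps its session identifiers cookie-only can treat any hit from the first check as a request to investigate.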