Ok - supposing a hacker generates a valid session on a site, then invites others to click on a link with the same cfid/cftoken on the url, meanwhile the hacker keeps the session alive.
Any visitors that click on the hacker's link are now sharing their details with the hacker in the same session, in theory. We are currently considering stripping cfid, cftoken and jsessionid from the url scope in Application.cfc. This means users must use cookies to use the site, of course. Any thoughts?

On 7/17/07, Ben Nadel <[EMAIL PROTECTED]> wrote:
>
> Once the session times out, it won't matter that the same CFID / CFTOKEN
> are being used. This is the same exact thing as letting a web page sit
> open for a few hours, then refreshing the page and being kicked out of
> the session. The Browser makes a request with the CFID / CFTOKEN values
> that it has in its cookies.
>
> This is NOT a security risk, as far as I can see it. At least not if
> your session management is using cookie-based CFID / CFTOKEN values.
>
>
> ......................
> Ben Nadel
> Certified Advanced ColdFusion MX7 Developer
> www.bennadel.com
>
> Need ColdFusion Help?
> www.bennadel.com/ask-ben/
>
> -----Original Message-----
> From: Michael Traher [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 17, 2007 9:34 AM
> To: CF-Talk
> Subject: session vulnerabilities
>
> If cfid and cftoken or jsessionid are copied and used later maliciously
> on the url, how should a site respond?
>
> How do folks guard against this?
>
>
> --
> Mike T
> Blog http://www.socialpoints.com/
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|

ColdFusion MX7 and Flex 2
Build sales & marketing dashboard RIAs for your business. Upgrade now
http://www.adobe.com/products/coldfusion/flex2?sdid=RVJT
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:283869
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
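One way to act on the "strip them from the url scope" idea in Application.cfc, written here as an added example rather than code from either poster. It assumes the identifiers arrive in the query string and uses an assumed application name; because ColdFusion has already bound the request to whatever session the URL named by the time onRequestStart runs, the example discards that session and sends the visitor to the same page without the identifiers, so a link carrying someone else's CFID/CFTOKEN never lands the visitor in that session.

```cfml
<!--- Application.cfc (added example): refuse session identifiers supplied on the URL --->
<cfcomponent output="false">
    <cfset this.name = "example_app">            <!--- assumed application name --->
    <cfset this.sessionManagement = true>
    <cfset this.setClientCookies = true>         <!--- sessions are tracked by cookie only --->
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>

    <cffunction name="onRequestStart" returnType="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var idKeys = "cfid,cftoken,jsessionid">
        <cfset var cleanQuery = "">
        <cfset var target = cgi.script_name>
        <cfset var pair = "">
        <cfset var tainted = false>

        <!--- Rebuild the query string, dropping any session identifier --->
        <cfloop list="#cgi.query_string#" delimiters="&" index="pair">
            <cfif listFindNoCase(idKeys, listFirst(pair, "="))>
                <cfset tainted = true>
            <cfelse>
                <cfset cleanQuery = listAppend(cleanQuery, pair, "&")>
            </cfif>
        </cfloop>

        <cfif tainted>
            <!--- The session this request was attached to was chosen by whoever
                  built the link, so it is not trusted: empty it, expire the
                  identifier cookies so the browser starts a fresh session on the
                  next request, and redirect to the same page without the keys. --->
            <cfset structClear(session)>
            <cfcookie name="CFID" value="" expires="now">
            <cfcookie name="CFTOKEN" value="" expires="now">
            <cfif len(cleanQuery)>
                <cfset target = target & "?" & cleanQuery>
            </cfif>
            <cflocation url="#target#" addToken="false">
            <cfreturn false>
        </cfif>

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Note that this only closes the URL-supplied path; a session should still be rotated or re-created at login so that an identifier obtained before authentication is not valid afterwards.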