Michael Traher wrote:
> Ok - supposing a hacker generates a valid session on a site, then invites
> others to click on a link with the same cfid cftoken on the url, meanwhile
> the hacker keeps the session alive.
>
> Any visitors that click on the hacker's link are now sharing their details
> with the hacker in the same session in theory.
The hacker is sharing his details with the visitors, not the other way around. For the visitors to share their details with the hacker they would have to enter them during the session or log on while their existing session remains active. If you are concerned about that, make sure that on a logon page users switch sessions.

> We are currently considering stripping cfid cftoken and jsessionid from the
> url scope in application.cfc. This means users must use cookies to use the
> site of course.

That would indeed add some obscurity. I would prefer the security from switching a user's session on logon.

Jochem

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:283899
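The scenario discussed in this thread (a session id handed to a visitor via the URL, and rotating the session at logon as the fix) as an added example; this is not code from the thread and not ColdFusion code, but a small generic Python model of a session store. The class and function names (`SessionStore`, `App`, `fixation_scenario`) and the two switches (`rotate_on_login`, `accept_url_ids`, standing for "switch sessions on logon" and "stop honouring cfid/cftoken from the URL") are assumptions chosen for the illustration.

```python
import secrets


class SessionStore:
    """Server-side session table keyed by an unguessable session id."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def rotate(self, old_sid):
        # Issue a fresh id and move the pre-login state (e.g. a cart) to it,
        # so anyone who knew the old id is left holding a dead session.
        data = self._sessions.pop(old_sid, {})
        new_sid = self.create()
        self._sessions[new_sid] = data
        return new_sid


class App:
    """Hypothetical web app: resolves a session id per request and logs users in."""

    def __init__(self, rotate_on_login, accept_url_ids):
        self.store = SessionStore()
        self.rotate_on_login = rotate_on_login
        self.accept_url_ids = accept_url_ids

    def resolve_session(self, cookie_sid, url_sid):
        # The behaviour under discussion: an id carried in the URL is honoured
        # when no cookie is present, unless the app only accepts cookies.
        sid = cookie_sid or (url_sid if self.accept_url_ids else None)
        if sid is None or self.store.get(sid) is None:
            sid = self.store.create()
        return sid

    def login(self, sid, username):
        if self.rotate_on_login:
            sid = self.store.rotate(sid)
        self.store.get(sid)["user"] = username
        return sid


def fixation_scenario(rotate_on_login, accept_url_ids):
    """Return True if the id the link-sender knows ends up holding the visitor's login."""
    app = App(rotate_on_login, accept_url_ids)
    # A valid session is created and kept alive; its id goes into a shared link.
    known_sid = app.resolve_session(cookie_sid=None, url_sid=None)
    # A visitor with no cookie of their own follows the link, adds something
    # to the session before logging in, then logs in.
    visitor_sid = app.resolve_session(cookie_sid=None, url_sid=known_sid)
    app.store.get(visitor_sid)["cart"] = ["constructed sample item"]
    visitor_sid = app.login(visitor_sid, "alice")
    # Did the pre-login state survive the login? (rotation must not lose it)
    assert app.store.get(visitor_sid).get("cart") == ["constructed sample item"]
    leaked = app.store.get(known_sid) or {}
    return leaked.get("user") == "alice"


if __name__ == "__main__":
    print("URL ids honoured, no rotation :", fixation_scenario(False, True))   # True: shared
    print("URL ids honoured, rotate      :", fixation_scenario(True, True))    # False
    print("cookies only, no rotation     :", fixation_scenario(False, False))  # False
```

The first configuration reproduces the concern raised in the thread: because the visitor logs in inside the session whose id was in the link, the login becomes visible to whoever already holds that id. Either mitigation closes it, but only rotation on logon also protects users who arrive with a fixed id by some other route than the URL, which is why the reply prefers it over stripping cfid/cftoken from the URL scope.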