Sorry, that's just completely wrong.

Any page, anywhere on the server, can use your Application name and
get your Application scope variables; this can't even be prevented
with sandboxing. If I have access to createObject("java") (which can
be sandboxed out), I can even use the service factory to get your
application name (and the app names for everyone else) and get
everything in your application (and for that matter your sessions
too).

In fact I have a session tracker for monitoring purposes on our
servers that relies on this ability.

On 9/21/07, Brian Kotek wrote:
> They can't, and I'm 99% sure they never have been. The only code that can
> read an application variable is code that lives under a directory where the
> cfapplication tag with that application name.  Many people store this info
> in an application-scoped Config CFC and pass that into whatever other CFCs
> need it.
>
> On 9/21/07, Andrew Grosset wrote:
> >
> > I use the request scope for database name, username & password for
> > cfqueries since I believe application variables can be read by all on a
> > shared server - not sure if this is still the case though.


-- 
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/
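
Added example, not part of the original message and not ColdFusion's own code: a defender-side audit for the situation described in the reply above, where a page in another directory declares an existing Application name. It assumes a shared web root with one top-level directory per tenant; that layout, the function names and the sample files are constructed for illustration, and names are compared case-insensitively as a conservative assumption.

```python
import os
import re
import tempfile
from collections import defaultdict

# <cfapplication name="..."> in Application.cfm or any other template
TAG_RE = re.compile(r'<cfapplication\b[^>]*?\bname\s*=\s*(["\'])(.*?)\1', re.I | re.S)
# this.name = "..." in Application.cfc
CFC_RE = re.compile(r'\bthis\.name\s*=\s*(["\'])(.*?)\1', re.I)
EXTS = (".cfm", ".cfc", ".cfml")

def declared_names(text):
    """Literal application names declared in one template, lower-cased."""
    names = {m.group(2).lower() for rx in (TAG_RE, CFC_RE) for m in rx.finditer(text)}
    # Names built from #expressions# cannot be resolved statically; skip them.
    return {n for n in names if "#" not in n}

def audit(shared_root):
    """Return {app name: [tenants]} for names declared by more than one tenant."""
    owners = defaultdict(set)
    for tenant in sorted(os.listdir(shared_root)):
        tdir = os.path.join(shared_root, tenant)
        if not os.path.isdir(tdir):
            continue
        for dirpath, _, files in os.walk(tdir):
            for f in files:
                if f.lower().endswith(EXTS):
                    with open(os.path.join(dirpath, f), errors="replace") as fh:
                        for name in declared_names(fh.read()):
                            owners[name].add(tenant)
    return {n: sorted(t) for n, t in owners.items() if len(t) > 1}

def demo():
    """Build a constructed shared-host layout in a temp dir and audit it."""
    files = {
        "tenant_a/Application.cfm": '<cfapplication name="Shop" sessionmanagement="yes">',
        "tenant_b/Application.cfc": 'component { this.name = "blog"; }',
        "tenant_c/tools/report.cfm": "<CFAPPLICATION sessionmanagement='no' name='shop'>",
        "tenant_c/Application.cfc": 'component { this.name = "#hash(getCurrentTemplatePath())#"; }',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return audit(root)
```

A name reported here is declared under more than one tenant directory, so each such declaration is worth reviewing by hand.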
