Yes - the moral of the story is that you should use J2EE sessions if
you care about security (which has been the case since they were
introduced in CF 6).

On 9/26/07, Mike Chabot wrote:
> I did further testing and verified that using UUIDs for the cftokens
> does not address the security vulnerability. If you specify that you
> want to use UUIDs, CF Server doesn't seem to check that the token is a
> valid UUID.
>
> On the other hand, using jsessions behaves as expected. If you clear
> out the jsessionid, you get assigned a new one on the next page hit.
>
> -Mike Chabot

-- 
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/
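The two behaviours described in the thread, as an added example in Python that is not ColdFusion's own code: a hypothetical in-memory session store that either adopts whatever token the browser presents (the cftoken behaviour Mike observed) or, J2EE-style, only honours a well-formed token it has itself issued and otherwise assigns a fresh one. It goes one step beyond the thread: a UUID format check on its own would still accept a well-formed id chosen by someone else, so the strict mode also requires the id to exist server-side.

```python
import re
import uuid

# Constructed example; SessionStore is a hypothetical store, not CF's session engine.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


class SessionStore:
    """Single-process session table keyed by the token sent in the cookie."""

    def __init__(self, strict):
        self.strict = strict      # False: adopt client token; True: J2EE-style
        self.sessions = {}        # token -> session data

    def _new(self):
        token = str(uuid.uuid4())
        self.sessions[token] = {}
        return token

    def resolve(self, client_token):
        """Return (token, is_new) for the cookie value of one request (None if absent)."""
        if client_token is None:
            # No cookie at all: every mode hands out a fresh server-generated id.
            return self._new(), True
        if not self.strict:
            # Insecure: trust the browser and create a session under whatever it sent,
            # so a token planted by a third party becomes the user's session id.
            self.sessions.setdefault(client_token, {})
            return client_token, False
        # Secure: the id must be well formed AND already known to the server;
        # anything else (cleared, malformed or never issued) gets a new id.
        if UUID_RE.match(client_token) and client_token in self.sessions:
            return client_token, False
        return self._new(), True


def fixation_possible(strict):
    """True if a well-formed id that the server never issued is accepted as-is."""
    store = SessionStore(strict)
    planted = str(uuid.uuid4())   # valid format, but not issued by this server
    token, _ = store.resolve(planted)
    return token == planted
```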


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289483