Ok, i'm skeptical. Are you absolutely positive that the header request being sent to the web server has the modified CFID and CFTOKEN? Have you used webscarab or a similar proxy to capture requests and modify them? Also, does this occur if you clear the CFID and CFTOKEN, and then hijack the session from a different computer/ip address?
CoolJJ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| ColdFusion is delivering applications solutions at at top companies around the world in government. Find out how and where now http://www.adobe.com/cfusion/showcase/index.cfm?event=finder&productID=1522&loc=en_us Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289513 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
