Duncan, I can't think of any security concern to note. As for your 3rd question, there is indeed a way to do it without this old trick. It's new as of CFMX 6, and involves the new "J2EE sessions" feature that's settable in the Admin console. That means it's for all apps on a server. It can't be set in application.cfm or .cfc. I wrote about it when it came out, in an Aug 2002 CFDJ article:
New Possibilities for Session and Client Variable Handling in CFMX
http://cfdj.sys-con.com/read/41646.htm

Hope that helps.

/Charlie
http://www.carehart.org/blog/

-----Original Message-----
From: cfaussie@googlegroups.com [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, February 22, 2007 6:35 PM
To: cfaussie
Subject: [cfaussie] session only cookies with the cfapplication tag

I can't work out why I never came across this before, but can someone answer this for me? Apologies for asking an age-old question that's probably been asked a million times.

This tag makes a user use a file-based cookie; this means that logging in to one site in one browser window will result in the same session in a completely new instance of the browser.

<cfapplication Name="#cgi.http_host#46"
    ClientManagement="Yes"
    SessionManagement="Yes"
    SetClientCookies="Yes"
    sessiontimeout="#CreateTimeSpan(0,2,0,0)#"
    ApplicationTimeout="#CreateTimeSpan(0,2,0,0)#">

The following combination of cfapplication and cfcookie makes an in-memory cookie. This means you can log in to site x in 2 different browsers with 2 different logins and maintain 2 different sessions on the same site.

<cfapplication Name="#cgi.http_host#46"
    ClientManagement="Yes"
    SessionManagement="Yes"
    sessiontimeout="#CreateTimeSpan(0,2,0,0)#"
    ApplicationTimeout="#CreateTimeSpan(0,2,0,0)#"
    ClientStorage="red5_client_vars">
<cfcookie name="cfid" value="#Client.cfid#">
<cfcookie name="cftoken" value="#Client.cftoken#">

Firstly - what's the protocol as far as security here? What's the general consensus - do y'all do the former or the latter? Does it depend on the application?

Secondly - this has obvious testing advantages - i.e. being able to log in as 2 different user levels on the same site and flick to make sure things behave right.

Thirdly - can you do session-only cookies without using the separate cfcookie tag?

Thanks all!