RE: How are CFID and CFTOKEN generated

2000-08-27 Thread Steve Pierce

CF checks to see if it exists before creating them. - Steve


-Original Message-
From: Bud [mailto:[EMAIL PROTECTED]]
Sent: Sunday, August 27, 2000 3:29 PM
To: [EMAIL PROTECTED]
Subject: How are CFID and CFTOKEN generated


I've asked this before, but have never gotten a decent answer. Does
anyone know? What stops two people from ending up with the same cfid
and cftoken? Anything? Or is it random luck?
--

Bud Schneehagen - Tropical Web Creations

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
ColdFusion Solutions / eCommerce Development
[EMAIL PROTECTED]
http://www.twcreations.com/
954.721.3452

--
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
send a message to [EMAIL PROTECTED] with 'unsubscribe' in
the body.




RE: How are CFID and CFTOKEN generated

2000-08-27 Thread Cameron Childress

The CFID is a number incremented by one each time a new one is needed.  How
does CF know a new one is needed?  Because Client or Session management is
turned on in the CFAPPLICATION tag, and CF didn't get one as a cookie, URL
or Form var when the page was called.

Really, a CFID should be all that is required to identify a session.
Unfortunately, that would make for a very insecure app because users could
easily "guess" another session's CFID and hijack the session.  Therefore, a
CFTOKEN is used to make the CFID harder to guess.  The CFTOKEN is a randomly
generated number which provides security against someone guessing a CFID
number.  The CFID/CFTOKEN pair is very unique and hard to guess.

-Cameron


Cameron Childress
McRae Communications
p. 770-460-7277 x.232
f. 770-460-0963

> -Original Message-
> From: Bud [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, August 27, 2000 3:29 PM
> To: [EMAIL PROTECTED]
> Subject: How are CFID and CFTOKEN generated
>
>
> I've asked this before, but have never gotten a decent answer. Does
> anyone know? What stops two people from ending up with the same cfid
> and cftoken? Anything? Or is it random luck?
> --
>
> Bud Schneehagen - Tropical Web Creations
>
> _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> ColdFusion Solutions / eCommerce Development
> [EMAIL PROTECTED]
> http://www.twcreations.com/
> 954.721.3452

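The scheme described in the message above, modeled in Python as an added example (not part of the original thread and not ColdFusion's own code). It covers both points raised: the sequential CFID means no two sessions share a pair, and the random CFTOKEN is what has to match before a CFID is accepted. The class and method names, the 128-bit token size and the use of the OS random source are assumptions; the thread does not say how CFTOKEN is produced.

```python
import hmac
import itertools
import secrets


class SessionStore:
    """Toy model: sequential CFID plus random CFTOKEN (names are hypothetical)."""

    def __init__(self, first_id=1):
        self._next_id = itertools.count(first_id)  # CFID: incremented by one
        self._tokens = {}                          # CFID -> CFTOKEN

    def issue(self):
        """Create a new session and return its (CFID, CFTOKEN) pair."""
        cfid = next(self._next_id)
        # Assumption: 128 bits from the OS CSPRNG, hex encoded.
        cftoken = secrets.token_hex(16)
        self._tokens[cfid] = cftoken
        return cfid, cftoken

    def validate(self, cfid, cftoken):
        """Accept a request only if the token matches the one issued for cfid."""
        expected = self._tokens.get(cfid)
        if expected is None:
            return False
        # Constant-time comparison so response timing does not reveal
        # how much of a submitted token was correct.
        return hmac.compare_digest(expected.encode(), str(cftoken).encode())


def neighbour_is_isolated(store):
    """Check that holding one session's pair does not validate the next CFID."""
    own_id, own_token = store.issue()
    other_id, _other_token = store.issue()
    # other_id is predictable (own_id + 1), but own_token must not unlock it.
    return other_id == own_id + 1 and not store.validate(other_id, own_token)


if __name__ == "__main__":
    store = SessionStore()
    cfid, cftoken = store.issue()
    print("issued CFID", cfid, "valid with own token:", store.validate(cfid, cftoken))
    print("adjacent CFID rejected with own token:", neighbour_is_isolated(store))
```
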


RE: How are CFID and CFTOKEN generated

2000-08-27 Thread Bud

On 8/27/00, Cameron Childress penned:
>The CFID is a number incremented by one each time a new one is needed.  How
>does CF know a new one is needed?  Because Client or Session management is
>turned on in the CFAPPLICATION tag, and CF didn't get one as a cookie, URL
>or Form var when the page was called.
>
>Really, a CFID should be all that is required to identify a session.
>Unfortunately, that would make for a very insecure app because users could
>easily "guess" another session's CFID and hijack the session.  Therefore, a
>CFTOKEN is used to make the CFID harder to guess.  The CFTOKEN is a randomly
>generated number which provides security against someone guessing a CFID
>number.  The CFID/CFTOKEN pair is very unique and hard to guess.

Wonderful.

Thank you. :)
-- 

Bud Schneehagen - Tropical Web Creations

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
ColdFusion Solutions / eCommerce Development
[EMAIL PROTECTED]
http://www.twcreations.com/
954.721.3452



RE: How are CFID and CFTOKEN generated

2000-08-27 Thread lsellers

> Really, a CFID should be all that is required to identify a session.
> Unfortunately, that would make for a very insecure app because
> users could
> easily "guess" another session's CFID and hijack the session.
> Therefore, a
> CFTOKEN is used to make the CFID harder to guess.  The CFTOKEN is
> a randomly
> generated number which provides security against someone guessing a CFID
> number.  The CFID/CFTOKEN pair is very unique and hard to guess.
> -Cameron

Or, using an analogue, CFID is the "username" and CFTOKEN is the "password".
Same effect.

--min


