I care deeply for them all ;-)
On 7/18/07, Claude Schneegans <[EMAIL PROTECTED]> wrote:
>
> >>Unfortunately this may exclude AOL users
>
> Who cares about AOL users? ;-))
>
> --
> ___
> REUSE CODE! Use custom tags;
> See http://www.contentbox.com/claude/customtag
>>Unfortunately this may exclude AOL users
Who cares about AOL users? ;-))
--
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.
On 7/17/07, Michael Traher <[EMAIL PROTECTED]> wrote:
> Unfortunately this may exclude AOL users that can end up getting different
> IP addresses per request because of the proxy setup they have.
I've *HEARD* of that potentially being a problem. But never seen actual proof.
In fact, phpBB does I
Unfortunately this may exclude AOL users that can end up getting different
IP addresses per request because of the proxy setup they have.
On 7/17/07, Claude Schneegans <[EMAIL PROTECTED]> wrote:
>
> >>supposing a hacker generates a valid session on a site, then invites
> others to click on a link
>>supposing a hacker generates a valid session on a site, then invites
others to click on a link with the same cfid cftoken on the url
Keep the IP address of the one who created the session in the session
variables, then refuse
any other connection in the same session from another IP.
--
_
Michael Traher wrote:
> Ok - supposing a hacker generates a valid session on a site, then invites
> others to click on a link with the same cfid cftoken on the url, meanwhile
> the hacker keeps the session alive.
>
> Any visitors that click on the hacker's link are now sharing their details
> with
On 7/17/07, Michael Traher <[EMAIL PROTECTED]> wrote:
> We are currently considering stripping cfid cftoken and jsessionid from the
> url scope in application.cfc. This means users must use cookies to use the
> site of course.
>
> Any thoughts?
As long as you understand that a user can pretty easi
Ok - supposing a hacker generates a valid session on a site, then invites
others to click on a link with the same cfid cftoken on the url, meanwhile
the hacker keeps the session alive.
Any visitors that click on the hacker's link are now sharing their details
with the hacker in the same session in
Once the session times out, it won't matter that the same CFID / CFTOKEN
are being used. This is the same exact thing as letting a web page sit
open for a few hours, then refreshing the page and being kicked out of
the session. The Browser makes a request with the CFID / CFTOKEN values
that it has
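The thread above proposes two defences against the CFID/CFTOKEN scenario (an attacker seeds a valid session, then gets others to follow a link carrying those identifiers): refusing session identifiers passed on the URL, and binding a session to the IP that created it, with the AOL rotating-proxy caveat. The following is an added Python model of that exchange, not ColdFusion code and not from any message in the thread; the session store, addresses and data are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Session:
    owner_ip: str                      # IP of the client that created the session
    data: dict = field(default_factory=dict)

class SessionStore:
    """Toy stand-in for server-side session handling (hypothetical model)."""
    def __init__(self, accept_url_tokens: bool, bind_to_ip: bool):
        self.accept_url_tokens = accept_url_tokens   # honour ?cfid=..&cftoken=.. ?
        self.bind_to_ip = bind_to_ip                 # refuse requests from other IPs?
        self.sessions = {}
    def new_session(self, client_ip: str) -> str:
        token = secrets.token_hex(16)                # stands in for the CFID/CFTOKEN pair
        self.sessions[token] = Session(owner_ip=client_ip)
        return token
    def resolve(self, client_ip: str, cookie_token=None, url_token=None) -> str:
        """Return the token this request may use, creating a fresh session if needed."""
        token = cookie_token
        if token is None and self.accept_url_tokens:
            token = url_token                        # the weak path: trust the URL
        sess = self.sessions.get(token) if token else None
        if sess is None:
            return self.new_session(client_ip)
        if self.bind_to_ip and sess.owner_ip != client_ip:
            # Created by another client (or client behind a rotating proxy, the AOL case)
            return self.new_session(client_ip)
        return token

def fixation_leaks(accept_url_tokens: bool, bind_to_ip: bool) -> bool:
    """Replay the thread's scenario; True if the attacker can read the victim's data."""
    store = SessionStore(accept_url_tokens, bind_to_ip)
    attacker_ip, victim_ip = "203.0.113.7", "198.51.100.23"  # constructed addresses
    planted = store.new_session(attacker_ip)        # attacker obtains a valid session
    # Victim follows a link carrying the attacker's identifiers, holding no cookie yet
    victim_token = store.resolve(victim_ip, cookie_token=None, url_token=planted)
    store.sessions[victim_token].data["email"] = "victim@example.test"
    # Attacker keeps the session alive and reads it back with the same identifiers
    attacker_token = store.resolve(attacker_ip, cookie_token=planted)
    return store.sessions[attacker_token].data.get("email") == "victim@example.test"

def roaming_client_keeps_session(bind_to_ip: bool) -> bool:
    """Cost of IP binding: a client whose IP changes per request loses its session."""
    store = SessionStore(accept_url_tokens=False, bind_to_ip=bind_to_ip)
    token = store.new_session("192.0.2.10")
    return store.resolve("192.0.2.11", cookie_token=token) == token
```

Either defence alone closes the leak in this model; IP binding additionally evicts the legitimate client whose address changes between requests, which is the trade-off the AOL remark points at.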