RE: How are CFID and CFTOKEN generated

2000-08-27 Thread Steve Pierce

CF checks to see if it exists before creating them. - Steve


-Original Message-
From: Bud [mailto:[EMAIL PROTECTED]]
Sent: Sunday, August 27, 2000 3:29 PM
To: [EMAIL PROTECTED]
Subject: How are CFID and CFTOKEN generated


I've asked this before, but have never gotten a decent answer. Does
anyone know? What stops two people from ending up with the same cfid
and cftoken? Anything? Or is it random luck?
--

Bud Schneehagen - Tropical Web Creations

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
ColdFusion Solutions / eCommerce Development
[EMAIL PROTECTED]
http://www.twcreations.com/
954.721.3452

--
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=listsbody=lists/cf_talk or
send a message to [EMAIL PROTECTED] with 'unsubscribe' in
the body.




RE: How are CFID and CFTOKEN generated

2000-08-27 Thread Cameron Childress

The CFID is a number incremented by one each time a new one is needed.  How
does CF know a new one is needed?  Because Client or Session management is
turned on in the CFAPPLICATION tag, and CF didn't get one as a cookie, URL
or Form var when the page was called.

Really, a CFID should be all that is required to identify a session.
Unfortunately, that would make for a very insecure app because users could
easily "guess" another session's CFID and hijack the session.  Therefore, a
CFTOKEN is used to make the CFID harder to guess.  The CFTOKEN is a randomly
generated number which provides security against someone guessing a CFID
number.  The CFID/CFTOKEN pair is very unique and hard to guess.

-Cameron


Cameron Childress
McRae Communications
p. 770-460-7277 x.232
f. 770-460-0963

 -Original Message-
 From: Bud [mailto:[EMAIL PROTECTED]]
 Sent: Sunday, August 27, 2000 3:29 PM
 To: [EMAIL PROTECTED]
 Subject: How are CFID and CFTOKEN generated


 I've asked this before, but have never gotten a decent answer. Does
 anyone know? What stops two people from ending up with the same cfid
 and cftoken? Anything? Or is it random luck?
 --

 Bud Schneehagen - Tropical Web Creations

 _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
 ColdFusion Solutions / eCommerce Development
 [EMAIL PROTECTED]
 http://www.twcreations.com/
 954.721.3452




RE: How are CFID and CFTOKEN generated

2000-08-27 Thread Bud

On 8/27/00, Cameron Childress penned:
The CFID is a number incremented by one each time a new one is needed.  How
does CF know a new one is needed?  Because Client or Session management is
turned on in the CFAPPLICATION tag, and CF didn't get one as a cookie, URL
or Form var when the page was called.

Really, a CFID should be all that is required to identify a session.
Unfortunately, that would make for a very insecure app because users could
easily "guess" another session's CFID and hijack the session.  Therefore, a
CFTOKEN is used to make the CFID harder to guess.  The CFTOKEN is a randomly
generated number which provides security against someone guessing a CFID
number.  The CFID/CFTOKEN pair is very unique and hard to guess.

Wonderful.

Thank you. :)
-- 

Bud Schneehagen - Tropical Web Creations

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
ColdFusion Solutions / eCommerce Development
[EMAIL PROTECTED]
http://www.twcreations.com/
954.721.3452



RE: How are CFID and CFTOKEN generated

2000-08-27 Thread lsellers

 Really, a CFID should be all that is required to identify a session.
 Unfortunately, that would make for a very insecure app because
 users could
 easily "guess" another session's CFID and hijack the session.
 Therefore, a
 CFTOKEN is used to make the CFID harder to guess.  The CFTOKEN is
 a randomly
 generated number which provides security against someone guessing a CFID
 number.  The CFID/CFTOKEN pair is very unique and hard to guess.
 -Cameron

Or, using an analogue, CFID is the "username" and CFTOKEN is the "password".
Same effect.

--min
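
The scheme described in this thread (an incrementing id that keeps pairs unique, plus a random token that makes them hard to guess), as an added Python sketch that is not part of the original messages and is not ColdFusion's own code. `SessionStore`, `token_bits` and the token sizes used are assumptions for illustration; the thread does not state CFTOKEN's actual size or generator.

```python
import hmac
import itertools
import secrets


class SessionStore:
    """Toy model: sequential id (uniqueness) + random token (unguessability)."""

    def __init__(self, token_bits=128):
        self._ids = itertools.count(1)      # incremented by one per new session
        self._tokens = {}                   # id -> token, kept server-side
        self._token_bytes = token_bits // 8

    def issue(self):
        sid = next(self._ids)               # never repeats, so pairs never collide
        token = secrets.token_hex(self._token_bytes)  # OS CSPRNG, not random.random()
        self._tokens[sid] = token
        return sid, token

    def validate(self, sid, token):
        expected = self._tokens.get(sid)
        if expected is None or not isinstance(token, str):
            return False
        # Constant-time compare so response timing does not leak matching prefixes.
        return hmac.compare_digest(expected.encode(),
                                   token.encode("utf-8", "replace"))


def guess_success_probability(token_bits, guesses):
    """Chance that `guesses` distinct tries against one known id hit its token."""
    return min(1.0, guesses / 2 ** token_bits)


if __name__ == "__main__":
    store = SessionStore()
    (id_a, tok_a), (id_b, tok_b) = store.issue(), store.issue()
    print("ids issued:", id_a, id_b)
    print("neighbouring id with the wrong token accepted:",
          store.validate(id_b, tok_a))
    for bits in (0, 32, 128):               # 0 bits models "id alone"
        print(bits, "token bits ->", guess_success_probability(bits, 1_000_000))
```

With zero token bits the id alone identifies the session and a single guess at a neighbouring id succeeds; the token's bit length is what sets the cost of guessing.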


