WebApp Sec mailing list archives
Re: ColdFusion - CFID & CFTOKEN
From: ron thigpen <ron () fuzzsonic com>
Date: Wed, 11 May 2005 11:47:09 -0400
Jason binger wrote:
I am currently doing some work with CF MX 6.1 and was wondering if anyone had some information on the strength of the CF cookie implementation.
Since CFMX it has been an option to use J2EE session management. In this case, the session would be indentified by the J2EE jsessionid.
The CFID/CFTOKEN method is still available for backwards compatibility, but may be disabled via a server setting.
from: <http://livedocs.macromedia.com/coldfusion/6.1/htmldocs/shared10.htm> <quote>You can configure ColdFusion MX to use J2EE servlet session management instead of ColdFusion session management for session variables. This method of session management does not use CFID and CFToken values, but does use a client-side jsessionid session management cookie. For more information on using J2EE session management, see ColdFusion and J2EE session management.
</quote> more here: <http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=tn_18232> --rt
Current thread:
- ColdFusion - CFID & CFTOKEN Jason binger (Apr 13)
- RE: ColdFusion - CFID & CFTOKEN Andrew van der Stock (Apr 13)
- Re: ColdFusion - CFID & CFTOKEN Rogan Dawes (Apr 14)
- Re: ColdFusion - CFID & CFTOKEN Amit Klein (AKsecurity) (Apr 18)
- Re: ColdFusion - CFID & CFTOKEN ron thigpen (May 11)
- Re: ColdFusion - CFID & CFTOKEN ron thigpen (May 11)
- Re: ColdFusion - CFID & CFTOKEN leighm (May 15)