WebApp Sec mailing list archives

Re: ColdFusion - CFID & CFTOKEN

From: ron thigpen <ron () fuzzsonic com>
Date: Wed, 11 May 2005 11:47:09 -0400

Jason binger wrote:

I am currently doing some work with CF MX 6.1 and was
wondering if anyone had some information on the
strength of the CF cookie implementation.

Since CFMX it has been an option to use J2EE session management. Inthis case, the session would be indentified by the J2EE jsessionid.

The CFID/CFTOKEN method is still available for backwards compatibility,but may be disabled via a server setting.


from:
<http://livedocs.macromedia.com/coldfusion/6.1/htmldocs/shared10.htm>

<quote>

You can configure ColdFusion MX to use J2EE servlet session managementinstead of ColdFusion session management for session variables. Thismethod of session management does not use CFID and CFToken values, butdoes use a client-side jsessionid session management cookie. For moreinformation on using J2EE session management, see ColdFusion and J2EEsession management.

</quote>

more here:
<http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=tn_18232>

--rt

Current thread:

ColdFusion - CFID & CFTOKEN Jason binger (Apr 13)
- RE: ColdFusion - CFID & CFTOKEN Andrew van der Stock (Apr 13)
- Re: ColdFusion - CFID & CFTOKEN Rogan Dawes (Apr 14)
- Re: ColdFusion - CFID & CFTOKEN Amit Klein (AKsecurity) (Apr 18)
- Re: ColdFusion - CFID & CFTOKEN ron thigpen (May 11)
- Re: ColdFusion - CFID & CFTOKEN ron thigpen (May 11)
  - Re: ColdFusion - CFID & CFTOKEN leighm (May 15)