WebApp Sec: Re: ColdFusion - CFID & CFTOKEN

From: ron thigpen <ron_at_fuzzsonic.com>
Date: Wed, 11 May 2005 11:47:09 -0400

Jason binger wrote:
> I am currently doing some work with CF MX 6.1 and was
> wondering if anyone had some information on the
> strength of the CF cookie implementation.

Since CFMX it has been an option to use J2EE session management. In
this case, the session would be identified by the J2EE jsessionid.

The CFID/CFTOKEN method is still available for backwards compatibility,
but may be disabled via a server setting.

from:
<http://livedocs.macromedia.com/coldfusion/6.1/htmldocs/shared10.htm>

<quote>
You can configure ColdFusion MX to use J2EE servlet session management
instead of ColdFusion session management for session variables. This
method of session management does not use CFID and CFToken values, but
does use a client-side jsessionid session management cookie. For more
information on using J2EE session management, see ColdFusion and J2EE
session management.
</quote>

more here:
<http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=tn_18232>

--rt
Received on May 11 2005
