At 02:25 PM 29-08-2001 -0400, Jeff Jancula wrote: >BACKGROUND: > >When a Internet browser user visits IIS or ColdFusion hosted web sites, the web server issues browser commands similar to: > >(for IIS) Set-Cookie: ASPSESSIONID=BBBBBBBBABCDEFGHIJKLMNOP >(for CF) Set-Cookie: CFID=123 >(for CF) Set-Cookie: CFTOKEN=4567890 > >The browser stores and returns the "ASPSESSIONID" or "CFID/CFTOKEN" values with each subsequent request to the web server. IIS and ColdFusion use these values to identify and track each user. > What does CFID=123 mean to cold fusion? Is that the user/session ID? Does that mean an attacker can just send CFID=123 and CFTOKEN=ANYTHING and Cold Fusion will think it's the same user/session? If it does then it's a very big problem. If it doesn't, then it may not be a problem unless your application assumes that just having a session means it's a valid user. Cheerio, Link.
This archive was generated by hypermail 2b30 : Thu Aug 30 2001 - 07:59:05 PDT