[thelist] CF: cookie versus cflocation?!?

Joshua OIson joshuao at fought.org
Sat Sep 23 01:40:17 CDT 2000


It seems like a sound idea to use a redirection because it eliminates that
pesky resubmit dialog box that plagues users who refresh pages generated
from a form submission.  But, the reason a cookie followed by a redirection
fails to set the cookie is because the redirection wipes out the page
header, which would normally include the cookies you wish to set.

One solution might be including in the redirection a flag (represented as a
url scope variable) that will indicate to the new page that it should lay
the cookie when the page is rendered and pushed back to the client.  You
would have to be sure that the page cflocated to could never be called
directly by a client, or else they could technically hack a login.

If you were so inclined, you could even pass CFID and CFTOKEN as the url
arguments that would indicate the need to issue the cookie.  That would give
you the benefit of being able to use the timeouts on session variables to
reduce the possibility of session hijacking.  Then, drop the two tokens in
subsequent links and rely solely on the cookie for session management.

-joshua
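
The approach described in this message, as an added example that is not part of the original post: the "issue the cookie" flag is kept in session scope rather than in the URL, so a client who calls the target page directly, or with tokens for a session that never logged in, gets no cookie. The file names, the application name, the `loggedIn` and `issueCookie` session keys, the `setclientcookies="no"` setting and the stand-in credential check are assumptions.

```cfml
<!--- Application.cfm (assumed): sessions on, automatic CFID/CFTOKEN cookies off --->
<cfapplication name="demoApp" sessionmanagement="yes" setclientcookies="no"
               sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#">

<!--- login_action.cfm (hypothetical name): handles the form post --->
<cfparam name="form.username" default="">
<cfparam name="form.password" default="">
<!--- Stand-in for the real credential check; both values are constructed --->
<cfset loginOk = (form.username is "demo" and form.password is "constructed-example")>
<cfif loginOk>
    <!--- Record the login and the pending cookie on the server, not in the URL --->
    <cflock scope="session" type="exclusive" timeout="10">
        <cfset session.loggedIn = true>
        <cfset session.issueCookie = true>
    </cflock>
    <!--- addtoken appends CFID and CFTOKEN so welcome.cfm finds this session --->
    <cflocation url="welcome.cfm" addtoken="yes">
<cfelse>
    <cflocation url="login.cfm" addtoken="no">
</cfif>

<!--- welcome.cfm (hypothetical name): the page cflocated to --->
<cfset loggedIn = false>
<cfset mayIssue = false>
<cflock scope="session" type="exclusive" timeout="10">
    <cfif IsDefined("session.loggedIn")>
        <cfset loggedIn = true>
    </cfif>
    <cfif IsDefined("session.issueCookie")>
        <!--- One-time flag: a replayed or bookmarked URL issues nothing --->
        <cfset temp = StructDelete(session, "issueCookie")>
        <cfset mayIssue = true>
        <cfset sessionCfid = session.cfid>
        <cfset sessionCftoken = session.cftoken>
    </cfif>
</cflock>
<cfif not loggedIn>
    <!--- Called directly, or with tokens for a session that never logged in --->
    <cflocation url="login.cfm" addtoken="no">
</cfif>
<cfif mayIssue>
    <cfcookie name="CFID" value="#sessionCfid#">
    <cfcookie name="CFTOKEN" value="#sessionCftoken#">
</cfif>
<!--- No cflocation after cfcookie here, so the cookie headers reach the client --->
<p>Welcome. <a href="account.cfm">Your account</a></p>
```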




