[thelist] CF Session Variables

Joshua Olson joshua at alphashop.net
Tue Oct 2 09:31:16 CDT 2001


: In what instance does "Session Stealing" occur?

Session stealing can occur when I begin using the tokens that someone else
has already used or is currently using.  The tokens can be passed via a
cookie or via the URL (and maybe via form variables... not sure on this
one).  The CFID and CFTOKEN are used by Cold Fusion to determine which set
of session variables are associated with the request.  If the server is
getting messed up due to an error and memory is being corrupted, it is
possible that a particular CFID and CFTOKEN combination are pointing to
another valid session variable set.  This can happen with locking errors (or
lack thereof) or internal overflow errors, which the 0 price *could* be
causing.  Normally an error caused by a 0 (usually a divide by zero) would
throw an error and cause the page to stop processing.  Such an error would
be obvious to you and a user... unless, that is, error trapping is
enabled and execution continues despite the error.

-joshua
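As an added example (not code from the original post), this is the session-scope locking that ColdFusion 5-era code relied on to avoid the concurrent-access corruption of session variables that Joshua describes; the variable names, the form field and the 20-second timeout are assumptions.

```cfml
<!--- Added example, not from the original post. Every read or write of
      the session scope happens inside a cflock so two requests sharing
      the same CFID/CFTOKEN cannot update the variable set at once.
      session.cartTotal, form.price and the timeout are assumed names. --->
<cflock scope="SESSION" type="EXCLUSIVE" timeout="20">
    <cfif NOT IsDefined("session.cartTotal")>
        <cfset session.cartTotal = 0>
    </cfif>
    <!--- Reject non-numeric input before it reaches the session store --->
    <cfif IsNumeric(form.price)>
        <cfset session.cartTotal = session.cartTotal + form.price>
    </cfif>
</cflock>

<!--- Reads take a READONLY lock so concurrent readers do not block each
      other, but still cannot overlap with an EXCLUSIVE writer. --->
<cflock scope="SESSION" type="READONLY" timeout="20">
    <cfset currentTotal = session.cartTotal>
</cflock>
```

With error trapping enabled, a lock that times out raises an exception that should be logged rather than silently swallowed, otherwise the unlocked-access symptoms in the post go unnoticed.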
