Those of you who use CFLOGIN should check out this TechNote. The long story short is - unfortunately - using session based cflogin is not safe. This is really, really unfortunate as the ability to tie cflogin to the session scope was one of the really nice things in 6.1. I'm very sad to this, but at the same time, I'm happy Macromedia posted about it as it is a security risk folks should know about. The next release of BlogCFC will revert back to using cookie-based cflogin.
(This post is more than 2 years old.)
TechNote on CFLOGIN
Support this Content!
If you like this content, please consider supporting me. You can become a Patron, visit my Amazon wishlist, or buy me a coffee! Any support helps!
Want to get a copy of every new post? Use the form below to sign up for my newsletter.
Archived Comments
Would using J2EE session variables make any difference? I've found that since turning them on the session is terminated if ALL instances of the client used to login are closed.
Sorry, I'm not really sure.