Those of you who use CFLOGIN should check out this TechNote. Long story short: unfortunately, using session-based cflogin is not safe. This is really, really unfortunate, as the ability to tie cflogin to the session scope was one of the really nice things in 6.1. I'm very sad to see this, but at the same time I'm happy Macromedia posted about it, as it is a security risk folks should know about. The next release of BlogCFC will revert back to using cookie-based cflogin.
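For anyone wondering what "reverting to cookie-based cflogin" means in practice, here is the switch as an added example. It is not BlogCFC's own code, and the application name, the user list and the hash-compare are placeholders I made up for illustration; the only point is the loginStorage attribute on cfapplication.

```cfml
<!--- Weak setting: ties cflogin to the session scope (the configuration the TechNote warns about). --->
<!--- <cfapplication name="myBlog" sessionManagement="true" loginStorage="session"> --->

<!--- Corrected setting: store the login in a cookie instead. --->
<cfapplication name="myBlog" sessionManagement="true" loginStorage="cookie">

<!--- Constructed sample user table (hypothetical): username -> MD5 hash of the password. --->
<cfset users = structNew()>
<cfset users["admin"] = hash("changeme")>

<cflogin idletimeout="1800">
	<cfif isDefined("cflogin") and structKeyExists(users, cflogin.name)
	      and compare(users[cflogin.name], hash(cflogin.password)) eq 0>
		<!--- Credentials match: establish the authenticated user and roles. --->
		<cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="admin">
	<cfelse>
		<!--- No (valid) credentials yet: show the login form and stop. --->
		<cfinclude template="loginform.cfm">
		<cfabort>
	</cfif>
</cflogin>
```

The cflogin block itself is unchanged between the two settings; only loginStorage on cfapplication decides where the authenticated-user record lives, which is why the fix is a one-attribute change.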
Archived Comments
Would using J2EE session variables make any difference? I've found that, since turning them on, the session is terminated if ALL instances of the client used to log in are closed.
Sorry, I'm not really sure.