December 15, 2009

security question regarding session variables


Is it possible for a user to have access to modify the session variables that are being stored on their computer? Like, let's say I stored a session variable on someone's computer that was <cfset session.number = 100>, would they have the ability to edit that session variable to be a different number?

Thanks,

Ben

Correct answer by ilssac, December 15, 2009:

Umm, no.

Because the session variable is NOT stored on the client system. It is stored on the server.

What is sent to the client is a token that is sent with every request that lets the server know what requests belong with what session data.

By default this token is a set of cookies called CFID and CFTOKEN, but one can alternately configure ColdFusion to use a different cookie called JSESSIONID. The latter has the benefits of automatically being a memory cookie that is discarded when the browser closes and being common to JRUN JSP sessions if one ever needs to coordinate with such a system.

There are known risks that if somebody can guess any existing and current tokens available on the server they can hijack that session. This is somewhat more risky if one chooses to use get (aka URL) variables for the tokens rather than cookies. But few bother with this option these days.
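An added illustration of what the answer describes (my example, not code from ilssac or from the ColdFusion docs): session.number lives in server memory keyed by the session token, the browser only ever sends CFID/CFTOKEN, and a client-supplied ?number= value lands in the url scope, not the session. The application name, file names and values are assumed; setClientCookies and cflocation's addtoken attribute are standard ColdFusion features.

```cfml
<!--- Application.cfc: enable server-side sessions, tokens delivered as cookies --->
<cfcomponent>
    <cfset this.name = "sessionDemo">
    <cfset this.sessionManagement = true>
    <!--- true: CFID/CFTOKEN are sent as cookies. false would force them into
          URLs (session.urltoken), the riskier option the answer mentions --->
    <cfset this.setClientCookies = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <cffunction name="onSessionStart" returntype="void">
        <!--- stored on the server under this session's token; the value never leaves the server --->
        <cfset session.number = 100>
    </cffunction>
</cfcomponent>
```

```cfml
<!--- show.cfm: the browser's request carries only "Cookie: CFID=...; CFTOKEN=..." --->
<cfparam name="url.number" default="(not sent)">
<cfoutput>
    session.number = #session.number#   <!--- 100, whatever the client put in the query string --->
    url.number     = #url.number#       <!--- e.g. show.cfm?number=5 gives 5 here, a separate scope --->
</cfoutput>
<!--- Client input reaches the session only if code copies it there, for example
      <cfset session.number = url.number>, so validate before any such assignment. --->
```

```cfml
<!--- go.cfm: addtoken="no" keeps CFID/CFTOKEN out of the redirect URL,
      so the token is not exposed in logs, Referer headers or bookmarks --->
<cflocation url="show.cfm" addtoken="no">
```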


December 16, 2009

ColdFusion does provide options for launching pretty darned good "automatic defenses" against many forms of attacks, including the so-called "cross-site scripting" attack (where a session-variable is purloined). You would do well to carefully read the docs chapters on this and, if you are deploying a public-facing application, follow them quite religiously.


December 15, 2009

Ahhh thank you very much!