Hi All,
Normally if a request is going to a CF server then the server will generate two tokens, CFID (say 100) and CFTOKEN (say 200), and these are saved as session cookies in the browser. This mechanism is for maintaining a session. And now if the session gets expired, say after 20 minutes, then the server will generate new tokens (say 300 and 400). This is how CF session management works, if I am not wrong.
I think in most cases we are not using the generated tokens (CFID and CFTOKEN) in our cfm or cfc code, at least I didn't use them. So my question is what is the real use of CFID and CFTOKEN unless we are using those tokens while coding? These questions arose in my mind when I was fixing some vulnerability issues as part of a PCI scan where I had to secure session cookies. So I was thinking, was it really necessary to secure those session cookies, as we are not using those cookies anywhere in our application; rather those cookies are just used for session management. Or what can a hacker do if he/she is able to steal those cookies?
Any thoughts on this?
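One way to see concretely what a PCI scan is flagging, as an added example that is not part of the original post: parse the Set-Cookie headers a CF server returns and report any CFID/CFTOKEN cookie that is missing the Secure or HttpOnly attribute. The sample headers below are constructed for illustration.

```python
# Constructed sample response headers (not captured from a real server).
SAMPLE_HEADERS = [
    "Set-Cookie: CFID=100; Path=/",                            # neither flag
    "Set-Cookie: CFTOKEN=200; Path=/; HttpOnly",               # Secure missing
    "Set-Cookie: JSESSIONID=abc; Path=/; Secure; HttpOnly",    # hardened
]

# Cookies that identify the server-side session; a stolen copy lets someone
# else resume that session, which is why a scanner insists on these flags.
SESSION_COOKIES = {"CFID", "CFTOKEN", "JSESSIONID"}

# Secure: never sent over plain HTTP. HttpOnly: not readable by page script.
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, set of lowercase attribute names)."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), value, attrs


def audit_session_cookies(headers):
    """Return {cookie_name: [missing flags]} for session cookies lacking Secure/HttpOnly."""
    findings = {}
    for h in headers:
        name, _, attrs = parse_set_cookie(h)
        if name not in SESSION_COOKIES:
            continue
        missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for cookie, missing in audit_session_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

On ColdFusion 10 and later the flags themselves are set in Application.cfc via this.sessioncookie.httpOnly and this.sessioncookie.secure, so the check above is useful as a before/after verification of that change.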