Ian, One thing you might want to look at is Authentix. It provides more robust security than winnt challenge/response. It can block individual pages and images based upon referrer, IP, NT Login, ODBC database, etc. Very very powerful and does not require cookies. It is a COM component that integrates w/ CF using CFOBJECT. Of course, your hosting company will have to install it for you if this isn't on your own server. I think they've upgraded it to some product called web quote but you might be able to pick either one. http://www.flicks.com/
You are going to have to watch URL/FORM hacks. Assume that users wanting to break in will view source. Use CFQUERYPARAM and CFPROCPARAM whenever possible. If you are using cookies for state/session information, you may want to investigate SSL cookies. Just my 0.02.

Fregas

----- Original Message -----
From: "Ian Skinner" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, December 30, 2002 4:58 PM
Subject: User Name/Password Concepts

> I am writing a User ID/Password login for a commercial, registered
> members only type, Internet site. Not adult orientated if you care *S*.
>
> I've written simple CF Login functions before, but this current project
> is going to require a little more true security than I've dealt with before.
> I'm asking all the gurus and other experienced CF developers if you can
> help with some ideas. Basically I want to provide a fairly secure site that
> doesn't turn away potential users/members/customers.
>
> What I'm interested in is comments and ideas on balancing Security versus
> User Convenience. Also, what issues do I need to consider when I'm building
> this to increase the difficulty to hack my code and/or users' logins as much
> as practical. Would I want to blend other security features in to this (NT
> Security for example)?
>
> Ian Skinner
> Developer
> Ilsweb
> [EMAIL PROTECTED]
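A concrete illustration of the CFQUERYPARAM/CFPROCPARAM advice in the reply above, added here as an example and not code from the original thread or from either poster. The datasource `membersDS`, the `members` table with its `member_id`, `username` and `password_hash` columns, and the `sp_member_login` stored procedure are assumed names; the point is that every value arriving in FORM or URL is bound as a typed parameter rather than spliced into the SQL text.

```cfml
<!--- Added example, not from the original post. Assumes a datasource
      "membersDS", a table "members" (member_id, username, password_hash)
      and a stored procedure "sp_member_login". --->

<!--- Weak form: the form field is concatenated straight into the SQL string,
      so whatever the client submits becomes part of the statement. --->
<cfquery name="qLoginWeak" datasource="membersDS">
    SELECT member_id, password_hash
    FROM   members
    WHERE  username = '#FORM.username#'
</cfquery>

<!--- Hardened form: cfqueryparam binds the value as a typed parameter.
      maxlength also caps how long a submitted username may be. --->
<cfquery name="qLogin" datasource="membersDS">
    SELECT member_id, password_hash
    FROM   members
    WHERE  username = <cfqueryparam value="#FORM.username#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="64">
</cfquery>

<!--- Compare the password in CF code against the stored hash instead of
      putting the password into the WHERE clause. How password_hash was
      produced is outside this example; only the comparison is shown. --->
<cfset loginOk = false>
<cfif qLogin.recordCount EQ 1
      AND Compare(qLogin.password_hash, Hash(FORM.password)) EQ 0>
    <cfset loginOk = true>
</cfif>

<!--- Same rule for URL parameters: the integer type also rejects values
      that are not whole numbers before they reach the database. --->
<cfquery name="qMember" datasource="membersDS">
    SELECT member_id, username
    FROM   members
    WHERE  member_id = <cfqueryparam value="#URL.id#"
                                     cfsqltype="cf_sql_integer">
</cfquery>

<!--- Stored-procedure variant: cfprocparam does the same binding for
      procedure arguments. --->
<cfstoredproc procedure="sp_member_login" datasource="membersDS">
    <cfprocparam type="in"
                 cfsqltype="cf_sql_varchar"
                 value="#FORM.username#"
                 maxlength="64">
    <cfprocresult name="qProcLogin">
</cfstoredproc>
```

The first query is the shape to look for when reviewing existing templates: any `#FORM.x#` or `#URL.x#` inside a `<cfquery>` body without a surrounding `<cfqueryparam>` is a candidate for the rewrite shown in the second and third queries.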