Depending on how your application works, someone could go CFID/CFTOKEN searching, trying to find a still-active session, and try to hijack that session. I've seen it done by accident. Moving your client variables to a 36-bit UUID helps with this, and what I've done is create a timeout variable just in case the user doesn't log out (and the client variable leaves him logged in): I note the date/time of his last visit, and if it's greater than "15" minutes of no activity (or whatever acceptable value for you) it clears the variables and requests re-authentication.
-----Original Message-----
From: Ben Schwemlein [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 09, 2003 8:45 PM
To: CF-Talk
Subject: Hacking Client Variables?

Can anyone suggest a way to hack a query that has "WHERE userid = '#CLIENT.userid#'" in CF 5 and/or MX? Another developer has an application that has sensitive customer information that is encrypted at the database level, but not at the ColdFusion level. I think this is not secure, but I want some evidence before I make an objection. Any suggestions would help.

Our client variables are contained in the Database, and the client IDs are sequential. If there is some way to externally hack and set the client variable, then a Hacker could get all customer info.

Thanks,
Ben

Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
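The idle-timeout check the reply above describes, written out as an added Application.cfm example; this is not code from either poster. It assumes a client-variable datasource named "clientdb", a login page at login.cfm that sets client.userid after a successful login, and a 15-minute inactivity limit; all of those names are assumptions, not anything the thread states. Because Application.cfm runs before every page, the check sits in front of any query that trusts CLIENT.userid: a request that arrives with a stale or enumerated CFID/CFTOKEN pair finds the stored login state already cleared.

```cfml
<!--- Application.cfm: runs before every request in this directory tree --->
<cfapplication name="custPortal"
               clientmanagement="Yes"
               clientstorage="clientdb"
               setclientcookies="Yes">

<!--- Assumed policy value: minutes of inactivity before re-authentication --->
<cfset request.idleLimitMinutes = 15>

<!--- Pages that must stay reachable without a logged-in client --->
<cfset request.publicPages = "login.cfm,logout.cfm">
<cfset request.thisPage = ListLast(CGI.SCRIPT_NAME, "/")>

<!--- First visit: no last-activity stamp exists yet --->
<cfparam name="client.lastActivity" default="">

<cfif IsDefined("client.userid") AND Len(Trim(client.userid))>

    <!--- Treat a missing or unparseable stamp as already expired --->
    <cfset request.expired = NOT IsDate(client.lastActivity)
        OR DateDiff("n", client.lastActivity, Now()) GT request.idleLimitMinutes>

    <cfif request.expired>
        <!--- Wipe every stored client variable so the login state cannot be
              resumed by anyone who later presents this CFID/CFTOKEN pair --->
        <cfloop list="#GetClientVariablesList()#" index="request.v">
            <cfset DeleteClientVariable(request.v)>
        </cfloop>
        <cfif NOT ListFindNoCase(request.publicPages, request.thisPage)>
            <cflocation url="login.cfm?reason=timeout" addtoken="No">
        </cfif>
    <cfelse>
        <!--- Still within the window: slide it forward on each request --->
        <cfset client.lastActivity = Now()>
    </cfif>

<cfelseif NOT ListFindNoCase(request.publicPages, request.thisPage)>
    <!--- Not logged in and not a public page --->
    <cflocation url="login.cfm" addtoken="No">
</cfif>
```

Two points to keep in mind when adopting this. The loop uses GetClientVariablesList(), which returns only the application's own client variables, so the read-only CFID, CFTOKEN, URLToken, HitCount, TimeCreated and LastVisit entries are left for ColdFusion to manage. The check also does nothing to make CFID/CFTOKEN themselves harder to guess; for that, the administrator-side option to use UUIDs for CFTOKEN (which the reply alludes to) has to be turned on as well, since a sequential CFID paired with a short numeric CFTOKEN is exactly the search space the reply warns about.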