Thanks for the feedback Dave.

Generally, I expire the validity of the id / token pair as soon as it's
been used :)

-joe

----- Original Message -----
From: Dave Watts <[EMAIL PROTECTED]>
Date: Sat, 31 Jul 2004 15:19:34 -0400
Subject: RE: How to make CF session variables available to PHP
To: CF-Talk <[EMAIL PROTECTED]>

> > Create a table with three columns:  id, token, and
> > sessionData. When leaving CF, do a CF -> WDDX of the
> > session struct (or implement your own native way of
> > serializing the session data), insert it and unique
> > ID / token values into the table, and pass off to your
> > PHP page with a myPage.php?id=#id#&token=#token#. Then,
> > on the PHP side, hit the table for a matching id/token
> > pair, return the data, kill the row, and de-serialize
> > into php data.
>
> A word of warning - do the passing-over in a cookie or
> something otherwise you are opening up your site to a big
> security hole.

I don't think this is a big security hole. There's nothing wrong with
passing identifying tokens via the URL - this is done all the time,
especially for sites that don't want to rely on cookies. The only real issue
I've run into with this is that people might send links to other people, and
those links would allow those other people into the sessions if they still
exist.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
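The id/token handoff described in the quoted message, together with the single-use expiry Joe mentions, as an added example that is not code from the thread or from either poster. Python with an in-memory SQLite table stands in for the ColdFusion and PHP sides and for the real database, and JSON stands in for the WDDX packet; the table name `handoff`, the extra `expires` column, the 60-second TTL, the function names and the sample session values are all assumptions. The defensive points it shows: the token is a long random secret (the id only locates the row), the row is killed before the token is even compared so a pair can be tried exactly once, the comparison is constant-time, and a short TTL bounds how long a link that gets forwarded to someone else stays live, which is the concern Dave raises.

```python
import hmac
import json
import secrets
import sqlite3
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed value, not from the thread: how long an unused handoff row stays valid.
HANDOFF_TTL_SECONDS = 60


def open_store():
    """Create the id / token / sessionData table from the thread, plus an expiry column.

    isolation_level=None hands transaction control to us so the consume step
    can run inside one BEGIN IMMEDIATE ... COMMIT.
    """
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE handoff ("
        "  id TEXT PRIMARY KEY,"
        "  token TEXT NOT NULL,"
        "  expires INTEGER NOT NULL,"
        "  sessionData TEXT NOT NULL)"
    )
    return conn


def issue_handoff(conn, session, now=None):
    """CF side: serialize the session struct, store it under a fresh id/token
    pair, and return the URL the browser is sent to (myPage.php?id=...&token=...).
    """
    now = int(time.time()) if now is None else now
    handoff_id = secrets.token_hex(16)   # 128-bit lookup key
    token = secrets.token_urlsafe(32)    # 256-bit bearer secret, unguessable
    conn.execute(
        "INSERT INTO handoff (id, token, expires, sessionData) VALUES (?, ?, ?, ?)",
        (handoff_id, token, now + HANDOFF_TTL_SECONDS, json.dumps(session)),
    )
    return "myPage.php?" + urlencode({"id": handoff_id, "token": token})


def consume_handoff(conn, handoff_id, token, now=None):
    """PHP side: look the row up, kill it, then validate and deserialize.

    Returns the session dict on success, None on any failure. The row is
    deleted before the token or expiry is checked, so an id is burned by the
    first attempt whether or not that attempt succeeds.
    """
    now = int(time.time()) if now is None else now
    conn.execute("BEGIN IMMEDIATE")  # serializes concurrent consumers of the same id
    try:
        row = conn.execute(
            "SELECT token, expires, sessionData FROM handoff WHERE id = ?",
            (handoff_id,),
        ).fetchone()
        if row is not None:
            conn.execute("DELETE FROM handoff WHERE id = ?", (handoff_id,))
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    if row is None:
        return None
    stored_token, expires, data = row
    if now > expires:
        return None
    # Constant-time comparison so a wrong token leaks nothing via timing.
    if not hmac.compare_digest(stored_token.encode(), token.encode()):
        return None
    return json.loads(data)


def split_handoff_url(url):
    """Pull (id, token) out of the redirect URL; None if either is missing."""
    params = parse_qs(urlsplit(url).query)
    try:
        return params["id"][0], params["token"][0]
    except KeyError:
        return None


def consume_from_url(conn, url, now=None):
    """Convenience wrapper for the PHP side working straight from the URL."""
    parts = split_handoff_url(url)
    if parts is None:
        return None
    return consume_handoff(conn, parts[0], parts[1], now)


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM handoff").fetchone()[0]


if __name__ == "__main__":
    db = open_store()
    # Constructed sample session; real code would serialize the CF session scope.
    url = issue_handoff(db, {"userId": 42, "role": "editor"}, now=1000)
    print(url)
    print(consume_from_url(db, url, now=1001))  # the session data, first and only time
    print(consume_from_url(db, url, now=1002))  # None: the row was killed on first use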