Client variables can be stored in the registry or a database.  Session variables
are purely in server memory.

Justin Kidman

-----Original Message-----
From: Mark Warrick [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 20, 2000 3:06 PM
To: [EMAIL PROTECTED]
Subject: RE: Any Security Concerns Here? Passing Token in URL [CF-Talk]


Just to reiterate - you should never pass variables that identify a certain
user through forms or URLs.  If you do, you leave your system open for other
people to copy those params and screw with other people's records.

Use session variables.  You can store the session variables in the registry
or in a database if you're worried about people not having cookies turned
on, but I really wouldn't worry about the cookie-fearing types and the
browsers that don't accept cookies.  (God, do those browsers still exist?)

---mark

--------------------------------------------------------------
Mark Warrick
Phone: (714) 547-5386
Efax.com Fax: (801) 730-7289
Personal Email: [EMAIL PROTECTED]
Personal URL: http://www.warrick.net 
Business Email: [EMAIL PROTECTED]
Business URL: http://www.fusioneers.com
ICQ: 346566
--------------------------------------------------------------


> -----Original Message-----
> From: Chris Montgomery [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 20, 2000 2:44 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Any Security Concerns Here? Passing Token in URL [CF-Talk]
> 
> 
> 
> Thanks for the comeback, Mark.  My comments are below.
> 
> >-----Original Message-----
> >From: Mark Warrick [mailto:[EMAIL PROTECTED]]
> >Sent: Wednesday, September 20, 2000 4:20 PM
> >To: [EMAIL PROTECTED]
> >Subject: RE: Any Security Concerns Here? Passing Token in URL [CF-Talk]
> >
> >
> >Hi Chris,
> >
> >So long as there is a way to identify the current client as
> >the user of that URLToken, it shouldn't be a problem.
> 
> Ok, I do this by setting appropriate session variables once they've
> successfully logged in, when necessary.
> 
> >For example, if you were to set a session variable.  But then
> >again, if you're using session variables, you don't need the
> >URLToken.
> 
> Yes, I'm using SessionManagement and setting session variables, but now
> I want to account for instances where users may not be accepting cookies
> (which I haven't been doing to this point).  Trying to cover all bases,
> so I've decided to pass the tokens via URL or Form variables.
> 
> >Another thing you can do is set a cookie on the
> >client's machine to match the URLToken.  It's not 100% secure,
> >but it's pretty good.
> >
> 
> My client doesn't want to use cookies.
> 
> >In general, I always use session variables as my primary means
> >of making sure that the client "logged in" is the right one.
> >
> 
> As do I.  So, to reiterate, you don't see a problem with passing the
> URLtoken "in the clear"?
> 
> Thanks again.
> 
> >---mark
> >
> 
> <snip>
> 
> ------------------------------------------------------------------------------
> Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
> To Unsubscribe visit
> http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a
> message to [EMAIL PROTECTED] with 'unsubscribe' in the body.

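The concern raised in this thread (a URLToken copied out of a URL or form lets someone else act as that user) and Mark's suggested fix (a cookie on the client that must match the URLToken) are easy to model. The following is an added example written for this page, not ColdFusion and not code from any of the posters; the SessionStore class, the BIND cookie name and the CFID/CFTOKEN generation are this example's own assumptions, chosen to mimic the CFID/CFTOKEN pair that ColdFusion's URLToken carries.

```python
"""Model of the URLToken question: a server-side session keyed by the
CFID/CFTOKEN pair carried in the URL, the copy-the-params attack, and the
cookie-matching-the-URLToken mitigation.  Added example, not ColdFusion code;
SessionStore and the BIND cookie are this example's own names."""
import secrets
from urllib.parse import parse_qs, urlencode


class SessionStore:
    """One record per (CFID, CFTOKEN) pair, like a CF session scope.
    Records live only in server memory, as the thread notes."""

    def __init__(self, bind_cookie: bool = False):
        self.bind_cookie = bind_cookie      # enable the cookie-binding check
        self._next_cfid = 1000
        self._sessions = {}                 # (cfid, cftoken) -> session dict

    def login(self, username: str):
        """Create a session after a successful login.  Returns the URLToken
        query string and, when binding is on, the cookie the client must
        send back with every request."""
        cfid = str(self._next_cfid)
        self._next_cfid += 1
        cftoken = secrets.token_hex(16)     # unguessable, unlike a counter
        bind = secrets.token_hex(16) if self.bind_cookie else None
        self._sessions[(cfid, cftoken)] = {"user": username, "bind": bind}
        urltoken = urlencode({"CFID": cfid, "CFTOKEN": cftoken})
        cookies = {"BIND": bind} if bind else {}
        return urltoken, cookies

    def current_user(self, query: str, cookies: dict):
        """Resolve the user for a request from its URL query and cookies.
        Returns None when the request does not prove it owns the session."""
        params = parse_qs(query)
        try:
            key = (params["CFID"][0], params["CFTOKEN"][0])
        except (KeyError, IndexError):
            return None
        sess = self._sessions.get(key)
        if sess is None:
            return None                     # unknown or forged token
        if self.bind_cookie and cookies.get("BIND") != sess["bind"]:
            return None                     # URLToken copied without the cookie
        return sess["user"]


def demo():
    """Run both configurations against a copied URLToken (constructed data)."""
    # Plain URLToken in the clear: whoever copies the query string is the user.
    plain = SessionStore(bind_cookie=False)
    urltoken, _ = plain.login("chris")
    victim = plain.current_user(urltoken, cookies={})
    attacker = plain.current_user(urltoken, cookies={})      # copied URL only

    # Cookie bound to the URLToken: the copied URL alone is refused.
    bound = SessionStore(bind_cookie=True)
    urltoken2, cookies = bound.login("chris")
    victim2 = bound.current_user(urltoken2, cookies)
    attacker2 = bound.current_user(urltoken2, cookies={})    # no BIND cookie
    return victim, attacker, victim2, attacker2
```

The binding check is exactly what Mark describes and has the limitation the thread already identifies: it depends on a cookie, so it does nothing for a client that refuses them, and an attacker who obtains both the URL and the cookie still wins. Because a URL-borne token also travels in Referer headers, browser history and server logs, the CFTOKEN must at least be unguessable (hence `secrets.token_hex` rather than a counter) and the session should expire.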
