-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> So if I think this out logically, the ONLY way to ensure 
> absolute security is if the user has their cookies turned on.

Well...  That's not 100% secure either.  It *is* possible for a
malicious user to share his cookies with others.  A malicious user
could ALSO manually add ?CFID=XXX&CFTOKEN=XXX to any URL on their
site & assume someone else's session.

And someone mentioned that using Session variables was secure before.
That's not true either.  Session variables are "keyed" to the CFID &
CFTOKEN values in the cookies or the URLToken.  If your user
manipulates his cookies or the URLToken, he has effectively become
the other session.  So even if you're using session variables, your
user can get all of those session variables by changing his CFID &
CFTOKEN.  That's exactly what happened to us.

Now...  That's not to say that cookies aren't better than URLTokens.
They are from a security standpoint.  While a user could accidentally
pass on a URL that had a URL token to someone else, he'd have to go
out of his way to share his cookie data.  Cookies basically keep
honest people honest...

And speaking of cookies...  I am inclined to wonder what the big deal
about cookies is.  All of our CF sites require cookies, and I've yet
to get any complaints about them.  We have the following as part of
our privacy policy page:

>>>>
6) How do we use Cookies?
All of our sites use cookies to identify your account & to improve
your browsing experience. On our membership sites, cookies are
required to login & access members' services. The cookies we use
contain only an anonymous user ID number which our servers use to
verify that you are a valid, logged in member. If you do not accept
the cookies we send to your browser, you will not be able to access
any part of our members services.

Our merchandise sites use cookies to track the contents of your
shopping cart and to identify you once you login to complete a
purchase. As with our membership sites, the cookies we send contain
only an anonymous user ID number. If you do not accept the cookies we
send to your browser, you will not be able to make purchases from our
sites.

For the technically minded, here are the exact cookies we use:

CFID -- A random number 
CFTOKEN -- Another random number 
That's all we send! 
<<<<

That seems to be enough to make everyone happy...

Best regards,
Zac Bedell

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOcohpwraVoMWBwRBEQJkKQCg3bwo6KbDx/jcwJqyyIWtKpLAfA0Anj8n
pdSPsNLPITgGXLg0InbPYE+6
=Cu+w
-----END PGP SIGNATURE-----
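The behaviour described in the post above (session variables keyed on the CFID/CFTOKEN pair, so that anyone presenting another user's pair, whether copied from a shared URL or from cookie data, becomes that user's session) can be modelled in a few lines. This is an added example, not code from the post or from ColdFusion itself: the session store, the `accept_url_tokens` switch (standing in for "we require cookies"), the sample CFID/CFTOKEN values and the cookie-before-URL precedence are all assumptions made for illustration.

```python
"""Toy model of ColdFusion-style session lookup keyed on CFID/CFTOKEN.

Added example, not code from the original post. It models the behaviour the
post describes: session variables are keyed to the CFID/CFTOKEN pair, so any
request that presents another user's pair (from a shared URL token or from
copied cookies) gets that user's session. Store layout, the accept_url_tokens
switch, cookie-before-URL precedence and all sample values are assumptions.
"""
from urllib.parse import urlparse, parse_qs

# Constructed sample: the server-side session store, keyed on (CFID, CFTOKEN).
SESSIONS = {
    ("1234", "56789012"): {"username": "alice", "member": True},
}

# Constructed sample: the victim's URL as a site that appends the URLToken
# would emit it.
VICTIM_URL = "http://example.test/members/home.cfm?CFID=1234&CFTOKEN=56789012"


def tokens_from_url(url):
    """Return the (CFID, CFTOKEN) pair carried in a URL's query string,
    or None if either value is missing."""
    qs = parse_qs(urlparse(url).query)
    cfid = qs.get("CFID", [None])[0]
    cftoken = qs.get("CFTOKEN", [None])[0]
    return (cfid, cftoken) if cfid and cftoken else None


def resolve_session(cookies, url, accept_url_tokens=True):
    """Return the session dict for a request, or None.

    cookies: dict of cookies the browser sent.
    url: the requested URL (may carry CFID/CFTOKEN in its query string).
    accept_url_tokens: False models the "cookies required" setup; only the
    cookie pair is then honoured and URL tokens are ignored (assumption).
    """
    pair = None
    if "CFID" in cookies and "CFTOKEN" in cookies:
        pair = (cookies["CFID"], cookies["CFTOKEN"])
    elif accept_url_tokens:
        pair = tokens_from_url(url)
    return SESSIONS.get(pair)


def hijack_via_shared_url(shared_url, accept_url_tokens=True):
    """Someone who merely received the victim's URL sends it with no cookies
    of his own. With URL tokens accepted, he gets the victim's session."""
    return resolve_session(cookies={}, url=shared_url,
                           accept_url_tokens=accept_url_tokens)


def hijack_via_copied_cookies(cfid, cftoken):
    """Someone who copies (or is handed) the victim's cookie values is
    indistinguishable from the victim, even with URL tokens disabled."""
    return resolve_session(cookies={"CFID": cfid, "CFTOKEN": cftoken},
                           url="http://example.test/members/home.cfm",
                           accept_url_tokens=False)


if __name__ == "__main__":
    print("URL tokens accepted:", hijack_via_shared_url(VICTIM_URL))
    print("cookies required:   ",
          hijack_via_shared_url(VICTIM_URL, accept_url_tokens=False))
    print("copied cookies:     ", hijack_via_copied_cookies("1234", "56789012"))
```

Run as-is: the first line shows a shared URL alone yielding alice's session, the second shows that requiring cookies closes that accidental path, and the third shows that copied cookie values still work, which is the post's point that cookies only raise the effort needed rather than making the session unstealable.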
------------------------------------------------------------------------------
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.