The point is with client variables... There is no way that the user can mess
with it... Hashed or not... And even UUID's can be guessed... Not very
easily... But possible... But I guess it's sort of like trying to guess
sessions at that point...  

I still don't know how hashing something helps... Security by obscurity?  If
you take a userID 123456 and you hash it and it becomes ABCDEF (or whatever
the hash function produces), why can't a smart user hash a userID 123457
using CF and set the cookie?  I mean he'd have to know that you're hashing
the userID and storing it in his cookie, but this is easily guessable... 
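An added example, not code from the thread or from ColdFusion, written in Python for concreteness: the unkeyed "hashed userId" cookie the thread debates, beside two schemes the server can actually verify, an HMAC-tagged cookie and a random session token with a server-side mapping. SERVER_KEY and the in-memory SESSIONS dict are constructed stand-ins.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example; a real deployment loads it from
# configuration and never sends it to the browser.
SERVER_KEY = b"constructed-example-key-do-not-reuse"

def unkeyed_cookie(user_id: int) -> str:
    """The 'hashed userId' cookie from the thread. The hash has no secret input, so
    the value for any userId is computable by anyone who knows the scheme; it hides
    the id but does not stop substitution."""
    return hashlib.sha256(str(user_id).encode()).hexdigest()

def keyed_cookie(user_id: int, key: bytes = SERVER_KEY) -> str:
    """userId plus an HMAC tag under the server's secret. The client can read the
    id, but cannot produce a valid tag for a different id without the key."""
    tag = hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"

def verify_keyed_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the userId if the tag verifies, else None. The compare is constant-time
    so response timing leaks nothing about how much of the tag matched."""
    user_id, sep, tag = cookie.partition(".")
    if not sep or not user_id.isdigit():
        return None
    expected = hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()
    return int(user_id) if hmac.compare_digest(tag, expected) else None

# The session-style alternative: the cookie carries only a random token, and the
# token-to-user mapping stays server-side (in-memory dict here; a store in practice).
SESSIONS: dict[str, int] = {}

def issue_session(user_id: int) -> str:
    """128 bits from the OS CSPRNG: not derivable from the userId and not
    enumerable the way sequential ids are."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = user_id
    return token

def lookup_session(token: str):
    """Resolve a token to its userId, or None for an unknown token."""
    return SESSIONS.get(token)
```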



-----Original Message-----
From: Ryan Guill [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 28, 2005 7:03 PM
To: CF-Talk
Subject: Re: pseudo-memory leak

You would always hash any information that the user could mess with, no
matter what it is.  And you should have validation on all of it too.  The
same as if you had url variables.

Use a uuid for a userid if you are worried about them changing it. 
10 bucks says they don't guess anyone right but their own in 10 tries.
;)

On 11/28/05, Russ <[EMAIL PROTECTED]> wrote:
> Cookies are not very secure now, are they?  Let's say I was going to 
> let the user be logged in, and I wanted that to persist... So I would do..
>
> Client.userId=123456
>
> Now, the user has no way to change that... Now, let's say I store it in 
> the cookie...
>
> <Cfcookie name="userId" value="123456">
>
> Now, the user can examine their cookies and know their userid.  Worse, 
> they can change the userid, and be logged in as a different user.
>
> Russ
>
> -----Original Message-----
> From: Ryan Guill [mailto:[EMAIL PROTECTED]
> Sent: Monday, November 28, 2005 2:04 PM
> To: CF-Talk
> Subject: Re: pseudo-memory leak
>
> I have never really found a need for client variables.  What benefit 
> do they really offer?  The only time I could see using them is when 
> you had something that you might think about storing in a cookie.  I 
> rarely come across a need like that where I don't really want a cookie,
> and if I do I usually just store it in the session.   Am I missing
> something there?
>
> On 11/28/05, Russ <[EMAIL PROTECTED]> wrote:
> > Are you still running another server on BD?  How is BD handling this
> > issue?
> >
> > -----Original Message-----
> > From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
> > Sent: Monday, November 28, 2005 1:38 PM
> > To: CF-Talk
> > Subject: pseudo-memory leak
> >
> > I've written up my thoughts on what looks like the problem that the 
> > House of Fusion server was facing for the last few weeks. It's a 
> > problem that probably affects others but I'm not going to comment on 
> > how widespread it is until the full write-up on Fusion Authority.
> > These are just my notes and thoughts.
> > http://www.blogoffusion.com/index.cfm/2005/11/28/pseudomemory-leak




Message: http://www.houseoffusion.com/lists.cfm/link=i:4:225472
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4