Have you ever read the docs? Not very descriptive.

So, one could set a session cookie with a value of the cftoken and cfid and
that would be individual throughout the server and application? And it
wouldn't be easily obtainable by anyone else?

Scott M. Berry :-: [Staff Developer]
annex.com, Inc. - http://www.annex.com/

----- Original Message -----
From: "Steve Bernard" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Saturday, November 18, 2000 3:13 PM
Subject: RE: Security


> That's CF's, and most products', method of tracking sessions, i.e. tokens
> as cookies. It's all in the docs.
>
> Steve
>
> -----Original Message-----
> From: Scott M. Berry [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, November 18, 2000 2:34 PM
> To: CF-Talk
> Subject: Security
>
>
> Hello,
>
> One of my friends and coworkers posted here about how to secure a web app.
> He suggested storing part of the tickcount in a database and as a cookie,
> and then verifying that the cookie exists and that the numbers are the same.
>
> I was wondering if there was a way to store a cookie that is some sort of
> session ID that CF assigns to each session, so all that would have to be
> done is a compare between the cookie and the session id.
>
> Any ideas?
>
> Scott M. Berry :-: [Staff Developer]
> annex.com, Inc. - http://www.annex.com/
>
>
> ----- Original Message -----
> From: "Jim McAtee" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Saturday, November 18, 2000 11:13 AM
> Subject: Re: HTTP Referrer
>
>
> > Rather than trying to use http_referer in your login page, try the
> > following. Depends a little on how you have your security system set up.
> > If you're including at the top of every secured page a template/code
> > snippet to detect if someone is currently logged in, have that bit of code
> > note 'cgi.script_name', which is the requested template. When that code
> > redirects to the login page, pass the template name to the login page and
> > then pass it along as a hidden field. If your security scheme has
> > different levels of access, be sure to have it also verify that the user
> > is permitted to access the page in question at the same time as you verify
> > the username and password.
> >
> > Jim
> >
> >
> > -----Original Message-----
> > From: W Luke <[EMAIL PROTECTED]>
> > To: CF-Talk <[EMAIL PROTECTED]>
> > Cc: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> > Date: Saturday, November 18, 2000 10:59 AM
> > Subject: Re: HTTP Referrer
> >
> >
> > >
> > >> Relying on the referer to take a user back after logging in is Not A
> > >> Good Idea(tm). Microsoft's IIS does not send the http_referer when not
> > >> in a secure section of a site (e.g. https://). Here is the Microsoft
> > >> article that tells of their reasoning...
> > >>
> > >> http://support.microsoft.com/support/kb/articles/Q178/0/66.ASP
> > >>
> > >
> > >Thanks for the link.  I'm running O'Reilly WebSite Pro, and have been
> > >testing this for the past few hours with IE, and it does seem to work
> > >very well.
> > >
> > >> One /excellent/ way around this is to use the Fusebox custom tag
> > >> CF_ReturnFuseAction by Steve Nelson. You don't even need to use any
> > >> other part of Fusebox. It works like a charm in both IE and Netscape.
> > >> You can find the tag on the Fusebox site (www.fusebox.org) or in
> > >> Allaire's Dev Exchange
> > >>
> > >> (http://devex.allaire.com/developer/gallery/info.cfm?ID=CA3477C0-2830-11D4-AA9700508B94F380&method=Full
> > >> ) <--watch the word-wrapping
> > >
> > >Fusebox - that name continues to crop up!  I'll take a look.
> > >
> > >Thanks,
> > >
> > >Will
> >
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Structure your ColdFusion code with Fusebox. Get the official book at
> http://www.fusionauthority.com/bkinfo.cfm
> >
> > Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
> > Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
> >
>
>


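The pattern Jim describes (a login check included at the top of every secured page that records cgi.script_name instead of trusting the referer, hands it to the login page, carries it through a hidden field, and re-checks the user's access level at login time) is sketched below as an added example; it is not code from any of the posters and not the CF_ReturnFuseAction tag. The variable names (session.loggedIn, session.accessLevel, requiredLevel, returnTo), the datasource "siteDS", and the tables users(username, passwordHash, accessLevel) and pageLevels(template, requiredLevel) are assumptions for the illustration, and session management is assumed to be enabled in Application.cfm with <cfapplication sessionmanagement="yes">.

```cfml
<!--- ===== auth_check.cfm: <cfinclude>d at the top of every secured page =====
      Assumed names: session.loggedIn, session.accessLevel, and requiredLevel,
      which the including page sets before the include (defaults to 1). --->
<cfparam name="requiredLevel" default="1">
<cfparam name="session.loggedIn" default="false">
<cfparam name="session.accessLevel" default="0">

<cfif NOT session.loggedIn>
    <!--- Remember the template the user actually requested (cgi.script_name),
          not the referer, and pass it to the login page in the query string. --->
    <cflocation url="login.cfm?returnTo=#URLEncodedFormat(cgi.script_name)#" addtoken="no">
</cfif>

<cfif session.accessLevel LT requiredLevel>
    <cfoutput><p>You are not permitted to view this page.</p></cfoutput>
    <cfabort>
</cfif>


<!--- ===== login.cfm ===== --->
<cfparam name="url.returnTo" default="/index.cfm">
<cfparam name="form.returnTo" default="#url.returnTo#">

<!--- Only ever return to a site-local template: a path beginning with a single
      "/" and containing no scheme or host, so the hidden field cannot be used to
      send the user off-site after login. --->
<cfset returnTo = form.returnTo>
<cfif Left(returnTo, 1) NEQ "/" OR Find("//", returnTo) OR Find(":", returnTo)>
    <cfset returnTo = "/index.cfm">
</cfif>

<cfif IsDefined("form.username") AND IsDefined("form.password")>
    <!--- Assumed schema: users(username, passwordHash, accessLevel) in the
          assumed datasource "siteDS". Hash() stands in for whatever password
          storage scheme the application uses; cfqueryparam keeps the form
          values out of the SQL text. --->
    <cfquery name="user" datasource="siteDS">
        SELECT accessLevel
        FROM   users
        WHERE  username     = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
        AND    passwordHash = <cfqueryparam value="#Hash(form.password)#" cfsqltype="cf_sql_varchar">
    </cfquery>

    <cfif user.recordCount EQ 1>
        <!--- Older CF releases required a lock around session writes. --->
        <cflock scope="session" type="exclusive" timeout="10">
            <cfset session.loggedIn = true>
            <cfset session.accessLevel = user.accessLevel>
        </cflock>

        <!--- Verify, at the same time as the credentials, that this user may see
              the page they were heading for. Assumed table pageLevels(template,
              requiredLevel); a template not listed there is treated as public. --->
        <cfquery name="page" datasource="siteDS">
            SELECT requiredLevel
            FROM   pageLevels
            WHERE  template = <cfqueryparam value="#returnTo#" cfsqltype="cf_sql_varchar">
        </cfquery>
        <cfif page.recordCount EQ 1 AND page.requiredLevel GT session.accessLevel>
            <cfset returnTo = "/index.cfm">
        </cfif>

        <cflocation url="#returnTo#" addtoken="no">
    <cfelse>
        <cfoutput><p>Login failed.</p></cfoutput>
    </cfif>
</cfif>

<!--- The requested template rides along in a hidden field, as Jim suggests. --->
<cfoutput>
<form action="login.cfm" method="post">
    <input type="hidden" name="returnTo" value="#HTMLEditFormat(returnTo)#">
    Username: <input type="text" name="username"><br>
    Password: <input type="password" name="password"><br>
    <input type="submit" value="Log in">
</form>
</cfoutput>
```

Because auth_check.cfm runs again on the destination page after the redirect, the per-page level check is enforced there as well; the extra lookup in login.cfm only spares the user a redirect to a page they would be refused anyway.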