Re: Security Concerns Question regarding Cfquery reguried username and password in sql environment

defective david Tue, 05 Dec 2000 01:02:23 -0800
i already have a large userbase logged in using client vars stored in the
registry.  is there a migration path to storing client vars in a db?

also, what tabe and columsn does CF look for in the datasource?

---
defective david
http://defective.net

----- Original Message -----
From: "John Cummings" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, October 26, 2000 9:50 PM
Subject: Re: Security Concerns Question regarding Cfquery reguried username
and password in sql environment


> You really shouldn't make a habit out of storing client vars in the
registry
> either.  While it does work, and Cold Fusion DOES NOT crash, it is much
> better to store the client vars in a database.
>
> First of all, it is much easier to scale your site when client vars are
> stored at a DB level, and secondly, the registry has size limitations that
> aren't present when you are dumping vars to a database.
>
> Just make sure that if you change the CFAS admin setting to store
variables
> in a database that you actually have the database space created first,
> otherwise you will be digging around in the registry trying to fix some
> heartache.
>
> HTH,
> John
> ----- Original Message -----
> From: "AustralianAccommodation.com Pty. Ltd."
> <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Friday, October 27, 2000 12:39 AM
> Subject: Re: Security Concerns Question regarding Cfquery reguried
username
> and password in sql environment
>
>
> > The following is a reply sent to me by one of the lead cf hosting
services
> > in usa regarding the use of user name and passwords for sql database
> access
> > I would appreciate your advice and comments regarding the issue.
> >
> > "Thank you for your message.
> >
> > Please try to use the solution you suggested below. As far as I know we
> have
> > determined that storing client variables in the registry causes
ColdFusion
> > server to crash every time the registry is purged (which happens every
> 5-20
> > minutes).  We had to switch default client variables store to cookies
and
> > restrict access to the client store in the registry."
> >
> > The solution that I suggested they refer to is to hard code the username
> and
> > passwords in each if the cf query tags throughout all the cf pages on my
> > site.
> >
> > My concern is that take the approach of hard coding the database
username
> > and password leave a huge security loophole in the site and for those
> > wanting to leave the way open for them to gain access to the database
> itself
> > upon viewing the source code of the cf pages
> >
> > I look forward to your comments and advice re this issue
> >
> >
> >
> > ----- Original Message -----
> > From: "Dave Watts" <[EMAIL PROTECTED]>
> > To: "CF-Talk" <[EMAIL PROTECTED]>
> > Cc: <[EMAIL PROTECTED]>
> > Sent: Friday, October 27, 2000 2:29 PM
> > Subject: RE: Security Concerns Question regarding Cfquery reguried
> username
> > and password in sql environment
> >
> >
> > > I never understood this one.
> > >
> > > Why is:
> > >
> > > <CFQUERY DATASOURCE = "#Request.MainDSN#"
> > >
> > > in a template better than
> > >
> > > <CFQUERY DATASOURCE = "#Request.MainDSN#" UserName =
> > > "#Request.User#"  Password = "#Request.Pass#"
> > >
> > > security-wise?
> >
> > >From a hacker's perspective, it's often pretty easy to read script
code.
> > It's usually a little harder to read the registry, which is where CF
> stores
> > datasource usernames and passwords.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > voice: (202) 797-5496
> > fax: (202) 797-5444
>
> --------------------------------------------------------------------------
> --
> > --------------------
> > Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
> > Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists or
send
> a
> > message with 'unsubscribe' in the body to
> [EMAIL PROTECTED]
> >
>
> --------------------------------------------------------------------------
> ----------------------
> > Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
> > Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists or
send
> a message with 'unsubscribe' in the body to
> [EMAIL PROTECTED]
> >
>
> --------------------------------------------------------------------------
----------------------
> Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
> Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists or send
a message with 'unsubscribe' in the body to
[EMAIL PROTECTED]
>


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Security Concerns Question regarding Cfquery reguried username and password in sql environment

Reply via email to
