On Tue, Sep 6, 2011 at 9:53 AM, Greg Morphis <[email protected]> wrote:
> All I'm doing with it is encrypting the user's ID so they don't see
> "1003" and then try to mess with it and change it to 2003 or 134567..
> all it is is the user's ID encrypted.

If I am understanding what you are doing, I'd be able to change someone
else's password if I knew the page to visit. If you give me a public URL
to test I can show you how. :)

> I just ran 5 iterations of this and not once did it tell me that one
> didn't equal the other

That may be, but it's not really an accurate representation of what you
are doing. If you are sending it via email, I could see it getting double
URLencoded perhaps...

To simulate your problem, you might try saving the SK as a session var
too, then going through the entire email process, clicking the link in
the email, and THEN outputting and comparing the session SK with the URL
SK values. I am not sure what the difference would be, but doing that
would likely expose it to you.

-Cameron

--
Cameron Childress
--
p: 678.637.5072
im: cameroncf
facebook <http://www.facebook.com/cameroncf> | twitter <http://twitter.com/cameronc> | google+ <https://profiles.google.com/u/0/117829379451708140985>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:347229
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
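The check Cameron suggests (keep the SK in the session, follow the emailed link, then compare the session SK with the URL SK) can be reproduced offline. The Python below is an added example written for this thread, not code from either poster or from ColdFusion; the token value and the `example.invalid` URL are constructed. It builds the reset link with the token URL-encoded zero, one or two times, applies the single decode a web server performs on the query string, and reports how many further decodes are needed before the URL value equals the session value. A result of one extra decode is the double-encoding Cameron describes; a token that never matches (here, an unencoded `+` turned into a space) is the other common cause of "one didn't equal the other".

```python
import hmac
import urllib.parse

# Constructed sample: an opaque token such as an encrypted user ID, as stored
# in the session ("SK"). Base64-style output often contains '+', '/' and '=',
# which is exactly what exposes URL-encoding mistakes.
SESSION_SK = "k9xF+Qz/1aB2cD3e=="

# Hypothetical reset page; any host would do for the comparison.
RESET_PAGE = "https://example.invalid/reset.cfm"


def build_reset_link(sk: str, times: int = 1, base: str = RESET_PAGE) -> str:
    """Build the emailed link, URL-encoding the token `times` times.

    times=1 is correct; times=2 reproduces double encoding; times=0 reproduces
    pasting the raw token into the query string with no encoding at all.
    """
    value = sk
    for _ in range(times):
        value = urllib.parse.quote(value, safe="")
    return f"{base}?sk={value}"


def server_side_sk(link: str) -> str:
    """Return the URL SK exactly as the page sees it after the web server's
    single automatic decode of the query string ('+' becomes a space)."""
    query = urllib.parse.urlsplit(link).query
    return urllib.parse.parse_qs(query)["sk"][0]


def diagnose(session_sk: str, url_sk: str, max_extra: int = 2) -> dict:
    """Compare session SK with URL SK, trying up to `max_extra` further
    URL-decodes. Returns the number of extra decodes that made them equal,
    or None when no amount of decoding does (the token was altered, not
    merely over-encoded). The comparison itself is constant-time so the same
    helper can be used on the real page."""
    candidate = url_sk
    for extra in range(max_extra + 1):
        if hmac.compare_digest(candidate, session_sk):
            return {"match": True, "extra_decodes": extra}
        candidate = urllib.parse.unquote(candidate)
    return {"match": False, "extra_decodes": None}


if __name__ == "__main__":
    for times in (0, 1, 2):
        link = build_reset_link(SESSION_SK, times=times)
        seen = server_side_sk(link)
        print(f"encoded {times}x: page sees {seen!r} -> {diagnose(SESSION_SK, seen)}")
```

When `extra_decodes` is 1, the fix is to encode the token once when building the link (and never again when it is embedded in the mail body); when the result is no match at all, the token reached the page already corrupted, which is why comparing the two values on the page, as Cameron suggests, is more informative than comparing them in a loop before the email round trip.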

