Ahh, I can't see..., blinding raw HTML codes.... must put
on kryptonite anti-html glasses...
At 17:11 10/9/00 -0400, you wrote:
>By "faking" them, do you mean using them, or viewing them?
>
>Using Client (or Session) variables (i.e., session stealing)
>
>If I come into a CF site with another user's CFID and CFToken, then I
>will be using their client variables (or session variables, if I have
>those turned on). This does not mean I can "see" them, or know their
>values. But I can "pretend" I am another user, for as long as that
>session is active or authorized. Generally, the other user must have
>recently logged on, and the hacker is just continuing the session. This
>is a universal web problem, and is not limited to ColdFusion. The main
>way around this is to use HTTPS (Secure HTTP), which prevents most
>"session ID" stealing, since even cookies are transported behind the
>encrypted algorithm.
>
>There are reams of information in this area, which I am not even prepared
>to speak on....
>
>Viewing and Changing Client Variables:
>
>A hacker would have to upload and run their own CF code, see revealing
>error messages (or cause them to happen), or run various other "inside"
>hacking tricks before he knew or could change the value of any client
>variables. This is much harder to do, but once done, can be much more
>damaging.
>
>There are reams of information in this area, which I am not even prepared
>to speak on....
>
>Client Variables in a Database:
>
>If you store them in your DB, then they are only as secure as your DB
>is. How secure is your DB?
>
>At 06:46 PM 10/6/00 -0400, Josh wrote:
>>Does anyone know offhand how secure client variables are? I'm assuming
>>that as long as CF is set to store them in the registry or a database,
>>they are basically secure from faking.
>>Can anyone think of a scenario where a web user could fake some client
>>variables other than CFID and CFTOKEN (and of course, how the rascals
>>would do so), to obtain access to something secured with client vars?
>>
>>Josh Diehl
>>
>>------------------------------------------------------------------------------
>>To Unsubscribe visit
>>http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox
>>or send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
>
>====================================================
>Douglas M. Smith - Database Architect/Web Integration Specialist
>====================================================
>TeraTech Inc - Tools for Programmers(tm)
>VisualBasic, Web (ColdFusion and ASP), Math and Statistics,
>Access, SQL, programming tools & consulting
>100 Park Ave, Suite 360, Rockville MD 20850 USA
>Voice: 301-424-3903, Fax: 301-762-8185
>http://www.teratech.com
>====================================================
>Email: [EMAIL PROTECTED]
>Mobile/Cell Phone: (240) 601-5520
>ICQ: 41044319
>====================================================
>Do you need a group calendar or scheduler?
>How about a free ColdFusion Tag and Function Reference?
>Go to http://www.teratech.com/freestuff.cfm
>====================================================
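The session-stealing scenario described in the quoted reply, as an added example that is not part of this thread and is not ColdFusion's own code: a small Python model of a server-side session store keyed only on the (CFID, CFTOKEN) pair. It shows that presenting a captured pair is enough to act as that user, that a wrong token reveals nothing about the stored client variables, and how a browser's handling of the Secure cookie attribute keeps the pair off plain HTTP, which is the transport point the reply makes about HTTPS. The store, the cookie model, the user names and the token format are all constructed assumptions for illustration.

```python
# Added example, not from the original thread or from ColdFusion itself.
# A toy model of a server-side session store keyed only on (CFID, CFTOKEN),
# plus a model of a browser's rule for sending cookies marked Secure.
from dataclasses import dataclass, field
import secrets


@dataclass
class SessionStore:
    """Server side: client variables are looked up by the (cfid, cftoken) pair."""
    sessions: dict = field(default_factory=dict)
    next_cfid: int = 1000  # constructed: a sequential id, like a row number

    def create(self, client_vars: dict) -> tuple[str, str]:
        cfid = str(self.next_cfid)
        self.next_cfid += 1
        cftoken = secrets.token_hex(16)  # assumption: a random 128-bit token
        self.sessions[(cfid, cftoken)] = dict(client_vars)
        return cfid, cftoken

    def lookup(self, cfid: str, cftoken: str):
        # The pair is the whole credential: the server has no other way to
        # tell the real user from someone replaying a captured pair.
        return self.sessions.get((cfid, cftoken))


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False


def cookies_sent(cookies: list, scheme: str) -> dict:
    """Browser side: a cookie marked Secure is only attached to https requests."""
    return {c.name: c.value for c in cookies if scheme == "https" or not c.secure}


def hijack_demo() -> dict:
    """Attacker replays a captured (CFID, CFTOKEN) and gets the victim's client vars."""
    store = SessionStore()
    cfid, cftoken = store.create({"username": "alice", "role": "admin"})  # constructed
    # ... the pair is captured in transit, e.g. sniffed from a plain-HTTP request ...
    return store.lookup(cfid, cftoken)  # the attacker is now "alice" to the server


def guess_demo() -> bool:
    """Without the exact pair the attacker can neither see nor use the variables."""
    store = SessionStore()
    cfid, _ = store.create({"username": "bob"})  # constructed
    return store.lookup(cfid, "0" * 32) is None


def transport_demo() -> tuple[dict, dict]:
    """The same cookies, without and with Secure, on a plain-HTTP request."""
    plain = [Cookie("CFID", "1000"), Cookie("CFTOKEN", "deadbeef")]
    secure = [Cookie("CFID", "1000", True), Cookie("CFTOKEN", "deadbeef", True)]
    return cookies_sent(plain, "http"), cookies_sent(secure, "http")


if __name__ == "__main__":
    print(hijack_demo())     # {'username': 'alice', 'role': 'admin'}
    print(guess_demo())      # True
    print(transport_demo())  # ({'CFID': '1000', 'CFTOKEN': 'deadbeef'}, {})
```

The third function is the practical check: if the application serves any page over plain HTTP and the CFID/CFTOKEN cookies are not marked Secure, the browser sends the pair in the clear on that request, and anyone on the path can replay it exactly as the first function does. Marking the cookies Secure and serving the whole site over HTTPS removes that transport exposure; it does nothing about the second category in the reply, where an attacker already runs code or reads error output on the server.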