Re: Setting Cookie Secure, Domain, Path

2014-02-20 Thread Richard White

Thanks Pete, this does seem to work by adding it to the application.cfc. 
However, when I first open the browser and go to the site it shows an error 
that the session.cfid does not exist. The culprit is in the onSessionStart 
method as shown below. If I reload the window then it's all fine, as I suppose at 
this point the session.cfid has been created. Would you know how to resolve 
this?

<cffunction name="onSessionStart">
  <cfcookie name="CFID" value="#session.cfid#" httponly="true" secure="yes">
  <cfcookie name="CFTOKEN" value="#session.cftoken#" httponly="true" secure="yes">
</cffunction>


Thanks 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357711
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
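A defender-side check for the flags Richard is setting on CFID and CFTOKEN above, added here as an example and not code from the thread or from ColdFusion: it parses Set-Cookie response headers and reports session cookies (CFID, CFTOKEN, and JSESSIONID, the cookie used when J2EE session variables are enabled) that lack Secure or HttpOnly, and records any Domain scope. The header values are constructed; the function names are this example's own.

```python
from typing import Dict, List

# Session-identifier cookies a ColdFusion site may issue; JSESSIONID is the
# one used when "Use J2EE session variables" is enabled.
SESSION_COOKIES = {"CFID", "CFTOKEN", "JSESSIONID"}


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Parse one Set-Cookie header value into a dict holding the cookie
    'name' and 'value' plus lower-cased attributes (flags map to '')."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            cookie[key.strip().lower()] = val.strip()
    return cookie


def audit_session_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie name: [findings]} for every session cookie in
    `headers`. A 'missing ...' finding is a defect; a 'Domain=' finding
    only records that the cookie is shared with every subdomain."""
    report: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"].upper() not in SESSION_COOKIES:
            continue  # not a session identifier, out of scope here
        findings = []
        if "secure" not in cookie:
            findings.append("missing Secure: also sent over plain HTTP")
        if "httponly" not in cookie:
            findings.append("missing HttpOnly: readable by page scripts")
        if cookie.get("domain"):
            findings.append("Domain=%s: shared with every subdomain"
                            % cookie["domain"])
        report[cookie["name"]] = findings
    return report


# Constructed sample response headers, not captured from any real server.
SAMPLE_HEADERS = [
    "CFID=1234; Path=/; Domain=.example.com; Secure; HttpOnly",
    "CFTOKEN=98765432; Path=/; Domain=.example.com; HttpOnly",
    "JSESSIONID=ABC123; Path=/",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for name, findings in audit_session_cookies(SAMPLE_HEADERS).items():
        print(name, "->", "; ".join(findings) or "Secure and HttpOnly set")
```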


creditcard-billing-system

2014-02-20 Thread Uwe Degenhardt

Hi everybody,
I inherited the development of a credit card billing
system based on ColdFusion (7/8/9). I have to develop
some checks such as the following:

- IP-blocking
- cardnumber-check
- blocking of failed cc-number-checks
- checking credit card limits
- checking of a valid transaction gateway

...and so on.

I wonder if there are any coldfusion standard-/check-routines
available out there which I can use. I haven't checked
ColdFusion Exchange yet, which I am going to do as well.

Uwe





Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357712


Re: creditcard-billing-system

2014-02-20 Thread Russ Michaels

All of that is actually handled by the payment gateway fraud protection
system.
For extra security you can use something like MaxMind.

Russ Michaels
www.michaels.me.uk
cfmldeveloper.com
cflive.net
cfsearch.com
On 20 Feb 2014 13:29, Uwe Degenhardt cf-t...@sdsolutions.de wrote:



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357713


Re: Setting Cookie Secure, Domain, Path

2014-02-20 Thread Pete Freitag

Hi Richard, do you have Use J2EE session variables checked in the CF
administrator?

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes



On Thu, Feb 20, 2014 at 5:41 AM, Richard White rich...@re-base.net wrote:



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357714


Re: Best practices for xss security in CMS?

2014-02-20 Thread Pete Freitag

Hi Nick,

It is tricky to handle HTML content while avoiding XSS; there are two
tools I'm aware of that can help you here:

1) scrubHTML() - This is one I built in pure CFML and I think it is pretty
easy to build a whitelist of allowed HTML using it:
https://github.com/foundeo/cfml-security. It will use your whitelist and
only allow HTML tags and attributes that you allow to come out the other
end; anything not matching the whitelist is removed.
2) AntiSamy - written in Java, widely used, but its policy files can be
tricky to work with. Example using it with CFML:
http://www.petefreitag.com/item/760.cfm


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes



On Wed, Feb 19, 2014 at 11:08 PM, Nick Gleason n.glea...@citysoft.com wrote:


> Hi All,
> I'm very interested in your feedback on best practices when 1) trying to
> mitigate risk of XSS and other hacks while 2) providing CMS functionality
> that includes a web editor that clients use to publish web pages.
> For example, there are many tags like style, iframe, and embed that
> are considered risks by OWASP and others but are also typically needed by
> CMS users to create web pages, embed youtube videos, and the like.
> We're thinking through how to manage the trade offs so that we protect
> clients but don't frustrate them in making their web pages.
> I'd love to know how others are managing these issues effectively.  Our
> users who are creating web pages with an editor (FCKeditor) are generally
> working behind a login as administrators, so there is that login security -
> not anyone can use the editor to create a web page.  But, we have generally
> had a lot more security than that.
> I'm assuming that there are users of Mura, Farcry and other CMS's on this
> list and I'd love to know how you have addressed these risks.
> Thanks in advance!
> Nick




 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357715


Re: Best practices for xss security in CMS?

2014-02-20 Thread Nick Gleason

Thanks very much Pete.
We have implemented Portcullis among other things and that will also block 
tags like the ones mentioned.  I think that may be similar to the ones that 
you mention.  I expect that Fuseguard has something similar.  
I guess my follow up question may have to be with what kind of policy to 
create.  Blocking those tags 100% of the time feels draconian.  Blocking 
them 0% of the time feels risky.  
I expect that we need to develop rules for allowing some people (e.g. web 
master, super user, etc.) to use them while perhaps blocking others.  Does 
anyone on this list have experience with how to make those trade-offs 
effectively?
Nick

 


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357716
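The whitelist approach Pete describes, combined with the per-role policy Nick asks about, as an added example in Python; this is not scrubHTML, AntiSamy or Portcullis code. Tags and attributes outside the active role's whitelist are dropped (the contents of script and style go with them), URL attributes must carry an explicit http(s) scheme, and all text is re-escaped. The role names and allowed sets are illustrative.

```python
from html import escape
from html.parser import HTMLParser

# Constructed per-role whitelists: tag -> allowed attributes. Role names and
# the allowed sets are illustrative, not Portcullis or scrubHTML policy.
BASE_TAGS = {"p": set(), "b": set(), "i": set(), "ul": set(), "li": set(),
             "a": {"href"}}
POLICIES = {
    "editor": BASE_TAGS,
    "webmaster": {**BASE_TAGS, "iframe": {"src", "width", "height"}},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://")
DROP_CONTENT = {"script", "style"}  # drop the text inside these as well


class WhitelistScrubber(HTMLParser):
    """Re-emit only whitelisted tags/attributes; everything else is removed
    and all text is re-escaped, so no raw input markup reaches the output."""

    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy, self.out, self.skip = policy, [], 0

    def handle_starttag(self, tag, attrs):
        if tag not in self.policy:
            if tag in DROP_CONTENT:
                self.skip += 1
            return  # unknown tag: dropped, its text (if any) is kept
        kept = []
        for name, value in attrs:
            if name not in self.policy[tag] or value is None:
                continue
            if name in URL_ATTRS and not value.lower().startswith(SAFE_SCHEMES):
                continue  # refuse javascript:, data: and relative URLs
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in self.policy:
            self.out.append("</%s>" % tag)
        elif tag in DROP_CONTENT and self.skip:
            self.skip -= 1

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))


def scrub_html(markup: str, role: str) -> str:
    """Return `markup` reduced to the tags and attributes allowed for `role`."""
    scrubber = WhitelistScrubber(POLICIES[role])
    scrubber.feed(markup)
    scrubber.close()
    return "".join(scrubber.out)
```

The same input run as "editor" and as "webmaster" shows the trade-off Nick raises: an iframe embed survives only for the role whose policy lists it.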


Re: creditcard-billing-system

2014-02-20 Thread Byron Mann

There are services like Maxmind that do fraud screening, which could be
done before submitting a transaction to a payment gateway.

Basically the service returns a fraud potential score, and you can dictate
if it is low enough to perform a transaction.

There isn't anything baked-into CF to do this. There may be some CF
libraries that do a number check to see if the cc number itself is valid,
as this is a common algorithm, but more advanced filtering would be through
another service.

Byron Mann
Lead Engineer & Architect
HostMySite.com
On Feb 20, 2014 8:29 AM, Uwe Degenhardt cf-t...@sdsolutions.de wrote:



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357718
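Two of the checks Uwe lists (the card-number check and blocking repeated failed checks), as an added example that is not from the thread or from any ColdFusion library: the Luhn checksum, which is the common algorithm Byron refers to, plus an in-memory per-client lockout. The class name, the failure threshold and the sample inputs are illustrative; 4111111111111111 is a widely published test card number.

```python
from collections import defaultdict
from typing import DefaultDict


def luhn_valid(number: str) -> bool:
    """Return True if `number` (digits, spaces and dashes allowed) passes the
    Luhn checksum. This is a syntactic check only: it catches typos and junk,
    not whether the card exists or has credit."""
    digits = [c for c in number if c not in " -"]
    if not digits or not all(c.isdigit() for c in digits):
        return False
    if not 12 <= len(digits) <= 19:  # lengths used by payment card numbers
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9           # same as summing the two digits
        total += d
    return total % 10 == 0


class FailedCheckBlocker:
    """Count failed card-number checks per client and refuse further
    attempts once `max_failures` is reached. Kept in memory here; a real
    deployment would persist and expire the counters (hypothetical)."""

    def __init__(self, max_failures: int = 3) -> None:
        self.max_failures = max_failures
        self.failures: DefaultDict[str, int] = defaultdict(int)

    def is_blocked(self, client_ip: str) -> bool:
        return self.failures[client_ip] >= self.max_failures

    def check(self, client_ip: str, card_number: str) -> str:
        """Return 'blocked', 'invalid' or 'ok' for one submitted number."""
        if self.is_blocked(client_ip):
            return "blocked"
        if not luhn_valid(card_number):
            self.failures[client_ip] += 1
            return "invalid"
        return "ok"


if __name__ == "__main__":
    # Constructed run: three bad numbers from one client, then a good one.
    blocker = FailedCheckBlocker()
    client = "198.51.100.7"  # documentation address, not a real host
    for num in ("4111 1111 1111 1112", "1234", "abcd", "4111 1111 1111 1111"):
        print(num, "->", blocker.check(client, num))
```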




Re: Setting Cookie Secure, Domain, Path

2014-02-20 Thread Richard White

Hi Pete,

Yes, although if I disable this my login stops working and it appears the session 
variables that I use throughout the application cease to function.

Thanks,
Richard


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357719


Moving from CF8 to CF10 - Session Issues

2014-02-20 Thread Les Mizzell

Got a site currently running on CF8 that we're migrating to a completely 
new server with a fresh CF10 install. There's an informal members only 
section with user/pass login that we're having trouble with. No code 
changes - no problems on the CF8 server.

But, in various browsers, it seems the logged-in session var isn't 
holding and the second you log in, it just kicks you back out.
CF8 version - all browsers stay logged in with no problems.
CF10 version - Chrome kicks you right back out. IE works great (??)

So ... pretty simple stuff. If the username/pass matches:

<cfif qVerify.RecordCount>
  <!--- This user has logged in correctly, change the value of the session.allowin value --->
  <cfset session.allowin = True />
  <cfset session.user_id = qVerify.uniqID />
</cfif>

... and there you go..

Application file settings:

<cfapplication name="MyMemberSection"
    clientmanagement="yes"
    sessionmanagement="yes"
    setclientcookies="yes"
    setdomaincookies="yes"
    sessiontimeout="#CreateTimeSpan(0,8,00,0)#"
    applicationtimeout="#CreateTimeSpan(0,8,00,0)#"
    clientstorage="cookie">


So the question is - what's different between CF8 and CF10 that I need 
to be looking for? I'm not even sure where to start looking at the 
moment. Ideas? Tearing my hair out so far.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357720


Re: Moving from CF8 to CF10 - Session Issues

2014-02-20 Thread Byron Mann

Try using setdomaincookie=yes only instead of both. I seem to remember
something like this going from 8 to 9.

Any redirects after the login? Like going from http to https? Or from
domain.com to secure.domain.com?

Byron Mann
Lead Engineer & Architect
HostMySite.com
On Feb 20, 2014 6:04 PM, Les Mizzell lesm...@bellsouth.net wrote:



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357721


Re: Possible to optimise CFHTTP Response Time?

2014-02-20 Thread Byron Mann

Very good question actually, we recently had networking issues on some of
our VPS hosts where customers were reporting the same type of issue. Low
pings but slow HTTP responses.

Turns out the host nodes had traffic shaping configured which basically
maxed at 1 Gb even though the physical network is all 100 Gb. During
backups things simply slowed down due to the traffic shaping.

Byron Mann
Lead Engineer & Architect
HostMySite.com
On Feb 19, 2014 8:45 AM, Mack mrsmith.w...@gmail.com wrote:


> On Thu, Feb 13, 2014 at 4:57 PM, Craig Brown craigpbr...@gmail.com wrote:
>
> > I have an API running on my server where I can receive an average ping
> > response to the host server of 1ms yet when I make a CFHTTP request to the
> > host server it takes anywhere from 300-500ms to return a response.
>
> Are you by any chance on Amazon AWS? Or maybe some other virtualized XEN
> solution?
>
> --
> Mack


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357722


Re: Moving from CF8 to CF10 - Session Issues

2014-02-20 Thread Les Mizzell

On 2/20/2014 8:22 PM, Byron Mann wrote:
> Try using setdomaincookie=yes only instead of both. I seem to remember
> something like this going from 8 to 9.

Done - didn't fix it


> Any redirects after the login? Like going from http to https? Or from
> domain.com to secure.domain.com?

Hmm ... OK, originally I had:
<cflocation url="idx_nav.cfm" addtoken="no" />

Changed it to:
<cflocation url="idx_nav.cfm" addtoken="yes" />

NOW it seems to be working. So, what's the diff between CF8 and CF10 
where this would be the diff?

Thanks in advance...

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357723