A Quick Question to Raymond RE: Your PowerPoint presentation...
Raymond,

I was reading over your PowerPoint presentation last week (ColdFusionMX Application Security), and I just remembered something I had a quick question about... On the last page of the presentation you have the following:

Extra - Cookie-less Security
- Pass encrypted key in URL
- Like cookie-less session
- Use session variable
- Need to pass session.urlToken
- Need to coordinate session/login timeout

I was just wondering what this was referring to, and if maybe you could expand a little more on it... Specifically the "Pass encrypted key in URL" part. Also the "pass session.urlToken" part too... what's the deal with that?

Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Get the mailserver that powers this list at http://www.coolfusion.com
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: A Quick Question to Raymond RE: Your PowerPoint presentation...
I'm trying to remember myself - guess I should learn to use the Notes field a bit more. ;)

I believe the idea was to hack your own session.urltoken. Basically, every link would have x=YYY, where Y would be an encrypted form of the username and password. Then you would decrypt the value and relogin using cflogin each hit. Of course, that could be dangerous if someone breaks your encryption.

As for the session thing - what you would do is simply store the username and password (and roles) in session values, then use session.urlToken. This would be a bit simpler for sure, although you would want to use the UUID for Session Token setting.

Hope that makes sense.

===
Raymond Camden, ColdFusion Jedi Master for Mindseye, Inc
Member of Team Macromedia (http://www.macromedia.com/go/teammacromedia)
Email: [EMAIL PROTECTED]
Blog : www.camdenfamily.com/morpheus/blog
Yahoo IM : morpheus
My ally is the Force, and a powerful ally it is. - Yoda

-----Original Message-----
From: Jeff [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 24, 2003 10:18 AM
To: CF-Talk
Subject: A Quick Question to Raymond RE: Your PowerPoint presentation...

Raymond,

I was reading over your PowerPoint presentation last week (ColdFusionMX Application Security), and I just remembered something I had a quick question about... On the last page of the presentation you have the following:

Extra - Cookie-less Security
- Pass encrypted key in URL
- Like cookie-less session
- Use session variable
- Need to pass session.urlToken
- Need to coordinate session/login timeout

I was just wondering what this was referring to, and if maybe you could expand a little more on it... Specifically the "Pass encrypted key in URL" part. Also the "pass session.urlToken" part too... what's the deal with that?
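The session.urlToken variant Raymond describes, as an added example (not the presentation's or Raymond's code): it assumes ColdFusion MX 6.1 or later for loginStorage="session", a hypothetical checkCredentials() function that returns the user's role list, and the Administrator's "Use UUID for cftoken" setting being enabled. The files are shown together in one block with a comment naming each.

```cfml
<!--- Application.cfm (added example, not from the presentation). Cookie-less session:
      CFID/CFTOKEN are never set as cookies, so they must ride on every URL. --->
<cfapplication name="cookielessDemo"
               sessionmanagement="yes"
               setclientcookies="no"
               loginstorage="session"
               sessiontimeout="#createTimeSpan(0, 0, 30, 0)#">
<!--- loginstorage="session" (CFMX 6.1+) keeps the cflogin state in the session itself,
      so login and session expire together and nothing is stored in a cookie.
      "Use UUID for cftoken" in the Administrator makes CFTOKEN unguessable. --->

<cflogin>
    <!--- Body runs only while no user is logged in. j_username / j_password form
          fields arrive as cflogin.name / cflogin.password. --->
    <cfif isDefined("cflogin")>
        <!--- checkCredentials() is hypothetical: returns a role list, or "" on failure --->
        <cfset roles = checkCredentials(cflogin.name, cflogin.password)>
        <cfif len(roles)>
            <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#roles#">
        </cfif>
    </cfif>
    <cfif getAuthUser() EQ "">
        <cfinclude template="loginform.cfm">
        <cfabort>
    </cfif>
</cflogin>

<!--- loginform.cfm: the token must be on the form action too, or the post lands in a new session --->
<cfoutput>
<form action="#cgi.script_name#?#session.urlToken#" method="post">
  <input type="text" name="j_username"> <input type="password" name="j_password">
  <input type="submit" value="Log in">
</form>
</cfoutput>

<!--- page.cfm: every internal link carries session.urlToken; a link without it
      starts a fresh, unauthenticated session. Unlike cookies, URL tokens show up in
      browser history, proxy logs and Referer headers, so keep sessiontimeout short. --->
<cfoutput>
  <p>Logged in as #getAuthUser()#</p>
  <a href="report.cfm?#session.urlToken#">Report</a>
  <cfif isUserInRole("admin")><a href="admin.cfm?#session.urlToken#">Admin</a></cfif>
  <a href="logout.cfm?#session.urlToken#">Log out</a>
</cfoutput>

<!--- logout.cfm: drop both the cflogin state and the session data --->
<cflogout>
<cfset structClear(session)>
```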
Re: A Quick Question to Raymond RE: Your PowerPoint presentation...
on 3/24/03 1:40 PM, Raymond Camden at [EMAIL PROTECTED] wrote:

> I'm trying to remember myself - guess I should learn to use the Notes field a bit more. ;)
>
> I believe the idea was to hack your own session.urltoken. Basically, every link would have x=YYY, where Y would be an encrypted form of the username and password. Then you would decrypt the value and relogin using cflogin each hit. Of course, that could be dangerous if someone breaks your encryption.
>
> As for the session thing - what you would do is simply store the username and password (and roles) in session values, then use session.urlToken. This would be a bit simpler for sure, although you would want to use the UUID for Session Token setting.
>
> Hope that makes sense.

Yeah, it does. I ran across that bit this weekend and was curious how you tied up the presentation, and if anything you had added there at the end was something worthwhile following up on. It was, and I'm glad you remembered...