RE: A Quick Question to Raymond RE: Your PowerPoint presentation...

2003-03-24 Thread Raymond Camden
I'm trying to remember myself - guess I should learn to use the Notes
field a bit more. ;)

I believe the idea was to hack your own session.urltoken. Basically,
every link would have x=YYY, where Y would be an encrypted form of
the username and password. Then you would decrypt the value and relogin
using cflogin each hit. Of course, that could be dangerous if someone
breaks your encryption. 

As for the session thing - what you would do is simply store the
username and password (and roles) in session values, then use
session.urlToken. This would be a bit simpler for sure, although you
would want to use the UUID for Session Token setting.

Hope that makes sense.

===
Raymond Camden, ColdFusion Jedi Master for Mindseye, Inc
Member of Team Macromedia (http://www.macromedia.com/go/teammacromedia)

Email: [EMAIL PROTECTED]
Blog : www.camdenfamily.com/morpheus/blog
Yahoo IM : morpheus

My ally is the Force, and a powerful ally it is. - Yoda 

> -Original Message-
> From: Jeff [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 24, 2003 10:18 AM
> To: CF-Talk
> Subject: A Quick Question to Raymond RE: Your PowerPoint
> presentation...
>
>
> Raymond,
>
> I was reading over your Powerpoint presentation last week
> (ColdFusionMX Application Security), and I just remembered
> something I had a quick question about...
>
> On the last page of the presentation you have the following:
>
> Extra - Cookie-less Security
>
> Pass encrypted key in URL
> Like cookie-less session
> Use session variable
> Need to pass session.urlToken
> Need to coordinate session/login timeout.
>
> I was just wondering what this was referring to, and if maybe
> you could expand a little more on it...Specifically the Pass
> encrypted key in URL part. Also the pass session.urlToken
> part too...what's the deal with that?
>
>
~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Your ad could be here. Monies from ads go to support these lists and provide more 
resources for the community. http://www.fusionauthority.com/ads.cfm

Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
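The session-variable approach Raymond describes (store the login state in session, carry session.urlToken on every link, and re-login via cflogin on each hit), written out as an added example that is not from the thread or the presentation. It assumes Application.cfm-style code as used on ColdFusion MX, a constructed user "jeff" standing in for a real user lookup, and that "Use UUID for cftoken" is switched on in the ColdFusion Administrator (a server setting, not something code can set).

```cfml
<!--- ===== Application.cfm ===== --->
<!--- Cookie-less sessions: no CFID/CFTOKEN cookies are set, so every
      link must carry session.urlToken for the session to be found. --->
<cfapplication name="cookielessDemo"
               sessionmanagement="yes"
               setclientcookies="no"
               sessiontimeout="#createTimeSpan(0, 0, 20, 0)#">

<!--- With no cookies there is no persistent cflogin context, so the
      cflogin body runs on every request. Re-establish the login from
      the values stored in session at login time. idletimeout is kept
      equal to the 20-minute session timeout so that the two expire
      together (the "coordinate session/login timeout" point). --->
<cflogin idletimeout="1200">
  <cfif structKeyExists(session, "auth")>
    <cfloginuser name="#session.auth.username#"
                 password="#session.auth.passwordHash#"
                 roles="#session.auth.roles#">
  </cfif>
</cflogin>

<!--- ===== login.cfm ===== --->
<cfif isDefined("form.username") and isDefined("form.password")>
  <!--- Constructed credential check; a real application would look the
        user up in its own user store and compare a stored hash. --->
  <cfif form.username eq "jeff" and hash(form.password) eq hash("s3cret")>
    <cfset session.auth = structNew()>
    <cfset session.auth.username = form.username>
    <!--- Keep a hash in session rather than the clear-text password;
          cfloginuser only needs a consistent value, not the password. --->
    <cfset session.auth.passwordHash = hash(form.password)>
    <cfset session.auth.roles = "user">
    <!--- addtoken="yes" appends session.urlToken (CFID/CFTOKEN) to the
          redirect, which is the only way the next request stays in
          this session when no cookies are sent. --->
    <cflocation url="home.cfm" addtoken="yes">
  </cfif>
</cfif>

<!--- ===== home.cfm (and every other protected page) ===== --->
<cfif getAuthUser() eq "">
  <cflocation url="login.cfm" addtoken="yes">
</cfif>
<cfoutput>
  <p>Logged in as #getAuthUser()#</p>
  <!--- Every internal link carries the token; links to other sites
        must not, since the token would leak through the Referer header. --->
  <a href="profile.cfm?#session.urlToken#">Profile</a>
  <a href="logout.cfm?#session.urlToken#">Log out</a>
</cfoutput>
```

Because the token appears in URLs, it also lands in browser history and server logs, which is why the UUID token setting matters here: a sequential CFTOKEN would make a captured or guessed token far more valuable than a random one.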



Re: A Quick Question to Raymond RE: Your PowerPoint presentation...

2003-03-24 Thread Jeff
on 3/24/03 1:40 PM, Raymond Camden at [EMAIL PROTECTED] wrote:

> I'm trying to remember myself - guess I should learn to use the Notes
> field a bit more. ;)
>
> I believe the idea was to hack your own session.urltoken. Basically,
> every link would have x=YYY, where Y would be an encrypted form of
> the username and password. Then you would decrypt the value and relogin
> using cflogin each hit. Of course, that could be dangerous if someone
> breaks your encryption.
>
> As for the session thing - what you would do is simply store the
> username and password (and roles) in session values, then use
> session.urlToken. This would be a bit simpler for sure, although you
> would want to use the UUID for Session Token setting.
>
> Hope that makes sense.

Yeah, it does. I ran across that bit this weekend and was curious how you
tied up the presentation, and if anything you had added there at the end was
something worthwhile following up on. It was, and I'm glad you remembered...
