Re: CFID-CFTOKEN Major Issues. HELP!!!!
Please expand on this. I am a new admin on CF, background is DB, so any suggestions on what I need to do and where those would be applied in the code. If you can provide explicit code for me to totally eliminate the use of tokens in the URL.. I want to get the cfid/cftoken out of my URLs and still have the site work effectively. What would be my best solution...

Asad

>Is there a message (comments) in here I am missing??
>
>-Original Message-
>From: Asad Khan [mailto:[EMAIL PROTECTED]
>Sent: Thursday, May 24, 2007 10:26 AM
>To: CF-Talk
>Subject: Re: CFID-CFTOKEN Major Issues. HELP
>
>>you use cookies instead of URL parameters. Within the CF Administrator,
>>you can specify whether session management is enabled, what the default
>>and maximum timeouts are, and in CFMX, whether you use J2EE or CF
>session tokens.
>Application.cfm as a relatively easy workaround.
>
>>Baltimore, Northern Virginia, or on-site at your location.
>>Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:279086
Re: CFID-CFTOKEN Major Issues. HELP!!!!
On Thursday 24 May 2007, Asad Khan wrote:
> what will this do by setting url.cfid=client.cfid. If I do this and a

url.cfid= *cookie*.cfid would be better.

> client still emails the entire link with these id/token in the URL, will I
> still have the same issue...

No, the ones in the actual URL in the web browser will be overwritten.

> maliciously change the id or token value by one digit (I know there are so
> many permutations between the 2, but it can happen. Will this approach
> you mentioned eliminate any of those security issues).

Unless they are very lucky, they won't have a valid combination and it'll error.

> Where do I need to check if cookies have been disabled..

On their web browser :-)
Not many people disable them these days. There are detection examples floating around, or you can write a page that uses cfcookie to set one, then forwards to a second page that (tries to) read them back.

> eliminate the tokens from the URL string..

Yes.

--
Tom Chiverton
Helping to interactively market internet initiatives on: http://thefalken.livejournal.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:279071
Re: CFID-CFTOKEN Major Issues. HELP!!!!
Hi Dave:

First of all thank you for your suggestions. I have a couple of questions here. I have one app that is pointing to registry and one pointing to datasource. I know that datasource is the correct way of handling it. I notice the app where the admin is set to datasource, and when I look in the tables I see no values. Does that mean my app is not storing in the DB (not to sound like a dumb question)...

Your Answer:
>If your application is specifically looking for URL.CFID and URL.CFTOKEN,
>you would need to rewrite your code if those variables didn't exist. You
>could probably just set URL.CFID equal to Client.CFID, and URL.CFTOKEN equal
>to Client.CFTOKEN, within Application.cfm as a relatively easy workaround.

My Question:
What will this do by setting url.cfid=client.cfid. If I do this and a client still emails the entire link with these id/token in the URL, will I still have the same issue... And what happens if a user tries to maliciously change the id or token value by one digit (I know there are so many permutations between the 2, but it can happen. Will this approach you mentioned eliminate any of those security issues).

Your Answer:
>If you didn't specifically disable cookies, they probably are being set, in
>which case you can (usually) disable setting them in the URL. Check to see
>if cookies are being set.

My Question:
Where do I need to check if cookies have been disabled.. If they were, can I just turn them on and then set the url.addtoken=no. Will this work to eliminate the tokens from the URL string..

Asad

>> I am having a huge problem right now, I have an application
>> where I am using CFID/Cftoken as part of a URL parameter. They
>> are currently being maintained in the registry.
>
>As an aside, you really don't want to store client data in the registry. Use
>a database instead.
>
>> What is the underlying cause of it?
>
>CFID and CFTOKEN are used to uniquely identify a client. If two clients use
>the same values, they will appear to be the same client from your
>application's perspective.
>
>> If I change the session management parameters through the CF
>> Administrator to use cookies, is there other major work (code
>> re-write) I need to do, since the application has been
>> developed using cfids/cftokens in the URL.
>
>There is no session management parameter in the CF Administrator to let you
>use cookies instead of URL parameters. Within the CF Administrator, you can
>specify whether session management is enabled, what the default and maximum
>timeouts are, and in CFMX, whether you use J2EE or CF session tokens.
>
>If you're talking about client management, there is an option to use cookies
>to store the actual client data. This is somewhat independent of whether you
>use cookies or URL parameters as client tokens.
>
>If your application is specifically looking for URL.CFID and URL.CFTOKEN,
>you would need to rewrite your code if those variables didn't exist. You
>could probably just set URL.CFID equal to Client.CFID, and URL.CFTOKEN equal
>to Client.CFTOKEN, within Application.cfm as a relatively easy workaround.
>
>> OR
>>
>> Can I set the addtoken=no in the cflocation and prevent the
>> tokens from being appended to the URL.. If yes, are there any
>> major repercussions. Will this work.
>
>If you didn't specifically disable cookies, they probably are being set, in
>which case you can (usually) disable setting them in the URL. Check to see
>if cookies are being set.
>
>Dave Watts, CTO, Fig Leaf Software
>http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:279067
RE: CFID-CFTOKEN Major Issues. HELP!!!!
Is there a message (comments) in here I am missing??

-Original Message-
From: Asad Khan [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 24, 2007 10:26 AM
To: CF-Talk
Subject: Re: CFID-CFTOKEN Major Issues. HELP

>> I am having a huge problem right now, I have an application where I
>> am using CFID/Cftoken as part of a URL parameter. They are currently
>> being maintained in the registry.
>
>As an aside, you really don't want to store client data in the
>registry. Use a database instead.
>
>> What is the underlying cause of it?
>
>CFID and CFTOKEN are used to uniquely identify a client. If two clients
>use the same values, they will appear to be the same client from your
>application's perspective.
>
>> If I change the session management parameters through the CF
>> Administrator to use cookies, is there other major work (code
>> re-write) I need to do, since the application has been developed
>> using cfids/cftokens in the URL.
>
>There is no session management parameter in the CF Administrator to let
>you use cookies instead of URL parameters. Within the CF Administrator,
>you can specify whether session management is enabled, what the default
>and maximum timeouts are, and in CFMX, whether you use J2EE or CF session tokens.
>
>If you're talking about client management, there is an option to use
>cookies to store the actual client data. This is somewhat independent
>of whether you use cookies or URL parameters as client tokens.
>
>If your application is specifically looking for URL.CFID and
>URL.CFTOKEN, you would need to rewrite your code if those variables
>didn't exist. You could probably just set URL.CFID equal to
>Client.CFID, and URL.CFTOKEN equal to Client.CFTOKEN, within Application.cfm as a relatively easy workaround.
>
>> OR
>>
>> Can I set the addtoken=no in the cflocation and prevent the tokens
>> from being appended to the URL.. If yes, are there any major
>> repercussions. Will this work.
>
>If you didn't specifically disable cookies, they probably are being
>set, in which case you can (usually) disable setting them in the URL.
>Check to see if cookies are being set.
>
>Dave Watts, CTO, Fig Leaf Software
>http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:279065
Re: CFID-CFTOKEN Major Issues. HELP!!!!
>> I am having a huge problem right now, I have an application
>> where I am using CFID/Cftoken as part of a URL parameter. They
>> are currently being maintained in the registry.
>
>As an aside, you really don't want to store client data in the registry. Use
>a database instead.
>
>> What is the underlying cause of it?
>
>CFID and CFTOKEN are used to uniquely identify a client. If two clients use
>the same values, they will appear to be the same client from your
>application's perspective.
>
>> If I change the session management parameters through the CF
>> Administrator to use cookies, is there other major work (code
>> re-write) I need to do, since the application has been
>> developed using cfids/cftokens in the URL.
>
>There is no session management parameter in the CF Administrator to let you
>use cookies instead of URL parameters. Within the CF Administrator, you can
>specify whether session management is enabled, what the default and maximum
>timeouts are, and in CFMX, whether you use J2EE or CF session tokens.
>
>If you're talking about client management, there is an option to use cookies
>to store the actual client data. This is somewhat independent of whether you
>use cookies or URL parameters as client tokens.
>
>If your application is specifically looking for URL.CFID and URL.CFTOKEN,
>you would need to rewrite your code if those variables didn't exist. You
>could probably just set URL.CFID equal to Client.CFID, and URL.CFTOKEN equal
>to Client.CFTOKEN, within Application.cfm as a relatively easy workaround.
>
>> OR
>>
>> Can I set the addtoken=no in the cflocation and prevent the
>> tokens from being appended to the URL.. If yes, are there any
>> major repercussions. Will this work.
>
>If you didn't specifically disable cookies, they probably are being set, in
>which case you can (usually) disable setting them in the URL. Check to see
>if cookies are being set.
>
>Dave Watts, CTO, Fig Leaf Software
>http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:279064
RE: CFID-CFTOKEN Major Issues. HELP!!!!
> I am having a huge problem right now, I have an application
> where I am using CFID/Cftoken as part of a URL parameter. They
> are currently being maintained in the registry.

As an aside, you really don't want to store client data in the registry. Use
a database instead.

> What is the underlying cause of it?

CFID and CFTOKEN are used to uniquely identify a client. If two clients use
the same values, they will appear to be the same client from your
application's perspective.

> If I change the session management parameters through the CF
> Administrator to use cookies, is there other major work (code
> re-write) I need to do, since the application has been
> developed using cfids/cftokens in the URL.

There is no session management parameter in the CF Administrator to let you
use cookies instead of URL parameters. Within the CF Administrator, you can
specify whether session management is enabled, what the default and maximum
timeouts are, and in CFMX, whether you use J2EE or CF session tokens.

If you're talking about client management, there is an option to use cookies
to store the actual client data. This is somewhat independent of whether you
use cookies or URL parameters as client tokens.

If your application is specifically looking for URL.CFID and URL.CFTOKEN,
you would need to rewrite your code if those variables didn't exist. You
could probably just set URL.CFID equal to Client.CFID, and URL.CFTOKEN equal
to Client.CFTOKEN, within Application.cfm as a relatively easy workaround.

> OR
>
> Can I set the addtoken=no in the cflocation and prevent the
> tokens from being appended to the URL.. If yes, are there any
> major repercussions. Will this work.

If you didn't specifically disable cookies, they probably are being set, in
which case you can (usually) disable setting them in the URL. Check to see
if cookies are being set.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:279034
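Putting Dave's advice above (cookie-based client identification, database client storage, addtoken="no" on every cflocation) together with the two-page cookie check Tom mentions earlier in the thread, here is one Application.cfm that does it. This is an added example, not code from this thread, from Fig Leaf or from Adobe; it assumes an application named myApp, a client-storage datasource named clientDSN, and that the application keeps its own login state in session.isLoggedIn (all three are assumed names). One caveat the thread does not spell out: Application.cfm runs after ColdFusion has already matched the request to a client/session, so reassigning URL.CFID there only changes what your own code reads, not which session the request was attached to. That is why the example treats any request that still arrives with the tokens in the query string as untrusted and discards the application's login state, rather than rewriting the variables.

```cfml
<!--- Application.cfm (added example; myApp, clientDSN and session.isLoggedIn are assumed names) --->

<!--- Identify clients by cookie, never by URL: setclientcookies="yes" makes CF set the
      CFID/CFTOKEN cookies itself, and clientstorage names a datasource instead of the registry. --->
<cfapplication name="myApp"
               clientmanagement="yes"
               sessionmanagement="yes"
               setclientcookies="yes"
               clientstorage="clientDSN"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">

<!--- 1. Once every link and cflocation in the site uses addtoken="no", no legitimate request
      carries CFID/CFTOKEN in the query string. A request that still does is a forwarded,
      bookmarked or edited link: drop the application's own login state so the link is worth
      nothing to whoever received it, then bounce to the same page with the two parameters removed. --->
<cfif IsDefined("URL.CFID") OR IsDefined("URL.CFTOKEN")>
    <cfset StructDelete(Session, "isLoggedIn")>
    <cfset cleanQuery = "">
    <cfloop collection="#URL#" item="key">
        <cfif key NEQ "CFID" AND key NEQ "CFTOKEN">
            <cfset cleanQuery = ListAppend(cleanQuery,
                "#URLEncodedFormat(key)#=#URLEncodedFormat(URL[key])#", "&")>
        </cfif>
    </cfloop>
    <cfif Len(cleanQuery)>
        <cfset cleanQuery = "?" & cleanQuery>
    </cfif>
    <cflocation url="#CGI.SCRIPT_NAME##cleanQuery#" addtoken="no">
</cfif>

<!--- 2. Cookie check, the "set it, bounce, read it back" approach Tom describes. CF already
      sets the CFID cookie on the first response, so one redirect is enough: if Cookie.CFID is
      still missing after the bounce, the browser is not accepting cookies and cookie-only
      sessions cannot work for it. --->
<cfif NOT IsDefined("Cookie.CFID")>
    <cfif IsDefined("URL.cookiecheck")>
        <cfoutput><p>Sign-in requires a browser that accepts cookies.</p></cfoutput>
        <cfabort>
    <cfelse>
        <cfset checkQuery = ListAppend(CGI.QUERY_STRING, "cookiecheck=1", "&")>
        <cflocation url="#CGI.SCRIPT_NAME#?#checkQuery#" addtoken="no">
    </cfif>
</cfif>

<!--- 3. Every redirect elsewhere in the application needs the same attribute, otherwise the
      tokens come straight back into the address bar and into the next e-mail, e.g.
      <cflocation url="orders.cfm?id=#orderId#" addtoken="no"> --->
```

Two things to know before dropping this in. Step 1 also signs out the person who originally sent the link if they click it themselves, because sender and recipient share the same session once ColdFusion has matched the URL tokens; that is the intended trade-off, since there is no way in Application.cfm to tell the two apart. And the check in step 1 is only safe after every cflocation and every hand-built link in the site has stopped emitting the tokens; until then it would log out real users on every redirect.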
RE: CFID-CFTOKEN Major Issues. HELP!!!!
How are you handling security now? Session variable?

-Original Message-
From: Asad Khan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 23, 2007 8:27 PM
To: CF-Talk
Subject: CFID-CFTOKEN Major Issues. HELP

I am having a huge problem right now, I have an application where I am using CFID/Cftoken as part of a URL parameter. They are currently being maintained in the registry.

One of my clients emailed the URL (entire URL) to another individual (who does not use this application at all) in a totally different location. When that user clicked on the link, he was logged in as the client and was able to access the entire system. Huge security issue here.

What is the underlying cause of it?

If I change the session management parameters through the CF Administrator to use cookies, is there other major work (code re-write) I need to do, since the application has been developed using cfids/cftokens in the URL.

OR

Can I set the addtoken=no in the cflocation and prevent the tokens from being appended to the URL.. If yes, are there any major repercussions. Will this work.

Asad

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:279033