RE: security issues
Speaking of snippets, I just got a new machine and I lost all of my snippets along the way... (IT dept took the old machine before I had a chance to get them.) Anyone know where I can find some on the web to replenish my gallery?

-----Original Message-----
From: Tony Carcieri [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 25, 2002 12:46 PM
To: CF-Talk
Subject: security issues

Hi all,

Sorry for the cross post, but last week there was a discussion about the old hacks of cfsnippets or cfdocs or something. I don't remember exactly and don't remember which forum it was on. Could you please email me off list and refresh my memory of what they were and if it is possible that these hacks could bring down a site? We are getting some SERIOUS hits and the cfserver crashes. It ends up queueing so much that it just quits.

Thanks very much for the speedy reply!

Tony
[EMAIL PROTECTED]

Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Security issues
I do it like this: When the user logs in, the user's userid and access level are stored in session variables. Then on the page I check for the various access levels that are allowed on the page by putting them in a list:

    <!--- Require a login first; only then compare the session's group against the page's allowed list --->
    <cfif IsDefined("Session.userid")>
        <cfset groupsAllowed = "admin,level1,level3">
        <cfif NOT ListFind(groupsAllowed, Session.accessgroup)>
            <cflocation url="noaccessallowed.cfm">
        </cfif>
    <cfelse>
        <cflocation url="failedlogin.html">
    </cfif>

tom
www.basic-ultradev.com

----- Original Message -----
From: "Chris Lott" [EMAIL PROTECTED]
To: "CF-Talk" [EMAIL PROTECTED]
Sent: Saturday, October 07, 2000 10:59 AM
Subject: Security issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I understand how to handle login security in an application... but do any of you have tips on handling variable levels of security? Up until now I have always had my normal app for users and then a subsection of that app (say /admin/) where admins would go to do their thing. It seems inefficient, but also almost inescapable without turning my neat code into spaghetti, as I am variably displaying/including based on whether they have admin privileges or not. I can't imagine what it will be like with three or more levels of user to account for!

I've seen many discussions on cf lists about how to define different levels of user and what their privileges are, but not much on what to do with those definitions in the app. Every way I can conceive seems much more painful than it should be. Or is that just the way it is?

c

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8ckt - http://irfaiad.virtualave.net/
Comment: PGP Signed for message verification and/or encryption
Comment: KeyID: 0xD68B61E851046CFD

iQA/AwUBOd86N9aLYehRBGz9EQIBZACghjGOJ8H88d7bCm8Jza5BgtTXeLAAmgPj
2EXL6YNuzCcbRypj+9lH69an
=Wug1
-----END PGP SIGNATURE-----

--
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
To Unsubscribe visit http://www.houseoffusion.com/index.cfm?sidebar=listsbody=lists/cf_talk or send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
Re: Security issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I do it like this...

Thanks... I was thinking more along the lines of what happens on the pages themselves. For instance, let's say I have an application that lists jobs waiting to be done. Normal users can list the jobs and edit/delete their own, while admin users can edit/delete anyone's. Would you optionally include a delete link if the current user is an admin on that page? Or would the admin user be sent to a different job listing page altogether?

Of course this is simplistic... when you have three or many levels of access and a number of functions specific to various groups all on the same page, the amount of conditional processing can become pretty large. But if I split the application out so that admins go to an admin job listing, job editors go to an editor listing and users go to their own listing, I have an enormous amount of code duplication to contain...

c

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8ckt - http://irfaiad.virtualave.net/
Comment: PGP Signed for message verification and/or encryption
Comment: KeyID: 0xD68B61E851046CFD

iQA/AwUBOd9WMNaLYehRBGz9EQJ7vwCggywMzwiCYVW6dAAg2wifaZTP35IAoNRI
14JAvySx23/11LFdT7HimHhC
=rG1d
-----END PGP SIGNATURE-----
Re: Security issues
I like to separate the administrator pages completely. For one thing, there's usually a lot more functionality on them. Also, they don't have to be cluttered with the extra baggage of an end-user page (links, ads, graphics, etc.).

I suppose you could implement the same logic for individual parts of a page, though. Something along these lines:

    <!--- Emit the delete link only when the session's group is in the allowed list --->
    <cfif ListFind(groupsAllowed, Session.accessgroup)>
        <cfoutput>#myquery.deletelink#</cfoutput>
    </cfif>

tom
www.basic-ultradev.com

----- Original Message -----
From: "Chris Lott" [EMAIL PROTECTED]
To: "CF-Talk" [EMAIL PROTECTED]
Sent: Saturday, October 07, 2000 12:58 PM
Subject: Re: Security issues
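The exchange above settles on one job-listing page whose delete link is shown only to users allowed to use it. The following is an added example (not code from the thread or from either poster) that models that design in Python: a per-page guard equivalent to Tom's ListFind check, an ownership rule for Chris's "users edit their own, admins edit anyone's" case, a single listing page that emits the link conditionally, and a delete handler that repeats the check, since hiding a link is presentation only and the action URL can be requested directly. The Session and Job classes, the group names and the sample jobs are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

ADMIN_GROUPS = frozenset({"admin"})  # assumed admin group name, as used in the thread


@dataclass(frozen=True)
class Job:
    job_id: int
    owner: str   # userid of the user who created the job (constructed field)
    title: str


@dataclass(frozen=True)
class Session:
    """Models the Session.userid / Session.accessgroup values set at login."""
    userid: Optional[str] = None
    accessgroup: str = ""


def parse_group_list(groups_allowed: str) -> frozenset:
    """Turn the comma-separated allowed list into a set (the ListFind equivalent)."""
    return frozenset(g.strip() for g in groups_allowed.split(",") if g.strip())


def page_guard(session: Session, groups_allowed: str) -> Optional[str]:
    """Per-page check: return the redirect target when access is denied, None when allowed."""
    if not session.userid:
        return "failedlogin.html"          # not logged in at all
    if session.accessgroup not in parse_group_list(groups_allowed):
        return "noaccessallowed.cfm"       # logged in, but wrong group for this page
    return None


def can_delete(session: Session, job: Job) -> bool:
    """Admins may delete any job; every other user only their own."""
    if not session.userid:
        return False
    return session.accessgroup in ADMIN_GROUPS or job.owner == session.userid


def render_job_list(session: Session, jobs: List[Job]) -> List[str]:
    """One listing page for every role; the delete link is emitted only where permitted."""
    rows = []
    for job in jobs:
        row = f"{job.job_id}: {job.title}"
        if can_delete(session, job):
            row += f" [delete id={job.job_id}]"
        rows.append(row)
    return rows


def handle_delete(session: Session, jobs: List[Job], job_id: int) -> str:
    """The action page repeats the check: anyone can type delete?id=N by hand."""
    job = next((j for j in jobs if j.job_id == job_id), None)
    if job is None:
        return "not found"
    if not can_delete(session, job):
        return "denied"
    jobs.remove(job)
    return "deleted"


# Constructed sample data for the demonstration.
SAMPLE_JOBS = [Job(1, "alice", "Fix printer"), Job(2, "bob", "Order toner")]

if __name__ == "__main__":
    alice = Session("alice", "level1")
    admin = Session("root", "admin")
    print(page_guard(Session(), "admin,level1,level3"))        # failedlogin.html
    print(render_job_list(alice, SAMPLE_JOBS))                  # link only on job 1
    print(render_job_list(admin, SAMPLE_JOBS))                  # link on both jobs
    print(handle_delete(alice, list(SAMPLE_JOBS), 2))           # denied
```

The point of `handle_delete` is that the same `can_delete` rule runs on the action page as on the listing page; the conditional link only tidies the user interface, and the delete handler is where access is actually enforced.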
RE: Security issues
Check to see if your cookie exists when they go to your registration page...

> Hello,
>
> We have rolled out a new promotion on the site, where it lets users go through the shopping cart process and "buy" 5 downloadable items without paying for them. Is there a more or less bulletproof way of ensuring that a user doesn't re-register on the site and get more freebies? Our solution is cookie/database based, but it won't help if a user re-registers.
>
> Thanks.

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.mimesweeper.com

--
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit http://www.houseoffusion.com/index.cfm?sidebar=listsbody=lists/cf_talk or send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.