Re: A Quick Question to Raymond RE: Your PowerPoint presentation...

[Jeff]

on 3/24/03 1:40 PM, Raymond Camden at [EMAIL PROTECTED] wrote:

> I'm trying to remember myself - guess I should learn to use the Notes
> field a bit more. ;)
> 
> I believe the idea was to hack your own session.urltoken. Basically,
> every link would have x=YYY, where Y would be an encrypted form of
> the username and password. Then you would decrypt the value and relogin
> using cflogin each hit. Of course, that could be dangerous if someone
> breaks your encryption.
> 
> As for the session thing - what you would do is simply store the
> username and password (and roles) in session values, then use
> session.urlToken. This would be a bit simpler for sure, although you
> would want to use the UUID for Session Token setting.
> 
> Hope that makes sense.

Yeah, it does. I ran across that bit this weekend and was curious how you
tied up the presentation, and if anything you had added there at the end was
something worthwhile following up on. It was, and I'm glad you remembered...

~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: A Quick Question to Raymond RE: Your PowerPoint presentation...

[Raymond Camden]

I'm trying to remember myself - guess I should learn to use the Notes
field a bit more. ;)

I believe the idea was to hack your own session.urltoken. Basically,
every link would have x=YYY, where Y would be an encrypted form of
the username and password. Then you would decrypt the value and relogin
using cflogin each hit. Of course, that could be dangerous if someone
breaks your encryption. 

As for the session thing - what you would do is simply store the
username and password (and roles) in session values, then use
session.urlToken. This would be a bit simpler for sure, although you
would want to use the UUID for Session Token setting.

Hope that makes sense.

===
Raymond Camden, ColdFusion Jedi Master for Mindseye, Inc
Member of Team Macromedia (http://www.macromedia.com/go/teammacromedia)

Email: [EMAIL PROTECTED]
Blog : www.camdenfamily.com/morpheus/blog
Yahoo IM : morpheus

"My ally is the Force, and a powerful ally it is." - Yoda 

> -Original Message-
> From: Jeff [mailto:[EMAIL PROTECTED] 
> Sent: Monday, March 24, 2003 10:18 AM
> To: CF-Talk
> Subject: A Quick Question to Raymond RE: Your PowerPoint 
> presentation...
> 
> 
> Raymond,
> 
> I was reading over your Powerpoint presentation last week 
> (ColdFusionMX Application Security), and I just remembered 
> something I had a quick question about...
> 
> On the last page of the presentation you have the following:
> 
> Extra - Cookie-less Security
> 
> Pass encrypted key in URL
> Like cookie-less session
> Use session variable
> Need to pass session.urlToken
> Need to coordinate session/login timeout.
> 
> I was just wondering what this was referring to, and if maybe 
> you could expand a little more on it...Specifically the "Pass 
> encrypted key in URL" part. Also the pass session.urlToken 
> part too...what's the deal with that?
> 
> 
~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Your ad could be here. Monies from ads go to support these lists and provide more 
resources for the community. http://www.fusionauthority.com/ads.cfm

Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4