> > So if I think this out logically, the ONLY way to ensure
> > absolute security is if the user has their cookies turned on.
>
> Well... That's not 100% secure either. It *is* possible for a
> malicious user to share his cookies with others. A malicious user
> could ALSO manually add ?CFID=
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> So if I think this out logically, the ONLY way to ensure
> absolute security is if the user has their cookies turned on.
Well... That's not 100% secure either. It *is* possible for a
malicious user to share his cookies with others. A malicious
See CFWACK3 p 656 for Forta's way to do this.
best, paul
At 05:29 PM 9/20/00 -0700, you wrote:
>I guess you could do a cookie check to find out whether their cookies are
>enabled, and if not, direct them to a set of "less secure" templates that
>do the variable passing through URLs and Form v
eers.com
ICQ: 346566
--
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 20, 2000 4:42 PM
> To: CF-Talk
> Subject: RE: Any Security Concerns Here? Passing Token in URL [CF-Talk]
>
>
> > But as
0, 2000 4:13 PM
> To: CF-Talk
> Subject: RE: Any Security Concerns Here? Passing Token in URL [CF-Talk]
>
>
> Session variables are nice, just remember that once you go to multiple
> servers to scale, you may have issues unless you use "stick
> servers/sessions&quo
http://www.warrick.net
>Business Email: [EMAIL PROTECTED]
>Business URL: http://www.fusioneers.com
>ICQ: 346566
>--
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, September 20, 2000 3:43 PM
>
> But as someone else on the list pointed out, I think I may have
> misstated that session variables require cookies. That person
> (forgot the name) said that session variables are stored in the
> server's RAM anyway, so it shouldn't matter if they have their
> cookies turned on or not.
Regardle
rk Warrick [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 20, 2000 3:06 PM
To: [EMAIL PROTECTED]
Subject: RE: Any Security Concerns Here? Passing Token in URL [CF-Talk]
Just to reiterate - you should never pass variables that identify a certain
user through forms or URLs. If you do, you leave y
:[EMAIL PROTECTED]]
> Sent: Wednesday, September 20, 2000 3:43 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Any Security Concerns Here? Passing Token in URL [CF-Talk]
>
>
> > Just to reiterate - you should never pass variables that identify
> > a certain user through forms or URLs.
> Just to reiterate - you should never pass variables that identify
> a certain user through forms or URLs. If you do, you leave your
> system open for other people to copy those params and screw with
> other people's records.
>
> Use session variables. You can store the session variables in
>
>-----Original Message-----
>From: Mark Warrick [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, September 20, 2000 5:06 PM
>To: [EMAIL PROTECTED]
>Subject: RE: Any Security Concerns Here? Passing Token in URL [CF-Talk]
>
>
>Just to reiterate - you should never pass va
eers.com
ICQ: 346566
--
> -----Original Message-----
> From: Chris Montgomery [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 20, 2000 2:44 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Any Security Concerns Here? Passing Token in URL [CF-Talk]
>
>
>
>
Zach,
Good response, that explains it better than I've seen before. Thanks!
Chris Montgomery [EMAIL PROTECTED]
Web Development & Consulting http://www.astutia.com
Allaire Consulting Partner & NetObjects Reseller
210-490-3249 / 888-745-7603   Fax 210-490-4692
Allaire Software Sa
eers.com
ICQ: 346566
--
> -----Original Message-----
> From: Chris Montgomery [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 20, 2000 2:44 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Any Security Concerns Here? Passing Token in URL [CF-Talk]
>
>
>
> Thanks for the comeback, Ma
Thanks for the comeback, Mark. My comments are below.
>-----Original Message-----
>From: Mark Warrick [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, September 20, 2000 4:20 PM
>To: [EMAIL PROTECTED]
>Subject: RE: Any Security Concerns Here? Passing Token in URL [CF-Talk]
>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Encryption won't help. The problem isn't the user having the
information that's in the URLToken. It's having users (perhaps
inadvertently) giving that info to someone else in the form of a
link. Encrypting the data doesn't make any difference in tha
Hi Chris,
So long as there is a way to identify the current client as the user of that URLToken,
it shouldn't be a problem. For example, if you were to set a session variable. But
then again, if you're using session variables, you don't need the URLToken. Another
thing you can do is set a c