From a security standpoint, CFLOCATION is the same as clicking a link
in a browser (since CFLOCATION actually just sends a relocation command
to the browser).  URL vars from CFLOCATIONs may be found in IIS logs,
browser cache files, or observed in transit.

That makes it quite significant in your solution as you described it.

-Cameron

On Tue, Jul 29, 2008 at 4:45 PM, Ajas Mohammed <[EMAIL PROTECTED]> wrote:
> Thanks for the suggestion, Cameron.
>
> Before we get into that, let me take one step back.
>
> How will someone get my URL? Here is the process explained in detail.
>
> There are 2 parties: one identity provider (IdP) and the other service
> provider (SP), i.e. me.
> The identity provider has their own server to authenticate users, which we are
> not concerned with. After this, the IdP user clicks on a link (I am not
> concerned with this link) and it brings the user to my verification module,
> and that's where I plan to use the logic with encryption that I had emailed
> in the first post.
>
> So, how can someone get my URL, if I plan to remove the URL vars I had
> generated earlier, and the URL is shown to the user as Myhome.cfm instead of
> being appended with variables?
>
> Any ideas?
>
> Ajas.
>
>
> On Tue, Jul 29, 2008 at 4:17 PM, Cameron Childress <[EMAIL PROTECTED]>
> wrote:
>>
>> On Tue, Jul 29, 2008 at 4:11 PM, Ajas Mohammed <[EMAIL PROTECTED]> wrote:
>> > Shawn/Cameron, yep, that's a big hole and I plan to use a timestamp to
>> > avoid it, but I don't know right now exactly how that will be done.
>>
>> Using any predictable or easy to guess information (like a timestamp)
>> is not a good security measure in most cases.
>>
>> > So, any suggestions for stopping a replay attack?
>>
>> One-time-use token.
>>
>> -Cameron
>>
>> --
>> Cameron Childress
>> Sumo Consulting Inc
>> http://www.sumoc.com
>> ---
>> cell: 678.637.5072
>> aim: cameroncf
>> email: [EMAIL PROTECTED]
>>
>>
>> -------------------------------------------------------------
>> To unsubscribe from this list, manage your profile @
>> http://www.acfug.org?fa=login.edituserform
>>
>> For more info, see http://www.acfug.org/mailinglists
>> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
>> List hosted by http://www.fusionlink.com
>> -------------------------------------------------------------
>>
>>
>>
>
>
>
> --
> <Ajas Mohammed />
> http://ajashadi.blogspot.com
> We cannot become what we need to be, remaining what we are.
> No matter what, find a way. Because that's what winners do.
> You can't improve what you don't measure.
> Quality is never an accident; it is always the result of high intention,
> sincere effort, intelligent direction and skillful execution; it represents
> the wise choice of many alternatives.
>


