> Thanks Jason,
>
> I decided to go for the general solution and used the URLEncodedFormat
> function to allow the encrypted values to be stored in a varchar(64) field in
> mysql.
>
> Next step is to work out the best way of securing the key value, keeping it in
> a file doesn't seem like a good idea. Is it possible to get the CF server to
> prompt for the key value when it starts up? This way the key would only be
> stored in memory while CF was running. This would be similar to the approach
> used by Apache with encrypted certificates.

I doubt it.
Store it in a file out of the web tree in a directory that only Apache's
user can get to.
(You're running Apache under a unique uid, right?)
Then chmod 400 the file, and make sure that if you have other users on the
box, you use suExec for their cgi execution so that they can't write a
script that runs under Apache's uid, and can thus read the file. Make sure
you don't let them use cffile to read your key either.
You can read the file each time you need the key, or you might prefer to
store it as a server variable if you're worried about excess disk access.
jason
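
A way to audit the layout described in the reply above, as an added example that is not part of the original thread: the function name `check_key_file` and its three arguments (key file path, web root, and the web server's user name) are assumptions to be filled in with your site's values.

```shell
#!/bin/sh
# Added example: audit a key file against the advice in the reply above.
# Usage: check_key_file KEYFILE WEBROOT OWNER   (all three are site-specific)

# Mode and owner lookup: GNU stat first, BSD stat as fallback.
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

check_key_file() {
    key=$1 webroot=$2 owner=$3 rc=0
    [ -f "$key" ] || { echo "FAIL: $key is not a regular file"; return 2; }

    # Resolve symlinked directories so a link cannot hide the real location.
    key_dir=$(cd "$(dirname "$key")" && pwd -P)
    web_dir=$(cd "$webroot" && pwd -P)

    # 1. The key must live outside the web tree.
    case "$key_dir/" in
        "$web_dir"/*) echo "FAIL: key is inside the web tree ($web_dir)"; rc=1 ;;
    esac

    # 2. Read-only for the owner, nothing for group or other (chmod 400).
    mode=$(file_mode "$key")
    [ "$mode" = 400 ] || { echo "FAIL: key mode is $mode, expected 400"; rc=1; }

    # 3. File and its directory belong to the web server's dedicated user.
    for p in "$key" "$key_dir"; do
        o=$(file_owner "$p")
        [ "$o" = "$owner" ] || { echo "FAIL: $p owned by $o, expected $owner"; rc=1; }
    done

    # 4. Only that user can enter the directory (mode ends in 00).
    dmode=$(file_mode "$key_dir")
    case "$dmode" in
        *00) ;;
        *) echo "FAIL: directory mode is $dmode, group/other must have no access"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $key"
    return "$rc"
}
```

The check covers file system permissions only; the suExec and cffile restrictions mentioned in the reply are server configuration and have to be reviewed separately.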