> Not all Users allow cookies.

If you turn off "session cookies" you will be very limited in what you can do on the internet. You won't be able to use Session State Management.

If you are looking for real high-level security, a combination of cookies, IP addresses, DB logs and the time interval between tries from the same IP can be good. But often you will turn away the user with very high security levels. Then again, it's the purpose of the application that makes that decision. Banking: yes, you need very high security. Retail eCommerce: nah.

Joe

On Fri, 13 Dec 2002 10:07:34 -0600 Andy Ousterhout <[EMAIL PROTECTED]> wrote:
> Joe,
>
> Not all Users allow cookies. I have them turned off on my machine.
> However, the real issue is what are your requirements, which was Jochem's first question on the prior thread. If you require users to use cookies and don't mind if a User keeps trying an unlimited time, using cookies to track works fine. The User can try 3 times, delete your cookie, then try again. I think this was the security issue that was pointed out earlier.
>
> Andy
>
> -----Original Message-----
> From: Joe Eugene [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 13, 2002 10:01 AM
> To: CF-Talk
> Subject: RE: Session Variables (was Login/Password screen)
>
> Why not simply write a cookie out if NOT defined for the application...
>
> For every login attempt, increment the cookie value by 1; if it exceeds 3 or whatever, switch app mode to whatever you want...
>
> I don't understand the use of IP Address or session variables or CFID/CFToken/JSessionid or whatever you guys are talking about here.
>
> Joe
>
> On Fri, 13 Dec 2002 09:23:31 -0600 Andy Ousterhout wrote:
> > Ok, let me restate to be sure that I understand...
> >
> > The security issue for counting login attempts is that a User can continue attempts so long as they remove CFID & Token from the URL and turn off / delete cookies. This can be countered by:
> >
> > 1. Tracking failed logon attempts by IP address. These would have to be saved in either DB, file, or Application Variable, then compared before each logon attempt.
> >
> > 2. Once a valid User ID has been entered, track unsuccessful attempts, then email the User if attempts exceed a certain number. You could also lock the account and require the user to return the Email, click on a link, or otherwise re-activate their account.
> >
> > 3. What else.......
> >
> > Andy
> >
> > -----Original Message-----
> > From: Jochem van Dieten [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, December 13, 2002 8:05 AM
> > To: CF-Talk
> > Subject: Re: Session Variables (was Login/Password screen)
> >
> > Quoting Andy Ousterhout:
> >
> > > What do you mean, maintained on the client?
> >
> > The client has to send the CFID and CFToken. If the client doesn't do that, the server will not be able to associate the appropriate session variables with the client request. That is not a problem when users are logged out when the session fails, but leaves a security risk if the client is allowed more when the session is not present. Simply refusing the cookies with the CFID and CFToken would give me an unlimited number of login attempts.
> >
> > Always design systems with a fail-close behaviour.
> >
> > Jochem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm
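The two designs argued over in this thread, as an added illustration that is not code from any of the posters and not ColdFusion: a counter carried in a cookie (Joe's proposal, which a client resets by discarding the cookie) next to failures recorded in server-held state keyed by source IP and by account with a lockout window and a notification hook (Andy's options 1 and 2, with Jochem's fail-closed rule: a client that withholds its session gets no more freedom than any other unauthenticated client). Python is used instead of CFML; the user table, the 203.0.113.x / 198.51.100.x addresses and the in-memory dicts are constructed stand-ins for the DB / Application-scope storage and the e-mail step the messages describe.

```python
"""Failed-login counting that cannot be reset from the client.

Constructed example: a cookie-held attempt counter versus server-side
failure tracking keyed by IP and by account.  USERS, the addresses and
the in-memory stores stand in for a real credential table, DB or
Application-scope storage, and the e-mail notification.
"""
import hmac
import time
from collections import defaultdict

MAX_ATTEMPTS = 3            # consecutive failures before a lock
LOCKOUT_SECONDS = 15 * 60   # how long an IP or account stays locked

# Constructed credential store; production code stores salted password hashes.
USERS = {"alice": "correct horse battery staple"}


def check_password(username, password):
    stored = USERS.get(username)
    # compare_digest avoids leaking the match position through timing
    return stored is not None and hmac.compare_digest(stored, password)


class CookieCounterLogin:
    """Counter lives in a cookie the client is asked to send back.

    A client with cookies off, or one that deletes the cookie after every
    failure, presents attempts=0 each time, so the limit never triggers.
    Returns (status, cookie_to_set).
    """

    def login(self, username, password, cookie):
        attempts = int(cookie.get("attempts", 0))
        if attempts >= MAX_ATTEMPTS:
            return "locked", cookie
        if check_password(username, password):
            return "ok", {}
        return "bad_password", {"attempts": attempts + 1}


class ServerSideLogin:
    """Failures recorded on the server, keyed by IP and by account.

    Nothing the client withholds (cookies, CFID/CFTOKEN, a session id)
    changes the count: a session-less request is just another
    unauthenticated request, which is the fail-closed behaviour.
    """

    def __init__(self, now=time.time):
        self.now = now                             # injectable clock
        self.failures_by_ip = defaultdict(list)    # ip -> failure timestamps
        self.failures_by_user = defaultdict(list)  # username -> timestamps
        self.notified = set()                      # accounts told about a lock

    def _recent(self, stamps):
        """Drop failures older than the window and return how many remain."""
        cutoff = self.now() - LOCKOUT_SECONDS
        stamps[:] = [t for t in stamps if t > cutoff]
        return len(stamps)

    def is_locked(self, username, ip):
        return (self._recent(self.failures_by_ip[ip]) >= MAX_ATTEMPTS
                or self._recent(self.failures_by_user[username]) >= MAX_ATTEMPTS)

    def login(self, username, password, ip):
        if self.is_locked(username, ip):
            return "locked"
        if check_password(username, password):
            self.failures_by_ip[ip].clear()
            self.failures_by_user[username].clear()
            return "ok"
        t = self.now()
        self.failures_by_ip[ip].append(t)
        self.failures_by_user[username].append(t)
        if self._recent(self.failures_by_user[username]) >= MAX_ATTEMPTS:
            self.notified.add(username)  # stand-in for e-mailing the owner
        return "bad_password"


def guesses_verified(attempt, n):
    """How many of n wrong guesses the server actually compared to the password."""
    return sum(1 for i in range(n) if attempt("wrong-%d" % i) == "bad_password")


def demo(n=10):
    """Attacker who never returns cookies, run against both designs."""
    cookie_app = CookieCounterLogin()
    cookie_hits = guesses_verified(lambda p: cookie_app.login("alice", p, {})[0], n)

    clock = [0.0]
    server_app = ServerSideLogin(now=lambda: clock[0])
    server_hits = guesses_verified(
        lambda p: server_app.login("alice", p, "203.0.113.7"), n)
    return cookie_hits, server_hits   # (n, MAX_ATTEMPTS)


if __name__ == "__main__":
    print(demo())
```

The account-level lock is what Joe warns about: once alice's account is locked, the genuine alice is turned away from any IP until the window expires or the account is re-activated, which is the trade-off the thread leaves to the application's purpose.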

