It does, unless someone decrypts your cookie. Why not simply store both the username and password? Then the only risk is if someone hacks into the user's computer, and THEN the only thing lost is ONE account. Currently if I decrypt your cookie I can become any account if I guess the ID.
===========================================================================
Raymond Camden, ColdFusion Jedi Master for Mindseye, Inc (www.mindseye.com)
Member of Team Macromedia (http://www.macromedia.com/go/teammacromedia)

Email    : [EMAIL PROTECTED]
Blog     : www.camdenfamily.com/morpheus/blog
Yahoo IM : morpheus

"My ally is the Force, and a powerful ally it is." - Yoda

> -----Original Message-----
> From: Jeff [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 10, 2003 7:54 AM
> To: CF-Talk
> Subject: Re: [cflogin] My Symptoms and my application.cfm code...
>
>
> on 7/10/03 9:51 AM, Raymond Camden at [EMAIL PROTECTED] wrote:
>
> > Not related to your issue, but this:
> >
> > <cfelseif isDefined("COOKIE.LogInID")>
> > <!--- Else the cookie WAS found, so we'll step in here
> > and take the cookie's LoginID value to log in --->
> >
> > What is to stop me from editing my cookie and setting my ID to be
> > someone else?
>
> Yeah, I see that too. Before the end of the day I was gonna
> add a cfencrypt to it. Wouldn't that do the trick?
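
The question raised in this thread (what stops a user from editing the LoginID cookie to someone else's ID) shown as an added Python example, not code from the original messages: a cookie trusted as a bare ID beside one that carries an HMAC tag computed with a server-only key. The function names, the `id.tag` cookie layout and the key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example; it is never sent to the browser.
SERVER_KEY = secrets.token_bytes(32)


def login_from_bare_cookie(cookie_value):
    """The pattern questioned in the thread: trust whatever ID the cookie holds."""
    if cookie_value.isascii() and cookie_value.isdigit():
        return cookie_value
    return None


def _tag(login_id, key):
    """HMAC-SHA256 over the login ID, hex encoded."""
    return hmac.new(key, login_id.encode(), hashlib.sha256).hexdigest()


def issue_cookie(login_id, key=SERVER_KEY):
    """Build the cookie value 'id.tag' when the user logs in."""
    return f"{login_id}.{_tag(login_id, key)}"


def login_from_signed_cookie(cookie_value, key=SERVER_KEY):
    """Return the login ID only if its tag verifies, otherwise None."""
    login_id, sep, tag = cookie_value.rpartition(".")
    if not sep or not (login_id.isascii() and login_id.isdigit()):
        return None
    expected = _tag(login_id, key)
    # Compare as bytes in constant time; bytes also tolerate non-ASCII input.
    if hmac.compare_digest(tag.encode(), expected.encode()):
        return login_id
    return None


if __name__ == "__main__":
    cookie = issue_cookie("17")                     # constructed sample user ID
    edited = "42" + cookie[cookie.index("."):]      # ID changed, tag left as issued
    print("bare cookie, edited ID   ->", login_from_bare_cookie("42"))
    print("signed cookie, untouched ->", login_from_signed_cookie(cookie))
    print("signed cookie, edited ID ->", login_from_signed_cookie(edited))
```

The tag only proves the server issued that ID; it does not hide the ID, and a copied cookie stays valid until the key changes unless an expiry is included in the signed data.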

