Original Message:
===========
Date: Mon, 17 Jul 2000 16:47:57 -0400
From: "Steve Bernard" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: RE: NEED HELP Encrypt Url ?
Message-ID: <[EMAIL PROTECTED]>
Could you share your solution with the class?
Steve
============
Sure, but you'll have to adapt it to your specific circumstances. I
used this custom encryption method when passing around an encrypted
email address in the URL to create a unique identifier for a user. You
could use it to encrypt almost anything, but you probably don't want it
to be terribly long because this method can expand the email address
into a pretty long string already.
<!--- This is the query done when the user logs in --->
<CFQUERY NAME="GetUserInfo" DATASOURCE="#DataDB#">
SELECT DISTINCT
ConstituentID,
Password,
Email
FROM Auth
WHERE ConstituentID = '#FORM.UserName#' AND Password =
'#FORM.Password#'
</CFQUERY>
<!---
Username and Password protection of case-sensitivity:
The Compare function below returns zero when two strings are compared
and they are
case-sensitively identical, so if they're not zero, they're not the
same.
Also the RecordCount must still be greater than zero to allow the
user to log on.
--->
<CFIF ( #GetUserInfo.RecordCount# is 0 )
OR ( #Compare(Username, GetUserInfo.ConstituentID)# IS NOT 0 )
OR ( #Compare(Password, GetUserInfo.Password)# IS NOT 0 )
>
Show error message explaining case-sensitivity of usernames and
passwords
</BODY>
</HTML>
<CFEXIT>
</CFIF>
<!---
Create an encrypted email address to pass around for user
authentication when needed.
NOTE that the ConstituentID (or UserID, whatever) cannot be a 1, but
anything greater than 1 is okay.
The idea is to use the ConstituentID as a kind of 'seed' with which
to encrypt the email address. The
FormatBaseN function translates the ASCII value of each character of
the email address into a number with a
base that is dependent upon the value of the ConstituentID. But
that ConstituentID cannot exceed 26 or the
FormatBaseN function fails, so it has to be translated to some
number less than 26 (in the 'while' loop below by
dividing by 1.3, which could of course be different).
--->
<CFSET aa = GetUserInfo.ConstituentID>
<CFSET code = ''>
<CFLOOP CONDITION="aa GT 26">
<CFSET aa = aa/1.3>
</CFLOOP>
<CFSET aa = Int(aa)>
<!--- Other delimiters could be used too; using several this way makes
the encrypted string baffling to potential hackers --->
<CFSET delims = '|,&,%,^,$,='>
<CFSET delimlistCount = 0>
<CFLOOP INDEX="X" FROM="1" TO="#Len(GetUserInfo.Email)#">
<CFSET delimListCount = delimListCount +1>
<CFSET code = code & ListGetAt(delims, delimListCount) &
"#FormatBaseN(Asc(Mid(Trim(GetUserInfo.Email), X, 1)), aa)#">
<CFIF delimListCount IS 6>
<CFSET delimListCount = 0>
</CFIF>
</CFLOOP>
<P>
<!---
The U variable is set to be a composite of the encrypted email
address and an unencrypted leading number that's the user's
ConstituentID. That way the
ConstituentID can be used at any time to decrypt the email address by
the reverse algorithm, shown below. The first delimiter will always be
a pipe symbol (|),
although the same delimiter can also be used with some others as
shown above in the encrypted email address
--->
<CFSET U = "#GetUserInfo.ConstituentID#|#URLEncodedFormat(code)#">
<!--- DEBUG:
U is <CFOUTPUT>#U#</CFOUTPUT>
STOP
<CFABORT>
--->
<!--- Can use a cookie instead of a URL variable if you want
<CFCOOKIE NAME="U" VALUE=#Variables.U# EXPIRES="1">
This is a trick to redirect the user to the home page after setting a
cookie. If you try
to set the cookie before doing a CFLOCATION (a regular HTTP
redirection), the cookie will
not be set properly. By doing the redirection w/JavaScript we're
accomplishing two things.
First, we're getting the cookie set and the user redirected. Second,
we're verifying that
the user's browser supports JavaScript--which it must for this app to
work properly.
You don't have to use a cookie to use this redirection method, here
is how it's used in a FuseBox-style application:
--->
<SCRIPT LANGUAGE="JavaScript">
<!-- Hide the code from all well-behaved non-JS browsers
<CFOUTPUT>
location = 'Index.cfm?FuseAction=LoginOK&U=#Variables.U#'
</CFOUTPUT>
// Unhide. -->
</SCRIPT>
===========
DECRYPTION:
===========
<!--- Don't let them do anything without a URL.U variable --->
<CFIF NOT IsDefined("URL.U")>
<CFINCLUDE TEMPLATE="Login.cfm">
<CFEXIT>
</CFIF>
<!--- Get the UserID from the U.URL variable --->
<CFSET aa = ListFirst(URL.U, '|')>
<CFLOOP CONDITION="aa GT 26">
<CFSET aa = aa/1.3>
</CFLOOP>
<CFSET aa = Int(aa)>
<CFSET code = ListRest(URL.U, '|')>
<CFSET delims = '|,&,%,^,$,='>
<CFSET delimlistCount = 0>
<CFSET decodedEmail = ''>
<CFSET BadCode = ''>
<CFLOOP INDEX="ii" LIST="#code#" DELIMITERS="#delims#">
<CFSET decodedEmail = decodedEmail & '#Chr(InputBaseN(ii,aa))#'>
</CFLOOP>
<!---
if the encrypted URL has been tampered with, it may decrypt into
some screwy ASCII characters that will cause the CheckAuth query below
to bomb. So replace any such characters with x's before putting it into
the query. Any good email address won't cause problems here.
--->
<!--- Character class fixed: the original read [^A-Z,a-z,@,\.,1-9], which
allowed literal commas and replaced the digit 0 in otherwise valid addresses --->
<CFSET decodedEmail =
'#REReplace("#Trim(decodedEmail)#","[^A-Za-z0-9@.]","x","ALL")#'>
<!--- Could also add email address checking with code like this
<P>
<CFIF NOT REFind(".+@.+\..+","#decodedEmail#")>
<CFSET error = "yes">
ERROR IN EMAIL ADDRESS
</CFIF>
--->
<!--- DEBUG:
<CFSETTING ENABLECFOUTPUTONLY="NO">
<P>
<CFOUTPUT>
U is #URLEncodedFormat(U)#
<P>
decodedEmail is #decodedEmail#
<P>
</CFOUTPUT>
--->
<CFQUERY NAME="CheckAuth" DATASOURCE="#DataDB#">
SELECT AuthID
FROM Auth
WHERE ConstituentID = #ListFirst(U,'|')#
AND Email = '#decodedEmail#'
</CFQUERY>
<!---
If the ConstituentID has been screwed around with in the URL or if
the encrypted email address has been screwed around with, the user will
not be authenticated here and should be sent back to the login screen.
--->
------------------------------------------------------------------------------
Archives: http://www.mail-archive.com/[email protected]/
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
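Added example (not from the post or the cf_talk thread): a Python port of the FormatBaseN/InputBaseN loops above, showing that because the 'seed' is the plaintext ConstituentID at the front of U, the email is recoverable from the URL alone, so the scheme is an encoding rather than encryption. The second half shows a keyed HMAC token as the tamper-evident alternative; the key and sample values are constructed for this example.

```python
import hashlib
import hmac
import re

DELIMS = "|&%^$="                      # the post's delims list, in order
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

def fold_seed(constituent_id):
    """Port of the CFLOOP that divides the ID by 1.3 until it fits a radix <= 26."""
    aa = float(constituent_id)
    while aa > 26:
        aa /= 1.3
    return int(aa)

def to_base(n, base):
    """Equivalent of FormatBaseN(n, base) for n >= 0 (lowercase digits)."""
    if n == 0:
        return "0"
    out = ""
    while n:
        n, r = divmod(n, base)
        out = DIGITS[r] + out
    return out

def encode_u(constituent_id, email):
    """Builds the post's U value: plaintext ID, a pipe, then one radix-aa number
    per character, each prefixed by the next rotating delimiter (URL-encoding omitted)."""
    aa = fold_seed(constituent_id)
    code = "".join(DELIMS[i % 6] + to_base(ord(ch), aa)
                   for i, ch in enumerate(email.strip()))
    return f"{constituent_id}|{code}"

def decode_u(u):
    """Recovers the email using nothing but U itself: the 'seed' is the leading number."""
    cid, _, code = u.partition("|")
    aa = fold_seed(int(cid))
    return "".join(chr(int(tok, aa)) for tok in re.split(r"[|&%^$=]", code) if tok)

def sign_token(constituent_id, email, key):
    """Tamper-evident alternative: a server-side keyed MAC over the values to be re-checked."""
    mac = hmac.new(key, f"{constituent_id}|{email}".encode(), hashlib.sha256).hexdigest()
    return f"{constituent_id}|{mac}"

def verify_token(token, email_from_db, key):
    """Recompute the MAC from the database's email for that ID; constant-time compare."""
    cid, _, mac = token.partition("|")
    expected = hmac.new(key, f"{cid}|{email_from_db}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)
```

Editing either the leading ID or the MAC in a signed token fails verification, whereas the original U value accepts any ID/email pair a requester constructs.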