Brad Roberts wrote:
> The problem lies in the browser caching the page... any way to get around
> that?
>
> You really can't rely on http_referrer... Here's what I'm doing (in a
> nutshell).
>
> Caller page:
> -----------------
>
> <cfset server.id = createUUID()>
> <cfoutput><script language="JavaScript" src="myJavascript.cfm?id=#server.id#"></script></cfoutput>
>
> Javascript page:
> -----------------
>
> <cfif compareNoCase(url.id, server.id) OR len(url.id) EQ 0>
> .. hacker
> <cfelse>
> <cfset server.id = "">
> </cfif>
>
> javascript code here.......
If I wanted to make it more difficult (not impossible) for somebody to get to the source of my javascript I would use a combination of mechanisms.

First, on the page referring to the javascript set a cookie, then use a <script ...> to link to the javascript. On the server, check both the referrer and the presence of the cookie and make sure the javascript is encrypted with the cookie as the key. From the first page, decrypt the javascript and execute it (you can do eval() on a variable that is just a bunch of javascript, right?). Make sure the last command from the decrypted javascript is to delete the cookie.

This bypasses the caching problem, because an encrypted version is cached, and you throw the key away as soon as it is decrypted. But with the right tools to track HTTP headers, this is still easy to bypass.

Jochem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4

