Re:MS Update broke security

Fri, 06 Feb 2004 10:33:50 -0800

Its time to focus on a solution to solve the problem. From a solutions perspective, the best long term solution would be querry off of Active Directory LDAP server and use that to determine users and roles.... however, what I suggest below is more of a short term fix that can be impemented today and buy time for the permanent solution using Active Directory/LDAP.

Step 1: Have the person login in using basic authentication
Step 2: If you are using IIS, two CGI variables will be created:
cgi.auth_user and cgi.auth_password.
Step 3: Create a database table containing the username and password. If there is not a record, run a querry or a stored proceedure to insert the record. If the password has been changed then, use the cgi variable to change the passwrod.
Step 4: Set a session variable noting the person has logged in. If you need the username and password for other applications, then look up the information in the database.

P.S. There was a good reason MS fixed this behavior in their browser. Turns out Phishers and Spammers were using this technique to gather credit card information from unsupecting users ruining their credit ratings!

Reference url: http://news.com.com/2100-7355-5153534.html?tag=cd_top

Jeremy Brodie
Edgewater Technology

web: http://www.edgewater.com
phone:(703) 815-2500
email: [EMAIL PROTECTED]

>For instance:
>
>
>
>Putting the username and password in the URL..... :-)
>
>
>
>Steve
>
>
>
>
>
>-----Original Message-----
>From: Josh Remus [mailto:[EMAIL PROTECTED]
>Sent: Friday, February 06, 2004 10:22 AM
>To: CF-Talk
>Subject: RE: MS Update broke security
>
>
>
>Honestly, none of this has sounded secure at all, actually.
>  -----Original Message-----
>  From: Thomas Chiverton [mailto:[EMAIL PROTECTED]
>  Sent: Friday, February 06, 2004 10:08 AM
>  To: CF-Talk
>  Subject: Re: MS Update broke security
>
>  On Friday 06 Feb 2004 13:59 pm, Robert Everland III wrote:
>  > that's just it I can't use anythign that requires user intervention.
>
>  Then you can't do security.
>
>  --
>  Tom Chiverton
>  Advanced ColdFusion Programmer
>
>  Tel: +44(0)1749 834997
>  email: [EMAIL PROTECTED]
>  BlueFinger Limited
>  Underwood Business Park
>  Wookey Hole Road, WELLS. BA5 1AF
>  Tel: +44 (0)1749 834900
>  Fax: +44 (0)1749 834901
>  web: www.bluefinger.com
>  Company Reg No: 4209395 Registered Office: 2 Temple Back East, Temple
>  Quay, BRISTOL. BS1 6EG.
>  *** This E-mail contains confidential information for the addressee
>  only. If you are not the intended recipient, please notify us
>  immediately. You should not use, disclose, distribute or copy this
>  communication if received in error. No binding contract will result from
>  this e-mail until such time as a written document is signed on behalf of
>  the company. BlueFinger Limited cannot accept responsibility for the
>  completeness or accuracy of this message as it has been transmitted over
>  public networks.***
>
>  _____  
>
>
[Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]

Reply via email to