One example I have worked on: I cached the logged-in user's credentials in a structure in the session and, before performing any important action, I checked for the right permission privilege in that user object before allowing delete/add/update or whatever.
Nick Han
>>> [EMAIL PROTECTED] 02/27/04 02:50PM >>>
> Let's see how well this one holds up:
>
> I put this on my form display page:
> <cfset variables.myUUID=CreateUUID()>
> <cfset client.OriginalFormStamp=variables.myUUID>
>
> and this:
>
> <input
> type="hidden"
> name="FormUID"
> value="#Hash(variables.myUUID)#">
>
> Note the value in the hidden-in-plain-sight form field is hashed.
>
> Then, on the form processor I first run a referrer test. As
> has been stated this has some definite holes in it, but I
> feel obligated to go through the motions anyway.
>
> If it gets past the referrer test, I then do this:
>
> <cfif CompareNoCase(form.formUID,Hash(client.OriginalFormStamp))>
> <!--- no match. fall down and go boom --->
> </cfif>
>
> So unless there is a hole here that I've missed, the form ID
> can be faked, but should not be able to get past the
> validation check on the other side; assuming I haven't done
> something loony like store my client vars in cookies.
What's to stop me from using CFHTTP to request the form, find out the
CFID/CFTOKEN values for the Client variables, then use CFHTTP to post data
to the action page along with the matching CFID/CFTOKEN?
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
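The exchange above, as an added example that is not part of the original thread: a Python model of the form-stamp scheme (CreateUUID() into the client scope, Hash() into the hidden field, CompareNoCase on the processor) standing in for the CFML, plus the two callers the replies describe. The session id string stands in for the CFID/CFTOKEN pair, the site URL and the in-memory client scope are assumptions, and the privilege-gated processor at the end is Nick Han's check layered on top of the stamp.

```python
import hashlib
import re
import secrets
import uuid

# In-memory stand-in for the client scope, keyed by a session id that
# plays the role of CFID/CFTOKEN. The site name is an assumption.
SITE = "https://www.example.com/"
client_scope: dict[str, dict] = {}


def new_session() -> str:
    """Hand out a fresh session id (CFID/CFTOKEN stand-in)."""
    sid = secrets.token_hex(8)
    client_scope[sid] = {}
    return sid


def cf_hash(s: str) -> str:
    """CFMX Hash() default: MD5, uppercase hex."""
    return hashlib.md5(s.encode()).hexdigest().upper()


def render_form(sid: str) -> str:
    """Form display page: CreateUUID() into client.OriginalFormStamp,
    Hash() of it into the hidden FormUID field."""
    stamp = str(uuid.uuid4())
    client_scope[sid]["OriginalFormStamp"] = stamp
    return f'<input type="hidden" name="FormUID" value="{cf_hash(stamp)}">'


def process_form(sid: str, form: dict, referer: str) -> str:
    """Form processor: referrer test, then CompareNoCase of the posted
    FormUID against Hash(client.OriginalFormStamp)."""
    if not referer.startswith(SITE):
        return "rejected: referrer"
    stamp = client_scope.get(sid, {}).get("OriginalFormStamp")
    posted = form.get("FormUID", "")
    if stamp is None or posted.casefold() != cf_hash(stamp).casefold():
        return "rejected: form stamp"
    return "accepted"


def read_stamp(html: str) -> str:
    """What a CFHTTP client does with the form page: pull the hashed stamp."""
    return re.search(r'name="FormUID" value="([0-9A-F]+)"', html).group(1)


def cross_session_forgery() -> str:
    """What the stamp does stop: a post riding the victim's session
    (cookies sent by the victim's browser) cannot supply the hash of a
    UUID the attacker never saw."""
    victim = new_session()
    render_form(victim)
    guess = {"FormUID": cf_hash("attacker guess")}
    return process_form(victim, guess, referer=SITE + "form.cfm")


def scripted_client() -> str:
    """Dave Watts's point: a CFHTTP client gets its own session, requests
    the form, reads the hashed stamp out of the HTML and posts it back
    under the same CFID/CFTOKEN with a spoofed Referer."""
    sid = new_session()
    field = read_stamp(render_form(sid))
    return process_form(sid, {"FormUID": field}, referer=SITE + "form.cfm")


def process_form_with_privilege(sid: str, form: dict, referer: str,
                                action: str) -> str:
    """Nick Han's check on top: the stamp only proves the post came from a
    session that saw the form, so the action is gated on the privileges
    cached for the user logged in to that session."""
    result = process_form(sid, form, referer)
    if result != "accepted":
        return result
    user = client_scope[sid].get("user")
    if user is None or action not in user["privileges"]:
        return "rejected: privilege"
    return "accepted"


def scripted_client_delete(logged_in: bool) -> str:
    """The scripted client against the privilege-gated processor: with no
    user logged in to its session, the stamp still matches but the delete
    is refused."""
    sid = new_session()
    if logged_in:  # constructed user record; only 'delete' is granted
        client_scope[sid]["user"] = {"name": "nick", "privileges": {"delete"}}
    field = read_stamp(render_form(sid))
    return process_form_with_privilege(sid, {"FormUID": field},
                                       referer=SITE + "form.cfm",
                                       action="delete")


if __name__ == "__main__":
    print("cross-session forgery:", cross_session_forgery())
    print("scripted client:", scripted_client())
    print("scripted delete, not logged in:", scripted_client_delete(False))
    print("scripted delete, logged in:", scripted_client_delete(True))
```

The stamp binds a post to the session that rendered the form, which is enough against a forged post arriving in someone else's session but nothing against a client that owns its session and can read the page; the Referer header is client-supplied and is spoofed in one line here. What decides whether the delete goes through is the privilege lookup, not the stamp.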