I know a little about Flash -- and there are decompilers out there...

I don't know how you really "hide" a flash app.

But "anything" that is sent to a client to maintain state with a server
can be spoofed, once you get past any initial login.

The best you can hope for is to make it so difficult that it is not
worth the effort.

HTH

Dick

On Feb 29, 2004, at 6:59 PM, Steve Nelson wrote:

>  >
>  > This can't stop anything. Both HTTP_HOST and HTTP_REFERER are set by the
>  > browser, and can be changed by anyone writing an HTTP client:
>  >
>  > <cfhttp ...>
>  > <cfhttpparam type="header" name="Host" value="...">
>  > <cfhttpparam type="header" name="Referer" value="...">
>  > </cfhttp>
>  >
>
>  How about a hidden flash app that uses the xmlload method to grab the
>  http_host/http_referer from the server in a hash format that is then
>  passed with all forms/urls? On the next pages, the hash returned by
>  flash would be compared with a hash of the
>  cgi.http_host/cgi.http_referer returned by CF/web server. While they
>  could fake the http_host/http_referer in the web client, it would be
>  different from the value returned by flash, so you could reject it.
>
>  I don't know enough about flash to know if that's easy to get around.
>
>  Steve Nelson
>
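
Added example, not part of either message: a Python sketch comparing the hash-of-headers check proposed above with a keyed, session-bound token. The host, referer, session ids and function names are constructed for illustration, and the unkeyed SHA-256 over `Host|Referer` is an assumption about how such a hash would be built.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; none come from the thread.
SITE_HOST = "www.example.com"
SITE_REFERER = "http://www.example.com/form.cfm"
SERVER_KEY = secrets.token_bytes(32)  # never leaves the server


def header_hash(host, referer):
    """Unkeyed hash of the two headers (assumed form of the proposed hash)."""
    return hashlib.sha256(f"{host}|{referer}".encode()).hexdigest()


def check_header_hash(headers, submitted_hash):
    """Proposed check: submitted hash must equal the hash of the request headers."""
    expected = header_hash(headers.get("Host", ""), headers.get("Referer", ""))
    return hmac.compare_digest(expected, submitted_hash)


def issue_token(session_id):
    """Keyed token bound to a server-side session id; needs SERVER_KEY to compute."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_token(session_id, submitted_token):
    """Accept only the token this server issued for this session."""
    return hmac.compare_digest(issue_token(session_id), submitted_token)


def demo():
    # The client supplies both the headers and the hash, so the two always agree.
    headers = {"Host": SITE_HOST, "Referer": SITE_REFERER}
    client_hash = header_hash(headers["Host"], headers["Referer"])
    return {
        "header_hash_accepts_client_made_value": check_header_hash(headers, client_hash),
        "token_accepts_client_made_value": check_token("session-A", client_hash),
        "token_accepts_issued_value": check_token("session-A", issue_token("session-A")),
        "token_accepts_other_session_value": check_token("session-A", issue_token("session-B")),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The keyed token cannot be computed by the client, but the client it was issued to can still send it back from any HTTP client, which is the limit described in the reply at the top of the thread.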