I think the most important thing to do is lock down the server before worrying about code. That's usually where most attacks will focus. A few simple things you can do:

Break out the CFIDE from your server's webroot and create another site for it. Then lock down that site with permissions from the web server to the file system.

Don't store username and password in the CFIDE. Pass it through with your code on each call. You can even go as far as integrating your database server's users/roles directly into your application.

Crap, I gotta go to a meeting. There is a lot more you can do, hope this spawns some more ideas.

-Adam

> -----Original Message-----
> From: Tangorre, Michael [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 23, 2004 01:28 PM
> To: 'CF-Talk'
> Subject: Securing CF Apps.
>
> What kind of defenses are people putting in to prevent cookie poisoning,
> session hijacking, parameter tampering, etc...?
> Does everyone keep this stuff in mind while coding? To be honest, my past
> code has been lax when it comes to making sure all the holes are "plugged",
> and even now, some automated testing tools we have are finding
> vulnerabilities!
>  
> The checks I have been putting in place and the encrypting of parameters and
> such are definitely adding time to development, but at the same time, the
> quality of the application is much much better....
>  
> what does everyone else do to prevent malicious users?
>  
> Mike
>
>
>
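Mike's message mentions signing/encrypting request parameters to defend against parameter tampering. The following is an added illustration of one way to do that, written in Python rather than CFML so it can be run anywhere; it is not code from this thread or from either poster. The parameter names, the secret key and the sample query string are constructed for the example, and the key would normally be loaded from a config file kept outside the webroot (per Adam's point about keeping secrets out of served directories).

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed for this example: a real deployment loads the key from
# configuration outside the webroot and rotates it. Never ship a literal key.
DEFAULT_KEY = b"constructed-example-key-replace-me"


def _canonical(params: dict) -> str:
    """Deterministic encoding of the parameters that get signed.

    The 'sig' field is excluded and the rest are sorted by name so that
    client-side reordering of parameters cannot break verification.
    """
    items = sorted((k, str(v)) for k, v in params.items() if k != "sig")
    return urlencode(items)


def sign_params(params: dict, key: bytes = DEFAULT_KEY) -> str:
    """Build a query string whose parameters carry an HMAC-SHA256 signature.

    Any later change to a signed value (e.g. account_id=42 -> 43) will fail
    verification, because the attacker does not hold the server-side key.
    """
    canonical = _canonical(params)
    mac = hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()
    return canonical + "&sig=" + mac


def verify_query(query_string: str, key: bytes = DEFAULT_KEY):
    """Return the verified parameters as a dict, or None if the signature
    is missing or does not match.

    A None result should be treated as a tampering attempt: log it and
    refuse the request rather than falling back to the unsigned values.
    """
    items = dict(parse_qsl(query_string, keep_blank_values=True))
    presented = items.pop("sig", None)
    if presented is None:
        return None
    expected = hmac.new(key, _canonical(items).encode("utf-8"),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak which prefix
    # of the signature was correct.
    if not hmac.compare_digest(expected, presented):
        return None
    return items


if __name__ == "__main__":
    # Constructed sample: the server signs a link, the client returns it.
    link = sign_params({"account_id": "42", "action": "view"})
    print("signed :", link)
    print("valid  :", verify_query(link))
    # Simulated tampering: user edits the account_id in the address bar.
    tampered = link.replace("account_id=42", "account_id=43")
    print("tampered:", verify_query(tampered))
```

The same idea applies to cookie values: sign the serialized cookie payload, verify on every request, and reject anything that fails, so a client cannot "poison" a cookie by editing it. Signing makes values tamper-evident but not secret; if a parameter must also be hidden from the user, encrypt it as well.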