a page displays user specific medical record data and take URL param containing user_ID
don't encrypt user_ID in URL
-any shmuck can alter the value of user_ID to see anyone's data
do encrypt user_ID in URL
-same shmuck would not be able to make such a chnage as the user_ID would not decrypt properly and the query would fail
I'd say encrypting vars in the URL is pretty dang important ;-)
That said it's also a good idea to make sure the record being displayed belongs to the logged in user ;-)
Cheers
Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
t. 250.920.8830
e. [EMAIL PROTECTED]
---------------------------------------------------------
Macromedia Associate Partner
www.macromedia.com
---------------------------------------------------------
Vancouver Island ColdFusion Users Group
Founder & Director
www.cfug-vancouverisland.com
----- Original Message -----
From: Adrocknaphobia
To: CF-Talk
Sent: Tuesday, March 23, 2004 12:47 PM
Subject: Re: Securing CF Apps.
Little is better than none.
-adam
> -----Original Message-----
> From: Kwang Suh [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 23, 2004 08:42 PM
> To: 'CF-Talk'
> Subject: RE: Securing CF Apps.
>
> Munging URLs provides a little, if any, benefit for web apps.
>
> ----- Original Message -----
> From: "Heald, Tim" <[EMAIL PROTECTED]>
> Date: Tuesday, March 23, 2004 1:34 pm
> Subject: RE: Securing CF Apps.
>
> > Good post man, and your right, for the most part the applications
> > I am
> > talking about are not available over the internet, or only through
> > VPN or
> > other methods.
> >
> > Like I said earlier, for public sites you are going to use very
> > differentresources than you will use on a closed/classified
> > application.
> > However the topic was securing CF apps. Not sites :) it can be
> > difficultfor some to differentiate between an application and a site.
> >
> > --
> > Timothy Heald
> > Web Portfolio Manager
> > Overseas Security Advisory Council
> > U.S. Department of State
> > 571.345.2319
> >
> > The opinions expressed here do not necessarily reflect those of
> > the U.S.
> > Department of State or any affiliated organization(s). Nor have these
> > opinions been approved or sanctioned by these organizations. This
> > e-mail is
> > unclassified based on the definitions in E.O. 12958.
> >
> > -----Original Message-----
> > From: Ian Skinner [EMAIL PROTECTED]
> > Sent: Tuesday, March 23, 2004 3:19 PM
> > To: CF-Talk
> > Subject: RE: Securing CF Apps.
> >
> >
> > I see this as a sliding scale, security vs user experience.
> >
> >
> > There's the general public website where the the owners want as much
> > exposure as possible. For this type of application you may not want
> > security to the nth degree. As was just posted, allowing the user to
> > bookmark pages and/or directly type url's is desirable for the
> > purpose of
> > that application.
> >
> >
> > On the other hand, there are applications where this is
> > undesirable. I
> > suspect that applications Tim is writing are even available to the
> > generalpublic at all, and if you are even seeing the page in a
> > browser if you are
> > not supposed to be, you have hacked through several layers of security
> > already.
> >
> >
> > We write applications somewhat in the middle. There are parts of
> > our data
> > that we DO NOT WANT to exposed to any more risk then we can, very
> > sensitiveHIPPA data. We are taking at least a year to thoroughly
> > test our first
> > application that will allow a very limited access to users to
> > their personal
> > data directly through the internet.
> >
> >
> > So it all comes down to the analysis that has been mentioned. You
> > need to
> > decided on the purpose of the application, what are it's security
> > needs and
> > build to that level.
> >
> >
> > My .02, keep the change.
> > --------------
> > Ian Skinner
> > Web Programmer
> > BloodSource
> > www.BloodSource.org
> > Sacramento, CA
> >
> > "C code. C code run. Run code run. Please!"
> > - Cynthia Dunning
> > _____
> >
> >
> >
> >
>
>
[Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
