HTTPS will only secure the cookies in transit.  They'll still be stored in
plain text on the user's computer, and may even be sent to the server over
plain HTTP if they weren't specifically set with the secure option.

However, if you're using a new UUID each time the form is generated,
then the odds of this hole being exploited are acceptably small, at least to
me.

What are the odds that you'll generate a form, and before the person submits
it or a timeout happens some malicious user is going to get both the HTML of
the form sent to the user (for the hidden form field) AND their cookie
values?  About the only chance you've got is packet sniffing, which HTTPS
will take care of, and killing the user at their terminal and taking over,
which there is no way to prevent.

You can also consider mixing other data in the hash, such as the visitor's
user agent, or even their IP (though that can get you in trouble if a
network has multiple outbound routers).

Cheers,
barneyb

> -----Original Message-----
> From: Andrew Grosset [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, May 11, 2004 8:10 PM
> To: CF-Talk
> Subject: Re: http_referer
>
> Thanks Matt for the comprehensive reply. I kind of thought
> that there was a flaw in setting a persistent uuid because
> cookies can be hijacked etc. On a related note I wonder if
> using a secure site (https://) can stop cookie hijacking - I
> have a feeling it can't ?
>
> Andrew.
>
>
> >I used to create a uuid, store it in a persistent scope, hash it, put
> >that in the hidden form field and then do a comparison on the form post
> >side.  I thought this would stop scrapers as they couldn't know the hash
> >source.
> >
> >I threw this out here in another thread and asked if it had holes.  Dave
> >Watts pointed out that anyone can visit the form page and take the
> >hidden field and the key pair cookie values.  Once they have those and
> >can fake headers they can blow right past pretty much anything but the
> >gif-code thingie, but even that just requires a human to submit.
> >
> >I'd recommend doing all of the tests you can think of.  Referrers,
> >request method, hidden fields, input scrubbing, cfqueryparam etc.  But I
> >don't think the solution can be made truly ironclad.
> >
> >--------------------------------------------
> > Matt Robertson       [EMAIL PROTECTED]
> > MSB Designs, Inc.  http://mysecretbase.com
> >
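The scheme discussed in this thread (a fresh UUID per form render kept server-side, only a keyed hash of it in the hidden field, a timeout, and the User-Agent mixed into the hash) written out as an added example in Python. This is not code from the thread or from any of its posters' ColdFusion applications. The server key, the 300-second timeout, the in-memory per-session store, and the session ids and User-Agent strings in the demo are all constructed for illustration. The demo also reproduces the hole Dave Watts described: a scraper that fetches the form in its own session holds a matching field/cookie pair and passes.

```python
import hashlib
import hmac
import secrets
import time
import uuid

# Assumed server-side secret; in a real deployment it lives in config, never in a page.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 300  # assumed form timeout


class FormTokenStore:
    """Per-session store of single-use form tokens.

    Keys are session ids (what the session cookie points at); values map the
    plain UUID kept server-side to the time it was issued.  Only the keyed
    hash of the UUID is ever placed in the page.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS):
        self.ttl = ttl
        self._tokens = {}  # session_id -> {uuid_str: issued_at}

    @staticmethod
    def _hidden_value(session_id, token_uuid, user_agent):
        # Bind the hidden field to the session, the fresh UUID and the client's
        # User-Agent, so a copy lifted from another user's page (or posted from
        # a different browser) will not verify.
        msg = b"\x00".join(s.encode() for s in (session_id, token_uuid, user_agent))
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id, user_agent, now=None):
        """Generate a fresh UUID for this form render; return the hidden-field value."""
        now = time.time() if now is None else now
        token_uuid = str(uuid.uuid4())
        self._tokens.setdefault(session_id, {})[token_uuid] = now
        return self._hidden_value(session_id, token_uuid, user_agent)

    def verify(self, session_id, user_agent, hidden, now=None):
        """Accept the posted hidden value once, only from the issuing session, before timeout."""
        now = time.time() if now is None else now
        per_session = self._tokens.get(session_id, {})
        # Drop anything past the timeout so a stale token can never match.
        for tok, issued in list(per_session.items()):
            if now - issued > self.ttl:
                del per_session[tok]
        for tok in list(per_session):
            expected = self._hidden_value(session_id, tok, user_agent)
            if hmac.compare_digest(expected, hidden):
                del per_session[tok]  # single use: replaying the same post fails
                return True
        return False


def demo():
    """Constructed sessions and User-Agents; returns which submissions are accepted."""
    store = FormTokenStore()
    ua = "Mozilla/5.0 (constructed browser)"
    t0 = 1_000_000.0

    hidden = store.issue("sess-alice", ua, now=t0)
    results = {
        "legit_submit": store.verify("sess-alice", ua, hidden, now=t0 + 10),
        "replay": store.verify("sess-alice", ua, hidden, now=t0 + 11),
    }

    hidden = store.issue("sess-alice", ua, now=t0)
    # Hidden field copied from Alice's page, but posted under Mallory's cookie.
    results["stolen_field_other_cookie"] = store.verify("sess-mallory", ua, hidden, now=t0 + 10)
    # Right cookie and field, different User-Agent.
    results["other_user_agent"] = store.verify("sess-alice", "curl/8.0", hidden, now=t0 + 10)
    # Right everything, but after the timeout.
    results["after_timeout"] = store.verify("sess-alice", ua, hidden, now=t0 + TOKEN_TTL_SECONDS + 1)

    # The hole Dave Watts pointed out: a scraper that fetches the form in its own
    # session gets a matching field and cookie pair, and sails through.
    bot_hidden = store.issue("sess-bot", "curl/8.0", now=t0)
    results["scraper_own_session"] = store.verify("sess-bot", "curl/8.0", bot_hidden, now=t0 + 1)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:28s} accepted={accepted}")
```

The constant-time compare and the keyed hash keep an attacker from learning the stored UUID from the hidden value, and the session/User-Agent binding defeats the cross-user replay barneyb is weighing above; as the final case shows, none of it stops a bot that simply loads the form first, which is Matt's point that the check cannot be made ironclad.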