Well, let me back up a bit. 1) The fact that CFLOGIN uses a cookie and NOT the session scope isn't a bug. It's just weird. To "tie" it, you have to write custom code. Go to my blog and do a search for cflogin.
2) The security issue with CFLOGIN/Session HAS been posted to Macromedia.... I'm mostly sure about it... but I don't believe a formal bug exists in their system yet. I was working w/ Sarge on that and I'll have to bug him about that. I -can- say his blog does mention the bug in great detail. This is not what he says, but my opinion - do not use CFLOGIN/Session. Period. When it comes to security, you cannot be too anal. If you do use CFLOGIN/Cookie, be sure to remember that it is not tied by default to the session scope.

On Tue, 7 Dec 2004 08:46:20 +0100, Hugo Ahlenius <[EMAIL PROTECTED]> wrote:
> Ray,
>
> I wasn't aware of these problems, can you elaborate a little bit on this?
> Just checked on livedocs, and no comments relating to this on the
> cflogin page...
> <http://livedocs.macromedia.com/coldfusion/6/CFML_Reference/Tags-pt169.htm>
>
> --
> Hugo Ahlenius
>
> -------------------------------------------------------------
> Hugo Ahlenius          E-Mail: [EMAIL PROTECTED]
> Project Officer        Phone:  +46 8 230460
> UNEP GRID-Arendal      Fax:    +46 8 230441
> Stockholm Office       Mobile: +46 733 467111
>                        WWW:    http://www.grida.no
> -------------------------------------------------------------
>
> |-----Original Message-----
> |From: Raymond Camden [mailto:[EMAIL PROTECTED]]
> |Sent: Monday, December 06, 2004 23:42
> |To: CF-Talk
> |Subject: Re: CFLOGIN
> |
> |I'm a big proponent of CFLOGIN, however it is a bit tricky and
> |is, unfortunately, broken now. I used to recommend it to
> |folks, and now I recommend against it. There is a bug (in the
> |process of being logged) that involves the session based
> |version of CFLOGIN that was introduced in CFMX 6.1. That means
> |only the Cookie version is safe. That being said, if you want
> |to tie CFLOGIN/Cookie to a session, it IS possible, just not
> |super simple.
> |
> |I _really_ like CFLOGIN, and I hope/assume the Session
> |security hole will be fixed in Blackstone.
> |
> |That probably doesn't help you much.
> |
> |
> |On Mon, 6 Dec 2004 15:01:12 -0700, Paul <[EMAIL PROTECTED]> wrote:
> |> I was developing CF apps well before they came up with their CFLOGIN
> |> scheme, and I still have yet to take time to investigate it much.
> |>
> |> Do you all make use of these built in authentication tags? Are there
> |> shortcomings I should be aware of that negate any gains? I'm
> |> intrigued by the ability to control access to CFC functions using the
> |> ROLES attribute, but wary of trying a new authentication method when
> |> I'm comfortable in my ways.
> |>
> |> TIA

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:186441
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
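The point made above is that the CFLOGIN/Cookie login lives in a cookie of its own and is not bound to the session scope unless you add code for it. The following Application.cfm fragment is an added example of one way to do that binding; it is not code from this thread or from Ray's blog. It assumes a tag-based CFMX 6.1 style Application.cfm, a session key named `cfloginUser` chosen here for illustration, and a hypothetical `authenticate()` helper that returns the user's roles list or an empty string when the credentials are rejected.

```cfml
<!--- Application.cfm (hypothetical; CFMX 6.1 tag style) --->
<!--- loginstorage="cookie" is the CFLOGIN/Cookie variant discussed in the thread --->
<cfapplication name="myApp" sessionmanagement="yes" loginstorage="cookie">

<!---
  The CFLOGIN cookie survives a session timeout or a session reset on its own.
  To tie it to the session: record who logged in inside the session scope when
  cfloginuser runs, and on every later request force a logout when the cookie
  names a user that this session has no matching record of.
--->
<cfif getAuthUser() neq ""
      and (not structKeyExists(session, "cfloginUser")
           or session.cfloginUser neq getAuthUser())>
    <!--- cookie says "logged in", session does not agree: drop the cookie login --->
    <cflogout>
</cfif>

<!--- the cflogin body only runs when no user is currently logged in --->
<cflogin>
    <!--- the cflogin struct exists only when credentials were submitted --->
    <cfif isDefined("cflogin")>
        <!--- authenticate() is a hypothetical helper: roles list, or "" on failure --->
        <cfset roles = authenticate(cflogin.name, cflogin.password)>
        <cfif roles neq "">
            <cfloginuser name="#cflogin.name#"
                         password="#cflogin.password#"
                         roles="#roles#">
            <!--- the session-side record that ties this login to this session --->
            <cfset session.cfloginUser = cflogin.name>
        </cfif>
    </cfif>
</cflogin>
```

With this in place a request that arrives with a valid CFLOGIN cookie but no live session (timed out, restarted server, or a session belonging to a different login) is logged out before any page code runs, so the effective lifetime of the login becomes the session's lifetime rather than the cookie's. The logout check must come before `<cflogin>`, because the cflogin body is skipped whenever the cookie still reports a logged-in user.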

