Hi Chris,

So long as there is a way to identify the current client as the user of that URLToken, 
it shouldn't be a problem.  For example, if you were to set a session variable.  But 
then again, if you're using session variables, you don't need the URLToken.  Another 
thing you can do is set a cookie on the client's machine to match the URLToken.  It's 
not 100% secure, but it's pretty good.

In general, I always use session variables as my primary means of making sure that the 
client "logged in" is the right one.

---mark

--------------------------------------------------------------
Mark Warrick
Phone: (714) 547-5386
Efax.com Fax: (801) 730-7289
Personal Email: [EMAIL PROTECTED]
Personal URL: http://www.warrick.net 
Business Email: [EMAIL PROTECTED]
Business URL: http://www.fusioneers.com
ICQ: 346566
--------------------------------------------------------------


> -----Original Message-----
> From: Chris Montgomery [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 20, 2000 1:55 PM
> To: Cf-Talk
> Subject: Any Security Concerns Here? Passing Token in URL [CF-Talk]
> 
> 
> Howdy,
> 
> When passing a URLtoken (e.g., #session.URLtoken#) in the URL to
> maintain state on public sites, are there any real security concerns?
> I've seen reference to this in a couple of places, but never an explicit
> explanation on what the real security implications might be.  Would
> encrypting the URLtoken be better?
> 
> TIA,
> 
> Chris Montgomery             [EMAIL PROTECTED]
> 
> Web Development & Consulting http://www.astutia.com
> Allaire Consulting Partner & NetObjects Reseller
> 210-490-3249/888-745-7603    Fax 210-490-4692
> Allaire Software Sale!  http://www.astutia.com/store
> Find a Job in San Antonio    http://www.sajobnet.com
> 
> ------------------------------------------------------------------------------
> Archives: http://www.mail-archive.com/[email protected]/
> To Unsubscribe visit http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
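Mark's suggestion of matching the URL token against a cookie set on the client, written up as an added Python example (not ColdFusion code, and not from either poster): the token in the URL identifies the session, but the server only honours it when the browser also presents the separate random cookie value issued alongside it, so a URL that ends up in a bookmark, a Referer header or a proxy log carries the token but not the cookie. The in-memory `SESSIONS` store and the `demo()` helper are constructed for the illustration.

```python
import hmac
import secrets

# Constructed in-memory session store for the example:
# url_token -> {"user": ..., "cookie_secret": ...}
SESSIONS = {}


def create_session(user):
    """Start a session. The URL token names the session; a second random
    value, sent only as a cookie, binds that session to the browser."""
    url_token = secrets.token_urlsafe(16)
    cookie_secret = secrets.token_urlsafe(32)
    SESSIONS[url_token] = {"user": user, "cookie_secret": cookie_secret}
    return url_token, cookie_secret


def resolve_session(url_token, cookie_secret):
    """Return the session's user only when BOTH the URL token and the
    matching cookie value are presented; otherwise return None."""
    sess = SESSIONS.get(url_token)
    if sess is None:
        return None
    if cookie_secret is None:
        # Token alone (e.g. a copied URL) is not enough.
        return None
    # Constant-time compare so the check does not leak the cookie value
    # through timing differences.
    if not hmac.compare_digest(sess["cookie_secret"], cookie_secret):
        return None
    return sess["user"]


def demo():
    """Show the three cases: legitimate browser, leaked URL without the
    cookie, and a different browser presenting a wrong cookie value."""
    token, cookie = create_session("chris")
    legit = resolve_session(token, cookie)
    leaked_url_only = resolve_session(token, None)
    wrong_cookie = resolve_session(token, "not-the-issued-value")
    return legit, leaked_url_only, wrong_cookie


if __name__ == "__main__":
    print(demo())  # ('chris', None, None)
```

Encrypting the URL token, as Chris asks about, does not change this picture: an encrypted token that is still accepted on its own is still a bearer value that a copied URL replays, which is why the binding to something the URL does not carry is the part that matters.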
