Thanks for the comeback, Mark. My comments are below.
>-----Original Message-----
>From: Mark Warrick [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, September 20, 2000 4:20 PM
>To: [EMAIL PROTECTED]
>Subject: RE: Any Security Concerns Here? Passing Token in URL [CF-Talk]
>
>
>Hi Chris,
>
>So long as there is a way to identify the current client as
>the user of that URLToken, it shouldn't be a problem.
Ok, I do this by setting appropriate session variables once they've
successfully logged in, when necessary.
>For example, if you were to set a session variable. But then
>again, if you're using session variables, you don't need the
>URLToken.
Yes, I'm using SessionManagement and setting session variables, but now
I want to account for instances where users may not be accepting cookies
(which I haven't been doing to this point). Trying to cover all bases,
so I've decided to pass the tokens via URL or Form variables.
>Another thing you can do is set a cookie on the
>client's machine to match the URLToken. It's not 100% secure,
>but it's pretty good.
>
My client doesn't want to use cookies.
>In general, I always use session variables as my primary means
>of making sure that the client "logged in" is the right one.
>
As do I. So, to reiterate, you don't see a problem with passing the
URLToken "in the clear"?
Thanks again.
>---mark
>
>--------------------------------------------------------------
>Mark Warrick
>Phone: (714) 547-5386
>Efax.com Fax: (801) 730-7289
>Personal Email: [EMAIL PROTECTED]
>Personal URL: http://www.warrick.net
>Business Email: [EMAIL PROTECTED]
>Business URL: http://www.fusioneers.com
>ICQ: 346566
>--------------------------------------------------------------
<snip>
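
The checks discussed in this thread, as an added example that is not part of the original messages: a token arriving in the URL or a form field is accepted only if the server-side session it names is marked as logged in, and if a cookie does come back it must match the token. Python stands in for the application here, and the store and function names are hypothetical.

```python
import hmac
import secrets

# Constructed in-memory session store: token -> session variables.
SESSIONS = {}


def login(username):
    """Create a session after a successful login and return its URL token."""
    token = secrets.token_urlsafe(32)  # unguessable, so it cannot be enumerated
    SESSIONS[token] = {"logged_in": True, "user": username}
    return token


def check_request(url_token, cookie_token=None):
    """Return the logged-in user for this request, or None to force a login.

    url_token    -- token taken from the URL or a hidden form field
    cookie_token -- matching cookie value, or None if the browser sent no cookie
    """
    if not url_token:
        return None
    session = SESSIONS.get(url_token)
    # The token alone proves nothing: the session variables decide.
    if session is None or not session.get("logged_in"):
        return None
    # If a cookie came back, it must match the URL token (constant-time compare).
    if cookie_token is not None and not hmac.compare_digest(
        cookie_token.encode(), url_token.encode()
    ):
        return None
    # With cookies disabled, the session check above is the only control left.
    return session["user"]


def logout(url_token):
    """Drop the session so a token left in history or logs stops working."""
    SESSIONS.pop(url_token, None)
```

When the browser sends no cookie, the URL token is the sole credential for the session, so it needs to be unguessable and invalidated at logout.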