You would always hash any information that the user could mess with,
no matter what it is.  And you should have validation on all of it
too.  The same as if you had URL variables.

Use a UUID for a userid if you are worried about them changing it.
10 bucks says they don't guess anyone right but their own in 10 tries.
;)

On 11/28/05, Russ <[EMAIL PROTECTED]> wrote:
> Cookies are not very secure now, are they?  Let's say I was going to let the
> user be logged in, and I wanted that to persist... So I would do..
>
> Client.userId=123456
>
> Now, the user has no way to change that... Now, let's say I store it in the
> cookie...
>
> <Cfcookie name="userId" value="123456">
>
> Now, the user can examine their cookies and know their userid.  Worse, they
> can change the userid, and be logged in as a different user.
>
> Russ
>
> -----Original Message-----
> From: Ryan Guill [mailto:[EMAIL PROTECTED]
> Sent: Monday, November 28, 2005 2:04 PM
> To: CF-Talk
> Subject: Re: pseudo-memory leak
>
> I have never really found a need for client variables.  What benefit do they
> really offer?  The only time I could see using them is when you had
> something that you might think about storing in a cookie.  I rarely come
> across a need like that where I don't really want a cookie,
> and if I do I usually just store it in the session.   Am I missing
> something there?
>
> On 11/28/05, Russ <[EMAIL PROTECTED]> wrote:
> > Are you still running another server on BD?  How is BD handling this
> > issue?
> >
> > -----Original Message-----
> > From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
> > Sent: Monday, November 28, 2005 1:38 PM
> > To: CF-Talk
> > Subject: pseudo-memory leak
> >
> > I've written up my thoughts on what looks like the problem that the
> > House of Fusion server was facing for the last few weeks. It's a
> > problem that probably affects others but I'm not going to comment on
> > how wide spread it is until the full write-up on Fusion Authority.
> > These are just my notes and thoughts.
> > http://www.blogoffusion.com/index.cfm/2005/11/28/pseudomemory-leak
> >
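The signed-cookie scheme suggested above (hash anything the client can edit, then check it on every request), as an added example that is not part of this thread or of any ColdFusion library: a keyed HMAC is used rather than a plain hash, because a bare hash of the id could be recomputed by anyone who works out the scheme, and an unguessable random session token is shown as the alternative. The key and user ids are constructed for the demo; the scheme itself is language-agnostic.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret: in practice load it from config, never send it to the client.
SERVER_KEY = b"constructed-secret-key-keep-off-the-client"


def sign_user_id(user_id: str, key: bytes = SERVER_KEY) -> str:
    """Return the cookie value 'userId.mac'. The id stays readable, but any
    edit to it invalidates the MAC, which only a holder of the key can compute."""
    mac = hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def verify_user_id(cookie_value: str, key: bytes = SERVER_KEY):
    """Return the user id if the MAC checks out, otherwise None (treat as logged out)."""
    user_id, sep, mac = cookie_value.rpartition(".")
    if not sep or not user_id or not mac:
        return None  # malformed or unsigned value, e.g. a bare "123456"
    expected = hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so the check does not leak where the MACs first differ
    if not hmac.compare_digest(mac, expected):
        return None
    return user_id


def new_session_token() -> str:
    """Alternative to a signed id: a random token the server maps to a user in its own store."""
    return secrets.token_urlsafe(32)


def tamper_demo() -> bool:
    """Change the id part of a valid cookie and confirm the server rejects it."""
    good = sign_user_id("123456")
    forged = "654321." + good.split(".", 1)[1]  # same MAC, different id
    return verify_user_id(good) == "123456" and verify_user_id(forged) is None
```

Storing only `new_session_token()` in the cookie removes the id from the client entirely, which is the same idea as the UUID suggestion above.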

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:225471