This should work... But then let's say that you encrypt your login page using SSL. And the rest of the site is not (as it should be). The password hash gets passed with every request, which makes it very likely that it can be sniffed. Once the hacker has the hash, he can do a brute force attack on it and figure out the user's password. Even worse, he doesn't even need the password, as the hash is enough for him to get into the account.
Now, a hacker being able to sniff someone's session would probably be able to fake the CF session cookies and hijack the session anyway, but at least he wouldn't be able to figure out the password.

-----Original Message-----
From: Matthew Walker [mailto:[EMAIL PROTECTED]
Sent: Monday, November 28, 2005 8:05 PM
To: CF-Talk
Subject: RE: pseudo-memory leak

> why can't a smart user have a userID 123457 using CF and set the cookie?

Because you'd hash the password and store that too.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:225505
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
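As an added example (not part of this thread or of either poster's code, and written in Python rather than CFML), the following contrasts the design the reply warns about, a cookie carrying the user ID plus a password hash, with a cookie that carries only an opaque server-side token and an HMAC. It shows the two properties that matter to a defender: the hardened cookie contains nothing computable from the password, and a stolen copy can be revoked at logout, whereas the hash-based cookie stays valid until the password changes. All names (weak_cookie, start_session, SERVER_KEY), user 123457 and the password "hunter2" are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# ---- Weak design the thread warns about (hypothetical illustration) ----
# The cookie carries userID plus an unsalted hash of the password, so the
# cookie itself is a bearer credential: it stays valid until the password
# changes and its contents can be checked offline against a wordlist.

def weak_store(password: str) -> str:
    """Server-side record in the weak design: an unsalted SHA-1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest()

def weak_cookie(user_id: int, password: str) -> str:
    """Cookie value the weak design sets at login."""
    return f"{user_id}:{weak_store(password)}"

def weak_is_valid(cookie: str, stored: dict) -> bool:
    """Weak server check: does the hash in the cookie match the stored hash?"""
    uid, _, digest = cookie.partition(":")
    return uid.isdigit() and stored.get(int(uid)) == digest

def derived_from_password(cookie: str, password: str) -> bool:
    """True if the cookie contains a value computable from the password alone."""
    return weak_store(password) in cookie

# ---- Hardened design: opaque server-side session token, HMAC-signed cookie ----
SERVER_KEY = secrets.token_bytes(32)   # constructed per run; load from config in practice
SESSIONS: dict[str, int] = {}          # token -> user_id, kept server-side only

def hash_password(password: str) -> str:
    """Salted PBKDF2 for storage; this value never leaves the server."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    salt_hex, _, dk_hex = stored.partition("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(dk.hex(), dk_hex)

def _sign(payload: str) -> str:
    """Append an HMAC so the server can detect an edited or forged cookie."""
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"

def start_session(user_id: int) -> str:
    """Issue a cookie after a successful password check: random token, no password material."""
    token = secrets.token_urlsafe(32)   # base64url alphabet, so it never contains ':' or '.'
    SESSIONS[token] = user_id
    return _sign(f"{user_id}:{token}")

def resolve_session(cookie: str):
    """Return the user_id for a valid, unrevoked cookie, else None."""
    payload, _, mac = cookie.rpartition(".")
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                      # tampered or forged
    uid, _, token = payload.partition(":")
    if not uid.isdigit() or SESSIONS.get(token) != int(uid):
        return None                      # unknown or revoked token
    return int(uid)

def end_session(cookie: str) -> None:
    """Logout / revocation: a sniffed copy of this cookie is useless afterwards."""
    payload, _, _ = cookie.rpartition(".")
    _, _, token = payload.partition(":")
    SESSIONS.pop(token, None)

if __name__ == "__main__":
    stored = hash_password("hunter2")              # constructed sample credential
    print("login ok:", verify_password("hunter2", stored))
    cookie = start_session(123457)
    print("hardened cookie:", cookie)
    print("resolves to:", resolve_session(cookie))
    end_session(cookie)
    print("after logout:", resolve_session(cookie))
```

The weak cookie can only be invalidated by changing the password, because the server has no per-session state to delete; the hardened one is revoked by dropping the token from SESSIONS, and the HMAC means an edited user ID fails before the token is even looked up. The password record itself is salted PBKDF2 and is never written into a cookie, so sniffing the session still reveals nothing that can be brute-forced into the password.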

