You would still use a hashed password that you wouldn't be able to guess, plus you could also seed the userId before the hash. Or, like I said before, use a UUID for the userId.

You wouldn't be guessing either one.

On 11/29/05, Russ <[EMAIL PROTECTED]> wrote:
> That's really just security by obscurity. If you hash the data, and I know
> that you've hashed the data, I can set the data that I want and hash that as
> well. Your program wouldn't really know the difference.
>
> Let's say you were hashing userIDs. I would really just need to know the
> valid range of userIDs (let's say 1 to 100000), and then I can hash each one
> of those using the same exact hash function you're using (ColdFusion), and
> set my own cookie. Then try accessing your site with it. That's a pretty
> simple brute force, wouldn't you say? Much easier than trying to guess the
> password.
>
> -----Original Message-----
> From: Snake [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 29, 2005 4:43 AM
> To: CF-Talk
> Subject: RE: pseudo-memory leak
>
> Normally you would HASH the data so it cannot be extracted and used or
> changed.
>
> -----Original Message-----
> From: Russ [mailto:[EMAIL PROTECTED]
> Sent: 28 November 2005 23:40
> To: CF-Talk
> Subject: RE: pseudo-memory leak
>
> Cookies are not very secure now, are they? Let's say I was going to let the
> user be logged in, and I wanted that to persist... So I would do:
>
> Client.userId=123456
>
> Now, the user has no way to change that. Now, let's say I store it in the
> cookie:
>
> <Cfcookie name="userId" value="123456">
>
> Now, the user can examine their cookies and know their userId. Worse, they
> can change the userId, and be logged in as a different user.
>
> Russ
>
> -----Original Message-----
> From: Ryan Guill [mailto:[EMAIL PROTECTED]
> Sent: Monday, November 28, 2005 2:04 PM
> To: CF-Talk
> Subject: Re: pseudo-memory leak
>
> I have never really found a need for client variables. What benefit do they
> really offer? The only time I could see using them is when you had
> something that you might think about storing in a cookie. I rarely come
> across a need like that where I don't really want a cookie,
> and if I do I usually just store it in the session. Am I missing
> something there?
>
> On 11/28/05, Russ <[EMAIL PROTECTED]> wrote:
> > Are you still running another server on BD? How is BD handling this
> > issue?
> >
> > -----Original Message-----
> > From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
> > Sent: Monday, November 28, 2005 1:38 PM
> > To: CF-Talk
> > Subject: pseudo-memory leak
> >
> > I've written up my thoughts on what looks like the problem that the
> > House of Fusion server was facing for the last few weeks. It's a
> > problem that probably affects others but I'm not going to comment on
> > how widespread it is until the full write-up on Fusion Authority.
> > These are just my notes and thoughts.
> > http://www.blogoffusion.com/index.cfm/2005/11/28/pseudomemory-leak

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:225549
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
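The brute force Russ describes, and the two fixes proposed in the reply above (a secret "seed" folded into the hash, or a random UUID instead of the userId), as an added example that is not code from this thread. It is written in Python rather than CFML so it can be run as-is; the thread's CFML Hash() call is modelled as MD5 (an assumption: ColdFusion's Hash() defaults to MD5, and the attack works the same against any unkeyed hash). The "seed" is implemented as an HMAC with a server-side key, which is the standard construction for that idea; SERVER_KEY, the 1..100000 userId range and the userId 4242 are constructed for the example.

```python
import hashlib
import hmac
import secrets
import uuid

# Added example, not code from the thread. The CFML Hash() in the thread is
# modelled as MD5 (assumption; any unkeyed hash behaves the same way).
USER_ID_RANGE = 100000  # the "1 to 100000" range Russ assumes


def cookie_unkeyed(user_id: int) -> str:
    """Cookie value as the thread describes it: a bare hash of the userId."""
    return hashlib.md5(str(user_id).encode()).hexdigest()


def brute_force(cookie_value: str, make_cookie, max_user_id: int = USER_ID_RANGE):
    """Russ's attack: rebuild the cookie for every userId in the valid range
    with the attacker's own copy of the cookie function, stop on a match.
    Returns the recovered userId, or None if no candidate matched."""
    for candidate in range(1, max_user_id + 1):
        if make_cookie(candidate) == cookie_value:
            return candidate
    return None


# Fix 1: key the hash with a secret that never leaves the server. HMAC is the
# standard construction; "seed the userId before the hash" is the same idea.
# SERVER_KEY is an assumption for the example (a real app loads it from
# configuration rather than generating a fresh one at import time).
SERVER_KEY = secrets.token_bytes(32)


def cookie_keyed(user_id: int, key: bytes = SERVER_KEY) -> str:
    """Cookie carries the userId in the clear plus an HMAC tag over it."""
    tag = hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()
    return f"{user_id}:{tag}"


def verify_keyed(cookie_value: str, key: bytes = SERVER_KEY):
    """Return the userId if the tag verifies, else None. Malformed cookies
    yield None; the tag comparison is constant-time."""
    try:
        user_part, tag = cookie_value.split(":", 1)
        user_id = int(user_part)
    except ValueError:
        return None
    expected = hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return user_id


# Fix 2: the "use a UUID" suggestion. The cookie holds only a random token and
# the userId stays in a server-side table (what Client/Session scope does).
def issue_token(user_id: int, store: dict) -> str:
    token = uuid.uuid4().hex  # 122 random bits: not enumerable like 1..100000
    store[token] = user_id
    return token


def lookup_token(token: str, store: dict):
    return store.get(token)


if __name__ == "__main__":
    victim = cookie_unkeyed(4242)
    print("unkeyed cookie, userId recovered:", brute_force(victim, cookie_unkeyed))

    victim = cookie_keyed(4242)
    attacker_guess = lambda uid: cookie_keyed(uid, key=b"attacker-guess")
    print("keyed cookie, attacker without the key:", brute_force(victim, attacker_guess))
    _, tag = victim.split(":", 1)
    print("keyed cookie with the userId swapped:", verify_keyed(f"4243:{tag}"))
```

Two caveats a practitioner would add: the seed only helps if it is secret and server-side, since a salt the client can see just gets folded into the attacker's enumeration; and a keyed tag stops forgery, not replay, so a stolen cookie still logs the thief in until it expires or is revoked server-side.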

