The point is you have to jump through hoops to make cookies secure... Why
not just have a best practice not to store stuff in cookies, and to use
client variables instead, so that people not well versed in security can
build more secure sites than they would otherwise?


-----Original Message-----
From: Ryan Guill [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 29, 2005 10:35 AM
To: CF-Talk
Subject: Re: pseudo-memory leak

You would still use a hashed password that you wouldn't be able to guess,
plus you could also seed the userid before the hash.
Or like I said before, use a uuid for the userid.

You wouldn't be guessing either one.

On 11/29/05, Russ <[EMAIL PROTECTED]> wrote:
> That's really just security by obscurity.  If you hash the data, and I 
> know that you've hashed the data, I can set the data that I want and 
> hash that as well.. Your program wouldn't really know the difference.
>
> Let's say you were hashing userIDs.  I would really just need to know
> the valid range of userIDs (let's say 1 to 100000), and then I can
> hash each one of those using the same exact hash function you're using
> (ColdFusion), and set my own cookie.  Then try accessing your site
> with it.  That's a pretty simple brute force, wouldn't you say?  Much
> easier than trying to guess the password.
>
> -----Original Message-----
> From: Snake [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 29, 2005 4:43 AM
> To: CF-Talk
> Subject: RE: pseudo-memory leak
>
> Normally you would HASH the data so it cannot be extracted and used or 
> changed.
>
> -----Original Message-----
> From: Russ [mailto:[EMAIL PROTECTED]
> Sent: 28 November 2005 23:40
> To: CF-Talk
> Subject: RE: pseudo-memory leak
>
> Cookies are not very secure now, are they?  Let's say I was going to
> let the user be logged in, and I wanted that to persist... So I would do..
>
> Client.userId=123456
>
> Now, the user has no way to change that... Now, let's say I store it in
> the cookie...
>
> <Cfcookie name="userId" value="123456">
>
> Now, the user can examine their cookies and know their userid.  Worse, 
> they can change the userid, and be logged in as a different user.
>
> Russ
>
> -----Original Message-----
> From: Ryan Guill [mailto:[EMAIL PROTECTED]
> Sent: Monday, November 28, 2005 2:04 PM
> To: CF-Talk
> Subject: Re: pseudo-memory leak
>
> I have never really found a need for client variables.  What benefit 
> do they really offer?  The only time I could see using them is when 
> you had something that you might think about storing in a cookie.  I 
> rarely come across a need like that where I don't really want a cookie,
> and if I do I usually just store it in the session.   Am I missing
> something there?
>
> On 11/28/05, Russ <[EMAIL PROTECTED]> wrote:
> > Are you still running another server on BD?  How is BD handling this issue?
> >
> > -----Original Message-----
> > From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
> > Sent: Monday, November 28, 2005 1:38 PM
> > To: CF-Talk
> > Subject: pseudo-memory leak
> >
> > I've written up my thoughts on what looks like the problem that the 
> > House of Fusion server was facing for the last few weeks. It's a 
> > problem that probably affects others but I'm not going to comment on 
> > how widespread it is until the full write-up on Fusion Authority.
> > These are just my notes and thoughts.
> > http://www.blogoffusion.com/index.cfm/2005/11/28/pseudomemory-leak
> >
>



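An added Python example (my own, not code from the thread, which is about ColdFusion): the plain-hash cookie Russ describes beside the two alternatives raised in the replies, a keyed hash (the "seed before the hash" idea done as an HMAC so only the server can mint a valid tag) and an opaque random token looked up server-side, which is what a client or session variable amounts to. The key, the token store and the sample userIds are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real server generates this once and keeps it out of source.
SERVER_KEY = b"constructed-demo-key"
# Constructed server-side store for the opaque-token option (token -> userId).
SESSIONS = {}

def _split(cookie):
    # Cookie layout used by both hashed schemes: "<userId>:<hex digest>".
    uid, sep, digest = cookie.partition(":")
    return (uid, digest) if sep and uid.isdigit() else (None, None)

def unkeyed_cookie(user_id):
    """The scheme the thread criticises: the userId plus a plain hash of it."""
    return f"{user_id}:{hashlib.sha256(str(user_id).encode()).hexdigest()}"

def verify_unkeyed(cookie):
    uid, digest = _split(cookie)
    if uid is None:
        return None
    # Anyone who knows the algorithm can compute this digest for any userId,
    # so a matching digest says nothing about who set the cookie.
    return int(uid) if hashlib.sha256(uid.encode()).hexdigest() == digest else None

def keyed_cookie(user_id):
    """Keyed hash (HMAC): only a holder of SERVER_KEY can produce a valid tag."""
    tag = hmac.new(SERVER_KEY, str(user_id).encode(), hashlib.sha256).hexdigest()
    return f"{user_id}:{tag}"

def verify_keyed(cookie):
    uid, tag = _split(cookie)
    if uid is None:
        return None
    expected = hmac.new(SERVER_KEY, uid.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare so the check does not leak how many bytes matched.
    return int(uid) if hmac.compare_digest(expected, tag) else None

def issue_opaque_token(user_id):
    """The uuid-style option: the cookie is a random token with no structure to forge."""
    token = secrets.token_hex(16)
    SESSIONS[token] = user_id
    return token

def verify_opaque(token):
    # Nothing to recompute client-side; an unknown token simply maps to nobody.
    return SESSIONS.get(token)
```

With the keyed or opaque form the cookie still reveals or implies the userId to its owner, but it can no longer be rewritten to log in as someone else, which is the property the thread is after.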
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:225582
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4