Alright, so you can find out what the hash is, so you have *your* password. Now how are you going to find the user ID of someone else (especially if it is a UUID) and figure out their password? Plus, once again you can seed the hash if you are worried about it.
Sure, you have to think about security a little bit when using cookies, but to me, that's a small price to pay and worth the tradeoff not to use client vars. There just isn't much that I ever want to store in a cookie, the userid and password being one of the few examples. Anything else is just preferences like font size or something silly. But I would much rather think about security and use cookies than client vars. They are just too prone to problems imo.

On 11/29/05, Russ <[EMAIL PROTECTED]> wrote:
> Yea, I mentioned that before in the thread. Theoretically, hashing should
> be 1 way (so there is no way to turn the hash back into the value). But you
> could run a bruteforce against a hash, and be able to figure out what the
> hashed value really is. You can also build a table of all possible hashes,
> and then it just becomes a linear search. (I know someone who's got the
> complete rainbow tables for windows passwords, and is able to find any
> password within a few hours, I believe, if he's got the hash).
>
> -----Original Message-----
> From: Kerry [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 29, 2005 1:14 PM
> To: CF-Talk
> Subject: RE: pseudo-memory leak
>
> FYI, hashing something doesn't mean that it can't be extracted, why just the
> other day my little 2Ghz workstation extracted a 5 character password from a
> hash in about 5 minutes...
>
> -----Original Message-----
> From: Snake [mailto:[EMAIL PROTECTED]
> Sent: 29 November 2005 09:43
> To: CF-Talk
> Subject: RE: pseudo-memory leak
>
> Normally you would HASH the data so it cannot be extracted and used or
> changed.
>
> -----Original Message-----
> From: Russ [mailto:[EMAIL PROTECTED]
> Sent: 28 November 2005 23:40
> To: CF-Talk
> Subject: RE: pseudo-memory leak
>
> Cookies are not very secure now, are they? Let's say I was going to let the
> user be logged in, and I wanted that to persist... So I would do..
>
> Client.userId=123456
>
> Now, the user has no way to change that... Now, let's say I store it in the
> cookie...
>
> <Cfcookie name="userId" value="123456">
>
> Now, the user can examine their cookies and know their userid. Worse, they
> can change the userid, and be logged in as a different user.
>
> Russ
>
> -----Original Message-----
> From: Ryan Guill [mailto:[EMAIL PROTECTED]
> Sent: Monday, November 28, 2005 2:04 PM
> To: CF-Talk
> Subject: Re: pseudo-memory leak
>
> I have never really found a need for client variables. What benefit do they
> really offer? The only time I could see using them is when you had
> something that you might think about storing in a cookie. I rarely come
> across a need like that where I don't really want a cookie,
> and if I do I usually just store it in the session. Am I missing
> something there?
>
> On 11/28/05, Russ <[EMAIL PROTECTED]> wrote:
> > Are you still running another server on BD? How is BD handling this
> > issue?
> >
> > -----Original Message-----
> > From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
> > Sent: Monday, November 28, 2005 1:38 PM
> > To: CF-Talk
> > Subject: pseudo-memory leak
> >
> > I've written up my thoughts on what looks like the problem that the
> > House of Fusion server was facing for the last few weeks. It's a
> > problem that probably affects others but I'm not going to comment on
> > how wide spread it is until the full write-up on Fusion Authority.
> > These are just my notes and thoughts.
> > http://www.blogoffusion.com/index.cfm/2005/11/28/pseudomemory-leak
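The two points the thread circles around, that a plain `userId` cookie can be edited by whoever holds it and that an unsalted hash can be brute-forced or matched against a precomputed table, shown in Python rather than ColdFusion. This is an added example, not code from the thread or from any of its posters; `SERVER_SECRET`, the salt handling and the sample values are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed server-side secret for this example; a real deployment loads it
# from configuration and never sends it to the browser.
SERVER_SECRET = b"constructed-example-secret"

def make_cookie(user_id, secret=SERVER_SECRET):
    """Build 'userId.signature'. The id stays readable, as in the plain cookie
    from the thread, but the HMAC lets the server detect any edit to it."""
    sig = hmac.new(secret, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{sig}"

def verify_cookie(cookie, secret=SERVER_SECRET):
    """Return the user id if the signature matches, otherwise None."""
    user_id, sep, sig = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, user_id.encode(), hashlib.sha256).hexdigest()
    # constant-time compare so a mismatch does not leak where it differed
    return user_id if hmac.compare_digest(sig, expected) else None

def hash_password(password, salt=None, iterations=100_000):
    """Salted, iterated hash ("seeding the hash" in the thread). Returns
    (salt, digest); store both. A fresh random salt per user means a table of
    precomputed hashes no longer matches, and the iterations slow brute force."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def check_password(password, salt, digest, iterations=100_000):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    cookie = make_cookie("123456")
    print("issued :", cookie, "->", verify_cookie(cookie))
    edited = "999999." + cookie.split(".", 1)[1]  # id changed, signature kept
    print("edited :", edited, "->", verify_cookie(edited))
    salt, digest = hash_password("correct horse")
    print("same password, new salt, same digest?", hash_password("correct horse")[1] == digest)
    print("login check:", check_password("correct horse", salt, digest))
```

The signed cookie still exposes the user id to the browser, which is the other half of the thread's objection; the signature only stops it from being changed without the server noticing.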

