You really shouldn't make a habit out of storing client vars in the registry
either.  While it does work, and Cold Fusion DOES NOT crash, it is much
better to store the client vars in a database.

First of all, it is much easier to scale your site when client vars are
stored at a DB level, and secondly, the registry has size limitations that
aren't present when you are dumping vars to a database.

Just make sure that if you change the CFAS admin setting to store variables
in a database that you actually have the database space created first,
otherwise you will be digging around in the registry trying to fix some
heartache.

HTH,
John
----- Original Message -----
From: "AustralianAccommodation.com Pty. Ltd."
<[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Friday, October 27, 2000 12:39 AM
Subject: Re: Security Concerns Question regarding Cfquery required username and password in sql environment


> The following is a reply sent to me by one of the lead cf hosting services
> in usa regarding the use of user name and passwords for sql database access.
> I would appreciate your advice and comments regarding the issue.
>
> "Thank you for your message.
>
> Please try to use the solution you suggested below. As far as I know we have
> determined that storing client variables in the registry causes ColdFusion
> server to crash every time the registry is purged (which happens every 5-20
> minutes).  We had to switch default client variables store to cookies and
> restrict access to the client store in the registry."
>
> The solution that I suggested they refer to is to hard code the username and
> passwords in each of the cf query tags throughout all the cf pages on my
> site.
>
> My concern is that taking the approach of hard coding the database username
> and password leaves a huge security loophole in the site and, for those
> wanting to, leaves the way open for them to gain access to the database itself
> upon viewing the source code of the cf pages.
>
> I look forward to your comments and advice re this issue
>
>
>
> ----- Original Message -----
> From: "Dave Watts" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Friday, October 27, 2000 2:29 PM
> Subject: RE: Security Concerns Question regarding Cfquery required username and password in sql environment
>
>
> > I never understood this one.
> >
> > Why is:
> >
> > <CFQUERY DATASOURCE = "#Request.MainDSN#"
> >
> > in a template better than
> >
> > <CFQUERY DATASOURCE = "#Request.MainDSN#" UserName =
> > "#Request.User#"  Password = "#Request.Pass#"
> >
> > security-wise?
>
> From a hacker's perspective, it's often pretty easy to read script code.
> It's usually a little harder to read the registry, which is where CF stores
> datasource usernames and passwords.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
> ------------------------------------------------------------------------------------------------
> Archives: http://www.mail-archive.com/[email protected]/
> Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists or send a message with 'unsubscribe' in the body to [EMAIL PROTECTED]
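
An added example, not part of the thread and not any poster's code: a small Python audit that finds CFQUERY tags carrying USERNAME or PASSWORD attributes, the pattern debated above, and reports whether each value is typed into the template or is a #variable# reference. The sample templates, the function name `audit` and the literal/variable labels are assumptions made for illustration.

```python
import re

# Constructed sample templates for illustration (not taken from the thread).
SAMPLES = {
    "literal.cfm": (
        '<CFQUERY NAME="q" DATASOURCE="MainDSN" USERNAME="webuser" PASSWORD="s3cret">\n'
        "SELECT 1\n</CFQUERY>\n"
    ),
    "variable.cfm": (
        '<!--- page header --->\n<cfquery name="q" datasource="#Request.MainDSN#"\n'
        '  UserName = "#Request.User#"  Password = "#Request.Pass#">\n'
        "SELECT 1\n</cfquery>\n"
    ),
    "dsn_only.cfm": '<CFQUERY NAME="q" DATASOURCE = "#Request.MainDSN#">\nSELECT 1\n</CFQUERY>\n',
}

# Opening <CFQUERY ...> tag; CFML tag and attribute names are case-insensitive.
# Simplification: assumes no literal '>' inside an attribute value.
TAG_RE = re.compile(r"<cfquery\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""\b(username|password)\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.IGNORECASE)
VAR_RE = re.compile(r"#[^#]+#")  # value that is exactly one #expression#


def audit(source, filename="<string>"):
    """Return (file, line, attribute, kind) for each credential attribute found.

    kind is "literal" when the value is typed into the template and "variable"
    when it is a #...# reference set elsewhere. Values are never returned, so
    the report itself does not leak credentials.
    """
    findings = []
    for tag in TAG_RE.finditer(source):
        line = source.count("\n", 0, tag.start()) + 1  # line where the tag opens
        for attr in ATTR_RE.finditer(tag.group(1)):
            value = attr.group(2) if attr.group(2) is not None else attr.group(3)
            kind = "variable" if VAR_RE.fullmatch(value) else "literal"
            findings.append((filename, line, attr.group(1).lower(), kind))
    return findings


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        hits = audit(text, name)
        for f, line, attr, kind in hits:
            print(f"{f}:{line}: CFQUERY {attr} attribute ({kind})")
        if not hits:
            print(f"{name}: no credentials on CFQUERY tags")
```

A "variable" finding still means the credential is assigned somewhere in application code, so the template that sets it is the next place to review.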