> I inherited an application and I need to know how to make
> this particular piece of code go into an Application or
> Session variable: What this is doing is grabbing the login
> name of the user on the machine and then it appends it to a
> URL variable. Problem is, I can change the URL variable once
> I am logged in and impersonate any user I want, including
> user IDs that do not exist. This is NOT the way to go since
> we are tracking the user by this URL variable.
>
> <cfoutput>
> <object classid="CLSID:4F021AE3-9E98-11D0-A808-00C04FDCD94A"
>   id="NWDir1"
>   width=32
>   height=32
>   name="Login"
>   Action="Create">
> </object>
>
> <script language="VBScript">
> Dim vbuser
> Sub Window_OnLoad()
>   On Error Resume next
>   vbuser = NWDir1.LoginName
>   vbuser = StrReverse(vbuser)
>   initInd = InStr(vbuser, Chr(92))
>   if initInd <> 0 Then
>     vbuser = Left(vbuser, initInd-1)
>     vbuser = StrReverse(vbuser)
>   End if
>   ' REDIRECTION beware
>   document.location.href = "DONE.cfm?docookietest=" + vbuser
>   Exit sub
> End Sub
> </script>
>
> <cfabort>
>
> </cfoutput>

I'm not sure exactly what you're asking for here, so correct me if I'm wrong. You have some sort of ActiveX control (presumably a NetWare client control) here, and you're using that to send information back in a URL. Within the script at that URL, you could then write the URL parameter into a Session variable, but you don't want the user to see the URL parameter, because the user could then write whatever they wanted and get that into the Session variable instead.

Unfortunately, within the browser, you only have a few ways to get data back to the server: URL parameters, form fields, cookies, and HTTP request headers. You could have your VBScript write to a form field or to document.cookie, and the user wouldn't be able to obviously see the value:

<script language="VBScript">
....
  End If
  document.forms(0).vbuser.value = vbuser
  document.forms(0).submit
  ' I'm not sure if this is the appropriate syntax within VBScript, but it should be easy to look up
  Exit Sub
End Sub
</script>

<form action="done.cfm" method="post">
<input type="hidden" name="vbuser">
</form>

However, even with this, the user will be able to manipulate this if they want to log in as a different user. It'll just be a little more work. The real problem is that you're performing authentication on the client, and letting the server trust that this authentication has been done.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:267762
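
An added example, not part of the thread and not ColdFusion code: a language-neutral sketch in Python of the point made in the reply, contrasting a handler that trusts the client-supplied vbuser value with one that authenticates on the server and keeps the identity in a server-side session. The user store, passwords, the "sid" cookie name and all function names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store for the example: username -> (salt, password hash).
USERS = {}
for _name, _pw in (("alice", "correct horse"), ("bob", "battery staple")):
    _salt = secrets.token_bytes(16)
    USERS[_name] = (_salt, hash_password(_pw, _salt))

SESSIONS = {}  # server-side session store: session id -> username


def trusting_handler(params):
    """The design in the thread: identity is whatever the client sends.
    A URL parameter, hidden form field or cookie all arrive the same way,
    so the value is accepted even for users that do not exist."""
    return params.get("vbuser")


def login(username, password):
    """Server-side authentication: verify the credential, then bind the
    identity to an unguessable session id that stays on the server."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, expected = record
    if not hmac.compare_digest(hash_password(password, salt), expected):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def session_handler(params, cookies):
    """Identity comes only from the server-side session record; any user
    name carried in the request itself is ignored."""
    return SESSIONS.get(cookies.get("sid", ""))
```

In ColdFusion the server-side record corresponds to a Session variable set only after the server itself has verified the user.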

