Obscurity still isn't security though.  Better yet, run whatever
security checks are necessary when displaying a ticket to verify the
person logged in should be able to view it.  That really is the only way
to be sure sensitive data isn't exposed to others.  All someone would
need is a copy of the link or a network sniffer to pull out ids of
tickets other people were viewing even if they were obfuscated (UUIDs).

~Brad
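
The check described in the reply above, as an added example that is not part of the original thread: the ticket lookup is scoped to the logged-in user, so a leaked or sniffed UUID is useless to anyone else. It is written in Python against an in-memory SQLite table so it runs stand-alone; the table, column and function names and the sample rows are assumptions made up for the illustration.

```python
import sqlite3
import uuid


def make_db():
    """Create an in-memory tickets table (constructed schema, not from the thread)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE tickets ("
        "ticket_uuid TEXT PRIMARY KEY, owner_id INTEGER NOT NULL, subject TEXT NOT NULL)"
    )
    return db


def create_ticket(db, owner_id, subject):
    """Insert a ticket and return the UUID that would appear in its URL."""
    ticket_uuid = str(uuid.uuid4())
    db.execute("INSERT INTO tickets VALUES (?, ?, ?)", (ticket_uuid, owner_id, subject))
    return ticket_uuid


def view_ticket(db, session_user_id, ticket_uuid):
    """Return (status, subject). The user id comes from the server-side session,
    never from the URL or any other client-supplied value."""
    if session_user_id is None:
        return 401, None  # not logged in
    try:
        canonical = str(uuid.UUID(ticket_uuid))  # reject malformed ids early
    except (ValueError, TypeError, AttributeError):
        return 404, None
    row = db.execute(
        "SELECT subject FROM tickets WHERE ticket_uuid = ? AND owner_id = ?",
        (canonical, session_user_id),
    ).fetchone()
    if row is None:
        # Same answer for "no such ticket" and "not your ticket", so the
        # response does not confirm which ids exist.
        return 404, None
    return 200, row[0]


if __name__ == "__main__":
    db = make_db()
    link_id = create_ticket(db, owner_id=1, subject="Printer broken")  # constructed row
    print(view_ticket(db, 1, link_id))  # the owner opens the ticket
    print(view_ticket(db, 2, link_id))  # another user with a copy of the link
```

The same pattern carries over to a ColdFusion page by putting both conditions in the `cfquery` WHERE clause with `cfqueryparam`.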

-----Original Message-----
From: Alan Rother [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 06, 2008 5:44 PM
To: CF-Talk
Subject: Re: Preventing user from changing ID number in URL

This isn't exactly what you were asking about, but if your main
concern is someone getting to see the details of a ticket that they
shouldn't see, I recommend using a UUID for either the PK or a solid
Secondary Key (if you are already using an auto incrementing Int as
the primary key).

Then pass the UUID through the URL; no one will likely ever find
another string that matches your ticket numbers.

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:304820