WHAT!!!! You store a userId in a cookie and trust it???? Are you mad??? Numbers are as inherently secure as UUIDs - they're both simply identifiers. Authentication and authorization are where security happens. If an application is susceptible to spin attacks like that, I suppose that a UUID might assist to some degree, but much better to just prevent the spin attack.
cheers, barneyb

On Tue, Oct 28, 2008 at 12:30 PM, Phillip M. Vector <[EMAIL PROTECTED]> wrote:
> Oh... I have that as well. But take for example the UserID that I store
> as a cookie to someone else based on the UserID field.
>
> It's easy to change a cookie to a 1 and hope to get admin access.
>
> It's harder to figure out someone else's ID. :)
>
> And yeah, I can set it to the IP and so on, but honestly, using a UUID
> is a lot more secure than auto increase.
>
> Matt Quackenbush wrote:
>> On Tue, Oct 28, 2008 at 2:13 PM, Phillip M. Vector wrote:
>>
>>> The only thing I've noticed in using that is that you can guess the next
>>> number.
>>>
>>> If you have a URL string of id set to 7, I've always tried manually
>>> typing in 6 and seeing what happens. Sometimes, 5. :)
>>>
>> That's what permission checking in your application is for. :-)
>>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314463
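Added example to illustrate the point of this exchange; it is not code from any of the posters and is written in Python rather than CFML so it runs stand-alone. The first handler is the pattern Phillip describes (a userId cookie read back and trusted, no ownership check on the record id in the URL). The second is the pattern barneyb and Matt argue for: the user's identity comes from a cookie the server can verify (here an HMAC-signed value; a server-side session store works the same way), and every record fetch checks that the authenticated user owns the record. The secret key, user table, and records are constructed sample data, and the `Request` class is a stand-in for whatever the real framework passes in.

```python
"""Vulnerable vs. hardened record lookup: identifiers are not secrets,
authentication and authorization are where access is decided."""
import hashlib
import hmac
from dataclasses import dataclass

# Assumption: a server-side secret the client never sees (constructed for the demo).
SECRET_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed sample data: sequential ids, exactly the situation in the thread.
USERS = {1: "admin", 2: "alice", 3: "bob"}
RECORDS = {
    5: {"owner": 1, "body": "admin notes"},
    6: {"owner": 2, "body": "alice's invoice"},
    7: {"owner": 3, "body": "bob's invoice"},
}


@dataclass
class Request:
    """Minimal stand-in for a framework request object (hypothetical)."""
    cookies: dict
    params: dict


# --- Vulnerable: trusts the cookie and never checks ownership -----------------
def vulnerable_get_record(req: Request) -> str:
    # The client wrote this cookie, so the client can set it to 1 (admin).
    user_id = int(req.cookies["userId"])
    rec_id = int(req.params["id"])
    # user_id is never compared with the record's owner: the cookie is theatre,
    # and swapping sequential ids for UUIDs would not change that.
    return RECORDS[rec_id]["body"]


# --- Hardened: verifiable identity plus a per-object authorization check ------
def sign_session(user_id: int) -> str:
    """Issue a cookie value the server can later verify: '<user_id>.<hmac>'."""
    payload = str(user_id)
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_session(cookie: str):
    """Return the user id if the cookie's MAC checks out, else None."""
    try:
        payload, mac = cookie.rsplit(".", 1)
        user_id = int(payload)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; a tampered payload produces a different MAC.
    if not hmac.compare_digest(mac, expected):
        return None
    return user_id


def hardened_get_record(req: Request) -> str:
    user_id = verify_session(req.cookies.get("session", ""))
    if user_id is None or user_id not in USERS:
        return "401 not authenticated"
    try:
        rec_id = int(req.params["id"])
    except (KeyError, ValueError):
        return "403 forbidden"
    rec = RECORDS.get(rec_id)
    # Same answer for "no such record" and "someone else's record", so
    # walking id=7, 6, 5 reveals nothing about which ids exist.
    if rec is None or rec["owner"] != user_id:
        return "403 forbidden"
    return rec["body"]


if __name__ == "__main__":
    # Attacker logged in as alice (2) edits the cookie to 1 and asks for record 5.
    print(vulnerable_get_record(Request({"userId": "1"}, {"id": "5"})))
    alice = sign_session(2)
    print(hardened_get_record(Request({"session": alice}, {"id": "6"})))
    print(hardened_get_record(Request({"session": alice}, {"id": "5"})))
    forged = "1." + alice.split(".", 1)[1]   # keep alice's MAC, change the id
    print(hardened_get_record(Request({"session": forged}, {"id": "5"})))
```

The hardened version still uses the same sequential ids; what changed is that the id in the cookie can no longer be chosen by the client, and the id in the URL is checked against the authenticated user before anything is returned. UUIDs would only raise the cost of guessing, which is the "assist to some degree" in the post above, and a real application should use its framework's session handling rather than rolling its own cookie signing.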

