Perhaps you weren't reading it clearly. Allow me to explain. I give the UserID (in UUID form and encrypted) out when someone hits my site.

When a user has it, I load up that profile and they "log in" to the site. If a user doesn't have it, they need to log in with a username and password. I fail to see why this is insecure. How do you suggest that I authenticate that it's the correct person without any user input and allowing them to log into the site from more than one computer/IP? And I'm not familiar with a spin attack. What is that?

Barney Boisvert wrote:
> WHAT!!!! You store a userId in a cookie and trust it???? Are you
> mad??? Numbers are as inherently secure as UUIDs - they're both
> simply identifiers. Authentication and authorization are where
> security happens. If an application is susceptible to spin attacks
> like that, I suppose that a UUID might assist to some degree, but much
> better to just prevent the spin attack.
>
> cheers,
> barneyb
>
> On Tue, Oct 28, 2008 at 12:30 PM, Phillip M. Vector
> <[EMAIL PROTECTED]> wrote:
>> Oh.. I have that as well. But take for example the UserID that I store
>> as a cookie to someone else based on the UserID field.
>>
>> It's easy to change a cookie to a 1 and hope to get admin access.
>>
>> It's harder to figure out someone else's ID. :)
>>
>> And yeah, I can set it to the IP and so on, but honestly, using a UUID
>> is a lot more secure than auto increase.
>>
>> Matt Quackenbush wrote:
>>> On Tue, Oct 28, 2008 at 2:13 PM, Phillip M. Vector wrote:
>>>
>>>> The only thing I've noticed in using that is that you can guess the next
>>>> number.
>>>>
>>>> If you have a URL string of id set to 7, I've always tried manually
>>>> typing in 6 and seeing what happens. Sometimes, 5. :)
>>>>
>>>>
>>> That's what permission checking in your application is for. :-)
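The two points the thread circles (a "remember me" cookie that is only an unguessable lookup key rather than a user id, and a permission check on every record request so that trying id 6 or 5 after 7 yields nothing) can be shown together in working code. The following Python is an added example and is not code from anyone in this thread or from ColdFusion; the in-memory `Store`, the function names and the user ids `alice` and `bob` are constructed assumptions standing in for the application's database.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Store:
    """Constructed in-memory stand-in for the application's database."""
    # sha256(token) -> user_id; only the hash is kept, so a leaked table
    # does not hand out working cookies
    remember_tokens: dict = field(default_factory=dict)
    # record_id -> owner user_id
    records: dict = field(default_factory=dict)


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_remember_token(store: Store, user_id: str) -> str:
    """Mint the cookie value for a logged-in user.

    The value is 256 bits of randomness from the OS CSPRNG. It contains no
    user id, so there is nothing in it for a client to edit to "1" and
    nothing to enumerate; it is a key into the server-side table only.
    """
    token = secrets.token_urlsafe(32)
    store.remember_tokens[_digest(token)] = user_id
    return token


def user_from_cookie(store: Store, cookie_value: Optional[str]) -> Optional[str]:
    """Resolve a presented cookie to a user by server-side lookup.

    A forged or stale value simply misses the table and the visitor falls
    back to the username/password form. Hashing before lookup means the
    comparison is on digests, not on the secret itself.
    """
    if not cookie_value:
        return None
    return store.remember_tokens.get(_digest(cookie_value))


def revoke_remember_token(store: Store, cookie_value: str) -> None:
    """Logout: delete the server-side entry so the cookie stops working."""
    store.remember_tokens.pop(_digest(cookie_value), None)


def load_record(store: Store, user_id: Optional[str], record_id: int) -> Optional[dict]:
    """Permission check on every request, independent of how the id was
    obtained: a record is returned only to its owner. Guessing neighbouring
    ids (7 -> 6 -> 5) returns None exactly as a nonexistent id does, so the
    response does not reveal whether the id exists."""
    if user_id is None:
        return None
    owner = store.records.get(record_id)
    if owner != user_id:
        return None
    return {"id": record_id, "owner": owner}


if __name__ == "__main__":
    db = Store()
    db.records[7] = "alice"
    db.records[6] = "bob"
    cookie = issue_remember_token(db, "alice")
    print("cookie resolves to:", user_from_cookie(db, cookie))
    print("record 7 as alice:", load_record(db, "alice", 7))
    print("record 6 as alice:", load_record(db, "alice", 6))
    revoke_remember_token(db, cookie)
    print("after logout:", user_from_cookie(db, cookie))
```

The cookie value returned by `issue_remember_token` is what would be set in the browser (with `Secure` and `HttpOnly` flags in a real deployment); the server never reads a user id out of the cookie, it reads the user id out of its own table. The authorization step in `load_record` is the "permission checking in your application" from the quoted reply, and it is what actually stops the id-guessing described above, whichever kind of identifier the URL carries.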

