Well, I set the cookie every page load, but you are saying... if the cookie doesn't match up with the last "Counter" I used (i.e. if the cookie shows a counterID of 5 and it should be a 6), then redirect to the login. Right?

If that's correct, once they stop using the page, what's to prevent someone from grabbing the last cookie and using it? Also, I can't see how it makes handling multiple tabs to the site feasible. If I'm mistaken in understanding what you are suggesting, please explain. I'm honestly curious how I can do this any better than I am already.

Barney Boisvert wrote:
> The simplest mechanism is to only allow a cookie to be used once, and
> then reset it each request. You get the cookie, ensure it's valid,
> ensure the id hasn't been used before, create a new cookie, set it,
> and then process the request. If the cookie isn't valid or the id has
> been used, you clear the cookie and redirect to the login form. You
> can do the same thing but only check the cookie if the CF session
> isn't already considered authenticated. That'll reduce the amount of
> checking you have to do, but significantly reduces the security.
>
> And unless you're on SSL it's easy to grab cookies without machine
> access. Even with SSL it can still be done in some cases.
>
> cheers,
> barneyb
>
> On Tue, Oct 28, 2008 at 12:56 PM, Phillip M. Vector
> <[EMAIL PROTECTED]> wrote:
>> If you managed to copy a cookie to your machine, then either 1 of 2
>> things happened.
>>
>> 1) I gave you permission to do so and therefore, I understand the
>> concept that I'm giving you my ID on the site basically.
>> 2) You took it without me knowing. This would involve you accessing my
>> computer in some way and if I don't know you well enough to trust you,
>> then you aren't going to access my machine. Anyway, you can just log
>> into the site from my machine anyway. :)
>>
>> I should also point out that there is a "Logout" function that removes
>> the cookie. So people who are security conscious can log out if needed.
>>
>> Either way, how do you suggest I "authenticate" a person with the cookie
>> to make sure it's really the proper user without having the user
>> re-login to the site? I suppose I can have them relog in if their IP
>> changes, but IPs can be faked as well.
>>
>> Judah McAuley wrote:
>>> What if I copied your cookie to my machine? I go to your site, it
>>> checks to see if I have a cookie, I do, so it grabs the encrypted UUID
>>> value in that cookie, checks it against your db, matches your record,
>>> then logs me in as you.
>>>
>>> I don't have to know the value of the UUID. It doesn't matter that it
>>> is encrypted. I only have to have the same value that you do.
>>>
>>> Judah
>>>
>>> On Tue, Oct 28, 2008 at 12:46 PM, Phillip M. Vector
>>> <[EMAIL PROTECTED]> wrote:
>>>> Perhaps you weren't reading it clearly. Allow me to explain.
>>>>
>>>> I give the UserID (in UUID form and encrypted) out when someone hits my
>>>> site.
>>>>
>>>> When a user has it, I load up that profile and they "log in" to the site.
>>>>
>>>> If a user doesn't have it, they need to log in with a username and
>>>> password.
>>>>
>>>> I fail to see why this is insecure. How do you suggest that I
>>>> authenticate that it's the correct person without any user input and
>>>> allowing them to log into the site from more than one computer/IP?
>>>>
>>>> And I'm not familiar with a spin attack. What is that?
>>>>
>>>> Barney Boisvert wrote:
>>>>> WHAT!!!! You store a userId in a cookie and trust it???? Are you
>>>>> mad??? Numbers are as inherently secure as UUIDs - they're both
>>>>> simply identifiers. Authentication and authorization are where
>>>>> security happens. If an application is susceptible to spin attacks
>>>>> like that, I suppose that a UUID might assist to some degree, but much
>>>>> better to just prevent the spin attack.
>>>>>
>>>>> cheers,
>>>>> barneyb
>>>>>
>>>>> On Tue, Oct 28, 2008 at 12:30 PM, Phillip M. Vector
>>>>> <[EMAIL PROTECTED]> wrote:
>>>>>> Oh.. I have that as well. But take for example the UserID that I store
>>>>>> as a cookie to someone else based on the UserID field.
>>>>>>
>>>>>> It's easy to change a cookie to a 1 and hope to get admin access.
>>>>>>
>>>>>> It's harder to figure out someone else's ID. :)
>>>>>>
>>>>>> And yeah, I can set it to the IP and so on, but honestly, using a UUID
>>>>>> is a lot more secure than auto increase.
>>>>>>
>>>>>> Matt Quackenbush wrote:
>>>>>>> On Tue, Oct 28, 2008 at 2:13 PM, Phillip M. Vector wrote:
>>>>>>>
>>>>>>>> The only thing I've noticed in using that is that you can guess the
>>>>>>>> next number.
>>>>>>>>
>>>>>>>> If you have a URL string of id set to 7, I've always tried manually
>>>>>>>> typing in 6 and seeing what happens. Sometimes, 5. :)
>>>>>>>>
>>>>>>> That's what permission checking in your application is for. :-)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314494
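The single-use, rotated-on-every-request session cookie that Barney describes above, as an added example that is not part of this thread and not ColdFusion code (Python is used here only because it is convenient to run; the scheme is language-independent). It is an in-memory store whose class and function names (`SessionStore`, `handle_request`, `set_cookie_header`, the `IDLE_TIMEOUT` value) are this example's own assumptions. It shows both points raised in the thread: a replayed or stale token (Phillip's second-tab case, or a copied cookie used after the real client has already rotated it) is rejected and the user is sent back to the login form, and a "last cookie" left behind when someone stops browsing goes dead after an idle window rather than living forever.

```python
import hashlib
import secrets
import time

# Added example, not code from the cf-talk thread: a server-side store of
# opaque, random, single-use session tokens.  The cookie carries no user id
# at all; the user is looked up from the token on the server.

TOKEN_BYTES = 32        # 256 bits of randomness per token
IDLE_TIMEOUT = 15 * 60  # seconds an unused token stays valid (assumed value)


def _fingerprint(token: str) -> str:
    """Keep only a hash of each token, so a leaked store does not leak live cookies."""
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self, idle_timeout: float = IDLE_TIMEOUT, clock=time.time):
        self._clock = clock              # injectable so tests can move time forward
        self._idle_timeout = idle_timeout
        self._live = {}    # token hash -> (user_id, issued_at); one live token per user
        self._spent = {}   # token hash -> user_id; tokens that have been used once

    def _issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._live[_fingerprint(token)] = (user_id, self._clock())
        return token

    def _revoke_user(self, user_id: str) -> None:
        """Drop every live token for a user, forcing a fresh username/password login."""
        for h in [h for h, (u, _) in self._live.items() if u == user_id]:
            del self._live[h]

    def login(self, user_id: str) -> str:
        """Call only after the password check succeeded; returns the first token."""
        self._revoke_user(user_id)
        return self._issue(user_id)

    def handle_request(self, token):
        """Validate the cookie, spend it, and return (user_id, replacement_token).

        Returns None when the request must go to the login form: the token is
        missing, unknown, expired, or has already been used once.
        """
        if not token:
            return None
        h = _fingerprint(token)
        if h in self._spent:
            # Replay: a stale tab, or a copied cookie presented after the
            # legitimate client already rotated it.  We cannot tell which
            # holder is the thief, so cut off the current token as well.
            self._revoke_user(self._spent[h])
            return None
        entry = self._live.pop(h, None)
        if entry is None:
            return None
        user_id, issued_at = entry
        self._spent[h] = user_id
        if self._clock() - issued_at > self._idle_timeout:
            return None  # a cookie left behind after the idle window is useless
        return user_id, self._issue(user_id)

    def logout(self, token) -> None:
        """The explicit 'Logout' mentioned in the thread: kill the live token."""
        if token:
            h = _fingerprint(token)
            entry = self._live.pop(h, None)
            if entry:
                self._spent[h] = entry[0]


def set_cookie_header(token: str, name: str = "session") -> str:
    """Set-Cookie line for the rotated token; the attributes are this example's choice."""
    return f"Set-Cookie: {name}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

The `Secure` attribute is what stops the cookie travelling over plain HTTP, which is the "unless you're on SSL it's easy to grab cookies" point above; `HttpOnly` keeps it away from page scripts. In a real deployment the `_spent` table must be pruned by age (a spent token older than the idle window can simply be forgotten, since it would be rejected as unknown anyway), and the store would live in a database or cache rather than process memory.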

