On Fri, Jun 12, 2009 at 9:59 AM, Dave Watts wrote:
>> An example would be for an emailed order confirmation with a link back to
>> their order details. (in this case the client does not want someone to fill
>> out user details and create an account for their own reasons) By using an
>> integer it would be extremely easy for someone to view other order details
>> but not so with a uuid.
>
> That would be a security issue. If a user can see a record they
> shouldn't be allowed to see, that by definition is an authorization
> failure. Authentication and authorization are the two aspects of user
> security.

Not to mention that the UUIDs generated by CF are predictable.

Jochem

--
Jochem van Dieten
http://jochem.vandieten.net/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323440
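
The following is an added example, not code from anyone in this thread, and it is written in Python rather than CFML. It sketches one way to make the emailed order link itself the authorization check: the server signs the order id and an expiry with a secret key and refuses any request whose signature does not verify, so neither integer nor UUID guessability matters. The names `LINK_KEY`, `make_order_link`, `parse_link`, `authorize_order_view` and the `/order` path are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlsplit

# Assumption: a server-side secret that never appears in the e-mail or the URL.
LINK_KEY = secrets.token_bytes(32)


def _tag(order_id: int, expires: int, key: bytes) -> str:
    """HMAC-SHA256 over the exact fields the link grants access to."""
    msg = f"order:{order_id}:{expires}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_order_link(order_id: int, ttl: int = 7 * 86400,
                    key: bytes = LINK_KEY, now=None) -> str:
    """Build the link placed in the confirmation e-mail (hypothetical path)."""
    expires = int(time.time() if now is None else now) + ttl
    return f"/order?id={order_id}&exp={expires}&sig={_tag(order_id, expires, key)}"


def parse_link(link: str) -> dict:
    """Extract the query parameters the way a request handler would see them."""
    return dict(parse_qsl(urlsplit(link).query))


def authorize_order_view(query: dict, key: bytes = LINK_KEY, now=None) -> bool:
    """Allow the view only if id and expiry carry a valid, unexpired signature."""
    try:
        order_id = int(query["id"])
        expires = int(query["exp"])
        sig = str(query["sig"])
    except (KeyError, ValueError, TypeError):
        return False  # missing or malformed parameters are denied, not guessed
    if (time.time() if now is None else now) > expires:
        return False
    expected = _tag(order_id, expires, key)
    # Constant-time comparison so the check does not leak how much matched.
    return hmac.compare_digest(sig.encode(), expected.encode())
```

Changing `id` or `exp` in the link invalidates `sig`, so walking through neighbouring order numbers yields only denials.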

