I'm with Ray here, glad to see I'm not the only one that thinks like that.

Just because it's unlikely doesn't mean you shouldn't protect yourself against unlikely attacks. It's pretty much impossible to protect a remote method from being called by anyone who wants to call it. If they're trying to call it directly, and they've got a little time on their hands, they can bypass a lot of the suggested methods of protection quite easily.

If you've got a CFC method with remote access, and it doesn't require authentication, then you have to ask yourself "What could someone do with this that I might not want them to?" Even if it requires that the user be authenticated, a malicious user could hit your site with a browser, authenticate, then grab the cookie information and write a script to duplicate that cookie information and browser agent and everything, and you'd have ZERO clue he was doing it via cfhttp or Perl or whatever.

There are all kinds of ways to "take it one step further" of course, but if you're Ticketmaster or Facebook, then hackers are going to spend time and resources figuring out how to get ahead of you for even a minute.

Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336424

