On 1/24/2011 8:57 AM, Richard White wrote:
> Hi,
>
> When the user logs in, I save their username to the session scope.
>
> Would I need to re-validate that username at the top of every page that uses
> it in a database query?
>
> I previously thought this was not necessary but if it is possible for someone
> to send malicious SQL injection then surely it is also possible (even though
> very unlikely) for someone to send code that changes the username stored in
> the session to some malicious SQL injection.
>
> thanks
Only if there is a place in your code for them to do so. If you have a vulnerable piece of code that can give unexpected and undesired results because of malicious inputs from the client, then you have a problem. But it is not an insecurity in the session variables; it is an insecurity in your application and how it is setting those variables. There is no way for a user to send random code at a CF server and have it do anything to session variables unless it is happening somewhere in the CFML codebase.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:341133
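As an added illustration, not code from the thread: the session value is only as trustworthy as the code that sets it, and a query is only as safe as the way it consumes that value. The constructed CFML below assumes a `users` table with `username` and `password_hash` columns, an `orders` table with an `owner` column, and a hypothetical `passwordMatches()` helper; the weak query is shown beside the parameterized one.

```cfml
<!--- login.cfm: session.username is copied from the authenticated database record,
      never from form.username, so a tampered login field cannot poison the session --->
<cfquery name="auth" datasource="app">
    SELECT username, password_hash
    FROM users
    WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="64">
</cfquery>

<!--- passwordMatches() is an assumed application helper, not a ColdFusion built-in --->
<cfif auth.recordCount EQ 1 AND passwordMatches(form.password, auth.password_hash)>
    <cfset session.username = auth.username>
    <cflocation url="orders.cfm" addtoken="false">
<cfelse>
    <cfoutput><p>Login failed.</p></cfoutput>
    <cfabort>
</cfif>

<!--- orders.cfm: every page that needs the identity checks it is present, then uses it safely --->
<cfif NOT structKeyExists(session, "username")>
    <cflocation url="login.cfm" addtoken="false">
</cfif>

<!--- Weak form: the value is interpolated into SQL text. It relies on ColdFusion's
      automatic single-quote escaping, which does not cover every SQL context and gives
      the database no type or length limit; any code path that sets session.username
      from raw input turns this into an injection point. --->
<cfquery name="ordersWeak" datasource="app">
    SELECT id, total FROM orders WHERE owner = '#session.username#'
</cfquery>

<!--- Hardened form: the value is bound as a typed parameter, so whatever is stored in
      session.username is sent as data and can never change the statement itself. --->
<cfquery name="ordersSafe" datasource="app">
    SELECT id, total FROM orders
    WHERE owner = <cfqueryparam value="#session.username#" cfsqltype="cf_sql_varchar" maxlength="64">
</cfquery>
```

With every query bound through cfqueryparam, re-validating the session value on each page adds nothing for SQL safety; the remaining concern is that the login code is the only writer of session.username.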

