> > If these groups are related to security for your application, I would
> > suggest storing them elsewhere,
>
> Database?

That is one option, yes. You could also use a session variable, or even a
client variable (as long as the storage option is not cookie, or it would
defeat the purpose).

> > or encrypting the text if it MUST be in a cookie.
>
> I do store the groups into a database at initial logon. I just put it into
> a cookie so they are active until the session closes. I thought it was
> easier this way. I'm not sure what you mean by encrypting the text...how?

If you keep them in a cookie, you can use the encrypt() function...

<cfcookie name="displayGroups" value="#encrypt(list, key)#">

...where "list" is the variable containing your group list, and "key" is
your encryption key, which must be the same for decryption. You could set a
master key in a global file, or use a dynamic value like their username or
password (or both). To get the value back on subsequent pages...

<cfset variables.displayGroups = decrypt(cookie.displayGroups, key)>

> > Cookies are fairly easy to modify on most browsers and someone
> > could easily put themselves in the "Administrator" group.
>
> How would someone go about this?

That depends on the browser. One could monitor the cookies as they are being
set (all major browsers have this feature) and use the cookie names and data
to create a more permanent cookie manually. Netscape stores all of its
non-session cookies in plain text in a single file, and IE stores them in
their own files in a particular directory (IIRC). It's not hard to modify
the files to create your own cookies manually. Once the cookie is created
with a far-off expiration date, they can visit your site, which will think
they're already logged in (they have the proper cookies already).

-Justin Scott, Lead Developer
Sceiron Internet Services, Inc.
http://www.sceiron.com

______________________________________________________________________
Signup for the Fusion Authority news alert and keep up with the latest news
in ColdFusion and related topics.
http://www.fusionauthority.com/signup.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
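As an added illustration (not code from the thread), the encrypt()/decrypt() cookie pattern described in the reply written out end to end, with two checks the reply does not show: the issue time is stored inside the encrypted value so a copied cookie stops working after a chosen age, and anything that does not decrypt to the expected shape is treated as "no groups". The key name application.cookieKey, the 30-minute limit, the sample group list and the admin_menu.cfm template are assumptions.

```cfml
<!--- Added example, not code from the thread. One master key for the whole
      application, set once (e.g. in Application.cfm). Placeholder value. --->
<cfparam name="application.cookieKey" default="REPLACE-WITH-A-LONG-RANDOM-SECRET">
<cfset maxAgeMs = 30 * 60 * 1000>  <!--- assumed 30-minute limit --->

<!--- At logon, after the groups are read from the database: prefix the list
      with the issue time so a copied cookie cannot be replayed indefinitely --->
<cfset groupList = "Users,Editors">   <!--- constructed sample value --->
<cfset payload = getTickCount() & "|" & groupList>
<cfcookie name="displayGroups" value="#encrypt(payload, application.cookieKey)#">

<!--- On every later page: recover the list, defaulting to "no groups" --->
<cfset variables.displayGroups = "">
<cfif isDefined("cookie.displayGroups")>
  <cftry>
    <cfset plain = decrypt(cookie.displayGroups, application.cookieKey)>
    <!--- A wrong key or an edited cookie may yield garbage rather than an
          error with older algorithms, so check the shape before trusting it --->
    <cfset issuedAt = listFirst(plain, "|")>
    <cfif isNumeric(issuedAt) AND (getTickCount() - issuedAt) LT maxAgeMs>
      <cfset variables.displayGroups = listRest(plain, "|")>
    </cfif>
    <cfcatch type="any">
      <cfset variables.displayGroups = "">
    </cfcatch>
  </cftry>
</cfif>

<!--- Drop a cookie that failed the checks so it is not resent every request --->
<cfif isDefined("cookie.displayGroups") AND variables.displayGroups EQ "">
  <cfcookie name="displayGroups" value="" expires="now">
</cfif>

<!--- Authorization check against the recovered list --->
<cfif listFindNoCase(variables.displayGroups, "Administrator")>
  <cfinclude template="admin_menu.cfm">   <!--- hypothetical template name --->
</cfif>
```

Because the cookie is a session cookie here, the age limit mainly matters for the copied, long-lived cookie case the reply describes; moving the list into the session scope avoids the client-side copy altogether.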

