Thanks Justin.

At 07:41 AM 5/2/2002 -0400, you wrote:
> > >If these groups are related to security for your application, I would
> > >suggest storing them elsewhere,
> >
> > Database?
>
>That is one option, yes.  You could also use a session variable, or even a
>client variable (as long as the storage option is not cookie, or it would
>defeat the purpose).
>
> > >or encrypting the text if it MUST be in a
> > >cookie.
> >
> > I do store the groups into a database at initial logon. I just put it into
> > a cookie so they are active until the session closes. I thought it was
> > easier this way. I'm not sure what you mean by encrypting the text...how?
>
>If you keep them in a cookie, you can use the encrypt() function...
>
><cfcookie name="displayGroups" value="#encrypt(list, key)#">
>
>..where "list" is the variable containing your group list, and "key" is
>your encryption key, which must be the same for decryption.  You could set a
>master key in a global file, or use a dynamic value like their username or
>password (or both).
>
>To get the value back on subsequent pages...
>
><cfset variables.displayGroups = decrypt(cookie.displayGroups, key)>
>
> > >Cookies are fairly easy to modify on most browsers and someone
> > >could easily put themselves in the "Administrator" group.
> >
> > How would someone go about this?
>
>That depends on the browser.  One could monitor the cookies as they are
>being set (all major browsers have this feature) and use the cookie names
>and data to create a more permanent cookie manually.  Netscape stores all of
>its non-session cookies in plain text in a single file, and IE stores them
>in their own files in a particular directory (IIRC).  It's not hard to
>modify the files to create your own cookies manually.  Once the cookie is
>created with a far off expiration date, they can visit your site, which will
>think they're already logged in (they have the proper cookies already).
>
>-Justin Scott, Lead Developer
>  Sceiron Internet Services, Inc.
>  http://www.sceiron.com
>
>
>
______________________________________________________________________
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists