Gary, you are right. I did a lot of investigation about security today, and
I thought like you to limit the number of emails per hour. I just discovered
today the existence of the Sandbox Security Permissions and now I need to
re-install ColdFusion MX... I will post my problems in CF-Talk... but it
does not really do what I want!

You know I was looking at the CGI variables...

* REMOTE_HOST
The hostname making the request. If the server does not have this
information, it should set REMOTE_ADDR and leave this unset.

* REMOTE_ADDR
The IP address of the remote host making the request.

You know, I just want my www.mydomain.com Flash main movie calling me
(ColdFusion MX)... but I think, talking to my Flash MX partner... the SWF
file is loaded onto the user's PC, and when the user clicks on something to
call my CFCs.... the REMOTE_HOST will be his PC host name... that's bad...

My friend and I had an idea to make life harder for hackers... we
thought about something that might be good... if the Flash main movie asks
ColdFusion at the beginning to give all the CFC services that Flash needs to do a
gatewayConnection.getService... the names of my CFCs can be in a SQL table
and can be difficult to know... but we need to test first if it can be
done... so hackers will need to find the real path of my CFCs before they can
do anything... is it a hard job for them? I really don't know...

Stephane


----- Original Message ----- 
From: "Gary Menzel" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, August 03, 2003 7:20 PM
Subject: Re: [CFCDev] Ensuring CFC calls


Given the scenario you have described, there is no real way you can ever
know that it is your application calling your web service.  One of the
major points about web services is that they can be called by anyone. Most
sites use an authentication mechanism to know if the person is allowed to
access the website methods (not a specific application).

You could have a device (separate from CF sessions) that allocated a
unique ID for each session - but, given your users all have accounts - as
long as they authenticate they will get in.

Once you allow someone into your site, there is no real way you can stop
them using it.

You might want to think about throttling the users (for example: don't
allow them to send any more than 5 emails in a one hour period).


Gary Menzel
Web Development Manager
IT Operations Brisbane -+- ABN AMRO Morgans Limited
Level 29, 123 Eagle Street BRISBANE QLD 4000
PH: 07 333 44 828  FX:  07 3834 0828


****************************************************************************
If this communication is not intended for you and you are not an authorised
recipient of this email you are prohibited by law from dealing with or
relying on the email or any file attachments. This prohibition includes
reading, printing, copying, re-transmitting, disseminating, storing or in
any other way dealing or acting in reliance on the information.  If you
have received this email in error, we request you contact ABN AMRO Morgans
Limited immediately by returning the email to [EMAIL PROTECTED]
and destroy the original. We will refund any reasonable costs associated
with notifying ABN AMRO Morgans. This email is confidential and may contain
privileged client information. ABN AMRO Morgans has taken reasonable steps
to ensure the accuracy and integrity of all its communications, including
electronic communications, but accepts no liability for materials
transmitted. Materials may also be transmitted without the knowledge of ABN
AMRO Morgans.  ABN AMRO Morgans Limited its directors and employees do not
accept liability for the results of any actions taken or not on the basis
of the information in this report. ABN AMRO Morgans Limited and its
associates hold or may hold securities in the companies/trusts mentioned
herein.  Any recommendation is made on the basis of our research of the
investment and may not suit the specific requirements of clients.
Assessments of suitability to an individual's portfolio can only be made
after an examination of the particular client's investments, financial
circumstances and requirements.
****************************************************************************

----------------------------------------------------------
You are subscribed to cfcdev. To unsubscribe, send an email
to [EMAIL PROTECTED] with the word 'unsubscribe cfcdev'
in the message of the email.

CFCDev is run by CFCZone (www.cfczone.org) and supported
by Mindtool, Corporation (www.mindtool.com).
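A throttle along the lines Gary suggests (no more than 5 emails per account in any one hour), written here as an added example; it is not code from either message in this thread. It keys the limit on the account the site's own login is assumed to have stored in session.accountId, not on CGI.REMOTE_ADDR or on the path of the CFC, since the SWF runs on the user's PC and presents that PC's address. The file name MailService.cfc, the application.mailLog structure, session.accountId, and the noreply@mydomain.com sender are all assumptions; session management must be enabled in Application.cfm and the Flash Player must be sending the browser's session cookie for session.accountId to be visible to a Flash Remoting call.

```cfml
<!--- MailService.cfc (assumed file name); exposed to Flash Remoting as "MailService" --->
<cfcomponent displayname="MailService" output="false">

  <!--- Per-account sliding window. Returns true if this account may send
        another email now, false if it already sent maxPerWindow emails in
        the last windowSeconds. State is kept in application.mailLog
        (assumed name), keyed by account, so it spans requests and sessions. --->
  <cffunction name="allowSend" access="private" returntype="boolean" output="false">
    <cfargument name="accountId" type="string" required="true">
    <cfargument name="maxPerWindow" type="numeric" default="5">
    <cfargument name="windowSeconds" type="numeric" default="3600">
    <cfset var now = getTickCount()>
    <cfset var cutoff = now - arguments.windowSeconds * 1000>
    <cfset var recent = arrayNew(1)>
    <cfset var stamps = "">
    <cfset var i = 0>
    <cflock scope="application" type="exclusive" timeout="5">
      <cfif not structKeyExists(application, "mailLog")>
        <cfset application.mailLog = structNew()>
      </cfif>
      <cfif not structKeyExists(application.mailLog, arguments.accountId)>
        <cfset application.mailLog[arguments.accountId] = arrayNew(1)>
      </cfif>
      <cfset stamps = application.mailLog[arguments.accountId]>
      <!--- drop send timestamps that have fallen out of the window --->
      <cfloop from="1" to="#arrayLen(stamps)#" index="i">
        <cfif stamps[i] gt cutoff>
          <cfset arrayAppend(recent, stamps[i])>
        </cfif>
      </cfloop>
      <cfif arrayLen(recent) gte arguments.maxPerWindow>
        <cfset application.mailLog[arguments.accountId] = recent>
        <cfreturn false>
      </cfif>
      <!--- record this send and allow it --->
      <cfset arrayAppend(recent, now)>
      <cfset application.mailLog[arguments.accountId] = recent>
    </cflock>
    <cfreturn true>
  </cffunction>

  <!--- Called from Flash as gatewayConnection.getService("MailService").sendMail(...).
        The caller is identified only by session.accountId, assumed to be set by the
        site's login page. CGI.REMOTE_ADDR is written to the log but never trusted. --->
  <cffunction name="sendMail" access="remote" returntype="struct" output="false">
    <cfargument name="to" type="string" required="true">
    <cfargument name="subject" type="string" required="true">
    <cfargument name="body" type="string" required="true">
    <cfset var result = structNew()>
    <cfif not structKeyExists(session, "accountId")>
      <cfset result.ok = false>
      <cfset result.message = "not logged in">
      <cfreturn result>
    </cfif>
    <cfif not allowSend(session.accountId)>
      <cfset result.ok = false>
      <cfset result.message = "limit of 5 emails per hour reached">
      <cflog file="mailthrottle" text="throttled account #session.accountId# from #CGI.REMOTE_ADDR#">
      <cfreturn result>
    </cfif>
    <cfmail to="#arguments.to#" from="noreply@mydomain.com" subject="#arguments.subject#">#arguments.body#</cfmail>
    <cfset result.ok = true>
    <cfset result.message = "sent">
    <cfreturn result>
  </cffunction>

</cfcomponent>
```

The exclusive application lock is what makes the count correct when the same account fires several Flash calls at once; without it two requests can both read four timestamps and both send. Keeping the window per account rather than per session means a user who logs in twice still gets one shared allowance, which is the behaviour Gary's "5 emails in a one hour period" describes.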
