I guess the methods with access="remote" which are session unaware then call the facade CFC which has an access="public" to obtain permission to return the data? The session unaware method would still have to be supplied with some sort of id that makes the requesting user identifiable (client.secretid?). That sounds like quite a bit of work just to avoid reading a session var...?
 
"If you create a public facing CFC that exposes methods that allow session data to be directly manipulated, well, you've now allowed public access to session data. Of course, callers will only have access to their own session data, but still, proceed with caution, and make sure you fully understand what you are doing."
 
In my example, I'm not even modifying my session vars in my cfc, but even if I was, what is the worst that could happen? (I know that's a loaded question ;-)
/m
 
 
: Typically for this sort of scenario I use a Session Facade.  This is simply a
:  CFC that explicitly accesses the Session Scope, but does nothing else.  

: I'll see if I can dig up a sample from some of my code...
:  
: -Cameron


: On Wed, Mar 19, 2008 at 4:15 PM, Mischa Uppelschoten ext 10
:  <[EMAIL PROTECTED]> wrote:
:  In reading up on the issue I'm having, I'm finding that some people advocate
:  for components only to work on variables that get passed into them, and not
:  rely on session or application vars.
:  
:  Suppose I have a control (cfgrid) that I want to use to display information
:  only for the logged in user. It is bound to a function in a cfc. What is the
:  best practice for securing this scenario?
:  Thanks!
:  Mischa.
:  
:  
:  
:  -------------------------------------------------------------
:  Annual Sponsor FigLeaf Software - http://www.figleaf.com
:  
:  To unsubscribe from this list, manage your profile @
:  http://www.acfug.org?falogin.edituserform
:  
:  For more info, see http://www.acfug.org/mailinglists
:  Archive @ http://www.mail-archive.com/discussion%40acfug.org/
:  List hosted by http://www.fusionlink.com
:  -------------------------------------------------------------
:  
:  
:  
:  


: --
: Cameron Childress
: Sumo Consulting Inc
: http://www.sumoc.com
: ---
: cell: 678.637.5072
: aim: cameroncf
: email: [EMAIL PROTECTED]




Mischa Uppelschoten
The Banker's Exchange, LLC.
4200 Highlands Parkway SE
Suite A
Smyrna, GA 30082-5198

Phone:    (404) 605-0100 ext. 10
Fax:    (404) 355-7930
Web:    www.BankersX.com
Follow this link for Instant Web Chat:
http://www.bankersx.com/Contact/chat.cfm?Queue=MUPPELSCHOTEN
----------------------- Original Message -----------------------
  
From: "Cameron Childress" <[EMAIL PROTECTED]>
Date: Wed, 19 Mar 2008 16:32:25 -0400
Subject: Re: [ACFUG Discuss] AJAX security (was: Using components on different websites)
  
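For readers following this thread, here is an added illustration of the Session Facade arrangement Cameron describes. It is not his sample (which was never posted) and not code from Mischa's site; the component names SessionFacade and AccountService, the datasource name, the table and column names, and the session key userID are all assumed. The point it shows is the answer to the "how does the remote method know who is asking" question: the remote method takes no user id from the client at all. The grid binding only carries paging and sort parameters, and the owner id for the query is read server-side from the session through the facade, so a caller who invokes the remote URL directly still only ever gets their own rows.

```cfml
<!--- ===== SessionFacade.cfc (assumed name) =====
      The only component that touches the Session scope. Everything else asks it. --->
<cfcomponent output="false" hint="Wraps reads of the Session scope so other CFCs never touch it directly.">

    <cffunction name="isLoggedIn" access="public" returntype="boolean" output="false">
        <!--- session.userID is an assumed key set by the login page --->
        <cfreturn structKeyExists(session, "userID") AND isNumeric(session.userID)>
    </cffunction>

    <cffunction name="getUserID" access="public" returntype="numeric" output="false">
        <!--- Throw instead of returning 0 or "" so a caller can never run a query on a bogus id --->
        <cfif NOT isLoggedIn()>
            <cfthrow type="SessionFacade.NotAuthenticated" message="No authenticated user in session.">
        </cfif>
        <cfreturn session.userID>
    </cffunction>

</cfcomponent>


<!--- ===== AccountService.cfc (assumed name) =====
      Remote CFC that the cfgrid binds to. Note there is no userID argument. --->
<cfcomponent output="false">

    <cffunction name="getAccounts" access="remote" returntype="struct" output="false">
        <!--- These four arguments are what an HTML-format cfgrid bind passes automatically --->
        <cfargument name="page"              type="numeric" required="true">
        <cfargument name="pageSize"          type="numeric" required="true">
        <cfargument name="gridsortcolumn"    type="string"  required="false" default="">
        <cfargument name="gridsortdirection" type="string"  required="false" default="">

        <cfset var facade    = createObject("component", "SessionFacade")>
        <cfset var userID    = 0>
        <cfset var sortCol   = "account_name">
        <cfset var sortDir   = "ASC">
        <cfset var qAccounts = "">

        <!--- Identity comes from the server-side session, never from the request --->
        <cftry>
            <cfset userID = facade.getUserID()>
            <cfcatch type="SessionFacade.NotAuthenticated">
                <!--- Not logged in: hand the grid an empty result rather than an error --->
                <cfreturn queryConvertForGrid(queryNew("account_id,account_name,balance"),
                                              arguments.page, arguments.pageSize)>
            </cfcatch>
        </cftry>

        <!--- The sort column also arrives from the client, so allow only known column names;
              it cannot go through cfqueryparam because it is an identifier, not a value --->
        <cfif listFindNoCase("account_id,account_name,balance", arguments.gridsortcolumn)>
            <cfset sortCol = arguments.gridsortcolumn>
        </cfif>
        <cfif arguments.gridsortdirection EQ "DESC">
            <cfset sortDir = "DESC">
        </cfif>

        <cfquery name="qAccounts" datasource="bankersx"> <!--- datasource name is assumed --->
            SELECT account_id, account_name, balance
            FROM   accounts
            WHERE  owner_id = <cfqueryparam value="#userID#" cfsqltype="cf_sql_integer">
            ORDER BY #sortCol# #sortDir#
        </cfquery>

        <cfreturn queryConvertForGrid(qAccounts, arguments.page, arguments.pageSize)>
    </cffunction>

</cfcomponent>


<!--- ===== page that shows the grid =====
      The bind expression carries paging and sort state only; no user id is exposed to the browser --->
<cfform>
    <cfgrid name="accounts" format="html" pagesize="10" sort="true"
            bind="cfc:AccountService.getAccounts({cfgridpage},{cfgridpagesize},{cfgridsortcolumn},{cfgridsortdirection})">
        <cfgridcolumn name="account_id"   header="ID">
        <cfgridcolumn name="account_name" header="Account">
        <cfgridcolumn name="balance"      header="Balance">
    </cfgrid>
</cfform>
```

Reading through this against the questions above: the remote method still reads a session value, just through one well-defined door, so it is not "a lot of work to avoid reading a session var" so much as making sure every remote entry point reads it the same way and never accepts the id from the caller. The worst case the quoted warning is pointing at is the other design, a remote method that takes userID (or a client-supplied secret) as an argument, because any script that can reach the CFC URL can then ask for someone else's rows.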