I guess the methods with access="remote"
which are session unaware then call the facade
CFC which has an access="public" to obtain
permission to return the data? The session
unaware method would still have to be supplied
with some sort of id that makes the requesting
user identifiable (client.secretid?). That
sounds like quite a bit of work just to avoid
reading a session var...?
"If you create a public facing CFC
that exposes methods that allow session data
to be directly manipulated, well, you've
now allowed public access to session data.
Of course, callers will only have access
to their own session data, but still, proceed
with caution, and make sure you fully understand
what you are doing."
In my example, I'm not even modifying
my session vars in my cfc, but even if I
was, what is the worst that could happen?
(I know that's a loaded question ;-)
/m
: Typically for this sort of scenario I use a Session Facade. This is simply a
: CFC that explicitly accesses the Session Scope, but does nothing else.
:
: I'll see if I can dig up a sample from some of my code...
:
: -Cameron
:
: On Wed, Mar 19, 2008 at 4:15 PM, Mischa Uppelschoten ext 10
: <[EMAIL PROTECTED]> wrote:
: In reading up on the issue I'm having, I'm finding that some people advocate
: for components only to work on variables that get passed into them, and not
: rely on session or application vars.
:
: Suppose I have a control (cfgrid) that I want to use to display information
: only for the logged in user. It is bound to a function in a cfc. What is the
: best practice for securing this scenario?
:
: Thanks!
: Mischa.
:
: -------------------------------------------------------------
: Annual Sponsor FigLeaf Software - http://www.figleaf.com
:
: To unsubscribe from this list, manage your profile @
: http://www.acfug.org?fa=login.edituserform
:
: For more info, see http://www.acfug.org/mailinglists
: Archive @ http://www.mail-archive.com/discussion%40acfug.org/
: List hosted by http://www.fusionlink.com
: -------------------------------------------------------------
:
: --
: Cameron Childress
: Sumo Consulting Inc
: http://www.sumoc.com
: ---
: cell: 678.637.5072
: aim: cameroncf
: email: [EMAIL PROTECTED]

Mischa Uppelschoten
The Banker's Exchange, LLC.
4200 Highlands Parkway SE Suite A
Smyrna, GA 30082-5198
Phone: (404) 605-0100 ext. 10
Fax: (404) 355-7930
Web: www.BankersX.com
Follow this link for Instant Web Chat: http://www.bankersx.com/Contact/chat.cfm?Queue=MUPPELSCHOTEN

----------------------- Original Message -----------------------
From: "Cameron Childress" <[EMAIL PROTECTED]>
Date: Wed, 19 Mar 2008 16:32:25 -0400
Subject: Re: [ACFUG Discuss] AJAX security (was: Using components on different websites)

I'll see if I can dig up a sample from some of my code...

-Cameron

On Wed, Mar 19, 2008 at 4:15 PM, Mischa Uppelschoten ext 10 <[EMAIL PROTECTED]> wrote:
In reading up on the issue I'm having, I'm finding that some people advocate for components only to work on variables that get passed into them, and not rely on session or application vars.
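The Session Facade Cameron describes, as an added example that is not code from this thread or from either poster: a facade CFC that is the only component reading the session scope, and a remote CFC bound to the cfgrid that asks the facade for the logged-in user's id instead of accepting one from the browser. The component names, datasource name and table layout are assumptions.

```cfml
<!--- File: SessionFacade.cfc (hypothetical name).
      The only component that touches the session scope; it is access="public",
      so it can be called from other CFCs but not directly over AJAX/Flash Remoting. --->
<cfcomponent output="false">

  <cffunction name="isLoggedIn" access="public" returntype="boolean" output="false">
    <cfreturn structKeyExists(session, "userId") AND isNumeric(session.userId) />
  </cffunction>

  <cffunction name="getUserId" access="public" returntype="numeric" output="false">
    <cfreturn session.userId />
  </cffunction>

</cfcomponent>


<!--- File: AccountService.cfc (hypothetical name).
      The remote method the cfgrid binds to. It takes paging arguments only;
      the user id never comes from the caller. --->
<cfcomponent output="false">

  <cffunction name="getTransactions" access="remote" returntype="struct" output="false">
    <cfargument name="page" type="numeric" required="true" />
    <cfargument name="pageSize" type="numeric" required="true" />
    <cfset var facade = createObject("component", "SessionFacade") />
    <cfset var q = "" />

    <!--- A remote call with no login behind it is refused rather than answered with someone's data --->
    <cfif NOT facade.isLoggedIn()>
      <cfthrow type="Security.NotAuthenticated" message="Login required" />
    </cfif>

    <!--- The row filter is taken from the server-side session, so each caller
          can only ever receive their own rows, whatever they put in the request --->
    <cfquery name="q" datasource="bankersDSN">
      SELECT id, posted_on, amount
      FROM transactions
      WHERE user_id = <cfqueryparam value="#facade.getUserId()#" cfsqltype="cf_sql_integer" />
      ORDER BY posted_on DESC
    </cfquery>

    <!--- cfgrid expects the paged structure produced by queryConvertForGrid --->
    <cfreturn queryConvertForGrid(q, arguments.page, arguments.pageSize) />
  </cffunction>

</cfcomponent>
```

The grid would bind with `bind="cfc:AccountService.getTransactions({cfgridpage},{cfgridpagesize})"`; because the session lookup happens inside the facade, the remote method itself never reads or writes session variables.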