If I discover the URL, what prevents me from using this same URL again?

On Tue, Jul 29, 2008 at 3:28 PM, Ajas Mohammed <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I am implementing single sign-on and after I verify user credentials, I have
> to redirect the user to a secure area which has its own login verification through
> uname/pwd textboxes, the usual way.
>
> The idea with single sign-on is to avoid that login verification page. So,
> while redirecting the user to the secure area, I am planning to pass 2 parameters in
> cflocation, i.e. 1. to indicate it is single sign-on, so in Application.cfm for
> the secure area folder I can set client variables, 2. the encrypted value of a
> random key generated using the GenerateSecretKey func.
>
> Here is some code/logic:
>
> <cfset redirectToSS = "whatever">
>
> <!--- generate a key; the algorithm and encoding variables are set before this --->
> <cfset key = GenerateSecretKey(algorithm)>
>
> <cfset redirectToSS = Encrypt(redirectToSS, key, algorithm, encoding)>
>
> <cfset encKey = Encrypt(key, "sometext")>
>
> <cflocation url="../secureArea/MyHome.cfm?redirectToSS=#redirectToSS#&vartest=#encKey#">
>
> Now in secureArea/Application.cfm
>
> I will use redirectToSS and varTest. First decrypt varTest to get the key value
> and then use the key value to see what's in redirectToSS.
> So,
>
> <cfif redirectToSS eq "whatever">
>     set client variables that are needed to access the application.
> </cfif>
>
> Does this make sense? Is this approach safe, security-wise, considering no
> one knows what algorithm and encoding I am using to encrypt redirectToSS and
> also the fact that the key is sent over encrypted?
>
> Am I missing something important here? Any holes in this approach?
>
> Thanks,
>
> --
> <Ajas Mohammed />
> http://ajashadi.blogspot.com
> We cannot become what we need to be, remaining what we are.
> No matter what, find a way. Because that's what winners do.
> You can't improve what you don't measure.
> Quality is never an accident; it is always the result of high intention,
> sincere effort, intelligent direction and skillful execution; it represents
> the wise choice of many alternatives.
--
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell: 678.637.5072
aim: cameroncf
email: [EMAIL PROTECTED]

-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
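The replay problem Cameron's one-line reply points at, worked through as an added example; this is not code from the thread or from ColdFusion, and Python stands in for the CFML. The toy XOR routine is only a stand-in for Encrypt()/Decrypt() (deterministic and reversible is all the demonstration needs), the marker "whatever" and the passphrase "sometext" are taken from the post, and the HandoffBroker with its in-memory dict, the `sso` query parameter and the 60-second lifetime are assumptions made for the illustration. The first half models the posted design and shows that a captured query string is accepted every time it is presented; the second half replaces the encrypted marker with a random, single-use, short-lived token bound to a username, which is what stops a copied URL from working twice.

```python
import hashlib
import os
import secrets
import time
from urllib.parse import parse_qs, urlencode

# --- Model of the posted scheme ---------------------------------------------

def _xor_stream(data: bytes, key: bytes) -> bytes:
    """Toy reversible XOR stream cipher standing in for ColdFusion's
    Encrypt()/Decrypt(). Its strength is irrelevant to the replay problem."""
    return bytes(
        b ^ hashlib.sha256(key + i.to_bytes(4, "big")).digest()[0]
        for i, b in enumerate(data)
    )

MARKER = b"whatever"      # fixed value the secure area looks for (from the post)
KEY_WRAP = b"sometext"    # fixed passphrase the key is encrypted under (from the post)

def legacy_build_redirect() -> str:
    """SSO side of the posted design: fresh key, encrypt the marker with it,
    encrypt the key under a fixed passphrase, put both in the query string."""
    key = os.urandom(16)                         # GenerateSecretKey() stand-in
    redirect_to_ss = _xor_stream(MARKER, key)
    enc_key = _xor_stream(key, KEY_WRAP)
    return urlencode({"redirectToSS": redirect_to_ss.hex(), "vartest": enc_key.hex()})

def legacy_check(query: str) -> bool:
    """Secure-area Application.cfm side: recover the key, decrypt the marker,
    grant access if it matches. Nothing here changes between requests, so a
    captured query string is accepted as many times as it is presented."""
    params = parse_qs(query)
    try:
        enc_key = bytes.fromhex(params["vartest"][0])
        redirect_to_ss = bytes.fromhex(params["redirectToSS"][0])
    except (KeyError, ValueError):
        return False
    key = _xor_stream(enc_key, KEY_WRAP)
    return _xor_stream(redirect_to_ss, key) == MARKER

# --- One-time handoff token (assumed design, not from the post) -------------

class HandoffBroker:
    """Replaces the encrypted marker with an opaque, single-use, short-lived
    token bound to a user. The token store must be reachable by both the SSO
    page and the secure area (a shared database or cache); a dict stands in
    for it here. `now` is injectable so expiry can be tested without sleeping."""

    def __init__(self, ttl_seconds: int = 60, now=time.time):
        self._pending = {}            # token -> (username, issued_at)
        self._ttl = ttl_seconds
        self._now = now

    def issue(self, username: str) -> str:
        """SSO side: after verifying credentials, mint a token bound to the user."""
        token = secrets.token_urlsafe(32)        # 256 bits of entropy, not guessable
        self._pending[token] = (username, self._now())
        return token

    def redirect_url(self, username: str) -> str:
        """The cflocation target: only the opaque token travels in the URL."""
        return "../secureArea/MyHome.cfm?" + urlencode({"sso": self.issue(username)})

    def redeem(self, query: str):
        """Secure-area side: accept the token exactly once, only while fresh.
        Returns the bound username, or None if the token is unknown, already
        used, or expired. The caller then starts its own session and sets the
        client variables; the token itself never becomes the session."""
        token = parse_qs(query).get("sso", [None])[0]
        if token is None:
            return None
        entry = self._pending.pop(token, None)   # pop: consumed on first use
        if entry is None:
            return None
        username, issued_at = entry
        if self._now() - issued_at > self._ttl:
            return None
        return username

if __name__ == "__main__":
    captured = legacy_build_redirect()
    print("posted scheme, replayed URL accepted:", legacy_check(captured) and legacy_check(captured))
    broker = HandoffBroker()
    query = broker.redirect_url("ajas").split("?", 1)[1]
    print("one-time token, first use:", broker.redeem(query))
    print("one-time token, replay:", broker.redeem(query))
```

In CFML terms, `issue` runs on the SSO page before the cflocation, `redeem` runs in secureArea/Application.cfm, and the dict becomes a table or cache both applications can reach. Keeping the algorithm and encoding secret adds nothing: the attacker never needs to decrypt anything, only to resend what was already accepted. The token should also be carried over HTTPS, since anything in a GET query string ends up in browser history, proxy logs and Referer headers.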
