Right off the top of my head I would say that your specific implementation 
would be susceptible to a replay attack. But I'll defer to Dean if he's 
listening while on vacation...



----- Original Message ----
From: Ajas Mohammed <[EMAIL PROTECTED]>
To: [email protected]
Sent: Tuesday, July 29, 2008 3:28:01 PM
Subject: [ACFUG Discuss] cflocation with variables encrypted, is it safe approach?


Hi,

I am implementing single sign on and after I verify user credentials, I have to 
redirect the user to a secure area which has its own login verification through 
uname/pwd textboxes, the usual way.

The idea with single sign on is to avoid that login verification page. So, 
while redirecting the user to the secure area, I am planning to pass 2 parameters in 
cflocation, i.e. 1. to indicate it's single sign on, so in Application.cfm for the 
secure area folder I can set client variables, 2. the encrypted value of a random 
key generated using the GenerateSecretKey func.

here is some code/logic

<cfset redirectToSS = "whatever">

<!--- generate a key; the algorithm and encoding variables are set before this --->
<cfset key = GenerateSecretKey(algorithm)>

<!--- encrypt the marker value with the freshly generated key --->
<cfset redirectToSS = Encrypt(redirectToSS, key, algorithm, encoding)>

<!--- encrypt the key itself with a fixed passphrase so it can travel in the URL --->
<cfset encKey = Encrypt(key, "sometext")>

<!--- URLEncodedFormat keeps the encoded ciphertext (which may contain +, / or =) intact in the query string --->
<cflocation url="../secureArea/MyHome.cfm?redirectToSS=#URLEncodedFormat(redirectToSS)#&vartest=#URLEncodedFormat(encKey)#">

Now in secureArea/Application.cfm

I will use redirectToSS and varTest. First decrypt varTest to get the key value and 
then use the key value to see what's in redirectToSS. 
So,
<cfset key = Decrypt(url.vartest, "sometext")>
<cfset redirectToSS = Decrypt(url.redirectToSS, key, algorithm, encoding)>
<cfif redirectToSS eq "whatever">
    <!--- set the client variables that are needed to access the application (hypothetical name) --->
    <cfset client.ssoAuthenticated = true>
</cfif>


Does this make sense? Is this approach safe, security wise, considering no one 
knows what algorithm and encoding I am using to encrypt redirectToSS and also the 
fact that the key is sent over encrypted?

Am I missing something important here? Any holes in this approach?

Thanks,

-- 
<Ajas Mohammed />
http://ajashadi.blogspot.com
We cannot become what we need to be, remaining what we are.
No matter what, find a way. Because thats what winners do.
You can't improve what you don't measure.
Quality is never an accident; it is always the result of high intention, 
sincere effort, intelligent direction and skillful execution; it represents the 
wise choice of many alternatives.
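The replay concern raised in the reply comes from the fact that the redirect URL above is accepted every time it is presented: nothing in it says who it is for, when it was issued, or whether it has already been used, and the material needed to decode it (the key, encrypted under a fixed passphrase) travels alongside it. The following is an added illustration of a replay-resistant handoff, written for this edit and not part of the thread or of the poster's ColdFusion code. It is in Python because the property it shows is independent of language; `SERVER_SECRET`, `TOKEN_TTL_SECONDS`, the function names and the in-memory nonce store are all constructed for the example. The secret never leaves the server, so the token needs no encryption at all; what it needs is integrity (an HMAC), freshness (an expiry) and single use (a nonce the consuming side remembers).

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side secret. In ColdFusion terms it would live in the
# application scope or a config file; it is never placed in the redirect URL.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 60  # a handoff should be consumed within seconds of issue

# Constructed single-process store of consumed nonces. A real deployment would
# back this with a database or shared cache so that every node sees it.
_consumed_nonces = set()


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token survives a query string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest())


def issue_handoff_url(username: str, now: Optional[float] = None,
                      target: str = "../secureArea/MyHome.cfm") -> str:
    """Build the redirect URL the SSO page would hand to cflocation."""
    now = time.time() if now is None else now
    payload = json.dumps({
        "user": username,
        "nonce": secrets.token_hex(16),  # fresh per redirect: makes the token single-use
        "exp": int(now) + TOKEN_TTL_SECONDS,
    }, separators=(",", ":")).encode()
    token = _b64(payload) + "." + _sign(payload)
    return target + "?" + urlencode({"sso": token})


def consume_handoff(url: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Validate the token carried in the URL. Returns (accepted, username_or_reason)."""
    now = time.time() if now is None else now
    params = parse_qs(urlparse(url).query)
    token = params.get("sso", [""])[0]
    try:
        body_b64, sig = token.split(".", 1)
        payload = _unb64(body_b64)
    except (ValueError, binascii.Error):
        return False, "malformed token"
    # Authenticate before interpreting: constant-time compare of the MAC,
    # and the payload is only parsed once it is known to be ours.
    if not hmac.compare_digest(sig, _sign(payload)):
        return False, "bad signature"
    claims = json.loads(payload)
    if now > claims["exp"]:
        return False, "expired"
    if claims["nonce"] in _consumed_nonces:
        return False, "replayed"
    _consumed_nonces.add(claims["nonce"])
    return True, claims["user"]


if __name__ == "__main__":
    url = issue_handoff_url("alice")
    print("first use: ", consume_handoff(url))   # accepted
    print("second use:", consume_handoff(url))   # rejected as replayed
```

The consuming side (the secure area's Application.cfm in the thread's setup) checks signature, expiry and nonce in that order, and only then trusts the `user` claim to set its session or client variables. A captured URL therefore buys an attacker at most one use within the TTL, and nothing at all once the legitimate redirect has already completed; with the original scheme a captured URL remained valid indefinitely.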

------------------------------------------------------------- 
To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform 

For more info, see http://www.acfug.org/mailinglists 
Archive @ http://www.mail-archive.com/discussion%40acfug.org/ 
List hosted by FusionLink 
------------------------------------------------------------- 

