Hell, it goes to the user as part of the 302 redirect! So the URL is
easily identified.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people
what they do not want to hear."
-- George Orwell, 1945
On Jul 29, 2008, at 4:53 PM, [EMAIL PROTECTED] wrote:
Packet sniffers. Server logs. Pick your poison.
Sent via BlackBerry by AT&T
From: "Ajas Mohammed" <[EMAIL PROTECTED]>
Date: Tue, 29 Jul 2008 16:45:51 -0400
To: <[email protected]>
Subject: Re: [ACFUG Discuss] cflocation with variables encrypted, is
it safe approach?
Thanks for the suggestion, Cameron.
Before we get into that, let me take one step back.
How will someone get my URL? Here is the process explained in detail.
There are two parties: one identity provider (IdP) and the other the
service provider (SP), i.e. me.
The identity provider has their own server to authenticate users, which
we are not concerned with. After this, the IdP user clicks on a link (I
am not concerned with this link) and it brings the user to my
verification module, and that's where I plan to use the logic with
encryption that I had emailed in the first post.
So, how can someone get my URL, if I plan to remove the URL vars I
had generated earlier, and the URL is shown to the user as Myhome.cfm
instead of it being appended with variables?
Any ideas?
Ajas.
On Tue, Jul 29, 2008 at 4:17 PM, Cameron Childress
<[EMAIL PROTECTED]> wrote:
On Tue, Jul 29, 2008 at 4:11 PM, Ajas Mohammed <[EMAIL PROTECTED]>
wrote:
> Shawn/Cameron, yeah, that's a big hole and I plan to use a timestamp
> to avoid it, but I don't know right now exactly how that will be done.
Using any predictable or easy to guess information (like a timestamp)
is not a good security measure in most cases.
> So, any suggestions for stopping replay attacks?
One-time-use token.
-Cameron
--
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell: 678.637.5072
aim: cameroncf
email: [EMAIL PROTECTED]
-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
--
<Ajas Mohammed />
http://ajashadi.blogspot.com
We cannot become what we need to be, remaining what we are.
No matter what, find a way. Because that's what winners do.
You can't improve what you don't measure.
Quality is never an accident; it is always the result of high
intention, sincere effort, intelligent direction and skillful
execution; it represents the wise choice of many alternatives.
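Cameron's "one-time-use token" answer and Dean's point that the URL leaves the server in the 302 and lands in packet captures and logs fit together: the redirect URL should carry nothing that is worth capturing. The following is an added example, not code from the thread or from any ColdFusion library; it is written in Python because the mechanism does not depend on CFML, and the names (TokenStore, verify.cfm, the in-memory dictionary) are assumptions. The token is 256 random bits from the OS CSPRNG rather than a timestamp, so it cannot be enumerated, and redeem() removes it before answering, so the identical URL replayed from a sniffer or a log file is rejected.

```python
"""One-time-use token for the IdP -> SP hand-off, as a replay defence.

Added example, not the thread's code. TokenStore, verify.cfm and the
in-memory dict are assumptions; a real SP would keep tokens in a
database or cache shared by every web node.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class TokenStore:
    """Server-side store of unused, time-limited tokens.

    A token is accepted exactly once: redeem() pops it from the store
    before returning, so a captured URL is worthless after the first hit.
    """

    def __init__(self, ttl_seconds=60, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock        # injectable so expiry can be tested
        self._pending = {}         # token -> (user_id, expires_at)

    def issue(self, user_id):
        # 32 bytes (256 bits) from the OS CSPRNG. A timestamp, by contrast,
        # is guessable to within a few seconds by anyone who knows when the
        # user was redirected.
        token = secrets.token_urlsafe(32)
        self._pending[token] = (user_id, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Return the user id if the token is unused and unexpired, else None."""
        entry = self._pending.pop(token, None)   # pop: single use, even if expired
        if entry is None:
            return None                          # unknown, or already used (replay)
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None                          # issued too long ago
        return user_id

    def purge_expired(self):
        """Housekeeping: drop stale tokens; returns how many remain."""
        now = self._clock()
        self._pending = {t: e for t, e in self._pending.items() if e[1] >= now}
        return len(self._pending)


def build_redirect_url(verify_url, token):
    """The target the SP would hand to cflocation: only the opaque token rides along."""
    return f"{verify_url}?{urlencode({'t': token})}"


def handle_arrival(store, url):
    """What the verification module does when the browser arrives with the URL."""
    token = parse_qs(urlparse(url).query).get("t", [None])[0]
    if not token:
        return None
    return store.redeem(token)


def simulate_handoff(store, user_id="alice"):
    """A legitimate hop, then a replay of the identical URL (constructed scenario)."""
    url = build_redirect_url("https://sp.example/verify.cfm", store.issue(user_id))
    first = handle_arrival(store, url)    # the real user: accepted
    replay = handle_arrival(store, url)   # same URL again: rejected, token consumed
    return first, replay


if __name__ == "__main__":
    print(simulate_handoff(TokenStore()))
```

Because redeem() pops the entry in a single dictionary operation, two requests racing with the same token cannot both succeed within one process; with a shared database the equivalent is a single DELETE ... WHERE token = ? that checks its affected-row count. The token must still travel over TLS: single use stops replay, not an attacker who intercepts the redirect and uses the token before the real user does.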