I thought we could define the best-practices for locking down an application using Remoting with Coldfusion, and keep this as a rolling thread and updated list. Here is what I have come up with so far.
  1. Use SetCredentials with CFLogin to define the Roles.
  2. Check SetCredentials and Roles on every request.
  3. Use Hashing (encrypt and decrypt). Have users reset their password rather than use getPassword() method.
  4. (not sure about this one). With CF7, is it possible to set a session ID in an application.cfc that persists through a session and could be used as additional authentication?
  5. (not sure about this one) Use scriptProtect (CF7) to prevent cross-site scripting. Since webservices can allow data to be retrieved and sent outside of a domain, I'm not sure if scriptProtect is usable for Remoting.
  6. Use HTTPS settings for Login and the exchange of other sensitive information.
  7. (not sure about this one) Include within a framework a security module that calls a security delegate after a user has tried a username 3x ++, sending a request to lockout the attempted login's username (preventing brute-force attacks). Or, include this counter as a session variable within an application.cfc/security.cfc.
Does anyone have experience with the gatekeeper: http://carbonfive.sourceforge.net/flashgatekeeper/api/com/carbonfive/flashgateway/security/package-summary.html#documentation


Additional Ideas and feedback are always appreciated!!!!!
Dave
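An added example (not from Dave's post or from the CarbonFive gatekeeper) sketching items 1, 2, 3, 5 and 7 above in a CF7-style Application.cfc plus a remote CFC; the datasource name, the users table and its columns, and the SHA-256 hash choice are assumptions:

```cfml
<!--- File 1: Application.cfc (constructed example) --->
<cfcomponent output="false">
    <cfset this.name = "RemotingDemo">
    <cfset this.sessionManagement = true>
    <cfset this.loginStorage = "session">   <!--- keep cflogin state in the session --->
    <cfset this.scriptProtect = "all">      <!--- item 5: CF7 scriptProtect on all scopes --->

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfparam name="session.failedLogins" default="0">   <!--- item 7: per-session counter --->

        <cflogin>
            <!--- cflogin.name / cflogin.password are filled from the Flash
                  Remoting SetCredentials call (item 1) or HTTP Basic auth --->
            <cfif isDefined("cflogin")>
                <cfif session.failedLogins gte 3>
                    <cfthrow type="Security" message="Too many failed logins for this session.">
                </cfif>
                <!--- item 3: compare a hash, never the plaintext password;
                      "myDSN", "users" and "password_hash" are assumed names --->
                <cfquery name="qUser" datasource="myDSN">
                    SELECT roles FROM users
                    WHERE username = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
                      AND password_hash = <cfqueryparam value="#hash(cflogin.password, 'SHA-256')#" cfsqltype="cf_sql_varchar">
                </cfquery>
                <cfif qUser.recordCount eq 1>
                    <cfset session.failedLogins = 0>
                    <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#qUser.roles#">
                <cfelse>
                    <cfset session.failedLogins = session.failedLogins + 1>
                    <cfthrow type="Security" message="Invalid credentials.">
                </cfif>
            <cfelse>
                <cfthrow type="Security" message="Credentials required.">
            </cfif>
        </cflogin>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- File 2: OrderService.cfc (constructed example); the roles attribute
      makes ColdFusion re-check the caller's role on every remote call (item 2) --->
<cfcomponent output="false">
    <cffunction name="getOrders" access="remote" returntype="query" roles="admin" output="false">
        <cfquery name="qOrders" datasource="myDSN">SELECT * FROM orders</cfquery>
        <cfreturn qOrders>
    </cffunction>
</cfcomponent>
```

A session-scoped counter resets as soon as the client starts a new session, so the per-account lockout delegate from item 7 is the stronger form of the same control.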

