Yeah, but what about any other possible way of faking client variables,
application-side? Like a way to set a client variable from the URL string or
any web server holes that would allow something like that.
Nat Papovich
ICQ 32676414
"If it was hard to write,"
says the Real Programmer,
"it should be hard to understand."
-----Original Message-----
From: McCollough, Alan [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 06, 2000 3:40 PM
To: Fusebox
Subject: RE: Faking client variables
Client variables will be as secure as your CFID:CFTOKEN is. That's where
your spoofing will occur.
Alan McCollough
Web Programmer
Allaire Certified ColdFusion Developer
Alaska Native Medical Center
> -----Original Message-----
> From: Josh [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, October 06, 2000 2:46 PM
> To: Fusebox
> Subject: Faking client variables
>
> Does anyone know offhand how secure client variables are? I'm assuming
> that as long as CF is set to store them in the registry or a database,
> they are basically secure from faking.
> Can anyone think of a scenario where a web user could fake some client
> variables other than CFID and CFTOKEN (and of course, how the rascals would
> do so), to obtain access to something
> secured with client vars?
>
> Josh Diehl
>
> ------------------------------------------------------------------------------
> To Unsubscribe visit
> http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox or
> send a message to [EMAIL PROTECTED] with 'unsubscribe' in
> the body.