I'm not wondering about security models, and neither do I believe Josh to
be. We're wondering about the ability to pass a client variable somehow back
to the server, and have it get stored. Client or session, db, RAM, or
registry, I'm curious...
Nat Papovich
ICQ 32676414
"If it was hard to write,"
says the Real Programmer,
"it should be hard to understand."
-----Original Message-----
From: Reynolds, Adam [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 09, 2000 2:04 AM
To: Fusebox
Subject: RE: Faking client variables
I think you need another 'level' of security. A good one is the use of
CreateUUID and the combination of CFID and CFTOKEN stored in a DB table which
is used to continually verify the user (or when they wish to perform
specific actions).
> ----------
> From: Nat Papovich[SMTP:[EMAIL PROTECTED]]
> Sent: 06 October 2000 23:54
> To: Fusebox
> Subject: RE: Faking client variables
>
> Yeah, but what about any other possible way of faking client variables,
> application-side? Like a way to set a client variable from the URL string
> or any web server holes that would allow something like that.
>
> Nat Papovich
> ICQ 32676414
> "If it was hard to write,"
> says the Real Programmer,
> "it should be hard to understand."
>
>
> -----Original Message-----
> From: McCollough, Alan [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 06, 2000 3:40 PM
> To: Fusebox
> Subject: RE: Faking client variables
>
>
> Client variables will be as secure as your CFID:CFTOKEN is. That's where
> your spoofing will occur.
>
> Alan McCollough
> Web Programmer
> Allaire Certified ColdFusion Developer
> Alaska Native Medical Center
>
> > -----Original Message-----
> > From: Josh [SMTP:[EMAIL PROTECTED]]
> > Sent: Friday, October 06, 2000 2:46 PM
> > To: Fusebox
> > Subject: Faking client variables
> >
> > Does anyone know offhand how secure client variables are? I'm assuming
> > that as long as CF is set to store them in the registry or a database,
> > they are basically secure from faking.
> > Can anyone think of a scenario where a web user could fake some client
> > variables other than CFID and CFTOKEN (and of course, how the rascals
> > would do so), to obtain access to something secured with client vars?
> >
> > Josh Diehl
> >
> >
> > ------------------------------------------------------------------------
> > To Unsubscribe visit
> > http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox
> > or send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
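An added illustration, not code from this thread or from ColdFusion itself: a short Python model of the check Adam describes, with a per-login UUID kept in a database table beside the CFID/CFTOKEN pair and re-checked on every request. The table layout, the sqlite3 store, the use of a random uuid4 for the CreateUUID() value and the idle timeout are all assumptions made for illustration; a real server would do this in CFML against its own client-variable database. It shows why a guessed or borrowed CFID/CFTOKEN pair on its own (the spoofing point Alan raises) stops being enough once the server also requires the stored UUID to match.

```python
"""
Added example, not code from the mailing-list thread: a minimal model of
the check Adam Reynolds describes -- a per-login UUID stored in a database
table next to the CFID/CFTOKEN pair and re-checked on every request.
The table layout, the sqlite3 store and the idle timeout are assumptions
made for illustration.
"""
import secrets
import sqlite3
import time
import uuid

SESSION_TTL_SECONDS = 20 * 60  # assumed idle timeout (not from the thread)


def open_store() -> sqlite3.Connection:
    """Create the in-memory table that stands in for the DB table Adam
    suggests: one row per logged-in browser, keyed by CFID + CFTOKEN."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE client_sessions (
               cfid      INTEGER NOT NULL,
               cftoken   TEXT    NOT NULL,
               auth_uuid TEXT    NOT NULL,
               user_id   TEXT    NOT NULL,
               last_seen REAL    NOT NULL,
               PRIMARY KEY (cfid, cftoken))"""
    )
    return db


def issue_session(db, user_id, now=None):
    """Called once, after a successful login.

    CFID/CFTOKEN are what ColdFusion hands the browser so it can find its
    client variables.  The third value plays the role of CreateUUID() in
    Adam's scheme: a second secret the browser must also present, so that
    a guessed or borrowed CFID/CFTOKEN pair alone is not enough.  A random
    uuid4 is used for it here; that choice is an assumption.
    """
    now = time.time() if now is None else now
    cfid = secrets.randbelow(10**8)   # constructed stand-in for CF's integer CFID
    cftoken = str(uuid.uuid4())       # constructed stand-in for CFTOKEN
    auth_uuid = str(uuid.uuid4())     # the extra per-login secret
    db.execute(
        "INSERT INTO client_sessions VALUES (?, ?, ?, ?, ?)",
        (cfid, cftoken, auth_uuid, user_id, now),
    )
    return cfid, cftoken, auth_uuid


def verify_request(db, cfid, cftoken, auth_uuid, now=None):
    """Run on every request (or before each sensitive action).

    Returns the user_id bound to this browser, or None when the request
    must be treated as anonymous.  Nothing the browser sends is trusted
    on its own: the identifiers only select a row, and the row decides.
    """
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT auth_uuid, user_id, last_seen FROM client_sessions "
        "WHERE cfid = ? AND cftoken = ?",
        (cfid, cftoken),
    ).fetchone()
    if row is None:
        return None                   # unknown or forged CFID/CFTOKEN
    stored_uuid, user_id, last_seen = row
    # Constant-time comparison; a missing value compares as the empty string.
    if not secrets.compare_digest(stored_uuid, auth_uuid or ""):
        return None                   # right CFID/CFTOKEN, wrong secret
    if now - last_seen > SESSION_TTL_SECONDS:
        db.execute(
            "DELETE FROM client_sessions WHERE cfid = ? AND cftoken = ?",
            (cfid, cftoken),
        )
        return None                   # stale row, force a fresh login
    db.execute(
        "UPDATE client_sessions SET last_seen = ? WHERE cfid = ? AND cftoken = ?",
        (now, cfid, cftoken),
    )
    return user_id


if __name__ == "__main__":
    store = open_store()
    ids = issue_session(store, "josh", now=1000.0)
    print(verify_request(store, *ids, now=1001.0))                      # josh
    print(verify_request(store, ids[0], ids[1], "forged", now=1001.0))  # None
```

Only the UUID recorded in the row is accepted: a request that presents the right CFID/CFTOKEN but a different or missing UUID is treated as anonymous, as is one that arrives after the idle timeout, and an unknown CFID/CFTOKEN pair never reaches the comparison at all.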