Your problem is that to identify a user uniquely, you must store something on
their machine. If you have control of your server, then you can ensure client
variables are stored in a database (which is ideal as this prepares you for
clustering should your site become massive).

What it doesn't stop is spoofing. So you need to store some sort of unique
identifier with the user (after login) that when used in conjunction with
the CFID:CFTOKEN provides a valid login combination. Using CreateUUID gives
you that unique number string.

But...to answer your question, always store client variables in a central db
as you need to do this if you get into a clustering environment. 

> ----------
> From:         Nat Papovich[SMTP:[EMAIL PROTECTED]]
> Sent:         09 October 2000 10:07
> To:   Fusebox
> Subject:      RE: Faking client variables
> 
> I'm not wondering about security models, and neither do I believe Josh to
> be. We're wondering about the ability to pass a client variable somehow back
> to the server, and have it get stored. Client or session, db, RAM, or
> registry, I'm curious...
> 
> Nat Papovich
> ICQ 32676414
> "If it was hard to write," 
> says the Real Programmer,
> "it should be hard to understand."
> 
> 
> -----Original Message-----
> From: Reynolds, Adam [mailto:[EMAIL PROTECTED]]
> Sent: Monday, October 09, 2000 2:04 AM
> To: Fusebox
> Subject: RE: Faking client variables
> 
> 
> I think you need another 'level' of security. A good one is the use of
> CreateUUID and the combination of CFID and CFTOKEN stored in a DB table which
> is used to continually verify the user (or when they wish to perform
> specific actions).
> 
> > ----------
> > From:       Nat Papovich[SMTP:[EMAIL PROTECTED]]
> > Sent:       06 October 2000 23:54
> > To:         Fusebox
> > Subject:    RE: Faking client variables
> > 
> > Yeah, but what about any other possible way of faking client variables,
> > application-side? Like a way to set a client variable from the URL string
> > or any web server holes that would allow something like that.
> > 
> > Nat Papovich
> > ICQ 32676414
> > "If it was hard to write," 
> > says the Real Programmer,
> > "it should be hard to understand."
> > 
> > 
> > -----Original Message-----
> > From: McCollough, Alan [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, October 06, 2000 3:40 PM
> > To: Fusebox
> > Subject: RE: Faking client variables
> > 
> > 
> > Client variables will be as secure as your CFID:CFTOKEN is. That's where
> > your spoofing will occur.
> > 
> > Alan McCollough
> > Web Programmer
> > Allaire Certified ColdFusion Developer
> > Alaska Native Medical Center
> > 
> > > -----Original Message-----
> > > From:     Josh [SMTP:[EMAIL PROTECTED]]
> > > Sent:     Friday, October 06, 2000 2:46 PM
> > > To:       Fusebox
> > > Subject:  Faking client variables
> > > 
> > > Does anyone know offhand how secure client variables are? I'm assuming
> > > that as long as CF is set to store them in the registry or a database,
> > > they are basically secure from faking.
> > > Can anyone think of a scenario where a web user could fake some client
> > > variables other than CFID and CFTOKEN (and of course, how the rascals
> > > would do so), to obtain access to something secured with client vars?
> > > 
> > > Josh Diehl
> > > 
> > > ------------------------------------------------------------------------------
> > > To Unsubscribe visit
> > > http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox or
> > > send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
> **********************************************************************
>  This email and any attachments are confidential and solely
>  for the use of the intended recipient.  They may contain
>  material protected by legal professional or other privilege.
>  If you are not the intended recipient or the person responsible
>  for delivering to the intended recipient, you are not authorised
>  to and must not disclose, copy, distribute or retain this email
>  or its attachments.  Although this email and its attachments
>  are believed to be free of any virus or other defect, it is the
>  responsibility of the recipient to ensure that they are virus free
>  and no responsibility is accepted by the company for any
>  loss or damage arising from receipt or use thereof.
> 
> **********************************************************************
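The scheme the thread settles on (generate a CreateUUID value at login, keep it in a central DB table alongside the client's CFID and CFTOKEN, and re-check the whole triple on every request or before sensitive actions) is sketched below as an added example in Python; it is not code from the thread or from ColdFusion. An in-memory sqlite3 table stands in for the central client-variable database, the CFID/CFTOKEN values are constructed, and `uuid.uuid4()` plays the part of CreateUUID() (36-character RFC 4122 form rather than CF's 35-character form). The point it makes explicit is that knowing or guessing CFID/CFTOKEN alone no longer authenticates, and that the login secret is invalidated by logout or by a fresh login:

```python
import hmac
import sqlite3
import uuid


def open_client_store():
    """Constructed stand-in for the central client-variable database.

    One row per ColdFusion client (CFID/CFTOKEN pair); login_uuid is the
    extra secret the thread suggests generating with CreateUUID() at login.
    """
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE client_logins ("
        " cfid TEXT NOT NULL, cftoken TEXT NOT NULL,"
        " login_uuid TEXT NOT NULL, username TEXT NOT NULL,"
        " PRIMARY KEY (cfid, cftoken))"
    )
    return db


def record_login(db, cfid, cftoken, username):
    """Call only after the application has authenticated `username`.

    Mints a fresh random login UUID, binds it to the client's CFID/CFTOKEN in
    the central store (replacing any earlier login for that client) and
    returns it so the application can hand it to the client, e.g. as a
    client variable.
    """
    login_uuid = str(uuid.uuid4())
    db.execute(
        "INSERT OR REPLACE INTO client_logins VALUES (?, ?, ?, ?)",
        (cfid, cftoken, login_uuid, username),
    )
    return login_uuid


def verify_login(db, cfid, cftoken, presented_uuid):
    """Return the logged-in username for this triple, or None.

    Run on every request (or before specific actions). CFID/CFTOKEN alone is
    not enough: the presented UUID must match the one recorded at login.
    The comparison is constant-time so response timing does not reveal how
    much of a guessed UUID was correct.
    """
    row = db.execute(
        "SELECT login_uuid, username FROM client_logins"
        " WHERE cfid = ? AND cftoken = ?",
        (cfid, cftoken),
    ).fetchone()
    if row is None or presented_uuid is None:
        return None
    stored_uuid, username = row
    if not hmac.compare_digest(stored_uuid.encode(), presented_uuid.encode()):
        return None
    return username


def record_logout(db, cfid, cftoken):
    """Invalidate the login so the old UUID cannot be replayed."""
    db.execute(
        "DELETE FROM client_logins WHERE cfid = ? AND cftoken = ?",
        (cfid, cftoken),
    )


def walkthrough():
    """Constructed scenario; returns the outcome of each verification."""
    db = open_client_store()
    # Constructed CFID/CFTOKEN, as ColdFusion would assign to a new client.
    cfid, cftoken = "1234", "98765432"
    first_uuid = record_login(db, cfid, cftoken, "josh")
    results = {
        "valid_triple": verify_login(db, cfid, cftoken, first_uuid),
        "ids_only": verify_login(db, cfid, cftoken, ""),
        "wrong_uuid": verify_login(db, cfid, cftoken, str(uuid.uuid4())),
        "unknown_client": verify_login(db, "9999", "00000000", first_uuid),
    }
    # A fresh login replaces the UUID; the old one stops working.
    second_uuid = record_login(db, cfid, cftoken, "josh")
    results["old_uuid_after_relogin"] = verify_login(db, cfid, cftoken, first_uuid)
    results["new_uuid_after_relogin"] = verify_login(db, cfid, cftoken, second_uuid)
    record_logout(db, cfid, cftoken)
    results["after_logout"] = verify_login(db, cfid, cftoken, second_uuid)
    return results


if __name__ == "__main__":
    for check, outcome in walkthrough().items():
        print(f"{check}: {outcome}")
```

The CFID/CFTOKEN pair still identifies the client; what the extra column adds is a secret that only the server and the client that actually logged in have seen, so a copied or guessed identifier pair on its own is rejected. Keeping the table in the central database rather than in RAM or the registry is what lets every node of a cluster run the same check.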