Right - I'm doing all this, as is Josh (original poster). The question asked
wasn't, "How do client variables work?"
Re-reading the original post:

> Can anyone think of a scenario where a web user could fake some client
> variables other than CFID and CFTOKEN (and of course, how the rascals
> would do so)

So, the question is more of a technical nature, potentially outside the
realm of the ColdFusion server's documented features and the scope of CFML.
This is basically an open call for hackers.

Nat Papovich
ICQ 32676414
"If it was hard to write," 
says the Real Programmer,
"it should be hard to understand."


-----Original Message-----
From: Reynolds, Adam [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 09, 2000 2:16 AM
To: Fusebox
Subject: RE: Faking client variables


Your problem is that to identify a user uniquely they must store
something on their machine. If you have control of your server, then you can
ensure client variables are stored in a database (which is ideal as this
prepares you for clustering should your site become massive).

What it doesn't stop is spoofing. So you need to store some sort of unique
identifier with the user (after login) that when used in conjunction with
the CFID:CFTOKEN provides a valid login combination. Using CreateUUID gives
you that unique number string.

But...to answer your question, always store client variables in a central db
as you need to do this if you get into a clustering environment. 
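One way to implement the binding Adam describes (a random secret, generated with CreateUUID after login, that must be presented together with CFID/CFTOKEN). This is an added example, not code from the thread; the datasource name `clientDSN`, the cookie name `AUTHTOKEN`, the variable `loginOK` and the file names are assumptions.

```cfml
<!--- Application.cfm (assumed file): keep client variables server-side in a
      database rather than in cookies, so the only things the browser holds
      are CFID/CFTOKEN plus the extra secret set below.
      "clientDSN" is an assumed datasource name. --->
<cfapplication name="FuseboxApp"
               clientmanagement="Yes"
               clientstorage="clientDSN"
               setclientcookies="Yes">

<!--- login.cfm (assumed): once the username/password check has succeeded
      (loginOK is assumed to be set by that check), bind this CFID/CFTOKEN
      pair to a fresh random secret. The secret is kept in the server-side
      Client store and handed to the browser as a second cookie. --->
<cfif loginOK>
  <cfset Client.loggedIn = "Yes">
  <cfset Client.authToken = CreateUUID()>
  <cfcookie name="AUTHTOKEN" value="#Client.authToken#" secure="Yes">
</cfif>

<!--- checkauth.cfm (assumed), included at the top of every protected page:
      a request passes only if CFID/CFTOKEN resolve to a logged-in client
      record AND the browser presents the matching AUTHTOKEN cookie.
      A guessed or replayed CFID/CFTOKEN pair on its own is refused, because
      the UUID cannot be derived from them. Checks are nested so the
      Compare() call never runs against an undefined variable. --->
<cfset authOK = "No">
<cfif IsDefined("Client.loggedIn")
      AND IsDefined("Client.authToken")
      AND IsDefined("Cookie.AUTHTOKEN")>
  <!--- Compare() is case-sensitive and returns 0 only on an exact match --->
  <cfif Compare(Cookie.AUTHTOKEN, Client.authToken) EQ 0>
    <cfset authOK = "Yes">
  </cfif>
</cfif>
<cfif NOT authOK>
  <!--- addtoken="No" keeps CFID/CFTOKEN out of the redirect URL --->
  <cflocation url="login.cfm" addtoken="No">
</cfif>

<!--- logout.cfm (assumed): drop the binding server-side, so a cookie copied
      from the user's machine is useless once they have logged out. --->
<cfset DeleteClientVariable("loggedIn")>
<cfset DeleteClientVariable("authToken")>
<cfcookie name="AUTHTOKEN" value="" expires="NOW">
```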