Right, it's not user-authentication I'm concerned about so much as client variable
manipulation. I'm guessing that except for non-CF security holes, they're pretty
secure. Although I
will say that the potential for mischief extends also to the ability to change
registry entries, for those CFers not able to use a database for their client
variables.
Josh Diehl
Nat Papovich wrote:
> Right - I'm doing all this, as is Josh (original poster). The question asked
> wasn't asked, "How do client variables work".
> Re-reading the original post:
>
> > Can anyone think of a scenario where a web user could fake some client
> > variables other than CFID and CFTOKEN (and of course, how the rascals
> > would do so)
>
> So, the question is more of a technical nature, potentially outside the
> realm of the ColdFusion server's documented features and the scope of CFML.
> This is basically an open-call for hackers.
>
> Nat Papovich
> ICQ 32676414
> "If it was hard to write,"
> says the Real Programmer,
> "it should be hard to understand."
>
> -----Original Message-----
> From: Reynolds, Adam [mailto:[EMAIL PROTECTED]]
> Sent: Monday, October 09, 2000 2:16 AM
> To: Fusebox
> Subject: RE: Faking client variables
>
> Your problem is that to identify a user uniquely, they must store
> something on their machine. If you have control of your server, then you can
> ensure client variables are stored in a database (which is ideal as this
> prepares you for clustering should your site become massive).
>
> What it doesn't stop is spoofing. So you need to store some sort of unique
> identifier with the user (after login) that when used in conjunction with
> the CFID:CFTOKEN provides a valid login combination. Using CreateUUID gives
> you that unique number string.
>
> But...to answer your question, always store client variables in a central db
> as you need to do this if you get into a clustering environment.
> ------------------------------------------------------------------------------
> To Unsubscribe visit
> http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox or send a
> message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
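Adam's suggestion (mint a CreateUUID() value at login, tie it to the CFID:CFTOKEN pair, and require both on every request) written out as an added CFML example. This is not code from the thread or from Fusebox itself; the datasource names "clientStore" and "siteDSN", the USER_LOGINS table and the userID variable coming out of the password check are assumptions for illustration.

```cfml
<!--- ==== Application.cfm ==== (added example, not from the original thread)
      Assumed: a client-variable datasource "clientStore", an application
      datasource "siteDSN", and a table
      USER_LOGINS(USER_ID, CFID, CFTOKEN, AUTH_TOKEN). All names hypothetical. --->
<cfapplication name="tokenBoundLogin"
               clientmanagement="Yes"
               clientstorage="clientStore"
               setclientcookies="Yes">

<!--- The CFID/CFTOKEN pair only selects the server-side client record; a
      forged pair hands the forger that record. So a "logged-in" client must
      ALSO present AUTHTOKEN, a second secret issued only at login and sent
      as its own cookie, and the three values must match one DB row.
      A forger who guesses CFID/CFTOKEN still has to guess a CreateUUID()
      string, which is not a small numeric space like CFTOKEN was. --->
<cfparam name="client.loggedIn" default="0">
<cfparam name="cookie.AUTHTOKEN" default="">

<cfif client.loggedIn EQ 1>
    <cfquery name="chk" datasource="siteDSN">
        SELECT USER_ID
        FROM   USER_LOGINS
        WHERE  CFID       = <cfqueryparam value="#client.CFID#"      cfsqltype="CF_SQL_INTEGER">
        AND    CFTOKEN    = <cfqueryparam value="#client.CFTOKEN#"   cfsqltype="CF_SQL_VARCHAR">
        AND    AUTH_TOKEN = <cfqueryparam value="#cookie.AUTHTOKEN#" cfsqltype="CF_SQL_VARCHAR">
    </cfquery>
    <!--- No row (or no AUTHTOKEN cookie at all): CFID/CFTOKEN arrived without
          the login secret, so treat the client record as spoofed. --->
    <cfif chk.RecordCount NEQ 1>
        <cfset client.loggedIn = 0>
        <cflocation url="login.cfm" addtoken="No">
    </cfif>
</cfif>

<!--- ==== login_action.cfm ==== (runs only after the password check has
      succeeded and set the hypothetical variable userID) --->
<cfset authToken = CreateUUID()>

<!--- One live login per client record: drop any earlier token for this pair. --->
<cfquery datasource="siteDSN">
    DELETE FROM USER_LOGINS
    WHERE CFID    = <cfqueryparam value="#client.CFID#"    cfsqltype="CF_SQL_INTEGER">
    AND   CFTOKEN = <cfqueryparam value="#client.CFTOKEN#" cfsqltype="CF_SQL_VARCHAR">
</cfquery>
<cfquery datasource="siteDSN">
    INSERT INTO USER_LOGINS (USER_ID, CFID, CFTOKEN, AUTH_TOKEN)
    VALUES (
        <cfqueryparam value="#userID#"         cfsqltype="CF_SQL_INTEGER">,
        <cfqueryparam value="#client.CFID#"    cfsqltype="CF_SQL_INTEGER">,
        <cfqueryparam value="#client.CFTOKEN#" cfsqltype="CF_SQL_VARCHAR">,
        <cfqueryparam value="#authToken#"      cfsqltype="CF_SQL_VARCHAR">
    )
</cfquery>

<!--- The secret goes to the browser as a separate cookie, NOT into the client
      scope: anything in the client scope is exactly what a forged CFID/CFTOKEN
      would expose. Drop secure="Yes" only if the site is not served over HTTPS. --->
<cfcookie name="AUTHTOKEN" value="#authToken#" secure="Yes">
<cfset client.loggedIn = 1>
```

The check is deliberately a single three-column lookup rather than a comparison against a client variable, so that a forged CFID/CFTOKEN never reaches the token at all. Two caveats a practitioner should keep in mind: this defends against guessing, not theft, so an attacker who can read the victim's cookies (sniffing on plain HTTP, or a script-injection hole) gets both halves; and logout should delete the USER_LOGINS row and clear the cookie, otherwise the pair stays valid until the client record expires.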