<html>
<br>
By "faking" them, do you mean using them, or viewing
them?<br>
<br>
<b>Using Client (or Session) variables (i.e., session stealing)</b><br>
<br>
If I come into a CF site with another user's CFID and CFToken, then I
will be using their client variables (or session variables, if I have
those turned on). This does not mean I can "see" them, or
know their values. But I can "pretend" I am another user,
for as long as that session is active or authorized. Generally, the
other user must have recently logged on, and the hacker is just
continuing the session. This is a universal web problem, and is not
limited to ColdFusion. The main way around this is to use HTTPS
(Secure HTTP), which prevents most "session ID" stealing, since
even cookies are transported behind the encrypted algorithm. <br>
<br>
There are reams of information in this area, which I am not even prepared
to speak on...<br>
<br>
<b>Viewing and Changing Client Variables:</b><br>
<br>
A hacker would have to upload and run their own CF code, see
revealing error messages (or cause them to happen), or run various other
"inside" hacking tricks before he knew or could change the
value of any client variables. This is much harder to do, but once
done, can be much more damaging.<br>
<br>
There are reams of information in this area, which I am not even prepared
to speak on...<br>
<br>
<b>Client Variables in a Database:</b><br>
<br>
If you store them in your DB, then they are only as secure as your DB
is. How secure is your DB?<br>
<br>
At 06:46 PM 10/6/00 -0400, Josh wrote:<br>
<blockquote type=cite cite>Does anyone know offhand how secure client
variables are? I'm assuming that as long as CF is set to store them in
the registry or a database, they are basically secure from faking.<br>
Can anyone think of a scenario where a web user could fake some client
variables other than CFID and CFTOKEN (and of course, how the rascals
would do so), to obtain access to something<br>
secured with client vars?<br>
<br>
Josh Diehl<br>
<br>
------------------------------------------------------------------------------<br>
To Unsubscribe visit
<a href="http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox"
eudora="autourl">http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox</a>
or send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
</blockquote><br>
<br>
<font color="#008080">====================================================<br>
<b>Douglas M. Smith - Database Architect/Web Integration Specialist</b><br>
====================================================<br>
</font><font face="Comic Sans MS" size=4 color="#FF0000">TeraTech Inc - Tools for
Programmers(tm)<br>
</font><font face="Comic Sans MS"><b>VisualBasic, Web (ColdFusion and ASP), Math and
Statistics, <br>
Access, SQL, programming tools &amp; consulting</b><br>
</font><font color="#008080"><b><i>100 Park Ave, Suite 360, Rockville MD 20850 USA</i></b><br>
Voice: 301-424-3903, Fax: 301-762-8185 <br>
<a href="http://www.teratech.com/" eudora="autourl">http://www.teratech.com</a><br>
====================================================<br>
Email: <b>[EMAIL PROTECTED]</b><br>
Mobile/Cell Phone: (240) 601-5520<br>
ICQ: 41044319<br>
====================================================<br>
Do you need a group calendar or scheduler?<br>
How about a <b>free</b> ColdFusion Tag and Function Reference?<br>
Go to <a href="http://www.teratech.com/freestuff.cfm"
eudora="autourl">http://www.teratech.com/</a><a
href="http://www.teratech.com/freestuff.cfm" eudora="autourl"><b>freestuff.cfm</b></a><br>
====================================================<br>
</font></html>
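The session-stealing case described in the reply (a visitor presenting another user's CFID/CFTOKEN pair and "continuing" that user's session) leaves a trace on the server side: the same identifier pair shows up from more than one client address or browser. The following is an added example, not code from the thread or from TeraTech, that demonstrates the defender's check over constructed access-log lines. The log format, the paths and the CFID/CFTOKEN values are all made up for the example; a real deployment would read its own web-server log and may log the identifiers as cookies rather than on the query string.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original thread). Format assumed:
# client-ip [timestamp] "METHOD path HTTP/x.y" "user-agent"
# The third line reuses session 1234/55667788 from a different address.
SAMPLE_LOG = """\
10.0.0.5 [06/Oct/2000:18:40:01 -0400] "GET /account.cfm?CFID=1234&CFTOKEN=55667788 HTTP/1.0" "Mozilla/4.7"
10.0.0.5 [06/Oct/2000:18:41:12 -0400] "GET /orders.cfm?CFID=1234&CFTOKEN=55667788 HTTP/1.0" "Mozilla/4.7"
10.0.0.9 [06/Oct/2000:18:42:30 -0400] "GET /orders.cfm?CFID=1234&CFTOKEN=55667788 HTTP/1.0" "Mozilla/4.7"
192.168.1.20 [06/Oct/2000:18:43:00 -0400] "GET /index.cfm?CFID=1235&CFTOKEN=99887766 HTTP/1.0" "Mozilla/4.5"
192.168.1.20 [06/Oct/2000:18:44:15 -0400] "GET /account.cfm?CFID=1235&CFTOKEN=99887766 HTTP/1.0" "Mozilla/4.5"
"""

# One log line: ip, bracketed timestamp, quoted request line, quoted user-agent.
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" "([^"]*)"$')
# CFID/CFTOKEN passed on the query string (ColdFusion's URL form of the pair).
TOKEN_RE = re.compile(r'[?&]CFID=(\d+)&CFTOKEN=(\d+)', re.IGNORECASE)


def parse_line(line):
    """Return a dict for a request that carries a CFID/CFTOKEN pair, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, ua = m.groups()
    t = TOKEN_RE.search(path)
    if not t:
        return None
    return {"ip": ip, "ts": ts, "method": method, "path": path, "ua": ua,
            "session": (t.group(1), t.group(2))}


def find_shared_sessions(log_text):
    """Map each CFID/CFTOKEN pair that was used from more than one client
    address, or by more than one user-agent string, to the addresses and
    agents observed. A hijacked session typically appears here because the
    legitimate user and the impostor rarely share both."""
    clients = defaultdict(set)
    agents = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        clients[rec["session"]].add(rec["ip"])
        agents[rec["session"]].add(rec["ua"])
    return {
        session: {"ips": sorted(clients[session]), "agents": sorted(agents[session])}
        for session in clients
        if len(clients[session]) > 1 or len(agents[session]) > 1
    }


if __name__ == "__main__":
    for (cfid, cftoken), seen in find_shared_sessions(SAMPLE_LOG).items():
        print(f"CFID={cfid} CFTOKEN={cftoken} used from {seen['ips']} "
              f"with agents {seen['agents']}")
```

Run against the constructed log this reports only the 1234/55667788 pair, seen from both 10.0.0.5 and 10.0.0.9. Treat a hit as a lead rather than proof: users behind a proxy farm or a changing dial-up address legitimately show several source addresses for one session, so the check is best combined with the mitigations the reply names (serving the application over HTTPS so the identifiers are not exposed in transit, and keeping sessions short-lived).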