(sending again without HTML :-)

By "faking" them, do you mean using them, or viewing them?

Using Client (or Session) variables (i.e., Session stealing)

If I come into a CF site with another user's CFID and CFToken, then I will be using 
their client variables (or session variables, if I have those turned on).  This does 
not mean I can "see" them, or know their values.  But I can "pretend" I am another 
user, for as long as that session is active or authorized.  Generally, the other user 
must have recently logged on, and the hacker is just continuing the session.  This is 
a universal web problem, and is not limited to ColdFusion.  The main way around this 
is to use HTTPS (Secure HTTP), which prevents most "session ID" stealing, since even 
cookies are transported behind the encrypted algorithm.  

There are reams of information in this area, which I am not even prepared to speak 
on....

Viewing and Changing Client Variables:

A hacker would have to upload and run their own CF code, see revealing error messages 
(or cause them to happen), or run various other "inside" hacking tricks before he knew 
or could change the value of any client variables.  This is much harder to do, but 
once done, can be much more damaging.

There are reams of information in this area, which I am not even prepared to speak 
on....

Client Variables in a Database:

If you store them in your DB, then they are only as secure as your DB is.  How secure 
is your DB?

At 06:46 PM 10/6/00 -0400, Josh wrote:
>Does anyone know offhand how secure client variables are? I'm assuming that as long 
>as CF is set to store them in the registry or a database, they are basically secure 
>from faking.
>Can anyone think of a scenario where a web user could fake some client variables 
>other than CFID and CFTOKEN (and of course, how the rascals would do so), to obtain 
>access to something secured with client vars?
>
>Josh Diehl
>
>------------------------------------------------------------------------------
>To Unsubscribe visit 
>http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox or send a 
>message to [EMAIL PROTECTED] with 'unsubscribe' in the body. 


====================================================
Douglas M. Smith - Database Architect/Web Integration Specialist
====================================================
TeraTech Inc - Tools for Programmers(tm)
VisualBasic, Web (ColdFusion and ASP), Math and Statistics, 
Access, SQL, programming tools & consulting
100 Park Ave, Suite 360, Rockville MD 20850 USA 
Voice: 301-424-3903, Fax: 301-762-8185 
http://www.teratech.com
====================================================
Email: [EMAIL PROTECTED]
Mobil/Cell Phone: (240) 601-5520
ICQ: 41044319
====================================================
Do you need a group calendar or scheduler?
How about a free ColdFusion Tag and Function Reference?
Go to http://www.teratech.com/freestuff.cfm
====================================================

------------------------------------------------------------------------------
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body. 
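The session-continuation problem Douglas describes leaves a trace a defender can look for: the same CFID/CFTOKEN pair turning up from more than one client. The following is an added example, not code from the thread or from TeraTech; it scans constructed Apache-style access-log lines (old ColdFusion sites carried CFID and CFTOKEN on the query string, which is what makes them visible here) and reports any session pair used by more than one (IP, User-Agent) client. The log lines, addresses and token values are all made up.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the original thread).
# Older ColdFusion sites passed CFID and CFTOKEN on the query string as
# well as in cookies, so the pair shows up in plain web-server logs.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Oct/2000:18:46:01 -0400] "GET /index.cfm?CFID=1234&CFTOKEN=98765432 HTTP/1.0" 200 512 "-" "Mozilla/4.7 [en] (Win98; I)"
10.0.0.5 - - [06/Oct/2000:18:47:10 -0400] "GET /account.cfm?CFID=1234&CFTOKEN=98765432 HTTP/1.0" 200 2048 "-" "Mozilla/4.7 [en] (Win98; I)"
192.0.2.77 - - [06/Oct/2000:18:52:33 -0400] "GET /account.cfm?CFID=1234&CFTOKEN=98765432 HTTP/1.0" 200 2048 "-" "Lynx/2.8.3rel.1"
10.0.0.9 - - [06/Oct/2000:18:53:00 -0400] "GET /index.cfm?CFID=5555&CFTOKEN=11112222 HTTP/1.0" 200 512 "-" "Mozilla/4.7 [en] (Win98; I)"
"""

# Combined-log-format line: ip ident user [time] "method path proto" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# The ColdFusion session identifiers as they appear in the query string.
TOKEN_RE = re.compile(r'CFID=(?P<cfid>\d+)&CFTOKEN=(?P<cftoken>\d+)', re.IGNORECASE)


def parse_line(line):
    """Return (ip, user_agent, cfid, cftoken), or None if the line has no session pair."""
    m = LINE_RE.match(line)
    if not m:
        return None
    t = TOKEN_RE.search(m.group("path"))
    if not t:
        return None
    return m.group("ip"), m.group("ua"), t.group("cfid"), t.group("cftoken")


def find_shared_sessions(log_text):
    """Map each (CFID, CFTOKEN) pair seen from more than one (ip, user_agent)
    client to the sorted list of those clients. One session id continued by a
    second client is exactly the session-stealing pattern the thread describes;
    a legitimate user changing address (dial-up reconnect) will also trip it,
    so treat a hit as something to investigate, not as proof of compromise."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, ua, cfid, cftoken = rec
            clients[(cfid, cftoken)].add((ip, ua))
    return {pair: sorted(c) for pair, c in clients.items() if len(c) > 1}


if __name__ == "__main__":
    for (cfid, cftoken), users in find_shared_sessions(SAMPLE_LOG).items():
        print(f"CFID={cfid} CFTOKEN={cftoken} used by {len(users)} clients: {users}")
```

With HTTPS in place, as the reply recommends, the identifiers no longer travel in the clear, but the same check still catches a pair reused from a second client, whatever the route by which it was obtained.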
