Well, if you're going to store it in a database, it might be better to create a GUID
instead of a UUID (just insert a - at position 23).
That will keep you compliant with SQL Server (and, if you're using Access, the
"ReplicationID"). I still think it's funny they couldn't agree
on one friggin "-". Also, you can have SQL Server do the work for you in
getting the GUID with the NewID() function.

Fred

----- Original Message -----
From: "Reynolds, Adam" <[EMAIL PROTECTED]>
To: "Fusebox" <[EMAIL PROTECTED]>
Sent: Monday, October 09, 2000 5:03 AM
Subject: RE: Faking client variables


> I think you need another 'level' of security. A good one is the use of
> CreateUUID and the combination of CFID and CFTOKEN stored in a DB table which
> is used to continually verify the user (or when they wish to perform
> specific actions).
>
> > ----------
> > From: Nat Papovich[SMTP:[EMAIL PROTECTED]]
> > Sent: 06 October 2000 23:54
> > To: Fusebox
> > Subject: RE: Faking client variables
> >
> > Yeah, but what about any other possible way of faking client variables,
> > application-side? Like a way to set a client variable from the URL string
> > or any web server holes that would allow something like that.
> >
> > Nat Papovich
> > ICQ 32676414
> > "If it was hard to write,"
> > says the Real Programmer,
> > "it should be hard to understand."
> >
> >
> > -----Original Message-----
> > From: McCollough, Alan [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, October 06, 2000 3:40 PM
> > To: Fusebox
> > Subject: RE: Faking client variables
> >
> >
> > Client variables will be as secure as your CFID:CFTOKEN is. That's where
> > your spoofing will occur.
> >
> > Alan McCollough
> > Web Programmer
> > Allaire Certified ColdFusion Developer
> > Alaska Native Medical Center
> >
> > > -----Original Message-----
> > > From: Josh [SMTP:[EMAIL PROTECTED]]
> > > Sent: Friday, October 06, 2000 2:46 PM
> > > To: Fusebox
> > > Subject: Faking client variables
> > >
> > > Does anyone know offhand how secure client variables are? I'm assuming
> > > that as long as CF is set to store them in the registry or a database,
> > > they are basically secure from faking.
> > > Can anyone think of a scenario where a web user could fake some client
> > > variables other than CFID and CFTOKEN (and of course, how the rascals would
> > > do so), to obtain access to something
> > > secured with client vars?
> > >
> > > Josh Diehl
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > To Unsubscribe visit
> > > http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox or
> > > send a message to [EMAIL PROTECTED] with 'unsubscribe' in
> > > the body.

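The check suggested in this thread (a UUID stored in a DB table together with CFID and CFTOKEN, kept in GUID form by adding the hyphen after character 23), sketched in Python as an added example that is not code from any poster. The table name, the function names, the random stand-in for CreateUUID() and the delivery of the token in its own cookie are assumptions.

```python
import hmac
import re
import secrets
import sqlite3

CF_UUID = re.compile(r"[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){2}-[0-9A-Fa-f]{16}")

def cf_uuid_to_guid(cf_uuid):
    """8-4-4-16 (ColdFusion UUID) -> 8-4-4-4-12 (GUID): a '-' after character 23."""
    if not CF_UUID.fullmatch(cf_uuid):
        raise ValueError("not a 35-character ColdFusion-style UUID")
    return cf_uuid[:23] + "-" + cf_uuid[23:]

def open_store():
    # Hypothetical verification table; a real one lives in the application database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE session_check (cfid TEXT, cftoken TEXT, guid TEXT,"
               " user_id TEXT, PRIMARY KEY (cfid, cftoken))")
    return db

def register(db, cfid, cftoken, user_id):
    """At login: bind a fresh random token to this CFID/CFTOKEN pair."""
    h = secrets.token_hex(16).upper()  # stand-in for CreateUUID(), drawn from a CSPRNG
    guid = cf_uuid_to_guid(f"{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:]}")
    db.execute("INSERT OR REPLACE INTO session_check VALUES (?, ?, ?, ?)",
               (cfid, cftoken, guid, user_id))
    return guid  # assumption: handed to the browser in its own cookie

def verify(db, cfid, cftoken, presented):
    """On each request or sensitive action: return the user id, or None."""
    row = db.execute("SELECT guid, user_id FROM session_check"
                     " WHERE cfid = ? AND cftoken = ?", (cfid, cftoken)).fetchone()
    if row is None:
        return None
    stored, user_id = row
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    if not hmac.compare_digest(stored.encode(), str(presented).encode()):
        return None
    return user_id

if __name__ == "__main__":
    db = open_store()
    token = register(db, "1001", "12345678", "josh")   # constructed sample values
    print(verify(db, "1001", "12345678", token))       # matching triple
    print(verify(db, "1001", "12345678", "0" * 36))    # CFID/CFTOKEN known, token guessed
```

A request that presents a valid CFID and CFTOKEN but not the matching stored token is rejected, which is the extra level of verification the thread describes.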
