It is a valid point that relying on Session/Client timeout for security is
to open a security hole. And it should be relatively easy for a hacker to
create a program (even in CF using CFHTTP) that would scan a web page with
sets of valid CFID and CFTOKEN pairs, then check the returned page to see if
it was the "please login" page or the desired "welcome, currently logged
on user" page. On a busy web site the chance of hitting some active session
is quite high, especially if the attacker created one valid account to find
out the current values of CFID and CFTOKEN on the server, to try and capture
new users as they sign in.

Oops, I hope I'm not giving anyone any ideas here... Bottom line, don't rely
solely on the CF tokens for security. 

I believe it was Nat or Hal who first came up on this list with the idea of
using a "logged in user" token passed either using cookies or on the URL. If
the token is generated randomly enough (there are some CFX's that can help
with this) and then only passed encrypted (once in an SSL session), it would
provide real security.

But then again, is your site offering anything important enough to deserve
that kind of protection? If it does what you should ask yourself is: Do I
feel lucky? ;-)

Cheers,
Noam
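The "logged in user" token scheme discussed above, as an added Python example that is not from the post, the list, or ColdFusion itself. The 256-bit token size, storing only a SHA-256 digest server-side, and the hit_probability helper (which puts a number on the "busy site" blind-guess risk the post describes) are my assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

TOKEN_BYTES = 32  # 256 bits of randomness per token (assumed size)


def hit_probability(active_sessions: int, token_space_bits: float) -> float:
    """Chance that one blind guess lands on one of N live sessions.

    Tokens uniform over 2**bits values: a single guess succeeds with
    probability N / 2**bits. This is the "busy site" risk from the post
    as a number you can compare across token designs.
    """
    return active_sessions / (2.0 ** token_space_bits)


class LoginTokenStore:
    """Server-side registry: sha256(token) -> username (digests only)."""

    def __init__(self) -> None:
        self._by_digest: dict = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username: str) -> str:
        # secrets.token_urlsafe draws from the OS CSPRNG, so knowing one
        # valid token (e.g. your own account's) reveals nothing about others.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._by_digest[self._digest(token)] = username
        return token

    def user_for(self, presented: Optional[str]) -> Optional[str]:
        # Compare digests in constant time so a near-miss is not measurably
        # faster than a total miss; a missing or empty token never matches.
        if not presented:
            return None
        wanted = self._digest(presented)
        for digest, user in self._by_digest.items():
            if hmac.compare_digest(digest, wanted):
                return user
        return None

    def revoke(self, presented: str) -> None:
        # Logout: forget the digest so the token cannot be replayed later.
        self._by_digest.pop(self._digest(presented), None)
```

The token must still travel only over SSL, as the post says; a random token sent in the clear is just as easy to sniff as CFID/CFTOKEN.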

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
