Because both of those could be modified by the user.
> -----Original Message-----
> From: Kola Oyedeji [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 03, 2001 9:14 AM
> To: Fusebox
> Subject: RE: RE: Managing program flow
>
>
> Any particular reason why not the cookie or attributes scope?
>
> Kola
>
> -----Original Message-----
> From: Patrick McElhaney [mailto:[EMAIL PROTECTED]]
> Sent: 03 May 2001 13:54
> To: Fusebox
> Subject: RE: RE: Managing program flow
>
>
> I think Hans is right. If you're really concerned about security, you
> certainly can't rely on HTTP_Referer. That can be artificially modified.
>
> I would use a step variable and put it in a scope that can't be modified
> by the client. I would think that putting the step variable in the
> client scope is okay, but not in a cookie or the attributes scope.
>
> Patrick
>
> > -----Original Message-----
> > From: Hans Omli [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, May 02, 2001 8:12 PM
> > To: Fusebox
> > Subject: RE: RE: Managing program flow
> >
> >
> > I store all submitted form variables in a client variable (using wddx).
> > Then on each template I check that the client variable includes all form
> > variables that should have been entered thus far, and send the user back
> > if not.
> >
> > A step variable would obviously be a simpler solution. So, now I'm
> > considering whether I'd have any security concerns with step variables.
> > Thoughts?
> >
> > Hans
> >
> > -----Original Message-----
> > From: Jim Stahlin [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, May 02, 2001 4:13 PM
> > To: Fusebox
> > Subject: Re: RE: Managing program flow
> >
> >
> > I agree that you have this problem in non-CF sites. But the program flow is
> > much more apparent in a Fusebox site than in other sites. I restricted
> > access using session variables and am in the process of converting the site
> > to Fusebox. Other than using a step variable, does anyone know of another
> > way to do this?
> >
> > >>> [EMAIL PROTECTED] 05/02/01 18:06 PM >>>
> > Couldn't they do that in a non-CF site too?
> >
> > What you're talking about sounds to me like a regular programming process
> > problem. You could set a client variable on each page with the step number,
> > and send bad users to the right page.
> >
> > NAT
> >
> > > -----Original Message-----
> > > From: Jim Stahlin [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, May 02, 2001 1:50 PM
> > > To: Fusebox
> > > Subject: Managing program flow
> > >
> > >
> > > I have a problem in getting my mind around how you can restrict
> > > the flow of actions in fusebox. I have a site that in the
> > > checkout process requires the user to pick shipping method, then
> > > Credit Card info, then Shipping info, then approve the order. If
> > > I use Fuseactions to do this the user could pass the last
> > > fuseaction in the URL variable and skip all the entry screens.
> > >
> > > Archives: http://www.mail-archive.com/[email protected]/
> > > Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=sts
> >
>
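
The step-variable approach discussed in this thread, sketched in CFML as an added example (not code posted by anyone on the list). The fuseaction names, `checkoutSteps`, `session.checkoutStep` and `stepIsValid` are assumptions for illustration; the step is kept in the session scope, whose values are held on the server, and session management is assumed to be enabled for the application.

```cfml
<!--- Added example: server-side gate for an ordered checkout flow. --->
<!--- Runs in index.cfm before the fuseaction switch. --->

<!--- Ordered checkout steps (hypothetical fuseaction names). --->
<cfset checkoutSteps = "shippingMethod,creditCard,shippingInfo,approveOrder">

<cfparam name="attributes.fuseaction" default="shippingMethod">

<!--- Position of the requested fuseaction in the flow; 0 means it is
      not a checkout step and is not gated here. --->
<cfset requestedStep = ListFindNoCase(checkoutSteps, attributes.fuseaction)>

<cfif requestedStep GT 0>
  <cflock scope="session" type="exclusive" timeout="10">
    <!--- Highest step this visitor has completed; never taken from
          the URL, a form field or a cookie. --->
    <cfparam name="session.checkoutStep" default="0">
    <cfset allowedStep = session.checkoutStep + 1>
  </cflock>

  <!--- Going back to an earlier step is allowed; jumping ahead is not.
        A request for a later step is sent to the first incomplete one. --->
  <cfif requestedStep GT allowedStep>
    <cflocation url="index.cfm?fuseaction=#ListGetAt(checkoutSteps, allowedStep)#" addtoken="no">
  </cfif>
</cfif>

<!--- In the action file for each step, after the submitted data has been
      validated on the server (stepIsValid is a hypothetical flag set by
      that validation), record the step as completed. --->
<cfparam name="stepIsValid" default="false">
<cfif requestedStep GT 0 AND stepIsValid>
  <cflock scope="session" type="exclusive" timeout="10">
    <cfif requestedStep GT session.checkoutStep>
      <cfset session.checkoutStep = requestedStep>
    </cfif>
  </cflock>
</cfif>
```

If the client scope is used for the step instead, the application's client storage must be the registry or a data source; with client storage set to cookie, the values are held by the browser.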