As far as I can tell, the ONLY thing you should ever need to pass is the
cftoken. Take the hit on the webserver/SQL server. Think of it as a lockbox
with a key. You keep the box, yet give each client a unique key, the
cftoken.

All you need is a decent cftoken. Do the reg hack (that's for you Windows
folks) to add in the UuidToken = 1 key to
HKEY_LOCAL_MACHINE\Allaire\ColdFusion\CurrentVersion\Clients. Then if you
are using db-driven client vars, manually change the size of the CFID fields
in the client variable database to 50, and yer set. Now your clients get a
UUID for their CFTOKEN.

You've got a good key for each client, so why would you need to pass
anything back to 'em? Performance? Feh. Go for security. Remember the
correction officer's mantra, "Security is not Convenient".

> -----Original Message-----
> From: Nat Papovich [SMTP:[EMAIL PROTECTED]]
> Sent: Monday, May 07, 2001 6:52 AM
> To:   Fusebox
> Subject:      RE: Managing program flow
> 
> Right, but I would argue that it is safe to store only the productID, not
> the price, and calculate the price each time the display of it is needed
> by
> hitting the DB. Passing checkout information in hidden form fields CAN be
> secure, as long as you pass insecure data, not things like CC info, price,
> tax info, etc.
> 
> NAT
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, May 07, 2001 4:46 AM
> > To: Fusebox
> > Subject: RE: Managing program flow
> >
> >
> > That wasn't my point. My point was the concept rather than the
> > implementation attribute.
> > Check out www.bratcatalog.com
> > they do use hidden fields to store data and it is not at all secure.
> > Amit Talwar
> > Intellikaps
> >
> > -----Original Message-----
> > From: Nat Papovich [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, May 07, 2001 9:52 AM
> > To: Fusebox
> > Subject: RE: Managing program flow
> >
> >
> > Erik is smart enough to either not store price info in a form field or to
> > check that price matches price for productID on order submission.
> >
> > > -----Original Message-----
> > > From: BORKMAN Lee [mailto:[EMAIL PROTECTED]]
> > > Sent: Sunday, May 06, 2001 6:11 PM
> > > To: Fusebox
> > > Subject: RE: Managing program flow
> > >
> > >
> > > Yes, but you can possibly live with hidden fields as long as you always
> > > check for a trusted referer.
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > >
> > >
> > > Hi,
> > > Well Erik, it is absolutely going to cause security hazards if you
> > > are using hidden variables in your page.
> > >
> > > Consider this, for example you store the price of a product as a hidden
> > > variable. Now if the user saves the page to his system and reduces the
> > > price and then submits the page you will never know whether the price is
> > > correct or incorrect as there will be no cross check with the
> > > price in the database.
> > >
> >
>
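The cross-check Nat describes above (store only the productID, look the price up again at order submission) as an added Python example that is not code from anyone in this thread; the catalog, field names and helper names are constructed for illustration:

```python
"""Server-side cross-check of prices arriving in hidden form fields.

Added example, not from the thread. The authoritative price is always
looked up by productID at submission time; a submitted price is only
compared against it, never used for the total.
"""
from decimal import Decimal

# Constructed catalog standing in for the product table in the database.
CATALOG = {
    "SKU-100": Decimal("49.99"),
    "SKU-200": Decimal("120.00"),
}


class PriceMismatch(ValueError):
    """Raised when a submitted price differs from the database price."""


def lookup_price(product_id):
    """Return the database price for product_id; unknown IDs are rejected."""
    try:
        return CATALOG[product_id]
    except KeyError:
        raise ValueError(f"unknown productID {product_id!r}") from None


def check_submitted_price(product_id, submitted_price):
    """Compare a hidden-field price with the database and refuse a mismatch."""
    db_price = lookup_price(product_id)
    if Decimal(str(submitted_price)) != db_price:
        raise PriceMismatch(
            f"{product_id}: submitted {submitted_price}, database {db_price}")
    return db_price


def order_total(form_items):
    """Total the order from productID and quantity only.

    form_items: list of dicts with 'productID', 'qty' and optionally 'price'
    (the hidden field). The total uses the database price; if a price was
    submitted it is validated first and a mismatch aborts the order.
    """
    total = Decimal("0")
    for item in form_items:
        qty = int(item["qty"])
        if qty <= 0:
            raise ValueError(f"{item['productID']}: invalid quantity {qty}")
        if "price" in item:
            price = check_submitted_price(item["productID"], item["price"])
        else:
            price = lookup_price(item["productID"])
        total += price * qty
    return total
```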
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
