to anyone who can help,
I have recently launched a rather complex application developed using the
XFB specification and have a serious problem with the security. The security
system is based upon the XFB outlined by Hal Helms, using the user_groups
database table to allow administrators to be set up. The entire system only
relies upon client variables and non-persistent cookies to maintain state
management - no session, application or server variables are used. The
cfapplication tag is placed at the top of each index.cfm file as below:
<cfif NOT IsDefined( 'application.applicationName' )>
<cfapplication name="appname" clientmanagement="Yes">
</cfif>
The index.cfm file follows the XFB specification - and cfinclude's the
app_globals.cfm file.
Inside the app_globals.cfm file is the following script to kill session
cookies if browser is closed:
<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
<cfset cfid_local = Cookie.CFID>
<cfset cftoken_local = Cookie.CFTOKEN>
<cfcookie name="CFID" value="#cfid_local#">
<cfcookie name="CFTOKEN" value="#cftoken_local#">
</cfif>
And the client.urltoken is set to the request scope:
<cfscript>
// set urltoken
request.urltoken=client.urltoken;
</cfscript>
Then the request.urltoken variable is passed at every request to the server
- either on the end of the url string or in a form (I have looked into this
on the Allaire website, which suggests that this is not a very secure way of
state management).
The problem is that once I log into the application, occasionally I inherit
someone else's client variables, which is obviously very undesirable.
The login script is nothing unusual and basically validates information
posted from a form against information held in the database - and then sets
the necessary client variables for email, client id and last login. There is
also a login script which runs through Flash, but it is basically the same
as the other.
Thanks
Luke B.
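Added example (not from the post above): since the urltoken puts CFID/CFTOKEN on the query string of every request, the web server's access log records them. This script, run over a constructed Apache combined-format sample, lists requests carrying the token pair in the URL and flags any pair seen from more than one source IP, which is the kind of evidence that would confirm one visitor's client state being reused by another. Log format, field names and addresses are assumptions for the sample.

```python
"""Find ColdFusion CFID/CFTOKEN pairs in request URLs and pairs shared
across several source IPs, from an access log (constructed sample)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Apache combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2002:10:00:01 +0000] "GET /index.cfm?fuseaction=login HTTP/1.0" 200 512 "-" "Mozilla/4.0"
10.0.0.5 - - [01/Mar/2002:10:00:05 +0000] "GET /index.cfm?fuseaction=home&CFID=1234&CFTOKEN=98765 HTTP/1.0" 200 900 "-" "Mozilla/4.0"
10.0.0.9 - - [01/Mar/2002:10:01:10 +0000] "GET /index.cfm?fuseaction=home&CFID=1234&CFTOKEN=98765 HTTP/1.0" 200 900 "http://other.example/page" "Mozilla/4.0"
10.0.0.7 - - [01/Mar/2002:10:02:00 +0000] "POST /index.cfm?fuseaction=save&CFID=555&CFTOKEN=777 HTTP/1.0" 302 0 "-" "Flash"
"""

# Combined log format: ip ident user [time] "method url proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'\d+ \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')


def parse_line(line):
    """Return the parsed fields plus any CFID/CFTOKEN found in the query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Query keys compared case-insensitively; CF accepts either spelling.
    qs = {k.lower(): v for k, v in parse_qs(urlsplit(rec["url"]).query).items()}
    rec["cfid"] = qs.get("cfid", [None])[0]
    rec["cftoken"] = qs.get("cftoken", [None])[0]
    return rec


def token_in_url_hits(log_text):
    """Requests whose URL carries the client token pair (it will be logged,
    bookmarked and sent in Referer headers wherever that URL travels)."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [r for r in recs if r and r["cfid"] and r["cftoken"]]


def shared_token_pairs(log_text):
    """Token pairs presented from more than one source IP: a signal that one
    visitor's client variables are being picked up by another."""
    seen = defaultdict(set)
    for r in token_in_url_hits(log_text):
        seen[(r["cfid"], r["cftoken"])].add(r["ip"])
    return {pair: sorted(ips) for pair, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for pair, ips in shared_token_pairs(SAMPLE_LOG).items():
        print("CFID/CFTOKEN %s/%s seen from %s" % (pair[0], pair[1], ", ".join(ips)))
```

On the sample, the pair 1234/98765 is reported from both 10.0.0.5 and 10.0.0.9; the same grouping can be keyed on User-Agent or session cookie instead of IP where clients sit behind a shared proxy.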
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists