I use client sessions too and do hijack security by setting another cookie
called cfunique. I then add this to the client session. Something like:

<!--- when they log in --->
<cfif not isDefined("cookie.cfunique")>
  <cfcookie name="cfunique" value="#createUUID()#" domain=".yourDomain.com">
</cfif>
<!--- bind the browser's cfunique cookie to this client record --->
<cfset client.cfunique = cookie.cfunique>

<!--- app_globals --->
<cfif isDefined("client.cfunique")>
  <cfparam name="cookie.cfunique" default="0">
  <!--- compareNoCase() returns 0 only when the two values match --->
  <cfif compareNoCase(cookie.cfunique, client.cfunique)>
    <cfinclude template="act_bootEm.cfm">
  </cfif>
</cfif>

----- Original Message -----
From: "Luke Bartholomew" <[EMAIL PROTECTED]>
To: "Fusebox" <[EMAIL PROTECTED]>
Sent: Tuesday, July 31, 2001 10:36 AM
Subject: client variable hijack


> to anyone who can help,
>
> I have recently launched a rather complex application developed using the
> XFB specification and have a serious problem with the security. The security
> system is based upon the XFB outlined by Hal Helms, using the user_groups
> database table to allow administrators to be set up. The entire system only
> relies upon client variables and non-persistent cookies to maintain state
> management - no session, application or server variables are used. The
> cfapplication tag is placed at the top of each index.cfm file as below:
>
> <cfif NOT IsDefined( 'application.applicationName' )>
> <cfapplication name="appname" clientmanagement="Yes">
> </cfif>
>
> The index.cfm file follows the XFB specification - and cfinclude's the
> app_globals.cfm file.
>
> Inside the app_globals.cfm file is the following script to kill session
> cookies if browser is closed:
>
> <cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
>   <cfset cfid_local = Cookie.CFID>
>   <cfset cftoken_local = Cookie.CFTOKEN>
>   <cfcookie name="CFID" value="#cfid_local#">
>   <cfcookie name="CFTOKEN" value="#cftoken_local#">
> </cfif>
>
> And the client.urltoken is set to the request scope:
>
> <cfscript>
> // set urltoken
> request.urltoken=client.urltoken;
> </cfscript>
>
> Then the request.urltoken variable is passed at every request to the server
> - either on the end of the url string or in a form (I have looked into this
> on the allaire website which suggests that this is not a very secure way of
> state management).
>
> The problem is that once I log into the application occasionally I inherit
> someone else's client variables which is obviously very undesirable.
>
> The login script is nothing unusual and basically validates information
> posted from a form against information held in the database - and then sets
> the necessary client variables for email, client id and last login. There is
> also a login script which runs through Flash, but it is basically the same
> as the other.
>
> Thanks
>
> Luke B.
>
>
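The cookie-binding check from the reply above, modelled in Python as an added example (not code from either poster): an in-memory stand-in for the ColdFusion client store, a login step that mints the cfunique cookie and binds it to the client record, and the per-request app_globals check that boots a request presenting a known urltoken without the matching cookie. The urltoken strings, user names and the "booted"/"anonymous" results are constructed for the demo.

```python
import hmac
import secrets

# Constructed stand-in for the ColdFusion client-variable store,
# keyed by the CFID/CFTOKEN pair carried in client.urltoken.
client_store = {}


def login(cookies: dict, urltoken: str, user: str) -> None:
    """On successful login, mint the per-browser cfunique cookie (if absent)
    and bind it to the client record addressed by urltoken."""
    if "cfunique" not in cookies:
        cookies["cfunique"] = secrets.token_hex(16)  # stands in for createUUID()
    client_store[urltoken] = {"user": user, "cfunique": cookies["cfunique"]}


def app_globals(cookies: dict, urltoken: str) -> str:
    """Per-request check (app_globals.cfm): honour the client record only if the
    browser also presents the cfunique cookie that was bound at login."""
    record = client_store.get(urltoken)
    if record is None:
        return "anonymous"
    presented = cookies.get("cfunique", "0")  # cfparam default="0"
    # Constant-time, case-insensitive compare (compareNoCase in the original).
    if not hmac.compare_digest(presented.lower(), record["cfunique"].lower()):
        del client_store[urltoken]  # act_bootEm.cfm: drop the record
        return "booted"
    return record["user"]


def demo() -> tuple:
    """Legitimate request, then a different browser presenting the same
    urltoken (the inherited-client-variables case in the thread) without
    the cookie, then the original browser again."""
    alice_jar = {}
    token = "CFID=1&CFTOKEN=111"  # constructed urltoken
    login(alice_jar, token, "alice")
    first = app_globals(alice_jar, token)
    other_jar = {}  # no cfunique cookie
    second = app_globals(other_jar, token)
    third = app_globals(alice_jar, token)
    return first, second, third
```

Note that booting on mismatch also ends the legitimate browser's session once a stranger presents its urltoken, so act_bootEm should log the event rather than fail silently.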
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists