Interesting, but what is the logic behind this?
Are you worried that someone will guess someone else's cftoken? They
can obviously guess cfids close to their own, but they still have to
guess the cftoken, which is a seven-digit number (i.e. one in 10 million).
--- Dave DeVol <[EMAIL PROTECTED]> wrote:
>
> I use client sessions too and do hijack security by setting another
> cookie called cfunique. I then add this to the client session. Something
> like:
>
> <!---when they log in--->
> <!--- issue a random, unguessable per-browser token if none exists yet --->
> <cfif not isdefined("cookie.cfunique")>
>   <cfcookie name="cfunique" value="#createUUID()#" domain=".yourDomain.com">
> </cfif>
> <!--- bind the token to the client session so later requests can be checked --->
> <cfset client.cfunique = cookie.cfunique>
>
> <!---app_globals--->
> <!--- on every request: a client record that carries a binding token
>       must be presented together with the matching cookie --->
> <cfif isdefined("client.cfunique")>
>   <cfparam name="cookie.cfunique" default="0">
>   <!--- compareNoCase returns 0 only when the two values match --->
>   <cfif compareNoCase(cookie.cfunique, client.cfunique) NEQ 0>
>     <cfinclude template="act_bootEm.cfm">
>   </cfif>
> </cfif>
>
> ----- Original Message -----
> From: "Luke Bartholomew" <[EMAIL PROTECTED]>
> To: "Fusebox" <[EMAIL PROTECTED]>
> Sent: Tuesday, July 31, 2001 10:36 AM
> Subject: client variable hijack
>
>
> > to anyone who can help,
> >
> > I have recently launched a rather complex application developed using the
> > XFB specification and have a serious problem with the security. The security
> > system is based upon the XFB outlined by Hal Helms, using the user_groups
> > database table to allow administrators to be set up. The entire system only
> > relies upon client variables and non-persistent cookies to maintain state
> > management - no session, application or server variables are used. The
> > cfapplication tag is placed at the top of each index.cfm file as below:
> >
> > <cfif NOT IsDefined( 'application.applicationName' )>
> >   <cfapplication name="appname" clientmanagement="Yes">
> > </cfif>
> >
> > The index.cfm file follows the XFB specification - and cfincludes the
> > app_globals.cfm file.
> >
> > Inside the app_globals.cfm file is the following script to kill session
> > cookies if the browser is closed:
> >
> > <cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
> >   <cfset cfid_local = Cookie.CFID>
> >   <cfset cftoken_local = Cookie.CFTOKEN>
> >   <!--- re-issue CFID/CFTOKEN without an expiry so they become session cookies --->
> >   <cfcookie name="CFID" value="#cfid_local#">
> >   <cfcookie name="CFTOKEN" value="#cftoken_local#">
> > </cfif>
> >
> > And the client.urltoken is set to the request scope:
> >
> > <cfscript>
> >   // set urltoken
> >   request.urltoken = client.urltoken;
> > </cfscript>
> >
> > Then the request.urltoken variable is passed at every request to the server
> > - either on the end of the url string or in a form (I have looked into this
> > on the allaire website which suggests that this is not a very secure way of
> > state management).
> >
> > The problem is that once I log into the application occasionally I inherit
> > someone else's client variables which is obviously very undesirable.
> >
> > The login script is nothing unusual and basically validates information
> > posted from a form against information held in the database - and then sets
> > the necessary client variables for email, client id and last login. There is
> > also a login script which runs through Flash, but it is basically the same
> > as the other.
> >
> > Thanks
> >
> > Luke B.
> >
> >
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
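The following is an added illustration, not code from the thread or from ColdFusion: a small Python model of the flow the messages describe. It mimics ColdFusion's client management with a sequential CFID and a random seven-digit CFTOKEN (as the first reply assumes), a urltoken that carries both values into links and forms (as in Luke's setup), and Dave DeVol's extra check that the client record's cfunique must match a cookie that never travels in the URL. The store, the client-variable values and the use of uuid4 as a stand-in for createUUID() are assumptions made for the example.

```python
"""
Model of the ColdFusion client-variable flow discussed in the thread.
Shows that a urltoken captured from a URL can be replayed when identity
rests on CFID/CFTOKEN alone, and that binding the client record to a
cookie-only random value (the "cfunique" idea) rejects the replay.
Constructed example; not ColdFusion's or the poster's code.
"""
import math
import secrets
import uuid

CFTOKEN_DIGITS = 7  # a seven-digit CFTOKEN: 10**7 possible values


class ClientStore:
    """In-memory stand-in for the client-variable store (assumption).
    CFID counts up sequentially; CFTOKEN is a random seven-digit number."""

    def __init__(self):
        self._next_cfid = 1000
        self._records = {}  # (cfid, cftoken) -> dict of client variables

    def new_client(self):
        cfid = self._next_cfid
        self._next_cfid += 1
        cftoken = secrets.randbelow(10 ** CFTOKEN_DIGITS)
        self._records[(cfid, cftoken)] = {}
        return cfid, cftoken

    def lookup(self, cfid, cftoken):
        return self._records.get((cfid, cftoken))


def urltoken(cfid, cftoken):
    """The string client.urltoken carries on every link and form."""
    return f"CFID={cfid}&CFTOKEN={cftoken}"


def parse_urltoken(token):
    params = dict(p.split("=", 1) for p in token.split("&"))
    return int(params["CFID"]), int(params["CFTOKEN"])


def login(store):
    """Login: create the client record, set client variables, and bind a
    cookie-only random value to the record (uuid4 stands in for createUUID()).
    Returns the browser's cookies and the urltoken it will append to links."""
    cfid, cftoken = store.new_client()
    client = store.lookup(cfid, cftoken)
    client["email"] = "user@example.com"  # constructed client variable
    cfunique = str(uuid.uuid4())
    client["cfunique"] = cfunique
    cookies = {"CFID": str(cfid), "CFTOKEN": str(cftoken), "cfunique": cfunique}
    return cookies, urltoken(cfid, cftoken)


def handle_request_naive(store, token, cookies):
    """Identity comes solely from CFID/CFTOKEN, which the urltoken also
    carries: whoever holds the token is treated as the user."""
    cfid, cftoken = parse_urltoken(token)
    client = store.lookup(cfid, cftoken)
    return client["email"] if client else None


def handle_request_bound(store, token, cookies):
    """Same lookup, plus the app_globals check: if the client record carries
    cfunique, the request must present the matching cookie (case-insensitive,
    defaulting to "0" when absent) or it is booted."""
    cfid, cftoken = parse_urltoken(token)
    client = store.lookup(cfid, cftoken)
    if client is None:
        return None
    if "cfunique" in client:
        presented = cookies.get("cfunique", "0")
        if presented.lower() != client["cfunique"].lower():
            return None  # act_bootEm.cfm
    return client["email"]


def demo():
    store = ClientStore()
    victim_cookies, victim_token = login(store)
    # The attacker has the victim's urltoken (it was in a URL) but none of
    # the victim's cookies.
    attacker_cookies = {}
    return {
        "naive": handle_request_naive(store, victim_token, attacker_cookies),
        "bound": handle_request_bound(store, victim_token, attacker_cookies),
        "owner": handle_request_bound(store, victim_token, victim_cookies),
        # guessing work per known CFID, in bits, for the seven-digit token
        "cftoken_bits": round(math.log2(10 ** CFTOKEN_DIGITS), 1),
    }


if __name__ == "__main__":
    print(demo())
```

The replay succeeds against the naive handler and fails against the bound one only because cfunique is never placed in the URL; appending it to links the way urltoken is would leak it the same way. The seven-digit CFTOKEN offers roughly 23 bits of guessing work per CFID, which is the figure the first reply's "one in 10 million" corresponds to.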