Re: Client variables? reliable enough?

2007-02-16 Thread Dinner
On 2/16/07, Jochem van Dieten <[EMAIL PROTECTED]> wrote:

> should use the industry standard, peer reviewed, time tested design of
> HTTP Digest Authentication. See RFC 2617 for details.

Hey!  Apache still marks that as "experimental"!  =]

~|
ColdFusion MX7 and Flex 2 
Build sales & marketing dashboard RIA’s for your business. Upgrade now
http://www.adobe.com/products/coldfusion/flex2

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:270032
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4


Re: Client variables? reliable enough?

2007-02-16 Thread Jochem van Dieten
Mike Kear said:
>
> Anyway, he says there's a security issue with using a token
> throughout for a session, so each page view has to issue a new
> token, and expire the last one.

What he wants is called "replay protection". It is considered a solved
problem. Instead of using the half-baked design of your client, you
should use the industry standard, peer reviewed, time tested design of
HTTP Digest Authentication. See RFC 2617 for details.

And the good news: it is built in to most browsers and webservers and
you can build a custom client variables solution on top of it.

Jochem
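The RFC 2617 exchange Jochem points to, written out as an added example (Python rather than ColdFusion, and not code from the thread): the client computes the Digest `response` over the server's nonce, a per-request nonce count (`nc`) and the method/URI, and the server accepts a given nonce only with a strictly increasing count, which is where the replay protection comes from. The realm, the user `alice` with her password, the fixed client nonce and the class names are all constructed for this example.

```python
import hashlib
import secrets

# Added example, not from the CF-Talk thread: HTTP Digest Authentication
# (RFC 2617, qop=auth) with the server-side nonce-count check that rejects replays.


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: the 'response' field per RFC 2617 section 3.2.2 for qop=auth.

    The password never leaves the client; only this hash goes on the wire.
    """
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Server side: issues nonces and verifies Authorization headers (as dicts)."""

    def __init__(self, realm, users):
        self.realm = realm
        # RFC 2617 allows storing HA1 instead of the cleartext password.
        self._ha1 = {u: _md5(f"{u}:{realm}:{p}") for u, p in users.items()}
        self._nonces = {}  # nonce -> highest nonce-count accepted so far

    def challenge(self) -> str:
        """Issue a fresh server nonce (sent in WWW-Authenticate)."""
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = 0
        return nonce

    def verify(self, auth: dict) -> bool:
        nonce = auth["nonce"]
        if nonce not in self._nonces:
            return False  # unknown or retired nonce
        nc = int(auth["nc"], 16)
        if nc <= self._nonces[nonce]:
            return False  # replay: the count for this nonce must strictly increase
        ha1 = self._ha1.get(auth["username"])
        if ha1 is None:
            return False
        ha2 = _md5(f"{auth['method']}:{auth['uri']}")
        expected = _md5(f"{ha1}:{nonce}:{auth['nc']}:{auth['cnonce']}:auth:{ha2}")
        if not secrets.compare_digest(expected, auth["response"]):
            return False  # wrong credentials, or method/URI changed after signing
        self._nonces[nonce] = nc  # advance the count only on a successful check
        return True


def demo() -> dict:
    """Walk through one nonce: a valid request, its replay, and a tampered copy."""
    server = DigestServer("cf-talk-example", {"alice": "correct horse"})
    nonce = server.challenge()

    def build(nc, uri="/licenses", method="GET"):
        cnonce = "0a4f113b"  # fixed client nonce so the walk-through is reproducible
        return {
            "username": "alice", "realm": server.realm, "nonce": nonce, "uri": uri,
            "method": method, "nc": nc, "cnonce": cnonce,
            "response": digest_response("alice", server.realm, "correct horse",
                                        method, uri, nonce, nc, cnonce),
        }

    first = build("00000001")
    results = {"first": server.verify(first)}
    results["replay"] = server.verify(first)                 # same message again
    results["second"] = server.verify(build("00000002"))     # next request, nc advanced
    results["old_count"] = server.verify(build("00000001"))  # freshly signed, but nc rewound
    forged = build("00000003")
    forged["uri"] = "/admin"                                 # URI changed, response kept
    results["tampered"] = server.verify(forged)
    return results
```

Two things the walk-through shows that the thread's own token-rotation idea does not give you for free: a captured request is useless a second time because its `nc` is no longer above the server's high-water mark, and the `response` binds method and URI, so the captured credential cannot be re-pointed at a different resource. The scheme is MD5-based and RFC 7616 has since revised Digest with SHA-256, and the server still has to expire entries in its nonce table (RFC 2617's `stale=true` re-challenge); it also authenticates requests rather than carrying session state, which is why Jochem suggests building the client-variable layer on top of it.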




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269985


RE: Client variables? reliable enough?

2007-02-16 Thread Hugo Ahlenius
| From: Matt Robertson [mailto:[EMAIL PROTECTED] 
| By exposing the cfid and cftoken you are announcing to the world what
| your session identifier is.  In turn you are giving someone the
| opportunity to more easily manipulate it.  Sure someone can accept a
| cookie, read the value off the hard drive and then have the same info
| (I suppose you could make the read more difficult by not writing a
| cookie to disk and only using a session cookie) but by passing it via
| the url you are making the job as easy as possible for the attacker.

Another possible security issue is if people e-mail a link from the URL
bar to each other, that link will contain the cfid/cftoken then... It
doesn't look very clean, and if someone clicks the link before the
session has expired, then they are continuing someone else's session.

I have a feeling that the client is meaning something else - like no
username/password in the cookie or something. Having multiple users
sharing the same IP has nothing to do with cookies btw.

/Hugo

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269983


Re: Client variables? reliable enough?

2007-02-15 Thread Matt Robertson
On 2/15/07, John Blayter <[EMAIL PROTECTED]> wrote:
> My $0.02 is that you are going to
> end up with something that is damn close to client variables.

Seems that way.

I consider it obsolete but maybe not in this case: the first custom
tag I wrote is SessionMonger.  Done back in the bad old days when I
was running CF 3.x on Interland (those bastages!) servers... that
rebooted themselves about every three minutes, so CF sessions were
worth dookie and I had to have something that survived even a cold
reboot.

It has expirations and takes a halfway decent shot at making itself
unique.  Works without cookies.  Don't laugh too hard.  This was a
long time ago when I first wrote it up:

http://cfdj.sys-con.com/read/42032.htm

And the tag at Adobe:

http://tinyurl.com/2juvou

The ancient page for the tag:

http://mysecretbase.com/SessionMonger_Home.cfm

I'd read that last one first.

-- 
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269978


Re: Client variables? reliable enough?

2007-02-15 Thread John Blayter
Even if you pass the session.urlToken around in the URL, you must use
cookies if you want to use session replication. If you can't use cookies or
client variables and you must have session replication, you are left
with rolling your own state management. My $0.02 is that you are going to
end up with something that is damn close to client variables.

On 2/15/07, Mike Kear <[EMAIL PROTECTED]> wrote:
>
> His issue about the new token each time is mainly prompted by the
> issue of corporate users sharing the same IP. This is an app where
> there may be many users in a building accessing the site, and each
> will have his/her own permissions set.   So he doesn't want one person
> having higher access than they deserve by accident.  They could grant
> their management unit product they haven't been approved for.
>
> So it kind of makes sense.
>
> This is a product where the unit values are very high and a large
> organisation will buy lots of licenses, and one senior person in the
> organisation will allow the various operational units to have
> specified numbers of licenses and they'll be logging in to manage the
> licenses they have a right to.
>
> So he's not being silly about it, I can see where his mind is on it.
> Not quite sure how it's all going to work, that's the problem.
>
>
> Cheers
> Mike Kear
> Windsor, NSW, Australia
> Adobe Certified Advanced ColdFusion Developer
> AFP Webworks
> http://afpwebworks.com
> ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month
>
>
> On 2/16/07, Dinner <[EMAIL PROTECTED]> wrote:
> > On 2/15/07, Matt Robertson <[EMAIL PROTECTED]> wrote:
> > > On 2/15/07, Dinner <[EMAIL PROTECTED]> wrote:
> > > > Lot of work for not much difference.  Might as well set the session
> > > > timeout really really low or something, right?
> > >
> > > If I were trying to find sanity in the desired approach, I'd first
> > > have to accept the fact that you *cannot* have cookies.  In an
> > > environment where site customers are all corporate, and an entire
> > > building's worth of buyers could all be sharing the same cookie thanks
> > > to some fascist security scheme, the use of cookies can be
> > > catastrophic.  Been there.  So I understand the requirement although I
> > > pity to poor guy who has to comply with it.
> >
> > So we've got to keep it going from request to request, via form or url
> > params-- doable, but needs strict "form" to accomplish well (and length
> > may be an issue-- thus, the custom token).
> >
> > Or a smart "render-er", I guess.  Pipe normal code thru, out comes
> > tokened code?  Hrm... pretty damn hard to make [well  =].
> >
> > > Given that, a short session timeout would not solve the problem.  If I
> > > was stuck passing url tokens of some kind, a continuously morphing one
> > > sounds like a step up from a static one; at least on the surface.
> >
>
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269976


Re: Client variables? reliable enough?

2007-02-15 Thread Mike Kear
His issue about the new token each time is mainly prompted by the
issue of corporate users sharing the same IP. This is an app where
there may be many users in a building accessing the site, and each
will have his/her own permissions set.   So he doesn't want one person
having higher access than they deserve by accident.  They could grant
their management unit product they haven't been approved for.

So it kind of makes sense.

This is a product where the unit values are very high and a large
organisation will buy lots of licenses, and one senior person in the
organisation will allow the various operational units to have
specified numbers of licenses and they'll be logging in to manage the
licenses they have a right to.

So he's not being silly about it, I can see where his mind is on it.
Not quite sure how it's all going to work, that's the problem.


Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month


On 2/16/07, Dinner <[EMAIL PROTECTED]> wrote:
> On 2/15/07, Matt Robertson <[EMAIL PROTECTED]> wrote:
> > On 2/15/07, Dinner <[EMAIL PROTECTED]> wrote:
> > > Lot of work for not much difference.  Might as well set the session
> > > timeout really really low or something, right?
> >
> > If I were trying to find sanity in the desired approach, I'd first
> > have to accept the fact that you *cannot* have cookies.  In an
> > environment where site customers are all corporate, and an entire
> > building's worth of buyers could all be sharing the same cookie thanks
> > to some fascist security scheme, the use of cookies can be
> > catastrophic.  Been there.  So I understand the requirement although I
> > pity the poor guy who has to comply with it.
>
> So we've got to keep it going from request to request, via form or url
> params-- doable, but needs strict "form" to accomplish well (and length
> may be an issue-- thus, the custom token).
>
> Or a smart "render-er", I guess.  Pipe normal code thru, out comes
> tokened code?  Hrm... pretty damn hard to make [well  =].
>
> > Given that, a short session timeout would not solve the problem.  If I
> > was stuck passing url tokens of some kind, a continuously morphing one
> > sounds like a step up from a static one; at least on the surface.
>

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269974


Re: Client variables? reliable enough?

2007-02-15 Thread Dinner
On 2/15/07, Matt Robertson <[EMAIL PROTECTED]> wrote:
> On 2/15/07, Dinner <[EMAIL PROTECTED]> wrote:
> > Lot of work for not much difference.  Might as well set the session
> > timeout really really low or something, right?
>
> If I were trying to find sanity in the desired approach, I'd first
> have to accept the fact that you *cannot* have cookies.  In an
> environment where site customers are all corporate, and an entire
> building's worth of buyers could all be sharing the same cookie thanks
> to some fascist security scheme, the use of cookies can be
> catastrophic.  Been there.  So I understand the requirement although I
> pity the poor guy who has to comply with it.

So we've got to keep it going from request to request, via form or url
params-- doable, but needs strict "form" to accomplish well (and length
may be an issue-- thus, the custom token).

Or a smart "render-er", I guess.  Pipe normal code thru, out comes
tokened code?  Hrm... pretty damn hard to make [well  =].

> Given that, a short session timeout would not solve the problem.  If I
> was stuck passing url tokens of some kind, a continuously morphing one
> sounds like a step up from a static one; at least on the surface.

Well, it would achieve the same thing as having a really low session time
out-- perhaps not even that much, because the session would time out
after a set time, vs. the "manual" session, that presumably just hangs
out until the next token comes in (course, you could go that extra mile,
and add timeouts, etc..  Might as well do it right, right! ;).

The reason you keep it morphing is to prevent someone from stealing
it from someplace where it's exposed (hopefully not google) and using
it to "impersonate" the "real" session.

A low session timeout would accomplish the same thing, sorta.

> 'course, I haven't seen "the problem" since a health care industry job
> I did like six years ago, so for all I know firewalls are a hell of a
> lot smarter now and this client is living in the past and solving a
> problem that doesn't exist anymore.

Heh.  That's a good point.  Worthy of talking over w/ d client, fer sure.

> Glad its not my job and all I have to do is idly speculate without
> really thinking it thru :-)

You know what they say about idle hands...  ;-)

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269973


Re: Client variables? reliable enough?

2007-02-15 Thread Matt Robertson
On 2/15/07, Dinner <[EMAIL PROTECTED]> wrote:
> Lot of work for not much difference.  Might as well set the session
> timeout really really low or something, right?

If I were trying to find sanity in the desired approach, I'd first
have to accept the fact that you *cannot* have cookies.  In an
environment where site customers are all corporate, and an entire
building's worth of buyers could all be sharing the same cookie thanks
to some fascist security scheme, the use of cookies can be
catastrophic.  Been there.  So I understand the requirement although I
pity the poor guy who has to comply with it.

Given that, a short session timeout would not solve the problem.  If I
was stuck passing url tokens of some kind, a continuously morphing one
sounds like a step up from a static one; at least on the surface.

'course, I haven't seen "the problem" since a health care industry job
I did like six years ago, so for all I know firewalls are a hell of a
lot smarter now and this client is living in the past and solving a
problem that doesn't exist anymore.

Glad it's not my job and all I have to do is idly speculate without
really thinking it thru :-)

-- 
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269972


Re: Client variables? reliable enough?

2007-02-15 Thread Dinner
On 2/15/07, Matt Robertson <[EMAIL PROTECTED]> wrote:

> On 2/15/07, Dinner <[EMAIL PROTECTED]> wrote:
> > In theory, it's exactly the same thing as using tokens.  So you
> > change it with every request-- you've still got to get the old token
> > in!  Lots of added complexity for the same end result.
>
> Not the same thing.  Whatever hack is in progress would not be able to
> count on a constant cfid and cftoken value after the initial read.

I was more thinking "in process"-- all you need is one token, and
then you submit it back before the "real" user does.

Lot of work for not much difference.  Might as well set the session
timeout really really low or something, right?

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269971


Re: Client variables? reliable enough?

2007-02-15 Thread Matt Robertson
On 2/15/07, Josh Nathanson <[EMAIL PROTECTED]> wrote:
> Matt, can you explain exactly what the security issues are.

By exposing the cfid and cftoken you are announcing to the world what
your session identifier is.  In turn you are giving someone the
opportunity to more easily manipulate it.  Sure someone can accept a
cookie, read the value off the hard drive and then have the same info
(I suppose you could make the read more difficult by not writing a
cookie to disk and only using a session cookie) but by passing it via
the url you are making the job as easy as possible for the attacker.

It's only one thin layer on the onion, but I'd rather have that layer
on along with every other one I can get my hands on.

On 2/15/07, Dinner <[EMAIL PROTECTED]> wrote:
> In theory, it's exactly the same thing as using tokens.  So you
> change it with every request-- you've still got to get the old token
> in!  Lots of added complexity for the same end result.

Not the same thing.  Whatever hack is in progress would not be able to
count on a constant cfid and cftoken value after the initial read.
Since it keeps changing the hack would have to adapt to this.  The job
would be more difficult but it's certainly not going to solve the
problem of exposing the key pair and make the app bulletproof, by any
stretch.

-- 
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269969


Re: Client variables? reliable enough?

2007-02-15 Thread Dinner
On 2/15/07, Matt Robertson <[EMAIL PROTECTED]> wrote:

> His solution is ... well ... mind-boggling.  In theory it should work.

In theory, it's exactly the same thing as using tokens.  So you
change it with every request-- you've still got to get the old token
in!  Lots of added complexity for the same end result.

Why not use your own token (thus avoiding same IP/etc. combos)
and use some stuff to make sure it's the same IP with each
request, etc., so it'll be a little bit protected from session stealing?

Something along those lines perhaps...

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269967


Re: Client variables? reliable enough?

2007-02-15 Thread Josh Nathanson
> He's right... if you take the step of saying no cookies allowed you
> have to pass the token around from link to link, exposing it via the
> url and that is a security issue.

Matt, can you explain exactly what the security issues are.  Are you talking 
about sniffing it over the network (would https help that)?  Wouldn't you 
have to have admin access to the server anyway to do anything with that 
information, in which case security is compromised already?  I don't know 
much about security so I'm curious - I don't see exactly how having the 
session id alone would compromise security.

-- Josh



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269966


Re: Client variables? reliable enough?

2007-02-15 Thread Matt Robertson
good lord that sounds positively insane.

He's right... if you take the step of saying no cookies allowed you
have to pass the token around from link to link, exposing it via the
url and that is a security issue.  Caused by the draconian no cookie
requirement but it's an issue alright.  And if it's a B2B he may have a
higher likelihood of users who are behind firewalls and sharing a
single cookie and IP.  So he may not be as insane as all that.

His solution is ... well ... mind-boggling.  In theory it should work.
But holy crap talk about making things as difficult as possible.
Let's reinvent the wheel and further specify that the wheel cannot
simply be round, but rather must travel forward by folding space.

Kind of an interesting brain teaser though.

-- 
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269965


Re: Client variables? reliable enough?

2007-02-15 Thread Mike Kear
I've not quite got it figured out myself.  But the client has a bit of
experience with coldfusion, going back to CF1 and up to CF5.2.  So he
knows something of what he speaks, but his technical knowledge is
dated.

Anyway, he says there's a security issue with using a token throughout
for a session, so each page view has to issue a new token, and expire
the last one.

So I suppose that means in the application.cfc I have to add something
like this (pseudo code) to the onrequeststart() method:

gettoken()
  retrieve state from the database
  createUUID()
  set token to be the new UUID

I'm not sure how to do it yet.   I'm still trying to convince him to
let me use client vars!


Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month


On/16/07, Eric Haskins <[EMAIL PROTECTED]> wrote:
> "And to add to the fun of it all, we have to have a
> new session variable each page request."
>
> Can you explain this a bit?? What do you mean?
>
>
>
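Mike's onRequestStart() sketch, carried through as an added example (Python rather than CFML, not code from the thread or from ColdFusion) so the rotation actually runs: every request must present the current token, the server retires it and issues a fresh one, and a token that turns up a second time is treated as proof that two parties hold the session. The walk-through in `demo()` plays out the race Dinner raises later in the thread, where a leaked token is submitted by someone else before the real user's next click. `SessionStore`, `RotationError`, `try_rotate`, the 15-minute idle timeout and the user names are all this example's own.

```python
import hashlib
import secrets
import time

# Added example: per-request rotating session tokens with replay/conflict
# detection. Names and the timeout value below are constructed for the example.

IDLE_TIMEOUT = 15 * 60  # seconds


class RotationError(Exception):
    """Raised when a presented token is unknown, expired, or already used."""


def _fingerprint(token: str) -> str:
    # Persist only a hash: a database dump must not hand out live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._by_token = {}   # fingerprint of the current token -> session record
        self._retired = {}    # fingerprints already consumed -> session id
        self._revoked = set() # session ids killed after a reuse was seen

    def start(self, user, perms):
        """Create a session at login; returns (session_id, first_token)."""
        sid = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)  # CSPRNG output rather than a UUID
        self._by_token[_fingerprint(token)] = {
            "sid": sid, "user": user, "perms": perms, "last": self._clock()
        }
        return sid, token

    def rotate(self, token):
        """Validate `token`, retire it, and return (state, next_token)."""
        fp = _fingerprint(token)
        if fp in self._retired:
            # A consumed token came back. Either an attacker replayed it, or the
            # real user is one step behind a thief. Both mean the session is
            # shared, so revoke it outright rather than guess who is genuine.
            sid = self._retired[fp]
            self._revoked.add(sid)
            self._by_token = {k: v for k, v in self._by_token.items() if v["sid"] != sid}
            raise RotationError(f"token reuse detected; session {sid} revoked")
        rec = self._by_token.get(fp)
        if rec is None:
            raise RotationError("unknown token")
        now = self._clock()
        if now - rec["last"] > IDLE_TIMEOUT:
            del self._by_token[fp]
            raise RotationError("session idle timeout")
        # Rotate: the presented token is spent; mint a new one for the same state.
        del self._by_token[fp]
        self._retired[fp] = rec["sid"]
        rec["last"] = now
        new_token = secrets.token_urlsafe(32)
        self._by_token[_fingerprint(new_token)] = rec
        return rec, new_token

    def is_revoked(self, sid) -> bool:
        return sid in self._revoked


def try_rotate(store, token):
    """Return the next token, or None if the store rejected the presented one."""
    try:
        return store.rotate(token)[1]
    except RotationError:
        return None


def demo() -> dict:
    """A leaked token is submitted by a thief before the real user's next request."""
    store = SessionStore()
    sid, t0 = store.start("alice", frozenset({"manage_licenses"}))
    t1 = try_rotate(store, t0)          # alice's first page view
    t_thief = try_rotate(store, t1)     # t1 leaked (e-mailed link, proxy log); thief uses it first
    alice_next = try_rotate(store, t1)  # alice submits t1 a moment later
    thief_next = try_rotate(store, t_thief)
    return {
        "thief_got_in": t_thief is not None,
        "alice_rejected": alice_next is None,
        "thief_cut_off": thief_next is None,
        "session_revoked": store.is_revoked(sid),
    }
```

The result is the honest version of what rotation buys: whoever submits the leaked token first still gets one request in, exactly as Dinner says, but the second presentation of that token is unambiguous evidence of a hijack, so the store can kill the session and log the conflict instead of letting both parties carry on. Rotation is therefore a detection measure, not a substitute for keeping the token out of URLs in the first place.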

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269941


RE: Client variables? reliable enough?

2007-02-15 Thread Che Vilnonis
This is absolutely true. There is a DB performance hit with using client
vars. But, if your site is not a high volume site or if you are on a shared
server with limited Ram, client variables may be beneficial.

~Ché

-Original Message-
From: Eric Haskins [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 15, 2007 2:27 PM
To: CF-Talk
Subject: Re: Client variables? reliable enough?


Coming over from php I have always used Session Vars to start off. I have
uncovered issues with the Client Vars here in my current position. If you do
high volume and have a large customer base you can experience a performance
hit with Client Var lookups.

Eric




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269940


Re: Client variables? reliable enough?

2007-02-15 Thread Eric Haskins
"And to add to the fun of it all, we have to have a
new session variable each page request."

Can you explain this a bit?? What do you mean?


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269937


Re: Client variables? reliable enough?

2007-02-15 Thread Eric Haskins
Coming over from php I have always used Session Vars to start off. I have
uncovered issues with the Client Vars here in my current position. If you do
high volume and have a large customer base you can experience a performance
hit with Client Var lookups.

Eric


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269935


Re: Client variables? reliable enough?

2007-02-15 Thread Mike Kear
I have never had to use URLSessionformat() before but it sounds like
it's going to be very helpful in this case.

Oh and this is a business-to-business shopping cart app, so we do have
to maintain state.  And to add to the fun of it all, we have to have a
new session variable each page request.

The server is going to have a lot of grunt and relatively low traffic,
so I'm not too worried about dipping into the database every page but
it would be better without.  And having to wddx structs isn't much of a
problem because I don't pass them from page to page much any more.
Instead I use beans, which are even harder to pass through client
vars.   In fact I'd say they're pretty well impossible and will
probably need to be persisted to the database and rebuilt each page
view.

Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month

On 2/16/07, Matt Robertson <[EMAIL PROTECTED]> wrote:
> if you're bidding on a job he has just added a nice fat increase to
> your bid expense.  You will have to pass the key pair around for
> everything.  All cflocations, form posts, url links.  The works.  And
> exposing the key pair has security implications that imho cannot be
> overcome.  You basically create an attack surface that otherwise
> doesn't exist.
>
> urlsessionformat() is going to be your friend, sadly.
>
> As for client vars, I echo what was said with respect to the fact that
> it works fine if you design your app to use it from scratch, and
> realize its limitations (i.e. no structs unless you want to use cfwddx
> to plug them in, which is crazy overhead).
>
> Cvars are the right tool for SOME jobs but not all of them.  Every hit
> to your server will generate a hit to your database as the lvisit and
> hitcount vars are updated, at minimum.  Fine if you plan for it and
> know what you're getting into, but session vars are probably a better
> option.  Since the advent of CF MX I have tried to stay away from
> cvars if I can and stick to session vars.
>
> --
> [EMAIL PROTECTED]
> Janitor, The Robertson Team
> mysecretbase.com
>
>

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269933


Re: Client variables? reliable enough?

2007-02-15 Thread Matt Robertson
if you're bidding on a job he has just added a nice fat increase to
your bid expense.  You will have to pass the key pair around for
everything.  All cflocations, form posts, url links.  The works.  And
exposing the key pair has security implications that imho cannot be
overcome.  You basically create an attack surface that otherwise
doesn't exist.

urlsessionformat() is going to be your friend, sadly.

As for client vars, I echo what was said with respect to the fact that
it works fine if you design your app to use it from scratch, and
realize its limitations (i.e. no structs unless you want to use cfwddx
to plug them in, which is crazy overhead).

Cvars are the right tool for SOME jobs but not all of them.  Every hit
to your server will generate a hit to your database as the lvisit and
hitcount vars are updated, at minimum.  Fine if you plan for it and
know what you're getting into, but session vars are probably a better
option.  Since the advent of CF MX I have tried to stay away from
cvars if I can and stick to session vars.

-- 
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269928


RE: Client variables? reliable enough?

2007-02-15 Thread Andy Matthews
With no cookies then you'd never have a way of knowing if you have a
returning user. Is he okay with that? Is he willing to sacrifice the
convenience of his users for this insistence?


Andy matthews


-Original Message-
From: Che Vilnonis [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 15, 2007 12:52 PM
To: CF-Talk
Subject: RE: Client variables? reliable enough?

AFAIK, with NO cookies, you would need to pass the CFID and CFTOKEN in the
URL for each request.

-Original Message-
From: Mike Kear [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 15, 2007 1:46 PM
To: CF-Talk
Subject: Re: Client variables? reliable enough?


Still negotiating with my client about Clientvars.  He's finally said this -
what do you make of it?

[quote]
I don't care too much about client vars and how they are implemented as long
as there are NO COOKIES used. But be warned, if we have issues with the site
in production, they will need to be fixed at your cost. [/quote]


Well, I don't have a problem with standing behind my own work. I'd expect to
have to fix anything that didn't work properly anyway.  But what do you make
of the insistence that there can't be any cookies?

How do you maintain state, with NO cookies at all?  Surely as a
minimum you have to have a session cookie, don't you?   How else do you
keep track of sessions?

Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month


On 2/8/07, John Beynon <[EMAIL PROTECTED]> wrote:
> I'm using client variables stored in cookies across two load balanced 
> boxes with dual CF instances... yet to see a problem - running like 
> this for 2 years! I don't see what the fuss is all about.
>
> john.
>





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269927


Re: Client variables? reliable enough?

2007-02-15 Thread Josh Nathanson
You will have to pass them in the url, so every link would need to have CFID 
and CFTOKEN appended to it.  It's a pain but it can be done.

If your client wants to have no cookies set at all, even if the user accepts 
them, don't use URLSessionFormat: this will place a cookie if the user 
accepts them, or append the CFID/CFTOKEN/jsessionid if they don't.

Too bad cookies got such a bad rap.  The public at large is terrified of 
them.  I'm sure your client probably has no idea what they are or how they 
work, and how helpful they can be for developers.

-- Josh


- Original Message - 
From: "Mike Kear" <[EMAIL PROTECTED]>
To: "CF-Talk" 
Sent: Thursday, February 15, 2007 10:46 AM
Subject: Re: Client variables? reliable enough?


> Still negotiating with my client about Clientvars.  He's finally said
> this - what do you make of it?
>
> [quote]
> I don't care too much about client vars and how they are implemented
> as long as there are NO COOKIES used. But be warned, if we have issues
> with the site in production, they will need to be fixed at your cost.
> [/quote]
>
>
> Well, I don't have a problem with standing behind my own work. I'd
> expect to have to fix anything that didn't work properly anyway.  But
> what do you make of the insistence that there can't be any cookies?
>
> How do you maintain state, with NO cookies at all?  Surely as a
> minimum you have to have a session cookie, don't you?   How else do you
> keep track of sessions?
>
> Cheers
> Mike Kear
> Windsor, NSW, Australia
> Adobe Certified Advanced ColdFusion Developer
> AFP Webworks
> http://afpwebworks.com
> ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month
>
>
> On 2/8/07, John Beynon <[EMAIL PROTECTED]> wrote:
>> I'm using client variables stored in cookies across two load balanced
>> boxes with dual CF instances... yet to see a problem - running like
>> this for 2 years! I don't see what the fuss is all about.
>>
>> john.
>>
>
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269926


RE: Client variables? reliable enough?

2007-02-15 Thread Che Vilnonis
AFAIK, with NO cookies, you would need to pass the CFID and CFTOKEN in the
URL for each request.

-Original Message-
From: Mike Kear [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 15, 2007 1:46 PM
To: CF-Talk
Subject: Re: Client variables? reliable enough?


Still negotiating with my client about Clientvars.  He's finally said this -
what do you make of it?

[quote]
I don't care too much about client vars and how they are implemented as long
as there are NO COOKIES used. But be warned, if we have issues with the site
in production, they will need to be fixed at your cost. [/quote]


Well, I don't have a problem with standing behind my own work. I'd expect to
have to fix anything that didn't work properly anyway.  But what do you make
of the insistence that there can't be any cookies?

How do you maintain state, with NO cookies at all?  Surely as a
minimum you have to have a session cookie, don't you?   How else do you
keep track of sessions?

Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month


On 2/8/07, John Beynon <[EMAIL PROTECTED]> wrote:
> I'm using client variables stored in cookies across two load balanced 
> boxes with dual CF instances... yet to see a problem - running like 
> this for 2 years! I don't see what the fuss is all about.
>
> john.
>



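Che's and Josh's answers both come down to the same mechanism: once the CFID/CFTOKEN cookies are switched off, every link and form has to carry the two identifiers itself. The following is an added example, not code from the thread or from any poster, written in ColdFusion MX7 syntax. It shows an Application.cfc that disables the identifier cookies and keeps client storage in a database rather than the registry, plus a page that builds its navigation from the built-in `client.urlToken` instead of `URLSessionFormat()` (which, as Josh points out, still sets a cookie whenever the browser accepts one). The application name `CookielessClientVars` and the datasource name `clientVarsDSN` are assumed; the `onRequestStart` logging is an added defensive touch, not a ColdFusion feature.

```cfml
<!--- Application.cfc: added example of a cookieless ColdFusion MX7 application (not from the thread) --->
<cfcomponent output="false">
    <cfset this.name = "CookielessClientVars">                <!--- assumed application name --->
    <cfset this.clientManagement = true>
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>  <!--- short: the token is visible in URLs --->
    <cfset this.applicationTimeout = createTimeSpan(1, 0, 0, 0)>

    <!--- Never emit Set-Cookie for CFID/CFTOKEN; the identifiers then travel only in URLs --->
    <cfset this.setClientCookies = false>
    <cfset this.setDomainCookies = false>

    <!--- Client variables live in a database datasource, never the registry; "clientVarsDSN" is assumed --->
    <cfset this.clientStorage = "clientVarsDSN">

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Without cookies, a request that arrives with no identifiers in the URL is treated as a
              brand-new client. Logging these makes a burst of "new clients" (a link somewhere was
              built without the token, or the token was dropped by a proxy) visible in the app logs. --->
        <cfif not (structKeyExists(url, "CFID") and structKeyExists(url, "CFTOKEN"))>
            <cflog file="cookieless" type="information"
                   text="Request without client identifiers: #arguments.targetPage# from #cgi.remote_addr#">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>


<!--- cookieless.cfm: every navigation target must carry the identifiers explicitly --->
<!--- client variables are simple values only (no structs), per the limitation noted earlier in the thread --->
<cfparam name="client.lastPage" default="none">
<cfoutput>
    <p>Hits recorded for this client record: #client.hitCount#</p>
    <p>Previous page: #client.lastPage#</p>

    <!--- client.urlToken expands to "CFID=...&CFTOKEN=..." for the current client record --->
    <a href="cookieless.cfm?#client.urlToken#">Reload with state</a>

    <!--- Forms carry the token in the action URL, so the POST is tied to the same client record --->
    <form action="cookieless.cfm?#client.urlToken#" method="post">
        <input type="submit" value="Post with state">
    </form>
</cfoutput>
<cfset client.lastPage = cgi.script_name>
```

The cost of this design is that the identifiers now sit in the page address, so they are copied into browser history, bookmarks, proxy and web-server access logs, and the Referer header of any off-site link clicked from the page. Serve such a site over HTTPS, keep the session timeout short, treat the access logs as sensitive, and avoid external links on pages whose address carries the token.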
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269924


Re: Client variables? reliable enough?

2007-02-15 Thread Mike Kear
Still negotiating with my client about Clientvars.  He's finally said
this - what do you make of it?

[quote]
I don't care too much about client vars and how they are implemented
as long as there are NO COOKIES used. But be warned, if we have issues
with the site in production, they will need to be fixed at your cost.
[/quote]


Well, I don't have a problem with standing behind my own work. I'd
expect to have to fix anything that didn't work properly anyway.  But
what do you make of the insistence that there can't be any cookies?

How do you maintain state, with NO cookies at all?  Surely as a
minimum you have to have a session cookie, don't you?   How else do you
keep track of sessions?

Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month


On 2/8/07, John Beynon <[EMAIL PROTECTED]> wrote:
> I'm using client variables stored in cookies across two load balanced
> boxes with dual CF instances... yet to see a problem - running like
> this for 2 years! I don't see what the fuss is all about.
>
> john.
>

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269921


Re: Client variables? reliable enough?

2007-02-08 Thread John Beynon
I'm using client variables stored in cookies across two load balanced
boxes with dual CF instances... yet to see a problem - running like
this for 2 years! I don't see what the fuss is all about.

john.

On 2/8/07, Mike Kear <[EMAIL PROTECTED]> wrote:
> Neil, can you be a bit more specific please?    What sort of issues do you
> get with client vars?   (I have to make a fundamental architecture decision
> in the next few days - whether or not to use client vars).  I need to know
> if the issues you had also apply in my situation.
>
>
> Cheers
> Mike Kear
> Windsor, NSW, Australia
> Adobe Certified Advanced ColdFusion Developer
> AFP Webworks
> http://afpwebworks.com
> ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month
>
>
> On 2/6/07, Robertson-Ravo, Neil (RX) <[EMAIL PROTECTED]>
> wrote:
> >
> > My experience has always been bad, they are pretty clunky. Even worse if you
> > store them in a DB, I would avoid them if you had the choice.
> >
> > As for no sticky sessions, that only leaves you session replication with
> > ColdFusion under J2EE.
> >
> >
>
>
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269122


Re: Client variables? reliable enough?

2007-02-07 Thread Mike Kear
Neil, can you be a bit more specific please?    What sort of issues do you
get with client vars?   (I have to make a fundamental architecture decision
in the next few days - whether or not to use client vars).  I need to know
if the issues you had also apply in my situation.


Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month


On 2/6/07, Robertson-Ravo, Neil (RX) <[EMAIL PROTECTED]>
wrote:
>
> My experience has always been bad, they are pretty clunky. Even worse if you
> store them in a DB, I would avoid them if you had the choice.
>
> As for no sticky sessions, that only leaves you session replication with
> ColdFusion under J2EE.
>
>


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269104


RE: Client variables? reliable enough?

2007-02-06 Thread Paul Vernon
> > What do you make of what the client said?   Does it have any merit in
> > current versions?   Can anyone attest to reliability (or 
> > otherwise)  of
> > client vars in CF7?   (I should also add there is no chance 
> > we're going to
> > use the registry to store client vars - it's going to be in 
> > the database if we use them)
> >
> 
> My experience has always been bad, they are pretty clunky. 
> Even worse if you store them in a DB, I would avoid them if 
> you had the choice.
> 
> As for no sticky sessions, that only leaves you session 
> replication with ColdFusion under J2EE.
> 

I haven't used client vars in quite some time... No need. But when I did it
was with a 4 server CF5 NLB array with an active/passive SQL2000 cluster.
The CF machines had a separate SQL instance dedicated to client storage and
to be honest, the only problem we had was dealing with the extra bandwidth
that the back end needed when we got into the realms of 3000 simultaneous
users...

In the end, it wasn't the client var traffic that was causing the problem.
We solved the bandwidth issue by moving the source code onto the web servers
instead of them using the filestore server and used robocopy to keep them in
sync... Nowadays I'd use SVN to deploy :) 

Once we had solved the bandwidth problems, everything was fine. We never had
any issues at all with client storage but I will say this... We designed the
app from the very beginning to use client storage. We didn't port the code
from session etc. I think when you do the latter, you are asking for
trouble... As long as you plan well and understand the limits of the client
var scope then you should be fine.

As an aside, watching SQL Profiler do its thing on a live database with
3000 users on the site is a great way to scare yourself! The speed of the
transactions going through is something else!

Paul



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:268780


Re: Client variables? reliable enough?

2007-02-05 Thread Robertson-Ravo, Neil (RX)
My experience has always been bad, they are pretty clunky. Even worse if you
store them in a DB, I would avoid them if you had the choice.

As for no sticky sessions, that only leaves you session replication with
ColdFusion under J2EE.





-Original Message-
From: Mike Kear
To: CF-Talk
Sent: Tue Feb 06 06:50:37 2007
Subject: Client variables? reliable enough?

I sat in a client briefing yesterday, and he said something that made me sit
up and take notice. Could he be right?

I haven't used Client variables since CF5, so I don't know if they are good
now or not, but I didn't have a problem back in the CF5 days. But here's what
my client said (he has a lot of experience with CF going back to CF1, but he
hasn't done much CF coding since CF5.1):

He said, "Don't use client variables, because they seem OK but in practice
they always cause problems. I want you to write your own state
maintenance stuff.   I don't want you to use sticky sessions either because
if a server goes down the other machine doesn't know the state."

The environment is going to be two or three servers running CF7 enterprise,
not sure if we're going Linux or Windows yet.

What do you make of what the client said?   Does it have any merit in
current versions?   Can anyone attest to reliability (or otherwise)  of
client vars in CF7?   (I should also add there is no chance we're going to
use the registry to store client vars - it's going to be in the database if
we use them)

-- 

Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:268778