RE: changing CFID/CFTOKEN

2002-01-27 Thread Dave Watts

> I'm using ColdFusion client variables and would like to
> have the CFID/CFTOKEN values change periodically during
> a user session in order to reduce the chances that, if
> they were intercepted, they could be used to impersonate
> a user. Has anyone figured out a way to do that?

That seems like it would be extremely susceptible to breakage, although it's
possibly achievable by simply changing the values in your Client database
and resetting the cookies at the same time. I haven't tried this, though,
and it's possible that CF keeps the values internally, as well as writing
them to the tables, in which case it probably wouldn't work. You could roll
your own Client variables by simply handling the token generation
yourself, and fetching the variables from the database on each page, which
is all that CF does, really.

Even if you did all this, it wouldn't absolutely prevent impersonation,
since at some point, these values would have to travel back and forth across
the wire, and any interception could then make use of them. All this would
do, I think, is limit the window of vulnerability somewhat.

On the other hand, you might just use SSL to prevent interception, instead.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
__
Why Share?
  Dedicated Win 2000 Server · PIII 800 / 256 MB RAM / 40 GB HD / 20 GB MO/XFER
  Instant Activation · $99/Month · Free Setup
  http://www.pennyhost.com/redirect.cfm?adcode=coldfusionc
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
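The roll-your-own approach Dave sketches above (generate the token yourself, keep the session in a server-side table that is consulted on every page, replace the token periodically), as an added illustration that is not code from this thread or from ColdFusion itself. It is written in Python rather than CFML, and the rotation interval and the short grace period for the retired token are assumed policy values, not anything the thread specifies.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

ROTATE_AFTER = 300.0  # assumed policy: issue a fresh token after 5 minutes of use
GRACE = 10.0          # assumed: retired token stays valid briefly so in-flight requests do not break

@dataclass
class Session:
    user: str
    token: str
    rotated_at: float
    old_token: Optional[str] = None  # the most recently retired token, if still in grace
    old_until: float = 0.0

class SessionStore:
    """Server-side session table keyed by an opaque random token (stands in for CFID/CFTOKEN)."""

    def __init__(self) -> None:
        self._by_token: dict = {}

    def create(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        tok = secrets.token_urlsafe(32)  # 256 random bits, so the value cannot be guessed
        self._by_token[tok] = Session(user, tok, now)
        return tok

    def _rotate(self, s: Session, now: float) -> str:
        # Retire the current token but keep it for GRACE seconds; mint and register a new one.
        if s.old_token is not None:
            self._by_token.pop(s.old_token, None)
        s.old_token, s.old_until = s.token, now + GRACE
        s.token, s.rotated_at = secrets.token_urlsafe(32), now
        self._by_token[s.token] = s
        return s.token

    def touch(self, token: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
        """Validate a presented token; return (user, token the client should now hold) or None."""
        now = time.time() if now is None else now
        s = self._by_token.get(token)
        if s is None:
            return None
        if token == s.old_token:  # retired token: honour only within the grace window
            if now > s.old_until:
                self._by_token.pop(token, None)
                s.old_token = None
                return None
            return s.user, s.token
        if now - s.rotated_at >= ROTATE_AFTER:
            return s.user, self._rotate(s, now)
        return s.user, s.token
```

On each page the caller passes the cookie value to `touch()` and re-sets the cookie with the returned token; a captured token stops working once the grace period after the next rotation has passed, which narrows the window Dave describes without removing the need for SSL on the wire.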



changing CFID/CFTOKEN

2002-01-24 Thread Herbener, Martin - School Information Technology

I'm using ColdFusion client variables and would like to have the
CFID/CFTOKEN values change periodically during a user session in order to
reduce the chances that, if they were intercepted, they could be used to
impersonate a user.  Has anyone figured out a way to do that?

thanks


Martin Herbener



Re: changing CFID/CFTOKEN

2002-01-24 Thread Billy Cravens

No way.  CFID/CFTOKEN is how CF manages sessions.  You can change your setup
to use GUIDs, which will provide an added layer of obscurity to the
CFID/CFTOKEN.  Or you could roll your own session state, but this introduces
its own complexities.

- Original Message -
From: Herbener, Martin - School Information Technology
[EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Thursday, January 24, 2002 11:17 AM
Subject: changing CFID/CFTOKEN


> I'm using ColdFusion client variables and would like to have the
> CFID/CFTOKEN values change periodically during a user session in order to
> reduce the chances that, if they were intercepted, they could be used to
> impersonate a user.  Has anyone figured out a way to do that?
>
> thanks
>
>
> Martin Herbener
>