heh I wonder if the bolt codename is a throwback to the old allaire CF
logo... since adobe is going crazy with the whole elements thing maybe
they will bring back the lightning bolt.
On Wed, Dec 17, 2008 at 1:18 PM, Douglas Knudsen
douglasknud...@gmail.com wrote:
Thought I'd pass along a quick
Something to understand is that action pages are not the only pages that can
be exploited or part of an exploit.
From: Gerry Gurevich gerry.gurev...@gmail.com
To: discussion@acfug.org
Sent: Thursday, December 18, 2008 8:39:21 AM
Subject: Re: [ACFUG Discuss]
Hey Everyone,
I am currently in the process of building my first secured site. Most pages
of the site will be behind a login page. I'm using ColdFusion's
Application.cfc onRequestStart function to check if a user is logged in or
not. That's pretty much boilerplate.
My concern is how to
For things like that I normally store them outside the webroot and then serve
them via a cfcontent in a cfm script. Instead of a link like
http://mysite/mypdf.pdf it would be http://mysite/getfile.cfm?var=myfile.pdf.
That is very oversimplified, but captures the approach.
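The getfile.cfm pattern described above, written out as an added example (this is not the poster's code sample, which is not on this page). It assumes an asset directory outside the webroot (`C:\protected_assets\`, a placeholder), a session flag `session.loggedIn` set by the Application.cfc login check, and a constructed owner lookup so that a file can also be restricted to the user who owns it, which goes a step beyond the bare "serve it via cfcontent" description. The two checks a practitioner should not leave out are the authorization test before any file is read and the strict whitelist on the `var` parameter, since an unvalidated file name in `getfile.cfm?var=` would otherwise let the script read arbitrary paths.

```cfml
<!--- getfile.cfm: serve a protected asset that lives outside the webroot.
      Added example, not code from the original thread. --->

<!--- Directory with no web access; CF can read it, the browser cannot (placeholder path) --->
<cfset assetRoot = "C:\protected_assets\">

<!--- 1. Authorization: refuse anyone who has not passed the Application.cfc login check --->
<cfif NOT (isDefined("session.loggedIn") AND session.loggedIn)>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- 2. Validate the requested name: plain file name only, no slashes, dots or traversal --->
<cfparam name="url.var" default="">
<cfif NOT reFind("^[A-Za-z0-9_\-]+\.(pdf|doc|png|jpg|gif|txt)$", url.var)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- 3. Optional per-user ownership: constructed lookup of file name -> owning user id.
      In a real site this would come from the database row the file belongs to. --->
<cfset fileOwners = {"invoice-1001.pdf"="42", "invoice-1002.pdf"="43"}>
<cfif structKeyExists(fileOwners, url.var)
      AND (NOT isDefined("session.userID") OR fileOwners[url.var] NEQ session.userID)>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- 4. Only now touch the filesystem --->
<cfset filePath = assetRoot & url.var>
<cfif NOT fileExists(filePath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 5. Stream it with cfcontent; reset="true" discards any whitespace already buffered --->
<cfset mimeTypes = {pdf="application/pdf", doc="application/msword", png="image/png",
                    jpg="image/jpeg", gif="image/gif", txt="text/plain"}>
<cfset ext = lCase(listLast(url.var, "."))>
<cfheader name="Content-Disposition" value="inline; filename=""#url.var#""">
<cfcontent type="#mimeTypes[ext]#" file="#filePath#" reset="true">
```

The order matters: the login and file-name checks run before `fileExists` so that an unauthenticated caller cannot even probe which names exist, and the whitelist regex rejects `../`, absolute paths and unexpected extensions in one place rather than trying to strip them out.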
so, Bolt the codename and later the official name is HomeSite with element
Hs ??? hehe
Douglas Knudsen
http://www.cubicleman.com
this is my signature, like it?
On Thu, Dec 18, 2008 at 9:10 AM, Steve Ross nowhid...@gmail.com wrote:
heh I wonder if the bolt codename is a throwback to the
Interesting and good to hear from you Teddy! I run Eclipse 3.4 Ganymede
(JEE package) these days and had no issue with the update. Have to be
careful updating the SDKs I found though. Since FB introduced multiple SDK
support, its a good idea to keep a separate install of each SDK release.
You
How does that work when you are serving a direct link to a PDF or a DOC? CF has
nothing to do with that.
From the original email:
My concern is how to prevent a non-authorized user from
accessing or hotlinking to a non-ColdFusion page (i.e., images, pdfs, swfs, .txt
etc).
On Thu, Dec 18, 2008 at 10:18 AM, shawn gorrell chees...@yahoo.com wrote:
Something to understand is that action pages are not the only pages that
can be exploited or part of an exploit.
Frinstance?
Suppose I have a page that lists all of my users.
OP never used the word authentication. From wikipedia: authorization is the
concept of allowing access to resources only to those permitted to use them.
Seems to me he used the term properly.
/m
: Emile,
: From your description, you really need to define what authorized and not
: authorized
Mischa,
Yes, but as you can see from Shawn's comment, Shawn was approaching the
topic from the point of authorization. From the response by Troy, this
leads to authentication.
So, his usage of diction or use of the word is indeed correct, but not
everyone interpreted it that way as it still
That isn't the function of sandboxes.
Here is a code sample of my previously described approach. It is primitive, but
solves what you're trying to solve. Whatever directory your asset files live in
should be set to no web access. CF will be able to get the files, but a web
browser could not.
Hey Teddy,
That is by far great advice on how to tackle scalability; it makes sense.
There may be situations where this may not be a good tactic, such as when a one
to one connection between a pdf and the user account that owns it is
required.
However, I'd admit I would have overlooked that
Emile,
I'll send you my Adobe Max presentation on this very topic
(authorization), specifically addressing the different attack patterns
and high level solutions appropriate for any language, though the
examples are CF-specific. It may take me a day or so until I get back
to work and
Emile, the sandbox features are for protecting what files/dirs a CFML app
can access. It's intended to be used on a server where different developers
of different apps (on the same box) should not be able to access each
other's files, or files outside their purview. BTW, it's called Sandbox
Emile, if your site is running on IIS, another idea would be to use the .NET
framework to secure the directories. You can find discussions in various
.net articles/books/blogs. Here's one simplistic discussion from MS:
http://support.microsoft.com/kb/893662
People don't tend to think of this