
cfcookie security question

Status
Not open for further replies.

hc1619 (Programmer, NZ), Feb 17, 2004
Hi all. I have a site which I expect will get a bit of traffic, and I'm looking at using cfcookie rather than session variables to track my logged-in users. My only question is: let's say someone logs in OK. I get their memberID from the database, for example 1050, and I set this in the cookie, i.e. <cfcookie name="themember" value="1050">. What's to stop someone from going into the cookie on their machine, finding their user ID and changing it to something else, and then seeing information on my site for that other member?!
 
You can hash the password in another cookie and in your pages compare the hash.

When you store the ID:

<cfcookie name="mid" value="#mem.mid#" expires="1">

(or however the code looks)

Hash the password:

<cfcookie name="mpass" value="#hash(mem.pword)#" expires="1">

And then do a database comparison on member pages...

ALFII.com
---------------------
If this post answered or helped to answer your question, please reply with such so that forum members with a similar question will know to use this advice.
 
But is that good practice? I don't like the idea of hitting the database on each page... otherwise I may as well use sessions? Would this be true? What about encrypting the user ID into the cookie and decrypting it on member pages?
 
You know what might be really good? Hash the userID * a certain number or something...

You could even periodically change the number or pull it from the IP address... This could be really creative.

<!--- first cookie: the hashed password, as in the previous post --->
<cfcookie name="mid" value="#hash(mem.pword)#" expires="1">
<!--- second cookie: hash of the user ID multiplied by the first octet of the client IP, or by a fixed number when no IP is available --->
<cfif cgi.remote_addr is not "">
<cfcookie name="midh" value="#hash(evaluate(userID * listfirst(cgi.remote_addr,".")))#" expires="1">
<cfelse>
<cfcookie name="midh" value="#hash(evaluate(userID * 216))#" expires="1">
</cfif>

Because things cannot be unhashed... You have to know the value, but if you're hashing by a certain formula, it still proves useful...

ALFII.com
---------------------
If this post answered or helped to answer your question, please reply with such so that forum members with a similar question will know to use this advice.
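The check described in the two replies above (a second cookie whose value only the server can recompute, so an edited member ID fails verification without a database hit) is shown below as a keyed hash (HMAC) rather than a plain hash of a multiplication, so that only the key needs to stay secret, not the formula. This is an added example in Python, not ColdFusion code from the thread; SERVER_SECRET is a constructed placeholder.

```python
import hashlib
import hmac

# Constructed placeholder; in practice a long random value that lives only on the server.
SERVER_SECRET = b"example-only-replace-with-a-random-server-secret"


def sign_member_cookie(member_id: int, secret: bytes = SERVER_SECRET) -> str:
    """Return the cookie value 'memberID.tag', where tag is an HMAC over the member ID.

    The member ID stays readable (like the original themember=1050 cookie), but the
    tag can only be produced by someone holding the server secret.
    """
    message = str(member_id).encode()
    tag = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return f"{member_id}.{tag}"


def verify_member_cookie(cookie_value: str, secret: bytes = SERVER_SECRET):
    """Return the member ID if the tag matches, otherwise None.

    Verification recomputes the HMAC from the ID in the cookie and compares it in
    constant time, so no database lookup is needed on each member page.
    """
    member_part, sep, tag = cookie_value.rpartition(".")
    if not sep or not member_part.isdigit():
        return None  # no tag at all, or a non-numeric ID
    expected = hmac.new(secret, member_part.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # ID was edited, or tag was forged without the secret
    return int(member_part)


if __name__ == "__main__":
    # The scenario from the question: member 1050 edits the ID in their own cookie.
    cookie = sign_member_cookie(1050)
    edited = "1051" + cookie[len("1050"):]
    print("valid cookie ->", verify_member_cookie(cookie))    # 1050
    print("edited cookie ->", verify_member_cookie(edited))   # None
```

Anything else the server must not trust from the client (expiry time, role) belongs inside the signed part too, appended to the message before the HMAC is computed.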
 