As far as I can tell, the ONLY thing you should ever need to pass is the cftoken. Take the hit on the webserver/SQL server. Think of it as a lockbox with a key. You keep the box, yet give each client a unique key, the cftoken.
All you need is a decent cftoken. Do the reg hack (that's for you Windows folks) to add in the UuidToken = 1 key to HKEY_LOCAL_MACHINE\Allaire\ColdFusion\CurrentVersion\Clients. Then if you are using db-driven client vars, manually change the size of the CFID fields in the client variable database to 50, and yer set. Now your clients get a UUID for their CFTOKEN.
You've got a good key for each client, so why would you need to pass anything back to 'em? Performance? Feh. Go for security. Remember the correction officer's mantra, "Security is not Convenient".
> -----Original Message-----
> From: Nat Papovich [SMTP:nat@webthugs.com]
> Sent: Monday, May 07, 2001 6:52 AM
> To: Fusebox
> Subject: RE: Managing program flow
>
> Right, but I would argue that it is safe to store only the productID, not
> the price, and calculate the price each time the display of it is needed by
> hitting the DB. Passing checkout information in hidden form fields CAN be
> secure, as long as you pass insecure data, not things like CC info, price,
> tax info, etc.
>
> NAT
>
> > -----Original Message-----
> > From: amittalwar@intellikaps.com [mailto:amittalwar@intellikaps.com]
> > Sent: Monday, May 07, 2001 4:46 AM
> > To: Fusebox
> > Subject: RE: Managing program flow
> >
> > That wasn't my point. My point was the concept rather than the
> > implementation attribute.
> > Check out www.bratcatalog.com
> > they do use hidden fields to store data and not at all secure.
> > Amit Talwar
> > Intellikaps
> >
> > -----Original Message-----
> > From: Nat Papovich [mailto:nat@webthugs.com]
> > Sent: Monday, May 07, 2001 9:52 AM
> > To: Fusebox
> > Subject: RE: Managing program flow
> >
> > Erik is smart enough to either not store price info in a form field or to
> > check that price matches price for productID on order submission.
> >
> > > -----Original Message-----
> > > From: BORKMAN Lee [mailto:lee_Borkman@rta.nsw.gov.au]
> > > Sent: Sunday, May 06, 2001 6:11 PM
> > > To: Fusebox
> > > Subject: RE: Managing program flow
> > >
> > > Yes, but you can possibly live with hidden fields as long as you always
> > > check for a trusted referer.
> > >
> > > -----Original Message-----
> > > From: amittalwar@intellikaps.com [mailto:amittalwar@intellikaps.com]
> > >
> > > Hi,
> > > Well Erik, it is absolutely going to cause security hazards if you are
> > > using hidden variables in your page.
> > >
> > > Consider this, for example you store the price of a product as a hidden
> > > variable. Now if the user saves the page to his system and reduces the
> > > price and then submits the page you will never know that the price is
> > > correct or incorrect as there will be no cross check with the price in the
> > > database.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/fusebox@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
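Worked example of the two checkout patterns the thread argues about, added here and not code from the thread or from ColdFusion: a Python stand-in in which the only value the browser holds is a UUID token (the analogue of a UUID-valued CFTOKEN), the cart and prices live server-side, and a hidden-field price is cross-checked against the database instead of being trusted. The catalog, carts and form contents are constructed sample data.

```python
import uuid
from typing import Dict, Optional

# Constructed sample catalog standing in for the product table in the database.
CATALOG = {"SKU-100": 49.99, "SKU-200": 9.50}

# Server-side carts: the "lockbox". Keyed by an unguessable token, which is the
# only value the browser ever has to hold (like a UUID-valued CFTOKEN).
CARTS: Dict[str, Dict[str, int]] = {}


def new_client_token() -> str:
    """Issue a fresh UUID token and an empty server-side cart for it."""
    token = str(uuid.uuid4())
    CARTS[token] = {}
    return token


def add_to_cart(token: str, product_id: str, qty: int) -> None:
    """Cart update done on the server; only the token and product ID come from the client."""
    if product_id not in CATALOG:
        raise KeyError(product_id)
    cart = CARTS[token]
    cart[product_id] = cart.get(product_id, 0) + qty


def checkout_trusting_form(form: Dict[str, str]) -> float:
    """The pattern the thread warns about: the price is read from a hidden
    field, so a saved-and-edited page sets its own total."""
    return float(form["price"]) * int(form["qty"])


def checkout_server_side(form: Dict[str, str]) -> Optional[float]:
    """Hardened version: the form need only carry cftoken. Quantities and
    prices come from the server-side cart and the catalog; if the client does
    send a price, it is compared with the database and a mismatch rejects the
    order rather than being honoured. Returns the total, or None on rejection."""
    cart = CARTS.get(form.get("cftoken", ""))
    if cart is None:
        return None  # unknown or missing token: no lockbox to open
    if "price" in form:
        db_price = CATALOG.get(form.get("productID", ""))
        if db_price is None or float(form["price"]) != db_price:
            return None  # hidden-field price does not match the database
    return round(sum(CATALOG[p] * q for p, q in cart.items()), 2)
```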