NYCPHP Meetup

[nycphp-talk] ColdFusion Question

Daniel Kushner nyphp at websapp.com
Thu Feb 20 09:33:32 EST 2003


Hans,

I didn't get to my second cup of coffee yet, so please excuse me if I'm off track.

If you want to make sure that GET variables are not tampered with on their journey across the network, you can MD5 them
with a magic key and then check the key's integrity on the receiving side.

For example, if you want to pass ?name=hans
do something like $key = md5('this_is_a_magic_key'.'hans')
and then pass: ?name=hans&key=$key

Remember that the name/key pair will always match! Using a time-based key would be even more secure, or a pseudo-random
key where each key in the set can only be used once, even better!!

Okay, where's my coffee?

--Daniel



> -----Original Message-----
> From: Hans Zaunere [mailto:hans at nyphp.org]
> Sent: Thursday, February 20, 2003 9:22 AM
> To: NYPHP Talk
> Subject: [nycphp-talk] ColdFusion Question
>
>
>
> OK, no comments please  :)
>
> I'm now in charge of CF development, and while things have been moving "well"
> there's one issue I can't seem to get past easily.
>
> Basically there is a CF app on IIS under Windows 2000 with a login process
> that I have no control over, nor access to.  My only ability is to place a
> link on the protected CF page that will bring the user to a PHP app on a
> Linux server across campus, which also needs to know who the user is.
>
> The most obvious way to do this is to create the link in the CF app to
> contain a GET variable with the username in it.  OK fine, this would work,
> albeit weak.  Of course, we're dealing with computer illiterate medical
> students, so 9 times out of 10 this would suffice.
>
> Yet, it scares me, so I want to add a couple additional checks.  Basically my
> question is, how could I get a MAC address, CPU ID, or some other identifying
> tag (not IP) from the IIS server, which I would then pass in the URL to my
> application.
>
> Additionally, to keep the pesky students in check, I'd like to encode the
> information so it becomes less obvious to them what we're doing.  Ideally,
> I'd like PHP's base64_encode() functionality.  Also, does ColdFusion have
> anything like PHP's serialize() ?
>
> Security through obscurity, gotta love it.  Other ideas are welcome, but we
> are dealing with a considerably limited environment.  And CF code examples
> would be greatly appreciated  :)
>
> Thank you,
>
> H
>
>
>
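
The signed GET variable described in this message, combined with the time-based key it suggests, as an added example that is not part of the original post. It swaps the md5(key . value) construction for HMAC-SHA256 with a constant-time comparison; the secret, the link lifetime and the function names are assumptions.

```php
<?php
// Added example, not from the original post. SECRET is a constructed
// placeholder; both servers would share a real secret out of band.
const SECRET  = 'replace-with-long-random-shared-secret';
const MAX_AGE = 300; // seconds a link stays valid (assumed value)

// Sending side: build the query string for $name at time $now.
function sign_link(string $name, int $now): string
{
    $expires = $now + MAX_AGE;
    // Length-prefix the name so the name/expiry boundary is unambiguous.
    $msg = strlen($name) . ':' . $name . '|' . $expires;
    $key = hash_hmac('sha256', $msg, SECRET);
    return http_build_query(['name' => $name, 'expires' => $expires, 'key' => $key]);
}

// Receiving side: return the verified name, or null if tampered or expired.
function verify_link(array $get, int $now): ?string
{
    foreach (['name', 'expires', 'key'] as $field) {
        if (!isset($get[$field]) || !is_string($get[$field])) {
            return null; // missing field, or an array such as name[]=x
        }
    }
    if (!ctype_digit($get['expires'])) {
        return null;
    }
    $msg      = strlen($get['name']) . ':' . $get['name'] . '|' . $get['expires'];
    $expected = hash_hmac('sha256', $msg, SECRET);
    // hash_equals() compares in constant time, unlike == or ===.
    if (!hash_equals($expected, $get['key'])) {
        return null;
    }
    // The expiry is covered by the MAC, so it cannot be extended in transit.
    return ((int) $get['expires'] >= $now) ? $get['name'] : null;
}

$now = 1700000000;                            // constructed clock value
parse_str(sign_link('hans', $now), $get);     // stands in for $_GET
var_dump(verify_link($get, $now + 60));                                   // untouched link
var_dump(verify_link(array_merge($get, ['name' => 'admin']), $now + 60)); // name changed in transit
var_dump(verify_link($get, $now + MAX_AGE + 1));                          // replayed after expiry
```

Within its lifetime a captured link can still be replayed; the one-time keys mentioned in the message would need server-side state to track which keys have been used.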



