[nycphp-talk] ColdFusion Question
nyphp at NewAgeWeb.com
Thu Feb 20 11:40:41 EST 2003
I may be paranoid, but I'd use a different approach (IMO more secure).
When a user logs on to the ColdFusion server generate a unique ID - session
id or something to that effect. Store it in a database with the username,
User-Agent string, and the IP address of the client. Of course that row
should be deleted when the user logs out or expired after X minutes of
inactivity. Next write a small CF script (check.cfm) that will respond only
to requests sent from the IP address matching your Linux/PHP server. This
script would take the said unique ID as a GET var and echo the associated
username, User-Agent string, and the IP address from the database.
Now when you redirect the user from the CF app to your PHP add it would be
done with a link like this one:
Your verify.php would issue a request including the ID as a GET var (using
fopen) to check.cfm on your IIS/CF server. check.cfm would query the
database for the username, User-Agent string, and the IP address associated
with the ID and echo the results. The output would be captured and parsed by
verify.php. If the returned User-Agent and IP address match
$_SERVER['HTTP_USER_AGENT'] and $_SERVER['REMOTE_ADDR'], a PHP session is
established and the returned username is stored as a session var .. and life
Of course you may apply encoding/encryption on top of that.
42.7% of all statistics are made up on the spot.
From: Hans Zaunere <hans at nyphp.org>
To: NYPHP Talk <talk at nyphp.org>
Date: Thursday, February 20, 2003 9:22 AM
Subject: [nycphp-talk] ColdFusion Question
>OK, no comments please :)
>I'm now incharge of CF development, and while things have been moving
>there's one issue I can't seem to get past easily.
>Basically there is a CF app on IIS under Windows 2000 with a login process
>that I have no control over, nor access to. My only ability is to place a
>link on the protected CF page that will bring the user to a PHP app on a
>Linux server across campus, which also needs to know who the user is.
>The most obvious way to do this is to create the link in the CF app to
>contain a GET variable with the username in it. OK fine, this would work,
>albeit weak. Of course, we're dealing with computer illiterate medical
>students, so 9 times out of 10 this would suffice.
>Yet, it scares me, so I want to add a couple additional checks. Basically
>question is, how could I get a MAC address, CPU ID, or some other
>tag (not IP) from the IIS server, which I would then pass in the URL to my
>Additionally, to keep the pesky students in check, I'd like to encode the
>information so it becomes less obvious to them what we're doing. Ideally,
>I'd like PHP's base64_encode() functionality. Also, does ColdFusion have
>anything like PHP's serialize() ?
>Security through obscurity, gotta love it. Other ideas are welcome, but we
>are dealing with a considerably limited environment. And CF code examples
>would be greatly appreciated :)
>--- Unsubscribe at http://nyphp.org/list/ ---
More information about the talk