[nycphp-talk] ColdFusion Question
nyphp at NewAgeWeb.com
Thu Feb 20 12:02:57 EST 2003
I meant to say "PHP app" not "PHP add" :)
42.7% of all statistics are made up on the spot.
From: Jerry Kapron <nyphp at newageweb.com>
To: NYPHP Talk <talk at nyphp.org>
Date: Thursday, February 20, 2003 11:40 AM
Subject: Re: [nycphp-talk] ColdFusion Question
>I may be paranoid, but I'd use a different approach (IMO more secure).
>When a user logs on to the ColdFusion server generate a unique ID - session
>id or something to that effect. Store it in a database with the username,
>User-Agent string, and the IP address of the client. Of course that row
>should be deleted when the user logs out or expired after X minutes of
>inactivity. Next write a small CF script (check.cfm) that will respond only
>to requests sent from the IP address matching your Linux/PHP server. This
>script would take the said unique ID as a GET var and echo the associated
>username, User-Agent string, and the IP address from the database.
>Now when you redirect the user from the CF app to your PHP add it would be
>done with a link like this one:
>Your verify.php would issue a request including the ID as a GET var (using
>fopen) to check.cfm on your IIS/CF server. check.cfm would query the
>database for the username, User-Agent string, and the IP address associated
>with the ID and echo the results. The output would be captured and parsed by
>verify.php. If the returned User-Agent and IP address match
>$_SERVER['HTTP_USER_AGENT'] and $_SERVER['REMOTE_ADDR'], a PHP session is
>established and the returned username is stored as a session var .. and
>Of course you may apply encoding/encryption on top of that.
>42.7% of all statistics are made up on the spot.
>From: Hans Zaunere <hans at nyphp.org>
>To: NYPHP Talk <talk at nyphp.org>
>Date: Thursday, February 20, 2003 9:22 AM
>Subject: [nycphp-talk] ColdFusion Question
>>OK, no comments please :)
>>I'm now in charge of CF development, and while things have been moving
>>there's one issue I can't seem to get past easily.
>>Basically there is a CF app on IIS under Windows 2000 with a login process
>>that I have no control over, nor access to. My only ability is to place a
>>link on the protected CF page that will bring the user to a PHP app on a
>>Linux server across campus, which also needs to know who the user is.
>>The most obvious way to do this is to create the link in the CF app to
>>contain a GET variable with the username in it. OK fine, this would work,
>>albeit weak. Of course, we're dealing with computer illiterate medical
>>students, so 9 times out of 10 this would suffice.
>>Yet, it scares me, so I want to add a couple additional checks. Basically the
>>question is, how could I get a MAC address, CPU ID, or some other
>>tag (not IP) from the IIS server, which I would then pass in the URL to my
>>Additionally, to keep the pesky students in check, I'd like to encode the
>>information so it becomes less obvious to them what we're doing. Ideally,
>>I'd like PHP's base64_encode() functionality. Also, does ColdFusion have
>>anything like PHP's serialize() ?
>>Security through obscurity, gotta love it. Other ideas are welcome, but we
>>are dealing with a considerably limited environment. And CF code examples
>>would be greatly appreciated :)
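The verify.php side of the handoff Jerry describes, written out as an added example (not code from either post). The check.cfm URL, the token alphabet and the three-line "username / User-Agent / IP" output format are assumptions; check.cfm itself is not shown.

```php
<?php
// verify.php: receive the handoff ID, ask check.cfm who it belongs to,
// and only open a PHP session if the browser matches the stored client.
declare(strict_types=1);

const CHECK_URL = 'https://cf.example.edu/check.cfm'; // placeholder host (assumption)

// Pull username, User-Agent and IP out of check.cfm's reply.
// Assumed format: exactly three lines, in that order; anything else is rejected.
function parseCheckResponse(string $body): ?array
{
    $lines = array_map('trim', explode("\n", trim($body)));
    if (count($lines) !== 3 || $lines[0] === '') {
        return null;
    }
    return ['username' => $lines[0], 'ua' => $lines[1], 'ip' => $lines[2]];
}

// Both the stored User-Agent and the stored IP must match the current request.
function clientMatches(array $rec, string $ua, string $ip): bool
{
    return hash_equals($rec['ua'], $ua) && hash_equals($rec['ip'], $ip);
}

// Fetch the record for an ID; the ID is whitelisted to the token alphabet
// we assume check.cfm issues, so nothing odd is ever placed in the query string.
function fetchCheck(string $id): ?array
{
    if (!preg_match('/^[A-Za-z0-9]{32,64}$/', $id)) {
        return null;
    }
    $ctx  = stream_context_create(['http' => ['method' => 'GET', 'timeout' => 5]]);
    $body = @file_get_contents(CHECK_URL . '?id=' . rawurlencode($id), false, $ctx);
    return $body === false ? null : parseCheckResponse($body);
}

$rec = fetchCheck($_GET['id'] ?? '');
if ($rec === null
    || !clientMatches($rec, $_SERVER['HTTP_USER_AGENT'] ?? '', $_SERVER['REMOTE_ADDR'] ?? '')) {
    http_response_code(403);
    exit('Not authorized');
}

session_start();
session_regenerate_id(true);   // never let the handoff ID double as the PHP session id
$_SESSION['username'] = $rec['username'];
$_SESSION['login_ip'] = $_SERVER['REMOTE_ADDR'];
header('Location: /app/index.php');
exit;
```

Two things to keep in mind when deploying this: REMOTE_ADDR will not match the stored IP for users behind a NAT or proxy that changes between the CF and PHP requests, and check.cfm should delete the row on the first successful lookup so an ID cannot be replayed.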