[nycphp-talk] ColdFusion Question

Jerry Kapron nyphp at NewAgeWeb.com
Thu Feb 20 12:02:57 EST 2003


I meant to say "PHP app" not "PHP add"  :)

Jerry

--
42.7% of all statistics are made up on the spot.

-----Original Message-----
From: Jerry Kapron <nyphp at newageweb.com>
To: NYPHP Talk <talk at nyphp.org>
Date: Thursday, February 20, 2003 11:40 AM
Subject: Re: [nycphp-talk] ColdFusion Question


>Hans,
>I may be paranoid, but I'd use a different approach (IMO more secure).
>When a user logs on to the ColdFusion server generate a unique ID - session
>id or something to that effect. Store it in a database with the username,
>User-Agent string, and the IP address of the client. Of course that row
>should be deleted when the user logs out or expired after X minutes of
>inactivity. Next write a small CF script (check.cfm) that will respond only
>to requests sent from the IP address matching your Linux/PHP server. This
>script would take the said unique ID as a GET var and echo the associated
>username, User-Agent string, and the IP address from the database.
>Now when you redirect the user from the CF app to your PHP add it would be
>done with a link like this one:
>http://linux.server/verify.php?id=737b8a3cfa90cda3bc
>
>Your verify.php would issue a request including the ID as a GET var (using
>fopen) to check.cfm on your IIS/CF server. check.cfm would query the
>database for the username, User-Agent string, and the IP address associated
>with the ID and echo the results. The output would be captured and parsed by
>verify.php. If the returned User-Agent and IP address match
>$_SERVER['HTTP_USER_AGENT'] and $_SERVER['REMOTE_ADDR'], a PHP session is
>established and the returned username is stored as a session var .. and life
>is good.
>Of course you may apply encoding/encryption on top of that.
>
>Jerry
>
>
>--
>42.7% of all statistics are made up on the spot.
>
>-----Original Message-----
>From: Hans Zaunere <hans at nyphp.org>
>To: NYPHP Talk <talk at nyphp.org>
>Date: Thursday, February 20, 2003 9:22 AM
>Subject: [nycphp-talk] ColdFusion Question
>
>
>>
>>OK, no comments please  :)
>>
>>I'm now in charge of CF development, and while things have been moving "well"
>>there's one issue I can't seem to get past easily.
>>
>>Basically there is a CF app on IIS under Windows 2000 with a login process
>>that I have no control over, nor access to.  My only ability is to place a
>>link on the protected CF page that will bring the user to a PHP app on a
>>Linux server across campus, which also needs to know who the user is.
>>
>>The most obvious way to do this is to create the link in the CF app to
>>contain a GET variable with the username in it.  OK fine, this would work,
>>albeit weak.  Of course, we're dealing with computer illiterate medical
>>students, so 9 times out of 10 this would suffice.
>>
>>Yet, it scares me, so I want to add a couple additional checks.  Basically my
>>question is, how could I get a MAC address, CPU ID, or some other identifying
>>tag (not IP) from the IIS server, which I would then pass in the URL to my
>>application.
>>
>>Additionally, to keep the pesky students in check, I'd like to encode the
>>information so it becomes less obvious to them what we're doing.  Ideally,
>>I'd like PHP's base64_encode() functionality.  Also, does ColdFusion have
>>anything like PHP's serialize() ?
>>
>>Security through obscurity, gotta love it.  Other ideas are welcome, but we
>>are dealing with a considerably limited environment.  And CF code examples
>>would be greatly appreciated  :)
>>
>>Thank you,
>>
>>H
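The verify.php side of the hand-off Jerry sketches above, as an added example (not code from the thread or from either server). It assumes check.cfm answers with three lines, username, User-Agent and IP, and an empty body for an unknown or expired id; the check.cfm hostname is a placeholder.

```php
<?php
// verify.php: added example of the cross-server hand-off described in the thread.
// Assumption (not in the original posts): check.cfm replies with three lines,
// username / User-Agent / IP, and an empty body when the id is unknown or expired.

const CHECK_URL = 'http://iis.server/check.cfm'; // placeholder hostname

// Parse the constructed check.cfm response; null unless all three fields are present.
function parse_check_response(string $body): ?array
{
    $lines = preg_split('/\r?\n/', trim($body));
    if (count($lines) !== 3 || $lines[0] === '') {
        return null;
    }
    return ['username' => $lines[0], 'user_agent' => $lines[1], 'ip' => $lines[2]];
}

// Compare what CF recorded at login with the browser now arriving at the PHP app.
function request_matches(array $record, string $agent, string $ip): bool
{
    return hash_equals($record['user_agent'], $agent) && hash_equals($record['ip'], $ip);
}

// Fetch the record for an id; the id is restricted to hex before it goes into a URL.
function fetch_record(string $id): ?array
{
    if (!preg_match('/^[0-9a-f]{16,64}$/', $id)) {
        return null;
    }
    $ctx = stream_context_create(['http' => ['timeout' => 5]]);
    $fp = @fopen(CHECK_URL . '?id=' . urlencode($id), 'r', false, $ctx);
    if ($fp === false) {
        return null;
    }
    $body = stream_get_contents($fp);
    fclose($fp);
    return parse_check_response($body);
}

$record = fetch_record($_GET['id'] ?? '');
if ($record === null
    || !request_matches($record, $_SERVER['HTTP_USER_AGENT'] ?? '', $_SERVER['REMOTE_ADDR'] ?? '')) {
    http_response_code(403);
    exit('Not authorized');
}
session_start();
session_regenerate_id(true); // fresh PHP session id, unrelated to the CF-issued id
$_SESSION['username'] = $record['username'];
echo 'Logged in as ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
```

Having check.cfm delete the row as soon as it has answered once makes the link in the redirect single-use, so a copied or re-visited URL fails even from the same browser and address.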