Solved

Coldfusion security

Posted on 2010-11-25
10
Medium Priority
333 Views
Last Modified: 2012-06-27
Hello experts.
This question is about ColdFusion security.
Should I prefer <cflocation addtoken="yes"... with setclientcookies="no" in cfapplication
for more security?
If I make this change, will I have problems?
I'm asking because I'm currently using the opposite:
<cflocation addtoken="no"... with setclientcookies="yes" in cfapplication
0
Comment
Question by:Panos
10 Comments
 
LVL 14

Assisted Solution

by:RickEpnet
RickEpnet earned 600 total points
ID: 34214184
Well, think about this for a sec. If you use addtoken="YES", OK, so now you do not have to have the token in a cookie, but you have stuck it out in the open in the URL.

Maybe I am missing something as to what you are doing or trying to do?
0
 
LVL 2

Author Comment

by:Panos
ID: 34214266
Hi RickEpnet.
It is a general question: whether or not to use addtoken="YES". I read in a forum that it is safer to use YES instead of having the token in a cookie. So I want to know the opinion of the experts here.
0
 
LVL 14

Expert Comment

by:RickEpnet
ID: 34214644
Can you point me to the forum so I can see the context.

So in this case you would run a cookieless site, right?
0
 
LVL 2

Author Comment

by:Panos
ID: 34215202
Hi again.
Here is the link to a ppt file:
www.cfconf.org/denvercf/talks/cf_code_security.ppt
0
 
LVL 52

Accepted Solution

by:
_agx_ earned 1400 total points
ID: 34215307
Going by the references to Allaire and Macromedia, that presentation is outdated, circa 2002.

If delete/insert/update pages are refreshed, or other action pages, problems occur – hacker sees error message.
- Immediately <CFLOCATION> after one of these actions to avoid this
- Use the addtoken="yes" parameter to keep any session changes across pages

When they talk about addToken="yes", they're talking about an old issue with session variables and cflocation that's generally not a problem anymore. If you read the full KB entry, notice it states that using addToken="yes" is actually a security risk.

...you should be aware that passing CFID and CFToken as URL parameters can be a security risk.

These days most people recommend *not* using addToken. Also, the default CFID/CFTOKEN are more easily guessable than other options. Using the UUID or J2EE session management settings is considered more secure.

0
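As an added example (constructed for this page, not code from the thread, the presentation, or Adobe), the following single CFML page shows the weak combination the question asks about next to the configuration the accepted answer recommends: session identifiers carried in a cookie, and redirects issued with addtoken="no" so CFID/CFTOKEN never land in the URL. The application name, page names and form field are assumptions; the Administrator settings mentioned in the comments (UUID for CFTOKEN, J2EE session variables) are the ones the answer refers to.

```cfml
<!--- delete.cfm: an action page that runs a change and then redirects.
      Constructed example; in a real site the <cfapplication> tag would
      normally live in Application.cfm (or as this.* settings in Application.cfc). --->

<!--- WEAK variant from the question (shown only as a comment, do not use):

      <cfapplication name="shop" sessionmanagement="yes" setclientcookies="no">
      ...
      <cflocation url="confirm.cfm" addtoken="yes">

      With no session cookie, the only way to keep the session across the redirect
      is to append CFID and CFTOKEN to the URL. Those identifiers then sit in browser
      history, Referer headers sent to third-party sites, proxy and web-server logs,
      and any bookmark or pasted link. Whoever obtains them owns the session. --->

<!--- RECOMMENDED variant: keep the identifiers in a cookie, never in the URL. --->
<cfapplication
    name="shop"
    sessionmanagement="yes"
    sessiontimeout="#createTimeSpan(0, 0, 30, 0)#"
    setclientcookies="yes"
    clientmanagement="no">

<!--- Note: the strength of CFID/CFTOKEN themselves is an Administrator setting
      (Server Settings > Memory Variables): enable "Use UUID for cftoken" or
      "Use J2EE session variables" so the token is not a short guessable number. --->

<cfif structKeyExists(form, "recordId") and isNumeric(form.recordId)>

    <!--- ... perform the delete/update here using cfqueryparam ... --->

    <!--- Redirect immediately so a browser refresh cannot re-submit the action
          (the point the old presentation makes), but WITHOUT the token:
          addtoken defaults to "yes", so it must be set to "no" explicitly.
          The session survives the redirect because the cookie carries it. --->
    <cflocation url="confirm.cfm" addtoken="no">

<cfelse>
    <!--- Nothing to do; send the user back without leaking anything. --->
    <cflocation url="index.cfm" addtoken="no">
</cfif>
```

Two things worth checking in an existing site before switching: that no page relies on URL.CFID/URL.CFTOKEN being present (a cookieless client would simply get a fresh session, which is the correct outcome), and that every cflocation in the code base states addtoken="no" explicitly, since the attribute's default re-introduces the leak.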
 
LVL 2

Author Closing Comment

by:Panos
ID: 34215867
Thank you very much for your help.
Here is another problem I have: http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/Cold_Fusion_Markup_Language/Q_26636239.html
Can you help me?


regards
Panos
0
 
LVL 52

Expert Comment

by:_agx_
ID: 34215889
Sorry, I was just heading to sleep. I'd have to think about that one. When my brain's not so tired ;-)
0
 
LVL 52

Expert Comment

by:_agx_
ID: 34215894
Btw: Don't know if you're in the US, but Thu/Fri are a holiday for most people. That's probably why responses are slow.
0
 
LVL 2

Author Comment

by:Panos
ID: 34216756
OK.
I hope you will find some time to look at this question.
There are too many things on the net but not a complete solution that could cover everything.
I'm not in the US but in the EU, and when I wake up you go to sleep. HAHA....
0
 
LVL 52

Expert Comment

by:_agx_
ID: 34220095
There are too many things on the net but not a complete solution that could cover everything.

That's because there isn't one complete solution. Unfortunately, there are different types of threats, and new ones are uncovered frequently. Each requires a different way to defend against it. Security is too important. That's why I didn't rush in and say "sure, you can fix everything just by doing (something)". Anyone that says that is either misinformed or .. just plain lying ;-)

I'm not in the US but in the EU, and when I wake up you go to sleep. HAHA....

Haha, I figured.
0