Asked by Garbonzo_Horowitz
How to Obfuscate an AES Key via URL in Coldfusion.

I realize this isn't the best practice for encryption but I need to be able to obfuscate (hide it) an encryption key and send it through a URL variable. Then on the next page reveal it and use it for decryption.

This must be done reliably to where the encryption/decryption process is not messed up by the obfuscation method.

I tried creating a simple string manipulation cypher but that caused the encryption to not work reliably.

I'm using Coldfusion 9 and using AES Encryption.

I have to persist the key variable from the GenerateSecretKey function to the next page and I can't use Session or Application scopes. I don't want to send the encryption key via URL in its true state so it must be obfuscated somehow.

Does anybody have any suggestions on how I can hide the key and still have it work correctly?


ASKER CERTIFIED SOLUTION
gdemaria
Good question. I'm sure you know passing it through the url is ... an invitation to problems. Security only works if other people don't have a key to your front door :) Once they do, it's open season for thieves.
ASKER (Garbonzo_Horowitz)
@gdemaria - Yes, I guess I could try to encrypt with CFMX_COMPAT and then again with AES. I'll see if that works.
The reason I need to do it like this is because I'm opening up a window using ColdFusion.Window.create and using a fusebox like framework that is supposed to send the page through a main circuit but I'm using a direct path in the URL parameter of the create method. So when I retrieve the page it doesn't run through application.cfm and no session or application variables are set.

I tried changing the URL path so that it does go through the main circuit. Doing it that way does give me the session and application variables I need but then I encounter another problem when I try to submit a cfform in the pop up window.
So I'm stuck with having to pass everything through the URL.  Bleh...


@agx - I hear ya. That's why I'm trying to hide my keys.
 

@both
The simple cipher I created should have worked but for some reason the AES encryption started messing up when decrypting. That's why I'm hesitant about jacking with the key so much although I see no way around it.

 
Well I'm getting mixed results.

Most of the time it is okay but I encountered an issue that when the encrypted string in the database had a plus sign '+' then the decrypted string put in an empty space instead so it did not find my record.

Strange.

It works most of the time but most of the time is not good enough.
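The "plus sign becomes a space" symptom above is what happens when a Base64 ciphertext is dropped straight into a query string: the URL decoder on the receiving page treats every `+` as a space, so only ciphertexts that happen to contain no `+` survive. The following CFScript is an added example, not code from this thread; it uses only standard ColdFusion functions (generateSecretKey, encrypt, decrypt, URLEncodedFormat, URLDecode) and a constructed sample value, and shows the broken round trip beside the one that encodes the parameter before building the link.

```cfml
<cfscript>
// Added example (not from the thread). Shows why a Base64 ciphertext must be
// URL-encoded before it is placed in a query string, and how to check it.
key    = generateSecretKey("AES");                 // Base64-encoded AES key
plain  = "order-id-42";                            // constructed sample value
cipher = encrypt(plain, key, "AES", "Base64");     // Base64 output may contain '+', '/', '='

// Unsafe: raw Base64 in the URL. Whatever reads url.* on the next page
// URL-decodes the value, and each '+' turns into a space.
rawParam     = cipher;
naiveDecoded = urlDecode(rawParam);

// Safe: encode the parameter value when building the link; the receiving
// page gets the original ciphertext back after URL decoding.
safeParam    = urlEncodedFormat(cipher);
safeDecoded  = urlDecode(safeParam);

writeOutput("ciphertext contains '+': " & (find("+", cipher) gt 0) & "<br>");
writeOutput("round-trips without encoding: " & (naiveDecoded eq cipher) & "<br>");
writeOutput("round-trips with URLEncodedFormat: " & (safeDecoded eq cipher) & "<br>");

// Decrypt only the value that survived intact; decrypting a corrupted
// Base64 string throws rather than silently returning garbage.
if (safeDecoded eq cipher) {
    writeOutput("decrypted: " & decrypt(safeDecoded, key, "AES", "Base64") & "<br>");
}
</cfscript>
```

Run it a few times: the first round-trip check flips between YES and NO depending on whether that particular ciphertext happened to contain a `+`, which is exactly the "works most of the time" behaviour described above, while the URLEncodedFormat path round-trips every time. The same rule applies to any value that goes into a link built with ColdFusion.Window.create: encode each parameter value individually, never the whole URL.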
To me, the problem we should focus on is the lack of session management inside your Coldfusion window... I do that all the time and session variables absolutely exist within a CFwindow..

Is your application.cfc file in your root (top) folder?  Is the window you are creating calling a template within the root directory structure?

... it shouldn't matter that you are using a fusebox framework and not going through the index file.. that should not be a problem.
About CFMX_COMPAT, I wouldn't bother with that algorithm. It's very insecure and easy to crack (just do a search). It's only included in later versions for backward compatibility.

I agree you should focus on the real problem - application/session management.  I use it that way too, and it shouldn't be an issue.  
Yes, I would prefer to be able to use the session and application scope as well but I just can't figure out what the issue is. I thought that since the framework requires going through index and since calling the pop up window is done asynchronously that was the reason the session and app variables were not being created.

If I could get this to work properly that would be great. Okay so let's give it a shot.

The directory structure uses Application.cfm that does all the regular stuff, nothing exceptional there.
There is an index.cfm page that has a bunch of case statements to display the different templates.
The product listing page where I'm calling the pop up window is on the same directory as the pop up window content page.

MainAppFolder
|
+-- folder A
|     |
|     product list.cfm
|     windowContent.cfm
|
+-- folder B
      |
      Application.cfm
      INDEX.cfm


When I try to call the windowContent.cfm page from the productList.cfm page by directly referencing it like:
onclick="ColdFusion.Window.create('popWindow#productID#','Alert!','WindowSource.cfm?prodID=#productID#&...
I get a File not found error: File not found /MainAppFolder/FolderB/WindowContent.cfm

So it's looking for WindowContent in the folder that contains the application.cfm file.  Note that INDEX.cfm has all the case statements and sends all of the templates to FolderA for processing.

The way I'm calling the pop up window is:
onclick="ColdFusion.Window.create('popWindow#productid#','Alert!','/MainAppFolder/FolderA/WindowContent.cfm?



Doing it that way will access the pop up window but it will not have session variables available.

In order to get the session and application scope working I have to call the window like this:

 onclick="ColdFusion.Window.create('popWindow#productid#','Alert!','index.cfm?fuseaction=showPopUp&ProdID=#URLEncodedFormat(productid)#

That will work but my window content page uses a cfform that will not work. The window contains two buttons, one labeled Yes and one labeled No. Selecting Yes will delete a record. Selecting No will close the pop up window.

If you press the yes button (submit button on the cfform) then it just closes the pop up window without doing any of the form processing.

So that's the situation.

Any thoughts?

SOLUTION
.. and as a general rule, the application.cfm file always goes in the root folder of your application.  That way it will be involved in every page request of your application
Thank you that does work.
I moved the application.cfm file up 1 level and now I'm getting the session vars on the pop up window.
Is there some special security reason why the app would be set up like this in the first place?
The framework was set up by some high dollar consultants from Adobe and they had security as a top priority.

I'm going to split points on this one.
I can't think of any security benefit to having the application file in a subfolder.. unless the folder evolved over time and originally it didn't have any code in it or wasn't under the web root or something...
Thank you.