ColdFusion Development
 
#16
January 17th, 2004, 03:49 PM
vinyl
Quote:
Originally posted by kiteless
The session may be blanked if you rely on cookies to keep track of the cfid and cftoken/jsessionid. This is because cookies are domain specific. However if you pass the identifiers in the URL or form when you switch to SSL it should keep your session. I haven't used SSL in shared environments so this is all a guess but I see no reason why it wouldn't work.

I want to use session arrays to store and transfer data, not forms or URL transfer - I must write & read from sessions (SESSIONMANAGEMENT enabled in Application.cfm) - the main point of sessions would be to prefill a form on a secured page and that's why I need to find a way to store data and then read it and prefill the form. I don't want to use Access to store, although I could maybe, but I like sessions, they seem to be quick and effective

Quote:
kiteless, again
If you can't provide similar expertise, then don't store that card number in a database, email or anywhere else.

I must because there is no checkout, it's done manually - can you please suggest the best possible way to keep them secure - I have no Amazon team, there is only me and myself

Thanks!

#17
January 19th, 2004, 01:16 PM
kiteless (Moderator)
I think you're misunderstanding me. When I say you can pass the session's ID and Token in the URL, I don't mean passing the actual session DATA in the URL or Form. It works like this. CF has an identifier that is set on the user's machine as a cookie. When the user requests a CF page that is using session variables, ColdFusion looks at the cookie. It reads the identifier out of the cookie and then looks in the CF server's memory. It finds the memory-resident session variables (arrays, etc.) that match up to the ID read from the user's cookie.

Now, instead of letting CF set a cookie on the user's browser to hold the ID, you can also pass it manually, like this:

http://mysite.com/index.cfm?#session.urltoken#

When this is executed, the variable session.urltoken is replaced by the user's id and token (something like "cfid=833737&cftoken=3984739743934").

When you do this, you are telling the CF server manually to associate the current user with that session identifier. So I think this would work even if jumping to another domain to do the SSL. The danger is that if a user emails such a link to someone else and that other user clicks on it, they may accidentally get the first user's session.

Regarding the CC number storage, you are really taking a risk by keeping the numbers. But if you think you have to, then every day (or even a few times a day) copy the CC numbers over to a database that is NOT accessible by the internet and then delete the numbers from the first database. Be very careful on this, you can indeed be sued if someone proves a lack of security on your part led to card numbers being compromised.
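
The link-sharing risk described in post #17, as an added example that is not part of the original thread and is not ColdFusion code: a small Python model in which a reusable cfid/cftoken link resolves to the same session for anyone who holds it. It goes one step beyond the post by setting a short-lived, single-use handoff token for the jump to the SSL host beside it; every class and function name here is hypothetical, and the session data is constructed.

```python
import secrets
import time
from urllib.parse import parse_qs

class SessionStore:
    """Model of server memory holding session variables (not ColdFusion's API)."""

    def __init__(self):
        self.sessions = {}  # (cfid, cftoken) -> session variables
        self.handoffs = {}  # one-time token -> ((cfid, cftoken), expiry time)

    def new_session(self):
        ident = (str(secrets.randbelow(10**6)), secrets.token_hex(8))
        self.sessions[ident] = {}
        return ident

    def urltoken(self, ident):
        # Same shape as the thread's #session.urltoken#: valid for the whole session.
        return "cfid=%s&cftoken=%s" % ident

    def lookup_by_query(self, query):
        # What the server does with ?cfid=...&cftoken=...: no check of who sent it.
        q = parse_qs(query)
        ident = (q.get("cfid", [""])[0], q.get("cftoken", [""])[0])
        return self.sessions.get(ident)

    def issue_handoff(self, ident, ttl=30, now=None):
        # Hypothetical alternative: random token, short lifetime, put in the SSL link.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.handoffs[token] = (ident, now + ttl)
        return token

    def redeem_handoff(self, token, now=None):
        # pop() makes the token single use; afterwards the SSL host would set its
        # own cookie so the identifier never stays in the address bar.
        now = time.time() if now is None else now
        ident, expiry = self.handoffs.pop(token, (None, 0))
        if ident is None or now > expiry:
            return None
        return self.sessions.get(ident)

def demo():
    store = SessionStore()
    owner = store.new_session()
    store.sessions[owner]["prefill"] = {"name": "constructed sample"}
    link = store.urltoken(owner)
    shared = [store.lookup_by_query(link) for _ in range(2)]  # owner, then recipient
    token = store.issue_handoff(owner, now=1000)
    first = store.redeem_handoff(token, now=1005)
    replay = store.redeem_handoff(token, now=1006)
    stale = store.redeem_handoff(store.issue_handoff(owner, now=1000), now=1031)
    return shared, first, replay, stale
```
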

Thread: non-SSL -> SSL page variable transfer? + your CF webhost?

