
cflogin - Problems with passwords containing colons

As Ray Camden recently detailed on his blog in this post, when cflogin is used, anything after a ":" in a user's password is stripped before the value is stored in the cflogin scope. The problem is infrequent but very hard to diagnose for anyone who generates passwords from random strings (which may well contain a colon) and relies on cflogin to manage website user logins: the stored password and the one cflogin sees silently differ, and the login fails.
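As an added example, not code from Ray Camden's post or from ColdFusion itself: a CFML password generator whose alphabet deliberately omits ":" so that generated passwords survive cflogin intact, together with a guard that rejects a submitted password containing a colon before the cflogin scope truncates it. The function names generatePassword and passwordIsCfloginSafe are assumptions for illustration; j_password is the form field name cflogin reads.

```cfml
<!--- Added example; not from Ray Camden's post or from ColdFusion's own code. --->

<!--- Random password generator. The alphabet contains no ":" because cflogin drops
      everything after a colon before populating cflogin.password, so a generated
      value containing one could never be verified at login time. --->
<cffunction name="generatePassword" returntype="string" output="false">
    <cfargument name="length" type="numeric" default="20">
    <!--- Inside a cfset string a literal # must be doubled, hence the "##". --->
    <cfset var alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@##$%^&*-_=+">
    <cfset var pwd = "">
    <cfset var i = 0>
    <cfloop from="1" to="#arguments.length#" index="i">
        <!--- SHA1PRNG asks randRange for a cryptographically seeded generator
              instead of the default PRNG. --->
        <cfset pwd = pwd & mid(alphabet, randRange(1, len(alphabet), "SHA1PRNG"), 1)>
    </cfloop>
    <cfreturn pwd>
</cffunction>

<!--- Check for passwords the site did not generate (user-chosen ones). By the time
      code inside cflogin runs, cflogin.password is already truncated, so the check
      must look at the raw form field rather than the cflogin scope. --->
<cffunction name="passwordIsCfloginSafe" returntype="boolean" output="false">
    <cfargument name="password" type="string" required="true">
    <!--- find() returns 0 when ":" is absent, so NOT 0 is true (safe). --->
    <cfreturn NOT find(":", arguments.password)>
</cffunction>

<!--- Login handling, assumed to live in Application.cfc's onRequestStart or a login page. --->
<cflogin>
    <cfif isDefined("form.j_password") AND NOT passwordIsCfloginSafe(form.j_password)>
        <!--- Reject up front instead of failing the comparison against a silently
              truncated value, which is the hard-to-diagnose case the post describes. --->
        <cfthrow type="LoginError" message="Passwords may not contain a colon.">
    </cfif>
    <cfif isDefined("cflogin")>
        <!--- cflogin.name and cflogin.password are now safe to verify against the user store. --->
        <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="user">
    </cfif>
</cflogin>
```

Excluding the colon from the generator is the cheap fix; the form-level check covers passwords users choose themselves, since nothing inside the cflogin block can recover the characters that were already dropped.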

Read more...

Application vars vulnerable on shared hosting

DO NOT store usernames or passwords in your application variables, and do not trust values read from them, because the application scope can be accessed by other websites on the same server instance. Many ColdFusion developers will read this bold warning as old news, but unfortunately many more are unaware of the problem and store highly sensitive information such as database, email or admin usernames and passwords in the application scope, leaving their databases and sites open to attack. A recent comment (thanks, Bradley) reminded us that it is time to get this warning out there again.
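As an added example (not code from the original post or from the commenter): the pattern this warning is about, shown in an Application.cfc beside a safer arrangement. The application name, datasource name and credentials are assumptions for illustration. The reason the scope leaks is that ColdFusion keys the application scope by application name across the whole server instance, so any site on the same instance that declares the same name shares that scope.

```cfml
<!--- Added example, not from the original post. Three fragments that would live in
      separate files: a vulnerable Application.cfc, what a neighbouring site can do,
      and a safer Application.cfc. All names are assumed. --->

<!--- 1. VULNERABLE Application.cfc for a site on shared hosting. --->
<cfcomponent>
    <cfset this.name = "storefront">

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <!--- BAD: the application scope is shared server-wide by this.name, so these
              values are readable by any other site on the instance. --->
        <cfset application.dbUser = "store_admin">
        <cfset application.dbPassword = "Tr0ub4dor&3">
        <cfset application.smtpPassword = "mailpass">
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- 2. Any other site on the same ColdFusion instance only has to declare the same
      application name to join that scope; no exploit beyond a page like this is needed. --->
<cfapplication name="storefront">
<cfoutput>#application.dbUser# / #application.dbPassword#</cfoutput>

<!--- 3. SAFER Application.cfc: no secrets in any shared scope, and an application
      name an outsider cannot simply guess. --->
<cfcomponent>
    <!--- Tie the name to this site's own path on disk so it is unique per site. --->
    <cfset this.name = "storefront_" & hash(getCurrentTemplatePath())>

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <!--- Only non-secret settings belong in the application scope. --->
        <cfset application.siteTitle = "Storefront">
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- In a page of the safer site: the datasource is defined in the ColdFusion
      Administrator together with its credentials, so the code never holds the
      database password at all. --->
<cfquery name="orders" datasource="storefrontDS">
    SELECT id, total
    FROM orders
    WHERE customer_id = <cfqueryparam value="#session.customerId#" cfsqltype="cf_sql_integer">
</cfquery>
```

The unique application name is defence in depth, not the fix: the fix is that nothing secret is ever placed in the application scope. Note that datasource names are also server-wide, so on a shared host ask the provider to enable sandbox security so that each site's directory is limited to its own datasources.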

Read more...

RIAPodcast security discussions in episode 1.1

In case you missed it, Episode 1.1 of the new RIAPodcast blog includes some interesting discussions between Charlie Arehart, Doug Knudsen, Josh Adams and John Mason. The highlighted security topics include:

  • the side effects of queryparam tag use
  • application level protection
  • developer security habits

Read more...