[thesite] UEUE v.0.2 Update

Warden, Matt mwarden at mattwarden.com
Mon Nov 5 20:04:38 CST 2001


On Nov 5, .jeff had something to say about RE: [thesite] UEUE v.0.2 Update

>matt,
>
>><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
>> From: Warden, Matt
>>
>> > why don't we simply query the users table based on the
>> > user's persistent login cookie? [...]
>>
>> it's for unified login, but one of the reasons to do
>> that is to close off meo accounts' ability to query
>> the user database(s). If all there is is the
>> persistent cookie, anyone with an meo account can
>> query the database for the persistent cookie and
>> then login as whomever they want on weo.
>>
>> right?
>><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
>
>sure, but that problem is *way* simple to solve -- username and password on
>the database access.

Eww. That username and password would be available in the source, eh?

We're bound to eventually forget to take out the instances (would be every
cfquery tag, no?) where we have the password in the code.

And I don't want to ever have to say to a member "yeah you could help out,
but I don't want you to see our database password, so no dice." And, if
you *don't* say that, I think we get into screening issues.

So, IOW, it's *NOT* so easy to solve, IMO. Any restriction of access would
have to be done by IP, IMO. And that would be possible with UEUE, assuming
it's on a different server (not lists.evolt.org).


thanks,


--
mattwarden
mattwarden.com
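
An added illustration of the concern raised in this message (not part of the original post and not evolt.org code): a check that flags `cfquery` tags carrying literal `username`/`password` attributes, so forgotten instances can be found before source is shared with new contributors. The sample template, the datasource name and the variable names are constructed for the example.

```python
import re
from pathlib import Path

# Opening <cfquery ...> tag; [^>] also spans newlines, so multi-line tags match.
CFQUERY_TAG = re.compile(r"<cfquery\b[^>]*>", re.IGNORECASE)
# username="..." or password='...' attribute inside that tag.
CRED_ATTR = re.compile(r"""\b(username|password)\s*=\s*(["'])(.*?)\2""",
                       re.IGNORECASE | re.DOTALL)
# A value that is only a #variable# reference is resolved at run time.
VARIABLE_ONLY = re.compile(r"\s*#[^#]+#\s*")

def find_hardcoded_credentials(source, path="<memory>"):
    """Return (path, line, attribute) per literal credential; the value is omitted."""
    findings = []
    for tag in CFQUERY_TAG.finditer(source):
        for attr in CRED_ATTR.finditer(tag.group(0)):
            value = attr.group(3)
            if not value or VARIABLE_ONLY.fullmatch(value):
                continue  # empty or variable-backed, not a secret in the source
            line = source.count("\n", 0, tag.start() + attr.start()) + 1
            findings.append((path, line, attr.group(1).lower()))
    return findings

def scan_tree(root):
    """Scan every .cfm/.cfc file under root and collect the findings."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in {".cfm", ".cfc"}:
            text = p.read_text(errors="replace")
            findings += find_hardcoded_credentials(text, str(p))
    return findings

# Constructed sample template: one literal pair, one variable-backed, one without.
SAMPLE = '''<cfquery name="getUser" datasource="exampleDsn"
         username="siteuser" password="constructed-secret">
  SELECT user_id FROM users
</cfquery>
<cfquery name="getPosts" datasource="exampleDsn"
         username="#request.dbUser#" password="#request.dbPass#">
  SELECT title FROM posts
</cfquery>
<cfquery name="noCreds" datasource="exampleDsn">
  SELECT 1
</cfquery>
'''

if __name__ == "__main__":
    for path, line, attr in find_hardcoded_credentials(SAMPLE):
        print(f"{path}:{line}: literal {attr} in cfquery tag")
```
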




