CAMERON MOLL'S CRAZY CONTEST

Ok, so in an effort to win an iPad I created a page here on design frontier targeted at these keywords: cameron moll colosseo martian ipad giveaway. I think that the idea behind the contest is one of the most clever promotions I have ever seen.

For a little extra fun I have embedded four, yes four, easter eggs in the page. One of them is a branching easter egg so you have to unlock easter egg 2 before you can get to 3 or 4. Hopefully that makes sense...

I am going to have a little contest with the easter eggs. Everyone who unlocks all 4 easter eggs and sends me an email with screenshots or text from them all, or from where they take you, before April 16th will be entered to win some stickers, pins and an autographed, one-of-a-kind sketch by me. So not as cool as an iPad, but still kind of fun, right?

So link it up, pass this around and go hunt some easter eggs! cameron moll colosseo martian ipad giveaway

Sorry for the repetitive keywords... Good Luck!

If you need clues feel free to hit me up on twitter: @daniel_sellers and if enough people are struggling I will release some hints.

UPDATE:: The stickers will include some Reef Sandals stickers, at least 2 NASA Mission Stickers, and if I have more than 10 entries 1 NASA Mission pin. So go find the easter eggs!

YET ANOTHER UPDATE:: I will release a BIG clue this evening... so check back tonight if you still haven't found them all...

THE BIG CLUE!:: One of the Easter eggs is a hidden click event... almost all of them can be found by looking at the JavaScript... except the last one, which requires a guess. Good luck!

Written // Apr 15, 2010

A TALE OF TWO COOKIES: SECURING COLDFUSION SESSION COOKIES

Recently at work we went through a security review. It was a great learning experience to have outside contractors try to break into the web application. They found several things that I didn't expect and some others that I had never even considered. One of the last vulnerabilities they identified was that the CFID and CFTOKEN cookies had an expiration date set too far in the future, 2040 or something like that, and that they did not have the secure flag set.

So I did some research and, thanks to a couple of posts by Ben Nadel, got a system in place that encrypted/decrypted the cfcookie and expired it immediately. It looked something like this, and is nearly identical to his code from those posts (all of the code goes in Application.cfc):

<cfcomponent displayname="Application" output="true">

<cfscript>
       this.name = "TestApp";
       this.applicationTimeout = createTimeSpan(0,1,0,0);
       this.loginstorage = "session";
       this.sessionmanagement = true;
       this.sessiontimeout = createTimeSpan(0,0,30,0);
       // Stop ColdFusion from sending CFID/CFTOKEN cookies to the browser itself
       this.setClientCookies = false;
       // Application-wide key used to encrypt and decrypt the session cookie
       application.initKey = hash(hash('someRandomChars'));
</cfscript>

   <!--- Pseudo-constructor: runs on every request before any event handler.
         If the encrypted cookie is present, decrypt it and re-create CFID and
         CFTOKEN for this request only; expires="NOW" keeps them out of the
         browser's cookie store. --->
   <cfif StructKeyExists( COOKIE, "ID" )>
        <cfset this.DecryptedID = Decrypt(COOKIE.ID,application.initKey) />
        <cfcookie name="CFID"
                  value="#ListFirst( this.DecryptedID )#"
                  expires="NOW"
                  secure="yes"/>
        <cfcookie name="CFTOKEN"
                  value="#ListRest( this.DecryptedID )#"
                  expires="NOW"
                  secure="yes"/>
   </cfif>

<cffunction name="onSessionStart" output="false">
     <cfset var local = structNew()>
     <!--- Store "CFID,CFTOKEN" encrypted in the only cookie the browser keeps --->
     <cfset local.encryptedID = encrypt(session.CFID & ','& session.CFToken,application.initKey)>
     <cfcookie name="id"
               value="#local.encryptedID#"
               secure="yes">
</cffunction>

</cfcomponent>

The important parts are the pseudo-constructor that generates the CFID and CFTOKEN cookies with an expiration of "NOW", and the onSessionStart that creates the encrypted session cookie. Because the pseudo-constructor gets executed before anything else the CFID and CFTOKEN are set before they are needed on each page. This allows them to have an expiration of "NOW" so that they never appear in the browser's cookie store, remaining in memory for that page only. This leaves only the encrypted session cookie visible. 

While this is a good start, and hides the CFID and CFTOKEN effectively, it does not prevent session hijacking. So I went a step further and extended the code to derive a unique encryption key for each user, which makes it much more difficult to hijack the session or crack the encryption and recover the CFID and CFTOKEN. So here is the expanded code:

<cfcomponent displayname="Application" output="true">

<cfscript>
       this.name = "TestApp";
       this.applicationTimeout = createTimeSpan(0,1,0,0);
       this.loginstorage = "session";
       this.sessionmanagement = true;
       this.sessiontimeout = createTimeSpan(0,0,30,0);
       // Stop ColdFusion from sending CFID/CFTOKEN cookies to the browser itself
       this.setClientCookies = false;
       // Application-wide secret that seeds every per-user key
       application.initKey = hash(hash('someRandomChars'));
</cfscript>

     <!--- Use the originating IP when a proxy has added X-Forwarded-For,
           otherwise the direct remote address. The header is supplied by
           the client side of the connection, so only trust it behind a
           proxy you control. --->
     <cfif structKeyExists(GetHttpRequestData().headers,'X-Forwarded-For')>
          <cfset myRemoteAddr = GetHttpRequestData().headers['X-Forwarded-For']>
     <cfelse>
          <cfset myRemoteAddr = cgi.REMOTE_ADDR>
     </cfif>

   <!--- Pseudo-constructor: the per-user key is hash(secret & IP & User-Agent).
         Decrypt the cookie and re-create CFID and CFTOKEN for this request only. --->
   <cfif StructKeyExists( COOKIE, "ID" )>
        <cfset this.DecryptedID = Decrypt(COOKIE.ID,hash(application.initKey& myRemoteAddr&cgi.http_user_agent)) />
        <cfcookie name="CFID"
                  value="#ListFirst( this.DecryptedID )#"
                  expires="NOW"
                  secure="yes"/>
        <cfcookie name="CFTOKEN"
                  value="#ListRest( this.DecryptedID )#"
                  expires="NOW"
                  secure="yes"/>
   </cfif>

<cffunction name="onSessionStart" output="false">
     <cfset var local = structNew()>
     <!--- Encrypt "CFID,CFTOKEN" under the same per-user key --->
     <cfset local.encryptedID = encrypt(session.CFID & ','& session.CFToken,hash(application.initKey& myRemoteAddr&cgi.http_user_agent))>
     <cfcookie name="id"
               value="#local.encryptedID#"
               secure="yes">
</cffunction>

</cfcomponent>

With these aims in mind I hit upon the idea of using cgi.remote_addr as a seed for the encryption key. Since users are unlikely to change IP addresses during their time on the site, it provides a good seed that a machine attempting to hijack the session would not have, or would have a hard time acquiring. That is what the expanded code above does.

There are a few extra things going on in the code above. While I was working on this article I came across two articles that discuss recovering the original IP when a proxy is in use. Proxies typically add a header named 'X-Forwarded-For' that contains the originating IP address, which is the value we want to seed with. So I added a few lines that check for the presence of 'X-Forwarded-For' and substitute it for cgi.remote_addr when it is present. While I was at it I added cgi.http_user_agent as a second seed, which makes hijacking the session harder still.
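The scheme described in the two code listings (hide CFID/CFTOKEN inside one encrypted cookie, derive the key from a server secret plus the client's IP and User-Agent, and decrypt it back on each request) is language-independent, so here is an added example in Go that is not code from the original post and not ColdFusion's encrypt()/decrypt(). It uses SHA-256 as the counterpart of hash(application.initKey & myRemoteAddr & cgi.http_user_agent) and AES-GCM in place of encrypt(), which also means a tampered cookie is rejected rather than decrypted into garbage. The secret (initKey), the proxy address (trustedProxy), the cookie values and the request data are all constructed placeholders. One guard that the post's cfif does not have is also shown: X-Forwarded-For is written by the client side of the connection, so the example only honours it when the direct peer is the proxy you control, and takes the leftmost address.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// initKey stands in for application.initKey. Constructed placeholder; a real
// deployment loads a long random secret from configuration, never a literal.
var initKey = []byte("PLACEHOLDER-replace-with-a-random-secret")

// trustedProxy is an assumed address of the reverse proxy in front of the app.
// X-Forwarded-For is only honoured when the TCP peer is this proxy; otherwise
// any client could choose the "IP" that seeds its own key.
const trustedProxy = "10.0.0.5"

// clientAddr mirrors the post's X-Forwarded-For / cgi.REMOTE_ADDR choice,
// using the leftmost address in the header (the originating client).
func clientAddr(remoteAddr, xff string) string {
	if remoteAddr == trustedProxy && xff != "" {
		if first := strings.TrimSpace(strings.SplitN(xff, ",", 2)[0]); first != "" {
			return first
		}
	}
	return remoteAddr
}

// deriveKey is the counterpart of hash(initKey & myRemoteAddr & cgi.http_user_agent):
// SHA-256 over the secret and the two client seeds yields a 32-byte AES-256 key.
// NUL separators keep ("ab","c") and ("a","bc") from producing the same key.
func deriveKey(ip, userAgent string) []byte {
	h := sha256.New()
	h.Write(initKey)
	h.Write([]byte{0})
	h.Write([]byte(ip))
	h.Write([]byte{0})
	h.Write([]byte(userAgent))
	return h.Sum(nil)
}

func newAEAD(ip, ua string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(ip, ua))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSessionID does what onSessionStart does: encrypt "CFID,CFTOKEN" under the
// client-bound key. The random nonce is prepended to the ciphertext.
func sealSessionID(cfid, cftoken, ip, ua string) (string, error) {
	aead, err := newAEAD(ip, ua)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nonce, nonce, []byte(cfid+","+cftoken), nil)
	return base64.RawURLEncoding.EncodeToString(ct), nil
}

// openSessionID does what the pseudo-constructor does: recover CFID and CFTOKEN
// from the cookie. It fails if the cookie was altered, or if the IP or
// User-Agent differs from the ones the cookie was issued to.
func openSessionID(cookie, ip, ua string) (cfid, cftoken string, err error) {
	raw, err := base64.RawURLEncoding.DecodeString(cookie)
	if err != nil {
		return "", "", err
	}
	aead, err := newAEAD(ip, ua)
	if err != nil {
		return "", "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns {
		return "", "", errors.New("session cookie too short")
	}
	pt, err := aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return "", "", errors.New("session cookie rejected")
	}
	parts := strings.SplitN(string(pt), ",", 2) // ListFirst / ListRest
	if len(parts) != 2 {
		return "", "", errors.New("malformed session id")
	}
	return parts[0], parts[1], nil
}

// sessionCookie is the one cookie the browser keeps, with the Secure flag the
// review asked for plus HttpOnly and SameSite, which the post's cfcookie omits.
func sessionCookie(sealed string) *http.Cookie {
	return &http.Cookie{Name: "id", Value: sealed, Path: "/", Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode}
}

func main() {
	// Constructed sample request: client 203.0.113.7 reaching us through the proxy.
	ip := clientAddr(trustedProxy, "203.0.113.7, 10.0.0.5")
	ua := "Mozilla/5.0 (constructed)"
	sealed, err := sealSessionID("1234", "61b7c0e2a1d3", ip, ua)
	if err != nil {
		panic(err)
	}
	fmt.Println("Set-Cookie:", sessionCookie(sealed).String())
	id, tok, err := openSessionID(sealed, ip, ua)
	fmt.Println("same client:", id, tok, err)
	_, _, err = openSessionID(sealed, "198.51.100.9", ua)
	fmt.Println("different IP:", err)
}
```

Running it prints the Set-Cookie line, the recovered CFID and CFTOKEN for the same client, and a rejection when the same cookie is presented from another IP. That rejection is also the scheme's main operational cost: a user whose address or browser string changes mid-visit (mobile networks, browser updates) loses the session and has to start a new one, so the failure should be logged and surfaced as a normal logout rather than an error.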

Does this make it impossible to hijack the session? No. Security is about making it more difficult to gain access. There is always a way to compromise a system; it is just a matter of time and computing power. Of course, if you want to introduce more complexity into the scheme you could repeat the encryption process with different cgi variables acting as seeds for keys, ad infinitum.

With that said, this code, or something similar, makes sessions much more difficult to hijack and much more secure against hackers than they would be with a plain CFID and CFTOKEN setup.

Written // Mar 5, 2010

RELAUNCH OF DESIGNFRONTIER

So here it is! After having worked for many hours, it's official. The redesign process has been exciting. Creating new features in new ways has been a blast.

Is it done? Far from it. I am still working on the comment section for articles (sorry!) which should be done shortly. I am also working on putting together the portfolio section, updating my presentations and fine-tuning performance and copy.

When I am done, and have some more time, I'll work up a better article on the process and include some sketches.

For now I'll just say TypeKit, ColdFusion and jQuery are awesome together!

Written // Feb 3, 2010