# cfml-general
o
What do you mean by in a cache?
b
@Ookma-Kyi Threads, please. He means instead of having a DB column in the user table where you store the password reset token, he places it in some sort of cache with a timeout which automatically removes it after a certain period of time. Then, when the user clicks the link in the E-mail, you verify the token against the item in the cache, if found. If it's not in the cache, then you can assume the token has expired.
You didn't actually specify where you were storing the token so it wasn't really clear what you were doing.
o
Sorry he replied in general instead of starting a thread. Didn't know if something had changed. How do you use the cache in CF or is that a custom thing? Most instances use the database so I assumed it was the default thing to go to.
b
If you're already using the DB, then forget about the cache idea.
o
Why is it hard to set up?
b
There's a lot of different ways you can set up a cache, but I don't have the time to go into any of them ATM.
If you don't even know where to start, then I'd say don't worry about it
The cache suggestion doesn't solve any of your other questions anyway, it's just a different way to store the data
o
How do you process the token and expiration data after the user resets their password successfully? Do you set `token` to empty and `expiration` to `now()` like I do, or do you do something else like the cache thing mentioned earlier?
b
I don't really understand the nature of your question. I mean, you do whatever the heck you want to with the data, lol. If you're storing it in a DB and don't want the token to be re-used, then just update the column in that table to be an empty string or something. This seems like a really basic question to be asking here.
I mean, this is no different from any other data in any other column of any other table which you decide you no longer want. You remove it.
o
I figured it would be different since the data can be used to compromise an account if it is not handled correctly from a security standpoint.
The question is how to handle it from a security standpoint and not from a general one.
b
I don't follow what you mean
Any data in the DB may be sensitive, but that has no bearing on how you update a table to overwrite a value in a column
Presumably, you are already storing personal data about your users and a (hopefully hashed) password in the same table. I would also expect you have taken measures so your DB is not available on the internet for download 🙂
So you're saying, "I have some data which is sensitive", and I'm thinking, "yeah, so??"
o
Ok, let's say I set token to empty and someone does `resetpassword?userid=1&token=`. Assuming the expiration date is still good, it can be used to reset the user account with id of 1, which is why I set the token to expire immediately after the password is reset.
b
I would assume you'd take the normal precautions as you would for any data in your DB
o
I encrypt passwords
b
Not recommended BTW. Encryption is reversible, so a hacked DB table can be turned back into plain text passwords.
Passwords should be salted and hashed with a work factor that eliminates brute force exploits.
But that's a little off-topic
o
I mean I use BCrypt I think.
b
Yeah, that's not the same as encryption
Bcrypt is great 👍
o
Of course I also check if token is empty so an empty token attack isn't really possible
b
So... what exactly is the concern??
I mean, if you want to ensure they don't match an empty token then you write
if( !len(rc.token) ){
  // block them
}
It's pretty straightforward!
o
Just wondering if I am doing it correctly from a security standpoint and what others do. That's all
I use:
if ( isEmpty( rc.token ) ) {
    // nope
}
b
I don't really know everything you're doing, but it sounds like you're on the right track
• user wants to reset pass, capture their E-mail or username
• E-mail the address on file with a one-time use link containing a token that expires
• when they click the link, verify the token is correct and hasn't expired
• Allow them to reset their pass
o
Great thanks
b
Using a cache for the token is just a little trick to
• not have any dedicated DB columns for this
• auto-expire the token with no additional effort
but really it's an implementation detail
And if you have more than one server, it would obviously need to be an out-of-process cache
o
out of process?
b
Correct. If you google "out of process cache" you can find the definition 🙂
o
Is cache a part of Lucee, something that can be automatically set up?
b
In process basically means in memory on that server, which is
• specific to that server
• lost on restart
An example would be the built-in EHCache
An out of process cache is something like Redis, Couchbase, Mongo, etc. which exist as their own server, do not lose their data when you restart CF, and are shared by all your servers
Is cache a part of Lucee, something that can be automatically set up?
Lucee has RamCache built in, but that is in process. You can set up any of the caches I mentioned above, but that sounds like a new thread after you've done some googling if you can't figure it out
o
Right now I'm wondering if it is going to be more difficult to implement than what I have now.
b
Well, there's a reason I told you to forget about it earlier 🙂