Kevin Schmidt wrote:
> You could store the encryption key in a file that is not
accessible to the web
> server and then read it in using <cffile>.
>
> You could then load it into the application scope and
use it that way. It
> wouldn't be in the database and it wouldn't be in a file
accessible via FTP,
> assuming you set up the proper permissions.
>
mmmm where would the cffile tag go? it would have to be
someweher on a
page withing the site. again, a reference to where the key
is. if
someone got ftp access, and found the page with the
reference, they
could just make a page that would output that application
variable and
then they would have the key.
the key, or any reference to where it is located cannot be on
any page
accessible via ftp.
but the variable itself needs to be available to the web app.
is there any way to load a variable into a session scope
before anything
else happens? like specify it in cfadmin or something...