We tried rolling back the update on one of our servers and this worked. As update 10 is a Critical update, we cannot roll back our production server farm.
Current encryption process, which was deployed 2 or 3 years ago:
When we got the issue on Update 10, we investigated whether it was because of the “CFMX_COMPAT” algorithm. So we removed the second level of encryption, but the issue was not solved.
Also the issue gets cleared when we refresh the page. So it is not related to encryption logic.
Could the issues be related to cache limit, or number of URL variables created or something related to URL scope?
We have had to remove encryption of URLs on a number of pages to meet important business deadlines. This was only possible because the URL parameters are of a non-sensitive nature and would not present a security issue if tampered with. However, we have many other pages where this approach would not be possible, as it would allow access to data from other users.
Any help in resolving the above would be much appreciated.
Can you share your code that does the encryption and the decryption?
Does the string you finally pass into the url contain "funny" characters that might be destroyed somehow (by wrong/repeated url encoding)?
I think there is a flaw in the above algorithm, namely the assumption that you can always pass encrypted characters, unchanged, through a URL.
There is a second point. You're using AES anyway and CFMX_COMPAT is less secure than AES. So I don't understand why you use CFMX_COMPAT at all.
Your algorithm would be more efficient if it used the following steps instead:
<!--- Step 1: build the message to be encrypted by concatenating the key and the link --->
<cfset message=key & link>