CFMX 7 Login Security Question

Posted by Aaron West at 10:59 PM in ColdFusion

Two months ago I published a tutorial dealing with securing application pages under ColdFusion MX 7. Jason writes in with the following question:

I love your ColdFusion MX 7 Login Security tutorial and I noticed this was written to secure an Entire application/site. I was wondering if there is any way to tell your application NOT to secure a page? I know I can put the page in another folder with another Application.cfc without the login authentication info, but wanted to avoid that since I have several pages in several directories that can be viewed without logging in.

You can absolutely do this. Obviously, there are several strategies for getting the job done. Since you mentioned you don't want to reorganize your file/directory structure, your only real option is the onRequestStart method in your Application.cfc. This method fires as a pre-process to ALL ColdFusion pages (and, incidentally, ColdFusion components called via remoting). It's essentially your first line of defense. While not a glamorous solution (a better one is mentioned below), you can read the arguments.targetPage argument passed to onRequestStart and determine whether or not the page should be secured. If it needs to be secured, you'd continue running your "login" checks (as outlined in my tutorial).

However, I would highly, highly recommend separating files that do not need protection from the files that do. This is typically done with additional folders and Application.cfc files. If you set things up this way, you do not have to redefine your main application's namespace, settings, or methods. If your sub Application.cfc extends your root Application.cfc, you have the added benefit of inheriting any methods necessary while overriding the onRequestStart method responsible for protecting assets (in the root Application). If done right, this is a really powerful solution.
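A sketch of the onRequestStart approach described above, added here as an example; it is not code from the tutorial. The application name, the page paths in the list, the `session.loggedIn` flag and `/login.cfm` are all assumptions. It lists the pages that may be viewed without logging in and protects everything else, so a page or remotely called CFC that nobody remembered to list stays secured.

```cfml
<!--- Application.cfc (added example; all names and paths are assumptions) --->
<cfcomponent output="false">
  <cfset this.name = "exampleApp">
  <cfset this.sessionManagement = true>

  <!--- Constructed list of pages that do NOT require a login.
        targetPage is the path from the web root, so entries use the same form.
        The login page itself must be listed or the redirect below would loop. --->
  <cfset variables.publicPages = "/index.cfm,/login.cfm,/about/contact.cfm">

  <cffunction name="onRequestStart" returnType="boolean" output="false">
    <cfargument name="targetPage" type="string" required="true">

    <!--- Exact, case-insensitive match on the whole path. No prefix or
          substring matching, so /about/contact.cfm does not also open
          /admin/about/contact.cfm. --->
    <cfif ListFindNoCase(variables.publicPages, arguments.targetPage)>
      <cfreturn true>
    </cfif>

    <!--- Everything else is protected by default, including CFCs reached
          through remoting. session.loggedIn is a hypothetical flag standing
          in for the tutorial's own login checks. --->
    <cfif NOT StructKeyExists(session, "loggedIn") OR NOT session.loggedIn>
      <cflocation url="/login.cfm" addtoken="no">
    </cfif>

    <cfreturn true>
  </cffunction>
</cfcomponent>
```

Keeping the list as "public pages" rather than "secured pages" means a new page added anywhere in the site requires a login until someone deliberately opens it up.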

For more information on the ColdFusion MX 7 Application Framework I recommend downloading my April presentation to the Nashville ColdFusion User Group. The presentation materials include the preso itself and tons of sample, ready-to-run code. You can find the presentation materials here.


My Blog Turns 4

Posted by Aaron West at 10:33 PM in BlogCFC, Site News, Blogging

Five days ago was the 4th anniversary of my blog. It was so uneventful that I didn't even realize it occurred. I knew it was coming up after checking some blog stats a month ago but I had since forgotten about it. It's rather embarrassing, but I'd like to share just a few stats on my blogging history. For starters, I don't post near enough to keep the content as fresh as I want to. As of today I have been blogging for 1,466 days having posted 128 entries. While that is pretty pathetic I am not too upset considering the first 3.5 years I didn't try to keep up with the blog much at all. It wasn't until I switched from Greymatter to BlogCFC that I started to keep my posts up.

Having shared some of the bad, what about some of the good? Last month was certainly a milestone in the life of my Web site (6 years old now) and blog when over 70,000 page views were recorded. Ever since November of 2005 my page views have almost doubled every month. Why? One reason is crawlers. The largest reason though is RSS. A lot of my site hits come from people with various news readers like NetNewsWire (Mac) or FeedDemon (PC). Another cool stat is that my MusicStoreAutoPlay AppleScript has been downloaded over 300 times in just two months. Additionally, all of my sample CF code and tutorials have each been downloaded more than 100 times with the majority of them having been added within the last 40 days.

All-in-all, I'm relatively pleased. I want to continue doing more traffic on the site and continue posting as much relative, interesting, and helpful content as possible. Here's to another 4 years!