CFMX 7 Login Security Question

Posted by Aaron West at 10:59 PM in ColdFusion

Two months ago I published a tutorial dealing with securing application pages under ColdFusion MX 7. Jason writes in with the following question:

I love your ColdFusion MX 7 Login Security tutorial and I noticed this was written to secure an entire application/site. I was wondering if there is any way to tell your application NOT to secure a page? I know I can put the page in another folder with another Application.cfc without the login authentication info, but wanted to avoid that since I have several pages in several directories that can be viewed without logging in.

You can absolutely do this, and there are several strategies for getting the job done. Since you mentioned you don't want to reorganize your file/directory structure, your only real option is the onRequestStart method in your Application.cfc. This method fires as a pre-process to ALL ColdFusion pages (and, incidentally, ColdFusion components called via remoting). It's essentially your first line of defense. While not a glamorous solution (a better one is mentioned below), you can read the arguments.targetPage argument passed to onRequestStart and determine whether or not the page should be secured. If it needs to be secured, you'd continue running your "login" checks (as outlined in my tutorial).

However, I would highly, highly recommend separating files that do not need protection from the files that do. This is typically done with additional folders and Application.cfc files. If you set things up this way, you do not have to redefine your main application's namespace, settings, or methods. If your sub Application.cfc extends your root Application.cfc, you have the added benefit of inheriting any methods necessary while overriding the onRequestStart method responsible for protecting assets (in the root Application). If done right, this is a really powerful solution.
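One way to write the arguments.targetPage check described above, as an added example rather than code from the tutorial. The application name, the page list and the session.isLoggedIn flag are assumptions made for illustration; the list is an exact-match allowlist, so any template not named in it stays secured.

```cfml
<cfcomponent output="false">
    <cfset this.name = "exampleSecuredApp"> <!--- hypothetical application name --->
    <cfset this.sessionManagement = true>

    <!--- Constructed sample list: the only templates served without a login.
          Exact, web-root-relative paths in lower case. Anything not listed
          here, including new pages and remote CFC calls, is secured. --->
    <cfset variables.publicPages = "/index.cfm,/login.cfm,/about/contact.cfm">

    <cffunction name="isPublicPage" access="private" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Lower-case the path and compare whole list items, so the check
              is an exact match and never a substring or "contains" test. --->
        <cfset var page = lCase(arguments.targetPage)>
        <cfreturn listFind(variables.publicPages, page) GT 0>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Public page: skip the login checks entirely. --->
        <cfif isPublicPage(arguments.targetPage)>
            <cfreturn true>
        </cfif>

        <!--- Hypothetical login check; substitute the checks from the tutorial. --->
        <cfif NOT structKeyExists(session, "isLoggedIn") OR NOT session.isLoggedIn>
            <cflocation url="/login.cfm" addtoken="false">
        </cfif>

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Listing the public pages, rather than the protected ones, means a page that someone forgets to register ends up behind the login instead of exposed.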

For more information on the ColdFusion MX 7 Application Framework I recommend downloading my April presentation to the Nashville ColdFusion User Group. The presentation materials include the preso itself and tons of sample, ready-to-run code. You can find the presentation materials here.

About this post:

This entry was posted by Aaron West on May 10, 2006 at 10:59 PM. It was filed in the following categories: ColdFusion. It has been viewed 2301 times and has 0 comments.