Ensuring User Security

One of the most powerful features of the ColdFusion Security Framework is the capability to secure individual sections of code at runtime. This control is in the hands of the programmer, allowing complex security to be implemented with significantly less development time than a custom security scheme would need. ColdFusion relies on the developer to mark the sections of code that are to be secured; because only marked sections incur a security check, this keeps the security overhead of the application to a minimum.

User Security allows you to control access to resources on a user-by-user basis. You can allow one user to see only the description of an item, whereas a privileged user can see the full text of that item. ColdFusion provides authentication tags and functions that let you determine programmatically both the authentication status and the authority of each user.

Example 1: Security login form source code

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head><title>Login Form</title></head>
<body bgcolor="#400000" link="#800000" vlink="#800000"
	alink="#ffff00">
<b><font face="arial" size="+1" color="#ffff00">
	Login</font></b><br>

<!--- Display login form; it posts to index.cfm, where
      application.cfm runs first and picks up the form fields --->
<CFFORM ACTION="index.cfm">
<table bgcolor="#ffffff">
	<tr>
	<td><CFINPUT TYPE="text" NAME="username"></td>
	</tr>
	<tr>
	<!--- TYPE="password" so the browser masks what is typed --->
	<td><CFINPUT TYPE="password" NAME="password"></td>
	</tr>
	<tr>
	<td><input type="submit" value="login"></td>
	</tr>
</table>
</CFFORM>
</body>
</html>

Example 2: User authentication source code

The first section checks whether the username and password cookies have been set. If not, the local username and password variables are set to null. This forces the user to authenticate because CFAUTHENTICATE throws an exception if the user is not found in the user directory you set.

In the CFCATCH block, you can handle this exception, for example by giving users the opportunity to log in using the login form. Upon submission, this login form sets the password and username cookies, as well as the local variables. If a user tries to log in with the wrong data, you must expire their cookies so that they are not detected on the next request and the default section runs again. Remember that application.cfm runs before every page in the application, so the entire application is protected.

<!--- SuperGadgets! application.cfm --->
<!--- Note: ColdFusion comments use three dashes (<!--- --->); a two-dash
      HTML comment would be sent to the browser. --->
<!--- Set defaults for username and password --->
<CFIF ISDEFINED("COOKIE.USERNAME")>
  <CFSET USERNAME=COOKIE.USERNAME>
<CFELSE>
  <CFSET USERNAME=" ">

  <!--- User is attempting to log in --->
  <CFIF ISDEFINED("FORM.USERNAME")>
    <!--- Set username variable and cookie --->
    <CFSET USERNAME=FORM.USERNAME>
    <CFCOOKIE NAME="username" VALUE="#FORM.USERNAME#">
  </CFIF>
</CFIF>

<CFIF ISDEFINED("COOKIE.PASSWORD")>
  <CFSET PASSWORD=COOKIE.PASSWORD>
<CFELSE>
  <CFSET PASSWORD=" ">

  <!--- User is attempting to log in --->
  <CFIF ISDEFINED("FORM.PASSWORD")>
    <!--- Set password variable and cookie --->
    <CFSET PASSWORD=FORM.PASSWORD>
    <CFCOOKIE NAME="password" VALUE="#FORM.PASSWORD#">
  </CFIF>
</CFIF>

<!--- Check to see if the user has been authenticated --->
<CFIF NOT ISAUTHENTICATED()>

  <!--- Enclose this in a CFTRY block: CFAUTHENTICATE throws an
        exception if the user does not exist in this mode. --->
  <CFTRY>
    <CFAUTHENTICATE SETCOOKIE="No" SECURITYCONTEXT="Internet"
      USERNAME="#USERNAME#" PASSWORD="#PASSWORD#">

    <!--- If an exception is thrown, expire the cookies so that the
          default section runs on the next request --->
    <CFCATCH TYPE="Security">
      <CFCOOKIE NAME="username" VALUE=" " EXPIRES="NOW">
      <CFCOOKIE NAME="password" VALUE=" " EXPIRES="NOW">
    </CFCATCH>
  </CFTRY>
</CFIF>

<!--- Define the application --->
<CFAPPLICATION NAME="SuperGadgets" CLIENTMANAGEMENT="Yes"
  SESSIONMANAGEMENT="Yes" SETCLIENTCOOKIES="Yes">
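The following page, added here as an example and not part of the original article, shows the "description for everyone, full text for privileged users" case described earlier, sitting behind the application.cfm above. It assumes the Internet security context defines a UserObject resource named ItemText with an action ViewFull, that the login form is saved as login.cfm, and that the catalogue data is constructed inline in place of a datasource query.

```cfml
<!--- item.cfm: added example, not code from the original article.
      Relies on application.cfm (Example 2) having run CFAUTHENTICATE first.
      Assumed names: the "Internet" security context defines a UserObject
      resource "ItemText" with the action "ViewFull" in its policy. --->
<CFPARAM NAME="url.itemid" DEFAULT="1">

<CFIF NOT IsAuthenticated()>
  <!--- application.cfm could not authenticate this request: show the
        login form (assumed filename login.cfm, Example 1) and stop --->
  <CFINCLUDE TEMPLATE="login.cfm">
  <CFABORT>
</CFIF>

<!--- Constructed sample catalogue; a real page would query a datasource --->
<CFSET catalogue = StructNew()>
<CFSET catalogue["1"] = StructNew()>
<CFSET catalogue["1"].description = "Pocket gadget, fits in any bag.">
<CFSET catalogue["1"].fulltext = "Full specification sheet for the pocket gadget.">
<CFSET catalogue["2"] = StructNew()>
<CFSET catalogue["2"].description = "Desk gadget, mains powered.">
<CFSET catalogue["2"].fulltext = "Full specification sheet for the desk gadget.">

<!--- Reject unknown ids before touching the struct --->
<CFIF NOT StructKeyExists(catalogue, url.itemid)>
  <CFOUTPUT><p>No such item.</p></CFOUTPUT>
  <CFABORT>
</CFIF>
<CFSET item = catalogue[url.itemid]>

<!--- IsAuthorized checks the authenticated user against the
      security context's policy for this resource and action --->
<CFSET canViewFull = IsAuthorized("UserObject", "ItemText", "ViewFull")>

<CFOUTPUT>
<p>Logged in as #HTMLEditFormat(AuthenticatedUser())#
   (security context #AuthenticatedContext()#)</p>
<h2>Item #HTMLEditFormat(url.itemid)#</h2>
<p>#item.description#</p>
<CFIF canViewFull>
  <!--- Only users granted ViewFull on ItemText reach this branch --->
  <p>#item.fulltext#</p>
<CFELSE>
  <p>The full text of this item is restricted to privileged users.</p>
</CFIF>
</CFOUTPUT>
```

Because the check is made with IsAuthorized on each request rather than with a flag stored in a cookie, a change to the user's rights in the security context takes effect without any change to this page.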