Adobe 38043740 - ColdFusion Standard - Mac Development Manual page 354

DEVELOPING COLDFUSION 9 APPLICATIONS
Developing CFML Applications

Important: If you use web server–based authentication or any form authentication that uses a Basic HTTP Authorization header, the browser continues to send the authentication information to your application until the user closes the browser, or in some cases, all open browser windows. As a result, after the user logs out and your application uses the cflogout tag, until the browser closes, the cflogin structure in the cflogin tag will contain the logged-out user's UserID and password. If a user logs out and does not close the browser, another user can access pages with the first user's login.

Security scenarios

There are two detailed security scenarios. The first scenario uses the web server to perform the authentication against its user and password database. The second scenario uses ColdFusion for all authentication and authorization.

A web server authentication security scenario

An application that uses web server authentication could work as follows. The example in "Web server–based authentication user security example" on page 354 implements this scenario.

1 When the user requests a page from a particular directory on the server for the first time after starting the browser, the web server displays a login page and logs in the user. The web server handles all user authentication.

2 Because the user requested a ColdFusion page, the web server hands the request to ColdFusion.

3 When ColdFusion receives a request for a ColdFusion page, it instantiates the Application.cfc and runs the onRequestStart method. If you use an Application.cfm page in place of the Application.cfc, it runs the contents of the Application.cfm page before it runs the requested page. The onRequestStart method or Application.cfm page contains a cflogin tag. ColdFusion executes the cflogin tag body only if the user is not logged into ColdFusion. The user is logged in if the cfloginuser tag has run successfully for this application and the user has not been logged out.

4 Code in the cflogin tag body uses the user ID and password from the browser login, contained in the cflogin.name and cflogin.password variables, as follows. (With Digest or NTLM web server authentication, the cflogin.password variable is the empty string.)

  a It checks the user's name against information it maintains about users and roles. In a simple case, the application has two roles, one for users and one for administrators. The CFML assigns the Admin role to any user logged on with the user ID Admin and assigns the User role to all other users.

  b It calls the cfloginuser tag with the user's ID, password, and roles, to identify the user to ColdFusion.

5 The Application.cfc or the Application.cfm page completes processing, and ColdFusion processes the requested application page.

6 The application uses the IsUserInAnyRole function to check whether the user belongs to a role before it runs protected code that must be available only to users in that role.

7 The application uses the GetAuthUser function to determine the user ID; for example, to display the ID for personalization. It can also use the ID as a database key to get user-specific data.

Last updated 1/20/2012
349
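The seven steps above, carried through as one Application.cfc plus a protected page and a logout page. This is an added example for this page; it is not the manual's own "Web server–based authentication user security example" on page 354. It assumes the web server (Basic, Digest or NTLM) has already authenticated the user before handing the request to ColdFusion; the application name, the loginStorage setting, the file names, the datasource userdb and the table user_prefs are assumptions for illustration.

```cfml
<!--- Application.cfc (assumed file name). Added example; the web server, not
      ColdFusion, performs authentication for the protected directory. --->
<cfcomponent output="false">
    <cfset this.name = "WebServerAuthDemo">     <!--- assumed application name --->
    <cfset this.sessionManagement = true>
    <cfset this.loginStorage = "session">       <!--- assumption; the default is cookie --->

    <!--- Step 3: runs before every requested page. --->
    <cffunction name="onRequestStart" returnType="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- The cflogin body runs only when no cfloginuser has succeeded for this
              application, or cflogout has run since. --->
        <cflogin>
            <!--- cflogin.name / cflogin.password are filled from the Authorization
                  header. With Digest or NTLM, cflogin.password is "" so nothing
                  here treats the password as a check; the web server did that. --->
            <cfif IsDefined("cflogin") AND Len(Trim(cflogin.name))>
                <!--- Step 4a: map the web-server user ID to application roles.
                      Two roles, as in the manual's simple case. --->
                <cfif cflogin.name IS "Admin">
                    <cfset roles = "Admin">
                <cfelse>
                    <cfset roles = "User">
                </cfif>
                <!--- Step 4b: identify the user (ID, password, roles) to ColdFusion. --->
                <cfloginuser name="#cflogin.name#"
                             password="#cflogin.password#"
                             roles="#roles#">
            <cfelse>
                <!--- No credentials reached ColdFusion: the directory is not
                      protected by the web server. Refuse instead of falling
                      through to the page as an anonymous request. --->
                <cfheader statusCode="401" statusText="Unauthorized">
                <cfabort>
            </cfif>
        </cflogin>

        <cfreturn true>   <!--- Step 5: continue to the requested page --->
    </cffunction>
</cfcomponent>


<!--- securepage.cfm (assumed file name): a page inside the protected directory. --->
<cfoutput>
    <!--- Step 7: GetAuthUser() returns the ID that was passed to cfloginuser. --->
    <p>Logged in as #HTMLEditFormat(GetAuthUser())#</p>

    <!--- Step 6: gate admin-only code on role membership, not on the user name. --->
    <cfif IsUserInAnyRole("Admin")>
        <p><a href="admin.cfm">Administrator tools</a></p>
    </cfif>
</cfoutput>

<!--- Step 7, second use: the user ID as a parameterized database key.
      Datasource "userdb" and table user_prefs are assumed. --->
<cfquery name="prefs" datasource="userdb">
    SELECT theme
    FROM   user_prefs
    WHERE  user_id = <cfqueryparam value="#GetAuthUser()#" cfsqltype="cf_sql_varchar">
</cfquery>


<!--- logout.cfm (assumed file name) --->
<cflogout>
<p>Your ColdFusion login has ended. Because web server authentication keeps the
browser resending its Authorization header, the next request would log you in
again; close all browser windows to complete the logout.</p>
```

Two points follow directly from the text. First, the cflogin body never verifies cflogin.password: under Digest or NTLM it is empty, and under Basic the web server has already checked it, so role assignment rests on cflogin.name alone and the password is only carried into cfloginuser. Second, cflogout clears ColdFusion's login state but not the browser's cached Basic credential; on the very next request the cflogin body runs again, finds the same header, and silently calls cfloginuser for the logged-out user, which is why the manual's note says the browser must be closed. Some deployments answer the logout request with a 401 so that browsers discard the cached credential, but that behaviour is browser-dependent and the advice to close the browser still applies.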