Authenticating Users - MACROMEDIA COLDFUSION MX 61-DEVELOPING COLDFUSION MX Develop Manual

Authenticating users

You can use either, or both, of the following forms of authentication to secure your ColdFusion
application:
•
Web server authentication, where the web server authenticates the user and does not allow
access to the website by users without valid login IDs
•
Application authentication, where the ColdFusion application authenticates the user and does
not allow access to the application by users without valid login IDs
About web server authentication
All major web servers support basic HTTP authentication. Some web servers also support other
authentication methods, including Digest HTTP authentication and Microsoft NTLM
authentication.
Note: Basic HTTP authentication sends the user name and password in a base64-encoded string
with each request. If you do not use SSL (Secure Sockets Layer) for all page transactions, the user ID
and password are not protected from unauthorized access.
Note: Macromedia DreamWeaver MX and Studio MX do not support NTLM security with RDS.
Therefore, you cannot use RDS with these applications if the ColdFusion RDS servlet (cf_root/
CFIDE/main/ide.cfm) is in a directory that is protected using NTLM security.
In web server authentication, the web server requires the user to log in to access pages in a
particular directory, as follows:
When the user first requests a page in the secured directory, the web server presents the user with
1
a login page.
The user fills in the login page and submits it.
2
The web server checks the user's login ID and password, using its own user authentication
3
mechanism.
If the user logs in successfully, the browser caches the authentication information and sends it
4
in an HTTP Authorization header with every subsequent page request from the user.
The web server processes the requested page and all future page requests from the browser that
5
contain the HTTP Authorization header, if it is valid for the requested page.
You can use web server authentication without using any ColdFusion security features. In this
case, you configure and manage all user security through the web server's interfaces.
You can also use web server authentication with ColdFusion application authentication, and thus
you can use ColdFusion security for authorization. If the web server uses basic HTML
authentication, the ColdFusion
user entered to log in to the web server. If the web server uses Digest or NTLM authentication,
the tag normally gets the user ID, but not the password.
cflogin
As a result, your application can rely on the web server to authenticate the user against its user and
password information, and does not have to display a login page. You use the
tags to log the user into the ColdFusion user security system, and use the
cfloginuser
and
IsUserInRole
on this form of security, see
Note: If a user has logged in using web server authentication and has not logged in using ColdFusion
application authentication, the
feature to combine web server authentication with application authorization based on the user's ID.
350 Chapter 16: Securing Applications
tag provides access to the user ID and password that the
cflogin
functions to ensure user authorization. For more information
GetAuthUser
"A web server authentication security scenario" on page
GetAuthUser
tag returns the web server user ID. You could use this
and
cflogin
355.