An Application Authentication Security Scenario - Macromedia ColdFusion MX 6.1, Developing ColdFusion MX Applications manual

An application authentication security scenario

An application that does its own authentication might work as follows. The example in "Application-based user security example" on page 360 implements this scenario.

1. Whenever ColdFusion receives a request for a ColdFusion page, it runs the contents of the Application.cfm page before it runs the requested page. The Application.cfm page contains a cflogin tag. ColdFusion executes the cflogin tag body only if the user is not logged in. A user is logged in if the cfloginuser tag has run during the current session and the user has not since been logged out by a cflogout tag.

2. Code in the cflogin tag body checks whether it has received a user ID and password, normally from a login form.

3. If there is no user ID or password, the code in the cflogin tag body displays a login form that asks for the user's ID and password.

The form posts the login information back to the originally requested page, and the cflogin tag in Application.cfm runs again. This time, the cflogin tag body code checks the user name and password against a database, LDAP directory, or other policy store, to ensure that the user is valid and to get the user's roles.

4. If the user name and password are valid, the cflogin tag body code calls the cfloginuser tag with the user's ID, password, and roles, to identify the user to ColdFusion.

5. When the user is logged in, application pages use the IsUserInRole function to check whether the user belongs to a role before they run protected code that must be available only to users in that role.

The application can use the GetAuthUser function to determine the user ID; for example, to display the ID for personalization. It can also use the ID as a database key to get user-specific data.

6. Each application page displays a link to a logout form that uses the cflogout tag to log out the user. Typically, the logout link is in a page header that appears in all pages. The logout form can also be on the Application.cfm page.

Note: A log-out option is not always required, because the user is automatically logged out when all browser windows are closed (except when using ColdFusion Session variables) or when the user is inactive for the login or session time-out period. If the user closes the browser, however, the login variables remain in server memory until the session times out. You can enhance security in cases where a system might be shared by providing a log-out facility. You must explicitly log out a user before a new user can log in while the browser is running.

While this scenario shows one method for implementing user security, it is only an example. For example, your application could require users to log in for only some pages, such as pages in a folder that contains administrative functions. When you design your user security implementation, remember the following:

• Code in the cflogin tag body executes only if there is no user logged in.
• With application authentication, you write the code that gets the identification from the user and tests this information against a secure credential store.
• After you have authenticated the user, you use the cfloginuser tag to log the user into ColdFusion.

The following figure shows this flow of control. For simplicity, it omits the log-out option.

356 Chapter 16: Securing Applications
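The following Application.cfm and protected page put the six steps of the scenario together. This is an added example written for this page, not the manual's own "Application-based user security example" and not Macromedia code. It assumes a datasource named "appDSN" with a Users table holding UserName, PasswordHash and Roles columns (Roles being a comma-delimited list such as "user,admin"), that the stored hashes were produced with the same Hash() function the server provides, and that session management is enabled. ColdFusion MX populates the cflogin structure from form fields named j_username and j_password, so the login form uses those names.

```cfml
<!--- Application.cfm: an added example of the scenario above, not code from the
      manual. Assumptions: a datasource named "appDSN" exists, and its Users table
      has UserName, PasswordHash and Roles columns, with Roles a comma-delimited
      list such as "user,admin". --->
<cfapplication name="SecureAppExample"
               sessionmanagement="Yes"
               loginstorage="session">

<!--- Step 6: handle a logout request before cflogin runs, so a logged-in
      user can actually log out (cflogin's body is skipped while logged in). --->
<cfif IsDefined("form.logout")>
    <cflogout>
</cfif>

<cflogin>
    <!--- Step 1: this body runs only when nobody is logged in. --->
    <cfset loginFailed = false>

    <!--- Step 2: ColdFusion fills the cflogin structure (cflogin.name and
          cflogin.password) when the request carries form fields named
          j_username and j_password or an HTTP Basic Authorization header. --->
    <cfif IsDefined("cflogin")>
        <!--- Step 3, second pass: look the user up in the credential store.
              cfqueryparam binds the value instead of splicing it into the SQL. --->
        <cfquery name="qUser" datasource="appDSN">
            SELECT PasswordHash, Roles
            FROM   Users
            WHERE  UserName = <cfqueryparam value="#cflogin.name#"
                                            cfsqltype="cf_sql_varchar">
        </cfquery>

        <!--- Hash() in ColdFusion MX 6.1 produces MD5; the stored hash is assumed
              to have been made the same way. Use a stronger algorithm where the
              server version supports one. Compare() returns 0 when equal. --->
        <cfif qUser.RecordCount EQ 1
              AND Compare(qUser.PasswordHash, Hash(cflogin.password)) EQ 0>
            <!--- Step 4: valid credentials; identify the user and roles to ColdFusion --->
            <cfloginuser name="#cflogin.name#"
                         password="#cflogin.password#"
                         roles="#qUser.Roles#">
        <cfelse>
            <cfset loginFailed = true>
        </cfif>
    </cfif>

    <!--- Step 3: no credentials yet, or they were rejected: show the form and
          stop, so the requested page never runs for an anonymous user. The form
          posts back to the page that was originally requested. The failure
          message is the same for an unknown user and a wrong password. --->
    <cfif NOT IsDefined("cflogin") OR loginFailed>
        <cfoutput>
        <cfif loginFailed><p>Login failed. Please try again.</p></cfif>
        <form action="#CGI.SCRIPT_NAME#" method="post">
            User ID:  <input type="text" name="j_username"><br>
            Password: <input type="password" name="j_password"><br>
            <input type="submit" value="Log in">
        </form>
        </cfoutput>
        <cfabort>
    </cfif>
</cflogin>

<!--- Page header shown on every page: the user ID from GetAuthUser() and the
      logout link from step 6. --->
<cfoutput>
<form action="#CGI.SCRIPT_NAME#" method="post">
    Logged in as #HTMLEditFormat(GetAuthUser())#
    <input type="submit" name="logout" value="Log out">
</form>
</cfoutput>

<!--- admin.cfm: a protected page (step 5). It only runs after the
      Application.cfm above has let the request through. --->
<cfif NOT IsUserInRole("admin")>
    <cfoutput><p>#HTMLEditFormat(GetAuthUser())# is not authorized to view this page.</p></cfoutput>
    <cfabort>
</cfif>
<p>Administrative functions go here.</p>
```

Two points worth noting when adapting this. The cflogout check sits before the cflogin tag on purpose: because the cflogin body is skipped while a user is logged in, a logout handled inside it would never run. And with loginstorage="session" the login lives in the server-side session, which is exactly the case the note above describes: closing the browser does not end it, so the logout link is the only way to release the login before the session times out.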