I haven't seen the previous thread you mentioned but the "easiest" way to
secure specific templates is to have them all located under a central
location like /secure or /administrative or whatever.

In the top level of that directory put an Application.cfm that includes your
"security script" so it is included in every template under that directory.
(You can also just include the parent application.cfm to bring any settings
in without duping any code.)

If you don't do it this way, and you have mixed templates (some secure, some
not) all scattered under one root, I don't see a way around including your
script in every page that you want secured (other than querying for its ID
to see if it is secure, but why waste the time, effort or processing).

If you already have it logically laid out like you want and your only
concern is whether or not the cgi.script_name will fail on you, don't worry.
It won't.

Here is a good trick for unique template IDs
#hash(cgi.script_name)#

If that is your template's unique ID, there is no need to make sure it is set
at the top of every page.

Once those hashes are stored in the database, the only thing that would pose
a problem would be moving or renaming the template.

I hope any of that helps (or even makes sense).

~Bobby

-----Original Message-----
From: Mike Soultanian [mailto:[EMAIL PROTECTED] 
Sent: Saturday, September 03, 2005 10:23 PM
To: CF-Talk
Subject: Question about my security system

Like I mentioned in a previous post, I am creating a security system 
that assigns each CF page its own unique ID.  Based on that file's ID, 
it keeps track of who has access to that page.  To do this, I was going 
to put a custom tag at the top of every page that I wanted to be secure 
and then have the file edit itself and place a random "security ID" at 
the top of the page.  That ID would then be stored in the DB and have a 
security setting applied to it through my security system.

Now, the problem with me is I'm a forgetful person.  So, instead of 
putting the tag in every single file (which I might forget to do), how 
about putting the tag in the Application file and then telling the tag 
to edit the file referenced by the CGI script name variable.  I haven't 
yet tried it, but I'm hoping that variable would be referring to the 
file being called, not the application.cfm file, even though the tag is 
being run from the application.cfm file.  That way, every single file on 
my site is guaranteed to be secure.

My question is whether or not that will pose any weird quirks.  Is there 
any reason or circumstance where the CGI Script Name variable wouldn't 
refer to the file that the end-user was requesting?  The CGI script name 
variable comes from the web server, correct, and would *always* be 
populated with a value of the target file, right?  I can't think of 
anything that would cause a problem, but that doesn't mean that there 
would be a way around it (hence, my reason for asking the list). 
Ultimately, I'm trying to figure out which way is more secure (in the 
application.cfm file, or each file).

I hope that's not too confusing what I'm trying to do.  If you'd like 
further explanation, let me know!

Thanks,
Mike
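
The layout described in the reply above, sketched as an added example (not code from either poster): a /secure/Application.cfm that derives the template ID from hash(cgi.script_name) and denies access unless a matching row exists. The template_access table, request.dsn, session.userId and /login.cfm are assumed names, and the parent Application.cfm is assumed to enable session management.

```cfml
<!--- /secure/Application.cfm: runs before every template under /secure --->

<!--- Bring in the site-wide settings without duplicating them --->
<cfinclude template="../Application.cfm">

<!--- Template ID from the reply: a hash of the requested script path.
      cgi.script_name is the requested template, not Application.cfm. --->
<cfset templateId = hash(cgi.script_name)>

<!--- Assumption: the login code stores the user's ID in session.userId --->
<cfif NOT structKeyExists(session, "userId")>
    <cflocation url="/login.cfm" addtoken="no">
</cfif>

<!--- Assumption: template_access holds one row per (template hash, user)
      and request.dsn is set by the parent Application.cfm --->
<cfquery name="qAccess" datasource="#request.dsn#">
    SELECT 1 AS allowed
    FROM template_access
    WHERE template_id = <cfqueryparam value="#templateId#" cfsqltype="cf_sql_varchar">
      AND user_id = <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Deny by default: a template with no stored hash (new, moved or
      renamed) is refused instead of being served unprotected --->
<cfif qAccess.recordCount EQ 0>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfoutput>Access denied.</cfoutput>
    <cfabort>
</cfif>
```

Because the check fails closed, moving or renaming a template shows up as a 403 until its new hash is registered, rather than as a page that silently lost its protection.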


