I would.
1. Use a secure channel
2. Use a token/key and return it after the login
3. Pass that token/key to ALL other methods
In ColdFusion land, it's kind of easy to just throw this into the
application scope.
<!--- Token store in the application scope --->
<cfset application.tokens = {} />
<cffunction name="login" access="remote" returntype="string">
    <cfargument name="username" />
    <cfargument name="password" />
    <cfset var token = "" />
    <!--- success is a placeholder for the result of your own credential check --->
    <cfif success>
        <cfset token = createUUID() />
        <cfset application.tokens[token] = {} />
        <cfset application.tokens[token]['username'] = arguments.username />
        <cfset application.tokens[token]['password'] = arguments.password />
        <cfset application.tokens[token]['created'] = now() />
    </cfif>
    <!--- Return the token to the caller; an empty string means the login failed --->
    <cfreturn token />
</cffunction>
<cffunction name="someOtherFunction" access="remote">
    <cfargument name="token" />
    <!--- ... other parameters --->
    <cfif structKeyExists(application.tokens, arguments.token)>
        Good to go
    <cfelse>
        Sorry.
    </cfif>
</cffunction>
You also need a bit of code that will clear out old tokens. I normally have
a function, checkToken which along with checking a token is valid, also
clears expired tokens while it's there.
PS: Don't forget to use a secure channel, otherwise the token is visible.
Regards
Dale Fraser
http://learncf.com
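
One way the checkToken function described in the message above could look, as an added example that is not part of the original message or Dale's own code. The 30-minute default lifetime, the tokenTimeoutMinutes argument, the lock name and the NotAuthorized error type are assumptions; application.tokens and the 'created' field come from the code above.

```cfml
<!--- Added example: validate a token and sweep expired ones in the same pass --->
<cffunction name="checkToken" access="private" returntype="boolean" output="false">
    <cfargument name="token" type="string" required="true" />
    <!--- Assumed lifetime; pick a value that suits the application --->
    <cfargument name="tokenTimeoutMinutes" type="numeric" default="30" />
    <cfset var key = "" />
    <cfset var ok = false />
    <!--- Tokens created before this moment are expired --->
    <cfset var cutoff = dateAdd("n", -1 * arguments.tokenTimeoutMinutes, now()) />

    <!--- application.tokens is shared by every request, so serialise the sweep --->
    <cflock name="tokenStore" type="exclusive" timeout="5">
        <!--- structKeyList() is a snapshot, so deleting inside the loop is safe --->
        <cfloop list="#structKeyList(application.tokens)#" index="key">
            <cfif dateCompare(application.tokens[key]['created'], cutoff) LT 0>
                <cfset structDelete(application.tokens, key) />
            </cfif>
        </cfloop>
        <!--- An expired token was removed above, so it fails this check too --->
        <cfset ok = structKeyExists(application.tokens, arguments.token) />
    </cflock>
    <cfreturn ok />
</cffunction>

<!--- Every remote method calls checkToken before doing any work --->
<cffunction name="someOtherFunction" access="remote" returntype="string" output="false">
    <cfargument name="token" type="string" required="true" />
    <cfif NOT checkToken(arguments.token)>
        <cfthrow type="NotAuthorized" message="Invalid or expired token" />
    </cfif>
    <cfreturn "Good to go" />
</cffunction>
```
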
-----Original Message-----
From: Chad Gray [mailto:[EMAIL PROTECTED]
Sent: Thursday, 24 January 2008 2:07 AM
To: CF-Talk
Subject: RE: Air and CFCs
I should have specified that I would be using Flex in my Air and using
remoteObject.
<mx:RemoteObject id="ro" destination="ColdFusion"
    source="local.careycolor.login"
    endpoint="http://demo.dev/flex2gateway/"
    result="letUserIn()" />
-----Original Message-----
From: Todd [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 23, 2008 9:45 AM
To: CF-Talk
Subject: Re: Air and CFCs
Air can't talk directly to CFCs. You'll have to use Javascript or Flex as
the transport mechanism. So, you would build it (to my understanding) as
you would if it was a pure ajax implementation. You'll either have to pass
username/password request on each send or somehow implement a logged in
token.
On Jan 23, 2008 9:38 AM, Andy Matthews <[EMAIL PROTECTED]> wrote:
> I'd def be interested in hearing this discussion.
>
> -----Original Message-----
> From: Chad Gray [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 23, 2008 8:32 AM
> To: CF-Talk
> Subject: Air and CFCs
>
> Does anyone have suggestions on best practice for setting up CFCs that
> will be available for Air applications and CF applications?
>
> From what I have read you need to set your functions in your CFC to
> access="remote" in order for the Air application to use them. I really
> don't want to do that on my functions since they modify database tables
> etc.
>
> How do you secure these CFCs?
>
> I thought about making a CFC that was available remotely, but had security
> built in (needs a predefined key or login/password). Then that CFC calls
> the access="public" CFCs. Maybe you would call this a gateway or proxy
> CFC. This way my CF application can use the "public" CFCs and the Air
> application can use the proxy CFC to get to the public CFCs.
>
> Any other ideas? Any better ideas on the security other than
> login/password?
> Chad
>
Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297231