Since Ajax requests are just like any other HTTP request your browser sends, they come with all the cookies your application has set. With that in mind, I secure them just like any other page on my site. A decent framework like ColdBox can be handy here since I use an event interceptor to ensure the person is logged in, and that code runs for all events -- even the ones proxied for Ajax calls.
Also, leaving a cfc in a web-accessible directory with methods marked remote that don't enforce security is NOT an example of "Cross-site Scripting" (XSS), it's just a bad idea. You wouldn't do that for the same reasons you don't leave any other sensitive page of your site without a security check. I don't know what you mean by cfc methods being "intercepted". If you want the methods to be secure, secure them. If you want the data they receive and return to be encrypted, use SSL.

verifyClient() is just a built-in way of allowing the browser to send you a special key via URL that proves it is the same client that the initial page was sent to. You add verifyClient="yes" to your cffunction and any ColdFusion Ajax calls you do add the special key to the URL they hit for the Ajax call. What this ensures is that the client making the HTTP request to the cfc is the same client that requested a page containing CF Ajax calls earlier in the same session and not a random one-time request. verifyClient in no way makes sure the user making the request is authenticated to your site via whatever authentication method you are using. And, just like cookies, it can be defeated with a good man-in-the-middle attack unless you are using SSL.

~Brad

-------- Original Message --------
Subject: Security on CF8 Ajax Request
From: Davide Campo <[email protected]>
Date: Tue, September 08, 2009 7:25 am
To: cf-talk <[email protected]>

Hi All,
I'd like to know which kind of security tricks you use to develop CF applications with Ajax requests to CFCs (for example with a jQuery request $.get('MyComp.cfc?method=mymethod')).

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326091
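As an added illustration of the "secure them like any other page" advice in Brad's reply (example code written for this page, not taken from Brad's message, the thread, or ColdBox), here is a tag-based CF8-style Application.cfc whose onRequestStart runs for remote CFC calls as well as .cfm pages, plus a version of the MyComp.cfc from Davide's question that checks the session again inside the remote method. The session.userId flag, login.cfm, the "demo" datasource and the items table are assumptions made for the example. verifyClient="yes" is left off the cffunction because a plain jQuery $.get sends no ColdFusion client key; it would only make sense if the page used ColdFusion's own Ajax tags, as Brad describes.

```cfml
<!--- Application.cfc (added example; session.userId and login.cfm are assumptions) --->
<cfcomponent output="false">
    <cfset this.name = "AjaxSecurityDemo">
    <cfset this.sessionManagement = true>

    <!--- onRequestStart fires for remote CFC invocations such as
          MyComp.cfc?method=mymethod, not only for .cfm pages, so one
          login check here covers the Ajax endpoints too. --->
    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var isCfcCall = (right(listFirst(arguments.targetPage, "?"), 4) EQ ".cfc")>
        <cfset var err = structNew()>

        <!--- The login page itself must stay reachable. --->
        <cfif findNoCase("login.cfm", arguments.targetPage)>
            <cfreturn true>
        </cfif>

        <cfif NOT structKeyExists(session, "userId")>
            <cfif isCfcCall>
                <!--- An Ajax caller wants a clear 401, not a 302 to an HTML login form. --->
                <cfset err.error = "not logged in">
                <cfheader statuscode="401" statustext="Unauthorized">
                <cfcontent type="application/json" reset="true">
                <cfoutput>#serializeJSON(err)#</cfoutput>
                <cfabort>
            <cfelse>
                <cflocation url="login.cfm" addtoken="false">
            </cfif>
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- MyComp.cfc (added example; "demo" datasource and items table are assumptions) --->
<cfcomponent output="false">
    <!--- The method checks the session again so it stays safe even if the
          CFC is ever copied somewhere Application.cfc does not apply. --->
    <cffunction name="mymethod" access="remote" returntype="struct"
                returnformat="json" output="false">
        <cfargument name="id" type="numeric" required="true">
        <cfset var result = structNew()>
        <cfset var q = "">

        <cfif NOT structKeyExists(session, "userId")>
            <cfthrow type="Security" message="Not logged in">
        </cfif>

        <!--- Authorization as well as authentication: only return rows the
              logged-in user owns, and bind every value with cfqueryparam. --->
        <cfquery name="q" datasource="demo">
            SELECT id, title
            FROM items
            WHERE id = <cfqueryparam value="#arguments.id#" cfsqltype="cf_sql_integer">
              AND owner_id = <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">
        </cfquery>

        <cfif q.recordCount EQ 0>
            <cfset result.found = false>
        <cfelse>
            <cfset result.found = true>
            <cfset result.id = q.id>
            <cfset result.title = q.title>
        </cfif>
        <cfreturn result>
    </cffunction>
</cfcomponent>
```

With this in place, `$.get('MyComp.cfc?method=mymethod&id=5')` from a logged-in browser returns JSON as before, while the same URL from a session without userId gets a 401 from Application.cfc before the method runs. Serve the site over SSL so the session cookie that carries the login cannot be read or replayed by a man-in-the-middle, which is the point Brad makes about cookies and verifyClient alike.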

