I put the following in my Application.cfm. It makes sure that if a user is
not coming from my site that it directs them to the login page. It might
help along with your if statement (with modifications of course).
I can't take credit for it. I found most of it from other applications, but
it does work well and also solves the problem of users piggybacking onto
other users' sessions via copying their favorites.
<!--- This is the site hosting the web application. --->
<cfset request.site.root="#cgi.server_name#">
<!---
If the user is trying to navigate into the site with someone else's
CFID/CFTOKEN, this will strip out both values and redirect the user so
they get re-assigned. Make sure you know what type of web server
software you are using, as IIS returns script_name and path_info but
some web servers return script_name only.
--->
<cfif not len(trim(cgi.http_referer))
      or (len(trim(cgi.http_referer))
          and refindnocase("http[s]*://[.]*#request.site.Root#", cgi.http_referer) is not 1)>
    <!--- Referer is empty or not from this host: strip any session tokens from the URL --->
    <cfif findnocase("cfid", cgi.script_name)>
        <cfparam name="newstring" default="#cgi.script_name#">
        <cfset newstring = rereplacenocase(newstring, "cfid=[0-9]*", "", "all")>
        <cfset newstring = rereplacenocase(newstring, "cftoken=[0-9]*", "", "all")>
        <cfset newstring = rereplacenocase(newstring, "fuseaction=[a-z]*", "", "all")>
        <!--- Also drop the session cookies so a fresh CFID/CFTOKEN pair is issued --->
        <cfif isdefined("cookie.cfid")>
            <cfcookie name="cfid" expires="NOW">
            <cfcookie name="cftoken" expires="NOW">
        </cfif>
        <!--- CF 4.5 only --->
        <cfmodule template="modules/location.cfm" url="http://#request.site.Root##newstring#">
    </cfif>
</cfif>
-----Original Message-----
From: Tony Schreiber [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 21, 2001 9:32 AM
To: CF-Talk
Subject: RE: Best way to limit access to a specific template from "only"
the previous template?
Just as a precaution, though I'm sure many of you know this...
Using "CONTAIN" when testing url strings is almost worthless - since a url
like http://www.crackers.com/hackattempt/haha.html?fool=template1.cfm is
completely valid...
> <CFIF cgi.http_referer does not contain "template1.cfm">
> <H1>Unauthorized host detected! Access denied!</H1>
> <CFABORT SHOWERROR="You are not authorized to use this
> function!">
> </CFIF>
>
> I also augmented the header line with an <a href> back to the login
> screen.
>
> <cfif cgi.http_referer does not contain "login.cfm">
> <h2>Unauthorized access method detected?<br>
> <a href="http://129.174.xx.xxx/ssh/index.cfm"> Please login</a></h2>
> <cfabort showerror="You have to login first!">
> </cfif>
>
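To make Tony's point concrete, and to show what the referer regex in the first post actually accepts, here is an added example in Python (not code from the thread). It assumes a placeholder site host of www.example.com standing in for cgi.server_name; the attacker hosts are constructed.

```python
import re
from urllib.parse import urlsplit

# Placeholder for cgi.server_name in the thread (constructed value).
SITE_HOST = "www.example.com"


def naive_contains_check(referer, template="template1.cfm"):
    """The quoted 'does not contain' test: passes if the template name
    appears anywhere in the Referer, including the query string."""
    return template.lower() in (referer or "").lower()


def naive_prefix_regex(referer, site_host=SITE_HOST):
    """The refindnocase pattern from the first post, as posted: unescaped
    dots and no end anchor, so only the start of the URL is checked."""
    pattern = r"http[s]*://[.]*" + site_host
    return re.match(pattern, referer or "", re.IGNORECASE) is not None


def referer_is_same_site(referer, site_host=SITE_HOST):
    """Stricter check: parse the Referer and require an http(s) URL whose
    host is exactly site_host. Missing or malformed referers fail."""
    if not referer or not referer.strip():
        return False
    parts = urlsplit(referer.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = parts.hostname or ""          # already lower-cased by urlsplit
    return host == site_host.lower()


if __name__ == "__main__":
    # Constructed sample referers: Tony's example, a legitimate one, and a
    # host that merely starts with the site name.
    for ref in ["http://www.crackers.com/hackattempt/haha.html?fool=template1.cfm",
                "http://www.example.com/login.cfm",
                "http://www.example.com.evil.test/",
                ""]:
        print(ref or "<empty>", naive_contains_check(ref),
              naive_prefix_regex(ref), referer_is_same_site(ref))
```

Even the strict version only tests a client-supplied header, so it belongs alongside a real session check, as the first post says, not in place of one.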
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists