Thanks all for your suggestions! Cameron, you mentioned sessions will be available in both your CFM pages and CFCs as long as they share a common Application.cfc file. So, you'd put the CFC in the same directory as the CFM?
And, if I did that, the request for the CFC would still cause an onRequestStart event in Application.cfc? Right now, my onRequestStart function checks to see if the user is logged in and has the correct permissions. If not, they get redirected to a login page. So, this would work with a CFC call too?

I'm also wondering what happens when the session expires. The user opens the page then goes to lunch. They come back and try to edit or delete a user, but the session has expired. I guess I could set a really short session timeout to see what happens. But, is there a better way to test something like this?

Thanks again to everyone for your help!

Clarke

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cameron Childress
Sent: Monday, July 21, 2008 11:01 AM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] Securing CFCs

This is actually one of the biggest security problems on the internet right now: unprotected web services, remoting services, AJAX services. You can actually solve this a number of different ways. You might check out the "Securing Web Services" section in the docs first:

http://livedocs.adobe.com/coldfusion/8/htmldocs/webservices_22.html

There is also a link on that page to "Securing Applications":

http://livedocs.adobe.com/coldfusion/8/htmldocs/appSecurity_01.html

Lastly, I would say that it's good to remember that any sessions you create on a CFM page should also be accessible in your CFCs, as long as they share a common Application.cfc file. This is a great way to enforce a common security model across CFM and CFC code...

-Cameron

On Mon, Jul 21, 2008 at 10:46 AM, Clarke Bishop <[EMAIL PROTECTED]> wrote:
> I have one remaining problem to solve in my adventure with CF/Ajax.
> The CFCs have to have access="remote".
>
> But, this means anyone can access the methods. What I built is a
> master/detail, CRUD thing for administering users. So, I obviously
> don't want some unauthorized person deleting my users or adding new ones.
>
> Normally, I've used access="public" before which wouldn't let an
> outside user get to the methods. But, what's the best way to give
> access to my valid CFM pages with Ajax and prevent access by bad guys?
>
> Thanks for any ideas!
>
> Clarke
>
> -------------------------------------------------------------
> To unsubscribe from this list, manage your profile @
> http://www.acfug.org?fa=login.edituserform
>
> For more info, see http://www.acfug.org/mailinglists
> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
> List hosted by http://www.fusionlink.com
> -------------------------------------------------------------

--
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell: 678.637.5072
aim: cameroncf
email: [EMAIL PROTECTED]
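As an added example (not code from this thread or from the Adobe docs it links), here is one way to put the login and permission check Clarke describes into a single Application.cfc that covers both the CFM pages and the remote CFCs. ColdFusion searches up the directory tree for Application.cfc, so the CFCs only need to live somewhere under the directory that holds it, not in the same directory. The application name, session keys, role name and login page paths are assumptions.

```cfml
<!--- Application.cfc placed at the web root (or any directory above both the CFM
      pages and the CFCs); ColdFusion searches up the directory tree for it. --->
<cfcomponent output="false">
    <cfset this.name = "UserAdmin">   <!--- assumed application name --->
    <cfset this.sessionManagement = true>
    <!--- A short timeout makes the "user went to lunch" case easy to reproduce in testing. --->
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>

    <!--- onRequestStart fires for .cfm pages and for remote .cfc method calls alike. --->
    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Entry points that must stay reachable without a session (assumed paths). --->
        <cfset var publicPages = "/login.cfm,/doLogin.cfm">
        <cfset var authorized = false>

        <cfif listFindNoCase(publicPages, arguments.targetPage)>
            <cfreturn true>
        </cfif>

        <!--- Logged in AND holds the admin role; the session keys are assumed names
              that the login page sets after a successful password check. --->
        <cfset authorized = structKeyExists(session, "userId")
                            and structKeyExists(session, "roles")
                            and listFindNoCase(session.roles, "admin") gt 0>
        <cfif authorized>
            <cfreturn true>
        </cfif>

        <!--- Not authorized (never logged in, wrong role, or the session expired). --->
        <cfif listLast(arguments.targetPage, ".") eq "cfc">
            <!--- Remote/Ajax call: a redirect would hand the login page's HTML to the
                  JavaScript caller. Send a status code and a small JSON body instead, so
                  the client can tell the user to log in again. --->
            <cfheader statuscode="401" statustext="Unauthorized">
            <cfcontent type="application/json" reset="true">
            <cfoutput>#serializeJSON({ error = "not authenticated or session expired" })#</cfoutput>
            <cfreturn false>   <!--- false stops ColdFusion from running the CFC method --->
        </cfif>

        <!--- Ordinary page request: send the browser to the login page. --->
        <cflocation url="/login.cfm" addtoken="false">
        <cfreturn false>
    </cffunction>
</cfcomponent>
```

When a session times out, ColdFusion starts a fresh, empty session on the next request, so the missing session keys above are exactly what an expired session looks like to this check; shortening this.sessionTimeout while testing exercises that path without waiting for a real timeout.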