I'm still working through all this, but I found something new in CF8 that helps a bit.

http://www.adobe.com/devnet/coldfusion/articles/ajax_security.html

You put verifyClient="true" in your CFC functions, and CF will then use Session management to verify that the Ajax call is coming from a page on the site. It doesn't help with my role-based access control, and it can probably be defeated, but at least it's another layer.

Clarke

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Cameron Childress
Sent: Monday, July 21, 2008 4:44 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] Securing CFCs

On Mon, Jul 21, 2008 at 4:06 PM, Clarke Bishop <[EMAIL PROTECTED]> wrote:
> Cameron, you mentioned sessions will be available in both your CFM
> pages and CFCs as long as they share a common Application.cfc file.
> So, you'd put the CFC in the same directory as the CFM?

Actually, I usually do something like this:

/myApp - root application dir (put Application.cfc here)
/myApp/components - dir for CFCs
/myApp/wwwroot - dir for CFMs (this is the webroot in IIS/apache/etc)

> And, if I did that, the request for the CFC would still cause an
> onRequestStart event in Application.cfc? Right now, my onRequestStart
> function checks to see if the user is logged in and has the correct
> permissions. If not, they get redirected to a login page. So, this
> would work with a CFC call too?

Usually I would just access the session from inside the CFCs directly. You don't have to put anything in the Application.cfc for your CFCs to be secure, you just need it to be there so you can access session data inside your CFC files.

You could secure your CFCs in a number of ways, including calling a security CFC from within each CFC function to determine permissions. In your case I would probably create a "security CFC" that handles logins, authentication, and access controls. You can then instantiate this CFC from inside any CFM or CFC and ask it about permissions. There are other ways to skin this problem too, that's just one...

> I'm also wondering what happens when the session expires. The user
> opens the page then goes to lunch. They come back and try to edit or
> delete a user, but the session has expired. I guess I could set a
> really short session timeout to see what happens. But, is there a
> better way to test something like this?

Well, if they try to make an AJAX call and the CFC says "no way" you should handle that response and send the user to the login screen, just like any CFM template would do, only you would be using AJAX instead.

-Cameron

--
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell: 678.637.5072
aim: cameroncf
email: [EMAIL PROTECTED]

-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
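The "security CFC" pattern Cameron describes, together with the verifyClient="true" attribute Clarke found, written out as an added example (this is not code from either poster, nor from Adobe's article). It assumes Cameron's directory layout (Application.cfc in /myApp, CFCs in /myApp/components), a per-application mapping named "components", and that whatever login routine the site already has stores a struct in session.user with a comma-delimited roles list; the login routine itself, and the actual delete query, are left out. The three files are shown one after another, separated by comments.

```cfml
<!--- File 1: /myApp/Application.cfc (assumed location, per Cameron's layout) --->
<cfcomponent output="false">
    <cfset this.name = "myApp">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
    <!--- Assumed mapping so CFCs outside the webroot can be instantiated by dot path --->
    <cfset this.mappings["/components"] = getDirectoryFromPath(getCurrentTemplatePath()) & "components">
</cfcomponent>

<!--- File 2: /myApp/components/Security.cfc (hypothetical name) --->
<cfcomponent output="false">

    <!--- A session that has expired no longer carries session.user, so this also covers the lunch-break case --->
    <cffunction name="isLoggedIn" access="public" returntype="boolean" output="false">
        <cfreturn structKeyExists(session, "user") AND structKeyExists(session.user, "roles")>
    </cffunction>

    <cffunction name="hasRole" access="public" returntype="boolean" output="false">
        <cfargument name="role" type="string" required="true">
        <cfif NOT isLoggedIn()>
            <cfreturn false>
        </cfif>
        <cfreturn listFindNoCase(session.user.roles, arguments.role) GT 0>
    </cffunction>

    <!--- Throws a typed exception so the calling CFC can distinguish "log in again" from "not allowed" --->
    <cffunction name="requireRole" access="public" returntype="void" output="false">
        <cfargument name="role" type="string" required="true">
        <cfif NOT isLoggedIn()>
            <cfthrow type="Security.NotLoggedIn" message="Not logged in or session expired">
        </cfif>
        <cfif NOT hasRole(arguments.role)>
            <cfthrow type="Security.Forbidden" message="Role #arguments.role# required">
        </cfif>
    </cffunction>

</cfcomponent>

<!--- File 3: /myApp/components/UserService.cfc (hypothetical name), called from the page via Ajax --->
<cfcomponent output="false">

    <!--- verifyClient="true" adds CF8's client-token check; the role check below is still what enforces access control --->
    <cffunction name="deleteUser" access="remote" returntype="struct" returnformat="json" output="false" verifyClient="true">
        <cfargument name="userId" type="numeric" required="true">
        <cfset var result = structNew()>
        <cfset var security = createObject("component", "components.Security")>

        <cftry>
            <!--- Every remote function asks the security CFC before doing anything --->
            <cfset security.requireRole("admin")>

            <!--- The delete itself is omitted; it would run here, only after the check passed --->
            <cfset result.success = true>

            <cfcatch type="Security.NotLoggedIn">
                <!--- The client should treat this as "send the user to the login screen" --->
                <cfset result.success = false>
                <cfset result.error = "login_required">
            </cfcatch>
            <cfcatch type="Security.Forbidden">
                <cfset result.success = false>
                <cfset result.error = "forbidden">
            </cfcatch>
        </cftry>

        <cfreturn result>
    </cffunction>

</cfcomponent>
```

The Ajax page then inspects the JSON it gets back: on error "login_required" it redirects to the login page, which is the AJAX equivalent of the redirect Clarke's onRequestStart already does for CFM pages; on "forbidden" it shows a permission message and leaves the session alone. To test the expiry case without waiting through a real timeout, set this.sessionTimeout in Application.cfc to a few seconds in a development copy and make the call after that interval; because requireRole runs inside the CFC on every call, an expired session produces the "login_required" result rather than a silent success.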