An application authentication security scenario
An application that does its own authentication might work as follows. The code in the "Application-based user security example" section implements this scenario.
1. The Application.cfm page has a cflogin tag. ColdFusion executes the cflogin tag body if the user is not logged in. A user is logged in if the cfloginuser tag has run during the current session and the user has not been logged out by a cflogout tag.
2. The cflogin tag body checks whether it has received a user ID and password, normally from a login form.
3. If there is no user ID or password, the cflogin tag body displays a login form that asks for the user's ID and password. The form posts the login information back to the originally requested page, and the cflogin tag in Application.cfm runs again.
4. This time, the cflogin tag body code checks the user name and password against a database, LDAP directory, or other policy store, to ensure that the user is valid and to get the user's roles.
5. If the user is valid, the cflogin tag body code calls the cfloginuser tag with the user's ID, password, and roles, to identify the user to ColdFusion.
6. Application pages use the IsUserInRole function to check whether the user belongs to a role before they run protected code that must be available only to users in that role. The application can use the GetAuthUser function to determine the user ID; for example, to display the ID for personalization. It can also use the ID as a database key to get user-specific data.
7. The application can use the cflogout tag to log out the user. Typically, the logout link is in a page header that appears in all pages. The logout form can also be on the Application.cfm page.
Note: A log-out option is not always required, because the user is automatically logged out when all browser windows are closed (except when using ColdFusion Session variables) or when the user is inactive for the login or session time-out period. If the user closes the browser, the login variables remain in server memory until the session times out. You can enhance security in cases where a system might be shared by providing a log-out facility. You must explicitly log out a user before a new user can log in while the browser is running.
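The following CFML puts the seven steps above into one Application.cfm, a login form, and a role-protected page. It is an added example, not code from this Adobe page or from the "Application-based user security example" section. The datasource name appDSN, the users table with its username, password_hash and roles columns, the file names loginform.cfm and admin.cfm, and the logout=1 URL parameter are all assumptions made for the example; ColdFusion MX populates the cflogin structure only when the form fields are named j_username and j_password.

```cfml
<!--- ===== Application.cfm (added example; assumed application name) ===== --->
<cfapplication name="SecureApp" sessionmanagement="Yes">

<!--- Step 7: handle the log-out link first, so that the cflogin body below
      runs in the same request and immediately redisplays the login form. --->
<cfif IsDefined("URL.logout")>
    <cflogout>
</cfif>

<!--- Step 1: the body runs only when no user is logged in for this session. --->
<cflogin>
    <!--- Step 2: ColdFusion fills the cflogin structure (cflogin.name,
          cflogin.password) when j_username/j_password were posted. --->
    <cfif NOT IsDefined("cflogin")>
        <!--- Step 3: no credentials yet, so show the form and stop. --->
        <cfinclude template="loginform.cfm">
        <cfabort>
    <cfelse>
        <!--- Step 4: check the credentials against the policy store.
              Assumed schema: users(username, password_hash, roles), datasource appDSN.
              Hash() in ColdFusion MX is MD5; the stored value is a hash, never clear text,
              and cfqueryparam keeps the user-supplied values out of the SQL text. --->
        <cfquery name="qUser" datasource="appDSN">
            SELECT roles
            FROM   users
            WHERE  username      = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
            AND    password_hash = <cfqueryparam value="#Hash(cflogin.password)#" cfsqltype="cf_sql_varchar">
        </cfquery>

        <cfif qUser.RecordCount EQ 1>
            <!--- Step 5: valid user; identify the user and roles to ColdFusion. --->
            <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#qUser.roles#">
        <cfelse>
            <!--- Failed login: one generic message, so the response does not reveal
                  whether the user name or the password was wrong. --->
            <cfoutput><p>Invalid user name or password.</p></cfoutput>
            <cfinclude template="loginform.cfm">
            <cfabort>
        </cfif>
    </cfif>
</cflogin>

<!--- ===== loginform.cfm (assumed file name) =====
      Posts back to the originally requested page, so Application.cfm runs again. --->
<cfoutput>
<form action="#CGI.SCRIPT_NAME#" method="post">
    <label>User name: <input type="text" name="j_username"></label>
    <label>Password:  <input type="password" name="j_password"></label>
    <input type="submit" value="Log in">
</form>
</cfoutput>

<!--- ===== admin.cfm (assumed file name) =====
      Step 6: check the role before any protected code runs. GetAuthUser() echoes
      text the user typed at login, so it is HTML-escaped before display. --->
<cfif NOT IsUserInRole("admin")>
    <cfoutput>
        <p>#HTMLEditFormat(GetAuthUser())#, you are not authorized to view this page.</p>
    </cfoutput>
    <cfabort>
</cfif>
<cfoutput><p>Welcome, administrator #HTMLEditFormat(GetAuthUser())#.</p></cfoutput>
```

Because the log-out check precedes the cflogin tag, a request for any page with ?logout=1 clears the login and falls straight into the cflogin body, which shows the form; this is the explicit log-out that the note above says a new user needs before logging in from the same running browser.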
This scenario shows one method for implementing user security; it is only an example. Your application could, for instance, require users to log in for only some pages, such as pages in a folder that contains administrative functions. When you design your user security implementation, remember the following:
- The cflogin tag body executes only if there is no user logged in.
- Your application must call the cfloginuser tag to log the user into ColdFusion.
The following figure shows this flow of control. For simplicity, it omits the log-out option.
Version 6.1
Current page: http://livedocs.adobe.com/coldfusion/6.1/htmldocs/appsec21.htm