About web server authentication
All major web servers support basic HTTP authentication. Some web servers also support other authentication methods, including Digest HTTP authentication and Microsoft NTLM authentication.
Note: Basic HTTP authentication sends the user name and password in a base64-encoded string with each request. Base64 is an encoding, not encryption, so if you do not use SSL (Secure Sockets Layer) for all page transactions, the user ID and password are not protected from unauthorized access.
Note: Macromedia Dreamweaver MX and Studio MX do not support NTLM security with RDS. Therefore, you cannot use RDS with these applications if the ColdFusion RDS servlet (cf_root/CFIDE/main/ide.cfm) is in a directory that is protected using NTLM security.
In web server authentication, the web server requires the user to log in to access pages in a particular directory, as follows:
You can use web server authentication without using any ColdFusion security features. In this case, you configure and manage all user security through the web server's interfaces.
You can also use web server authentication with ColdFusion application authentication, and thus you can use ColdFusion security for authorization. If the web server uses basic HTTP authentication, the ColdFusion cflogin tag provides access to the user ID and password that the user entered to log in to the web server. If the web server uses Digest or NTLM authentication, the cflogin tag normally gets the user ID, but not the password.
As a result, your application can rely on the web server to authenticate the user against its user and password information, and does not have to display a login page. You use the cflogin and cfloginuser tags to log the user into the ColdFusion user security system, and use the IsUserInRole and GetAuthUser functions to ensure user authorization. For more information on this form of security, see A web server authentication security scenario.
Note: If a user has logged in using web server authentication and has not logged in using ColdFusion application authentication, the GetAuthUser function returns the web server user ID. You could use this feature to combine web server authentication with application authorization based on the user's ID.
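The combination described above, written out as an added example that is not part of the original documentation: the web server authenticates, and ColdFusion handles authorization only. The application name, the role names, and the list of administrator IDs are assumptions made for illustration.

```cfml
<!--- Application.cfm (added example; names below are hypothetical).
      Assumes the web server already requires Basic, Digest or NTLM
      authentication for this directory, over SSL when Basic is used. --->
<cfapplication name="Orders" sessionmanagement="Yes">

<cflogin>
    <!--- The cflogin structure exists only inside this tag, and only when
          login information accompanied the request. Fail closed otherwise
          instead of falling through to the requested page. --->
    <cfif NOT IsDefined("cflogin") OR Len(Trim(cflogin.name)) EQ 0>
        <cfheader statuscode="403" statustext="Forbidden">
        <cfoutput>Authentication data is missing.</cfoutput>
        <cfabort>
    </cfif>

    <!--- Hypothetical role mapping keyed on the web server user ID.
          A real application would look the ID up in its own role store. --->
    <cfif ListFindNoCase("admin,ops", cflogin.name)>
        <cfset userRoles = "user,admin">
    <cfelse>
        <cfset userRoles = "user">
    </cfif>

    <!--- The web server has already verified the credentials, so the
          application does not check the password itself. cflogin.password
          carries the password with basic authentication and is normally
          empty with Digest or NTLM. --->
    <cfloginuser name="#cflogin.name#"
                 password="#cflogin.password#"
                 roles="#userRoles#">
</cflogin>

<!--- Any page in the application: authorize by role and show the
      logged-in ID. HTMLEditFormat escapes the ID before it is written
      into the page. --->
<cfif IsUserInRole("admin")>
    <cfoutput>Signed in as #HTMLEditFormat(GetAuthUser())# (administrator).</cfoutput>
<cfelse>
    <cfoutput>Signed in as #HTMLEditFormat(GetAuthUser())#.</cfoutput>
</cfif>
```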
Version 6.1
Current page: http://livedocs.adobe.com/coldfusion/6.1/htmldocs/appsecu8.htm