Reputation: 2240
I'm developing a site that will have an admin section. I've Googled this and have found conflicting information (on blogs) regarding the best way to implement this. I'm hoping that some of you SO developers will have first hand experience on this.
Is it better to have the login.cfm and login_process.cfm files within the Admin area or after authentication has been completed then route the user to the admin area? OR does it really matter? I'm leaning more towards the side of routing the user to the admin area AFTER authentication mainly just to hide the location of the admin area to people who don't have accounts to help ward off hacks.
Links supporting your answer is appreciated but not required unless I get conflicting answers. :)
Upvotes: 0
Views: 2056
Reputation: 762
Remember that CF can only protect .cfm files; it will not stop anyone accessing images, .html, .pdf docs etc. if they know the URL. So it depends what you want to protect. If it is a simple admin area then this will likely suffice. For best security, if you need to secure non-CF files and resources you should use htaccess or similar to protect entire folders and everything in them. There are ways to do it using cfcontent on a small scale.
Upvotes: 2
Reputation: 9890
It doesn't matter at all security-wise where your login scripts reside.
What does matter is that you actually check to make sure the user is authenticated and authorized before granting them access to the secure scripts, and not just relying on the fact that they won't know where the admin URLs are until they've signed in. I can't tell you how many broken sites I've seen where the admin URLs have been indexed by Google, allowing anyone to get in who stumbles upon it.
So your authentication process should have two steps.
1. Authentication (your login.cfm and login_process.cfm scripts). This should check a user's credentials and then generally set something in the user's session scope.
2. Authorization (in your admin area). This should check to see if the user is logged in (looking at the session variable you set in step 1), and (if you're implementing role or permissions based authorization) whether the user has access to the requested resource, displaying an error or giving a redirect if they aren't.
If you're trying to protect a whole directory, it's usually easiest to implement this in an application.cfm|cfc in the admin directory (so it automatically gets invoked on all pages in that directory). If you go that route, it becomes easiest to put the login scripts outside of the protected directory so you don't end up requiring users to be logged in to get to the login script.
Upvotes: 3
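An added example (not code from either answer) of the two-step pattern the answer above describes, written as an `/admin/Application.cfc` that guards every page in the admin directory. It assumes Adobe ColdFusion 11+ or Lucee, that the root `Application.cfc` uses the same application name (so the session set by the login scripts outside `/admin` is the same session seen here), and that `login_process.cfm` sets `session.userId` and a comma-delimited `session.roles`; the page names and roles are constructed sample values.

```cfml
// /admin/Application.cfc (assumed path; example code, not the answer's own)
component {
    // Must match this.name in the root Application.cfc so both share the session scope
    this.name = "MySiteExample";
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);

    // Constructed sample: which role each admin page requires.
    // Pages not listed fall back to requiring "admin".
    variables.requiredRole = {
        "index.cfm"   = "admin",
        "users.cfm"   = "admin",
        "reports.cfm" = "reports"
    };

    public boolean function onRequestStart(required string targetPage) {
        // Step 1 check: was the user authenticated by the login scripts?
        if (!structKeyExists(session, "userId")) {
            // login.cfm lives outside /admin, so this redirect cannot loop on itself
            location(url="/login.cfm?returnTo=#urlEncodedFormat(cgi.script_name)#", addToken=false);
        }

        // Step 2 check: is the user authorized for the specific page requested?
        var page  = listLast(arguments.targetPage, "/");
        var role  = structKeyExists(variables.requiredRole, page)
                    ? variables.requiredRole[page] : "admin";
        var roles = structKeyExists(session, "roles") ? session.roles : "";

        if (!listFindNoCase(roles, role)) {
            // Deny with an explicit error rather than silently serving the page
            cfheader(statusCode=403, statusText="Forbidden");
            writeOutput("You do not have access to this page.");
            return false; // returning false stops the requested page from running
        }
        return true;
    }
}
```

Because the check runs in `onRequestStart`, a visitor who finds an admin URL through a search index still hits the redirect or the 403 rather than the page.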