Reputation: 279
I'm having a lot of trouble finding information about securing remote functions on ColdFusion CFCs for AJAX calls. Let's say you're retrieving sensitive information for a user after the user logs in to the site via an AJAX call. You call something like this:
https://www.mySite.com/pathToCFC/MyCFC.cfc?method=getBankInfo&userID=2343
So this is obviously super insecure, as anyone could call this from a browser and change userID to get a different user's bank info.
I've read about using the roles attribute on the remote function and using cflogin to authenticate a user, but even with this in place, wouldn't you have to pass the userID like in the above call? Wouldn't an authenticated user still be able to switch the userID to discover other users' bank info?
Upvotes: 4
Views: 1362
Reputation: 2053
Wait a second, if you have user X who has to request his details from the server, you don't need his ID; you have it in session, or if you use the cflogin feature you'll have getUserAuth().
If you have an administrator who can see other users' details and you're worried about him seeing bank details, you need roles: CF's roles or your custom solution, etc.
In any case, you don't need to send an explicit call like "gimme bank account details for user 3456".
Upvotes: 0
Reputation: 10627
Don't pass the userid from the client. The userid and other sensitive data should be stored server-side. In fact, every bit of data passed from the client must be considered suspect, and validated.
So, if you're using cflogin, for instance, and you're on a single server, or a sticky-sessioned server, then store the userid and any other critical information in the session scope.
On each request, you fetch this data from the session, not from what the client provides.
This is a good starting point on User Security in ColdFusion.
Upvotes: 7
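As an added example (not code from the question or either answer), here is what the CFC from the question might look like with both answers applied: the user's own lookup takes no userID at all and reads it from the session, while an admin lookup that legitimately takes a userID is gated by the roles attribute. It assumes Application.cfc has sessionManagement enabled and that the login code stores the authenticated user's ID in session.userID; bankDAO is a hypothetical data-access object.

```cfml
// MyCFC.cfc (example). Assumes Application.cfc sets this.sessionManagement = true
// and that the login handler stores the authenticated user's ID in session.userID.
component output="false" {

    // bankDAO is a hypothetical data-access object, assumed to be created elsewhere.
    variables.bankDAO = createObject("component", "BankDAO");

    // The pattern from the question: any caller can change userID in the URL
    // and read another user's record. Kept here only to show the contrast.
    remote struct function getBankInfoInsecure(required numeric userID) returnFormat="json" {
        return variables.bankDAO.getByUserId(arguments.userID);
    }

    // Hardened: no userID argument at all. The identity comes from the session
    // the server created at login, so ?userID=... in the URL is simply ignored.
    remote struct function getBankInfo() returnFormat="json" {
        if (!structKeyExists(session, "userID")) {
            // Not logged in: refuse the request instead of guessing an identity.
            cfheader(statusCode=401, statusText="Unauthorized");
            return {};
        }
        return variables.bankDAO.getByUserId(session.userID);
    }

    // Admin lookup of another user. A userID argument is legitimate here, but only
    // because roles="admin" makes ColdFusion reject callers whose cflogin role does
    // not include "admin" before the function body runs.
    remote struct function getBankInfoForUser(required numeric userID)
        roles="admin" returnFormat="json" {
        // Audit which administrator looked at whose record; getAuthUser() is the
        // cflogin username for the current request.
        writeLog(
            file="bankaudit",
            text="#getAuthUser()# viewed bank info for user #arguments.userID#"
        );
        return variables.bankDAO.getByUserId(arguments.userID);
    }
}
```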