Bobby Hartsfield wrote: > I haven't seen the previous thread you mentioned but the "easiest" way to > secure specific templates is to have them all located under a central > location like /secure or /administrative or whatever. > > In the top level of that directory put an Application.cfm that includes your > "security script" so it is included in every template under that directory. > (You can also just include the parent application.cfm to bring any settings > in without duping any code.)
In my case, every file would need to have the file id associated with it so I'd just use the main application file. I like the include idea if I did have to break it off for some reason. > If you don't do it this way, and you have mixed templates (some secure some > not) all scattered under one root, I don't see a way around including your > script in every page that you want secured (other than querying for it's ID > to see if it is secure, but why waste the time effort or processing). Like above, I'll be keeping track of every file so that won't be an issue as far as some being secure and non-secure. I guess a better wording would be keeping track of files. I really want every file in the system to have a unique identifier, regardless if it's public or not. > If you already have it logically laid out like you want and you're only > concern is rather or not the cgi.script_name will fail on you, don't worry. > It won't. Ok, that's cool to know. And this CGI.script_name variable *always* refers to the file that's being called, correct? I know this should be the case, but I just want to do a sanity check. This *is* my security system so I want to make sure it's foolproof. I think what's going to be trick is converting the script_name to a path for cffile to understand. I'll have to look at the file/path functions available and hopefully I can extract what I need. Should be interesting... > Here is a good trick for unique template IDs > #hash(cgi.script_name)# You know, I thought of something like this. I was going to use the path/filename as the identifier, but then I'd run into the problem like you mentioned below: > If that is your templates uniqueid, there is no need to make sure it is set > at the top of every page. > > Once those hashes are stored in the database, the only thing that would pose > a problem would be moving or renaming the template. exactly. I want this system to be dynamic and flexible. I want to be able to move a file anywhere under the root and have the system always be able to identify it, regardless of filename or location. > I hope any of that helps (or even makes sense). definately. Thanks! > > ~Bobby > > -----Original Message----- > From: Mike Soultanian [mailto:[EMAIL PROTECTED] > Sent: Saturday, September 03, 2005 10:23 PM > To: CF-Talk > Subject: Question about my security system > > Like I mentioned in a previous post, I am creating a security system > that assigns each CF page it's own unique ID. Based on that file's id, > it keeps track on who has access to that page. To do this, I was going > to put a custom tag at the top of every page that I wanted to be secure > and then have the file edit itself and place a random "security ID" at > the top of the page. That ID would then be stored in the DB and have a > security setting applied to it through my security system. > > Now, the problem with me is I'm a forgetful person. So, instead of > putting the tag in every single file (which I might forget to do), how > about putting the tag in the Application file and then telling the tag > to edit the file referenced by the CGI script name variable. I haven't > yet tried it, but I'm hoping that variable would be referring to the > file being called, not the application.cfm file, even though the tag is > being run from the application.cfm file. That way, every single file on > my site is guaranteed to be secure. > > My question is whether or not that will pose any weird quirks. Is there > any reason or circumstance where the CGI Script Name variable wouldn't > refer to the file that the end-user was requesting? The CGI script name > variable comes from the web server, correct, and would *always* be > populated with a value of the target file, right? I can't think of > anything that would cause a problem, but that doesn't mean that there > would be a way around it (hence, my reason for asking the list). > Ultimately, I'm trying to figure out which way is more secure (in the > application.cfm file, or each file). > > I hope that's not too confusing what I'm trying to do. If you'd like > further explanation, let me know! > > Thanks, > Mike > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:217314 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
