You might think about using a CFLOCATION instead to redirect to an
"unauthorized" page that will have a full set of HTML.  Using CFABORT in the
middle of the page like that will cause the closing tags to get cut off and
some browsers will freak out and not even display the message at all.

As for the security itself, it looks ok, but there's no way to tell for
certain if something is "secure" or not without seeing all of the code that
touches those variables.

-Justin Scott, Lead Developer
 Sceiron Internet Services, Inc.
 http://www.sceiron.com


----- Original Message -----
From: "Jeff Brown" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, May 23, 2002 11:07 AM
Subject: page security using <cfabort>


> I am planning on adding role based page level security to my application by
> adding this chunk of code to every page:
>
> <body>
> <cfif ListFindNoCase("AllowedRole1,AllowedRole2,AllowedRole3",
> #session.user_role#, ",") EQ 0>
> You are not authorized to view this page. <cfabort>
> </cfif>
>
> .. [page content] ...
>
> </body>
>
> Session.user_role is set when the user logs in to the app.  Is this a fairly
> standard way to do it?  Certain pages should not be viewable by certain
> roles, can anyone think of an instance where a user could get past this?
> TIA.
>
> v/r,
> Jeff
> 
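As an added example (editor's code, not from either poster): the same role check moved into a CF5-style Application.cfm so it runs before any of the page's HTML is written. That lets the redirect Justin suggests happen cleanly (cflocation has to be sent before output), avoids the truncated-markup problem of a mid-body cfabort, and treats a request with no session.user_role at all (user never logged in) as unauthorized instead of throwing an undefined-variable error. The file name Application.cfm, the page names in the map, the role names and /unauthorized.cfm are all assumptions.

```cfml
<!--- Application.cfm (assumed name): ColdFusion runs this before every .cfm
      request in the directory tree, so the check cannot be forgotten on a page. --->
<cfapplication name="MyApp" sessionmanagement="Yes">

<!--- Map each protected template to the comma list of roles allowed to see it.
      Pages not listed here are treated as public. (Assumed page and role names.) --->
<cfset request.pageRoles = StructNew()>
<cfset request.pageRoles["admin.cfm"]   = "Admin">
<cfset request.pageRoles["reports.cfm"] = "Admin,Manager,Auditor">

<!--- Script name of the template actually being requested, e.g. "reports.cfm".
      Struct keys are case-insensitive, so Reports.cfm still matches. --->
<cfset request.thisPage = ListLast(CGI.SCRIPT_NAME, "/")>

<cfif StructKeyExists(request.pageRoles, request.thisPage)>
    <!--- Deny when the role is missing (anonymous user) or not in the allowed list.
          Without the IsDefined test, referencing session.user_role for a user who
          never logged in would raise an error rather than deny access. --->
    <cfif NOT IsDefined("session.user_role")
          OR ListFindNoCase(request.pageRoles[request.thisPage], session.user_role) EQ 0>
        <!--- No output has been sent yet, so the redirect is a proper 302.
              cflocation ends the request: the protected page body never runs. --->
        <cflocation url="/unauthorized.cfm" addtoken="No">
    </cfif>
</cfif>
```

If a redirect is not wanted, the same block can keep the original "You are not authorized" message followed by cfabort; the difference from the posted snippet is only that the check fires before the page's <html> and <body> tags are emitted, so the browser receives a small but complete document rather than one cut off mid-body.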
______________________________________________________________________
This list and all House of Fusion resources hosted by CFHosting.com. The place for 
dependable ColdFusion Hosting.
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists