Key management for PCI DSS compliance
I have a client I'm helping with their PCI compliance effort. One question I have is where to store the key that encrypts account numbers, etc. Right now, it's in one location in their CF code. Is there a better practice? I understand that storing it in the same database that contains the encrypted data is a no-no (seems sensible). The cost of an external HSM box just for key management seems prohibitive. Is there an easier way that others here have used?

Thanks,
Dave

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336254
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Key management for PCI DSS compliance
http://www.braintreepaymentsolutions.com/services/pci-compliance

On Fri, Aug 13, 2010 at 9:52 AM, Dave Burns <cft...@burnsorama.com> wrote:
> I have a client I'm helping with their PCI compliance effort. One question I have is where to store the key that encrypts account numbers, etc. Right now, it's in one location in their CF code. Is there a better practice? I understand that storing it in the same database that contains the encrypted data is a no-no (seems sensible). The cost of an external HSM box just for key management seems prohibitive. Is there an easier way that others here have used?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336255
Re: Key management for PCI DSS compliance
Storing the key in the same db is ok, if you also encrypt the key. You might use a combination of the app name and the timestamp of the key record as the key to unencrypt the key (wow, that's confusing).

Steve "Cutter" Blades
Adobe Community Professional - ColdFusion
Adobe Certified Professional
Advanced Macromedia ColdFusion MX 7 Developer
Co-Author of "Learning Ext JS"
http://www.packtpub.com/learning-ext-js/book
_
http://blog.cutterscrossing.com

On 8/13/2010 8:52 AM, Dave Burns wrote:
> I have a client I'm helping with their PCI compliance effort. One question I have is where to store the key that encrypts account numbers, etc. Right now, it's in one location in their CF code. Is there a better practice? I understand that storing it in the same database that contains the encrypted data is a no-no (seems sensible). The cost of an external HSM box just for key management seems prohibitive. Is there an easier way that others here have used?
>
> Thanks,
> Dave

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336256
Re: Extracting data from Java ByteArrayOutputStream
This should give you the cfhttp response as a string, when you get back a byte array:

cfhttp.filecontent.toString("UTF-8")

--
Pete Freitag
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Thu, Aug 12, 2010 at 12:22 PM, Jeff Chastain <jeff.chast...@admentus.com> wrote:
> Dave,
>
> Per my message earlier this week (http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336189), when I try cfinvoke or createObject("webservice", ..., I am getting an AxisFault error that I cannot get around. When I use cfhttp to post, I am getting the expected response back, but in a ByteArrayOutputStream.
>
> Thanks -- Jeff
>
> > > I am working with a SOAP web service in CF 8.0.1 and the filecontent attribute of the cfhttp response is a java.io.ByteArrayOutputStream. If I use the toString() method to convert this to text, I can see the XML response data plus the binary image strings that I was expecting. The problem is, I am not sure how to get this information out of the ByteArrayOutputStream.
> >
> > Out of curiosity, is there a reason why you're using CFHTTP to invoke a SOAP service instead of CFINVOKE? If you can't use CFINVOKE, you can probably just invoke the underlying Axis classes using Java.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > http://training.figleaf.com/
> >
> > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsi

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336257
Re: Extracting data from Java ByteArrayOutputStream
Pete,

This does give me an ASCII string of the contents of the byte array. After a lot of string parsing, I can get the SOAP envelope out and convert it to XML. However, the binary images that are also included here are apparently encoded somehow and I have yet to be able to use any form of ColdFusion decoding process to get them into a readable format.

Is there a better way to convert this byte array / string into something usable within ColdFusion without a bunch of string parsing and decoding?

Thanks -- Jeff

On 8/13/2010 10:34 AM, Pete Freitag wrote:
> This should give you the cfhttp response as a string, when you get back a byte array:
>
> cfhttp.filecontent.toString("UTF-8")
>
> --
> Pete Freitag
> http://foundeo.com/ - ColdFusion Consulting & Products
> http://petefreitag.com/ - My Blog
> http://hackmycf.com - Is your ColdFusion Server Secure?
>
> On Thu, Aug 12, 2010 at 12:22 PM, Jeff Chastain <jeff.chast...@admentus.com> wrote:
> > Dave,
> >
> > Per my message earlier this week (http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336189), when I try cfinvoke or createObject("webservice", ..., I am getting an AxisFault error that I cannot get around. When I use cfhttp to post, I am getting the expected response back, but in a ByteArrayOutputStream.
> >
> > Thanks -- Jeff
> >
> > > > I am working with a SOAP web service in CF 8.0.1 and the filecontent attribute of the cfhttp response is a java.io.ByteArrayOutputStream. If I use the toString() method to convert this to text, I can see the XML response data plus the binary image strings that I was expecting. The problem is, I am not sure how to get this information out of the ByteArrayOutputStream.
> > >
> > > Out of curiosity, is there a reason why you're using CFHTTP to invoke a SOAP service instead of CFINVOKE? If you can't use CFINVOKE, you can probably just invoke the underlying Axis classes using Java.
> > >
> > > Dave Watts, CTO, Fig Leaf Software
> > > http://www.figleaf.com/
> > > http://training.figleaf.com/
> > >
> > > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsi

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336258
Preventing use of remote method by other sites
I have a method that I'm exposing remotely. We'll be using AJAX calls to insert usability stats about a new application. I'm working through the code when I realize that since it's remote access, anyone from any site could post to it and skew our results.

I'm wondering what's the best way to prevent access to this URL from any other site, or code. My first thought was to compare the current URL, dev1 for example, to the URL the request was made from, or perhaps the IP address. But I'm not sure how to get that information.

Anyone have ideas?

andy matthews

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336259
Re: Preventing use of remote method by other sites
Hi,

I would instantiate a session variable at the beginning of the calling page, add it to the parameters when calling the function, and then just check in the remote function whether the one given via parameter matches the one from session scope.

Regards,
Stephan

> I have a method that I'm exposing remotely. We'll be using AJAX calls to insert usability stats about a new application. I'm working through the code when I realize that since it's remote access, anyone from any site could post to it and skew our results.
>
> I'm wondering what's the best way to prevent access to this URL from any other site, or code. My first thought was to compare the current URL, dev1 for example, to the URL the request was made from, or perhaps the IP address. But I'm not sure how to get that information.
>
> Anyone have ideas?
>
> andy matthews

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336261
Move CF website to non CF host
Hi, newbie here so I apologize in advance.

I had a website developed that used an MS SQL database and it was done with CF. I no longer require the database or MS SQL as that part (one page) of the site is no longer used. I would like to move that site to be hosted without CF (or MS SQL). Can I just post it and have the html code run correctly without CF on the new host?

Sorry for the lack of details and I'm sure there are particulars that may or may not influence the answer, so a maybe, absolutely not or no problem answer are all acceptable.

Thanks for any input.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336262
Re: Move CF website to non CF host
Hi,

If your site (meaning the viewed pages of the site) aren't cfm pages anymore and all are html pages (or something alike), yes, you sure can. But if some called pages have the cfml extension, you still need a CF application server to serve them to the web server.

Stephane

> Hi, newbie here so I apologize in advance.
>
> I had a website developed that used an MS SQL database and it was done with CF. I no longer require the database or MS SQL as that part (one page) of the site is no longer used. I would like to move that site to be hosted without CF (or MS SQL). Can I just post it and have the html code run correctly without CF on the new host?
>
> Sorry for the lack of details and I'm sure there are particulars that may or may not influence the answer, so a maybe, absolutely not or no problem answer are all acceptable.
>
> Thanks for any input.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336263
CF8 DateFormat supporting Time mask? Since when?
I've always thought it sucked that DateFormat didn't support both date and time masks. Then today I'm making a date string: DateFormat(dObj, "mm/dd/"). I copy and paste and change the mask to DateFormat(dObj, "h:mm tt"). I hit refresh and I end up with "11:30 tt" as my string. I look back at the code and realize that I've forgotten to change it to TimeFormat from DateFormat when I pasted. Then I realized, holy crap, DateFormat is showing me the right time. I was shocked.

How long has this been this way? I know it used to error out, but I have no idea how many years ago it was that I last fiddled with it. Then I got to wondering, why didn't they add support for tt in the mask as well? It seems natural that if you are going to accept time masks you should also accept am/pm.

Has anyone else noticed this? How long has it been this way? Anyone know why Adobe didn't add support for tt?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336264
Re: Move CF website to non CF host
Do the other pages of your site that you want to keep end in .cfm, or do they end in .htm or .html?

If they are .htm files then you should be good to go (there are cases where you might not be, but you are most likely ok).

If they are .cfm files, can you run a file search/scan on your codebase/html/cfm files, and look for "<cf" (without the quotes) inside those files? If they are .cfm files, but do not contain any cf tags, then you have html pages named .cfm. At that point you could either rename the pages to .htm (and fix all the links), build some sort of htaccess/rewrite rule to forward broken links, or teach your web server to handle .cfm files as if they were just html, rather than coldfusion.

(There are many exceptions to the above, but the options above cover most sites I've seen and dealt with.)

Jerry Johnson

On Fri, Aug 13, 2010 at 2:33 PM, Jerry Cooper <jcoo...@excite.com> wrote:
> Hi, newbie here so I apologize in advance.
>
> I had a website developed that used an MS SQL database and it was done with CF. I no longer require the database or MS SQL as that part (one page) of the site is no longer used. I would like to move that site to be hosted without CF (or MS SQL). Can I just post it and have the html code run correctly without CF on the new host?
>
> Sorry for the lack of details and I'm sure there are particulars that may or may not influence the answer, so a maybe, absolutely not or no problem answer are all acceptable.
>
> Thanks for any input.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336265
Re: Move CF website to non CF host
If there's nothing dynamic about your pages you could just copy the compiled page and paste it into notepad. Then just save the page as whatevs.html. So go to index.cfm. In your browser click view source. Copy, and paste into notepad. Save as index.html. I think that's what you're asking.

Note that you're going to want to do 301 redirects to preserve link and seo goodness.

On Fri, Aug 13, 2010 at 2:33 PM, Jerry Cooper <jcoo...@excite.com> wrote:
> Hi, newbie here so I apologize in advance.
>
> I had a website developed that used an MS SQL database and it was done with CF. I no longer require the database or MS SQL as that part (one page) of the site is no longer used. I would like to move that site to be hosted without CF (or MS SQL). Can I just post it and have the html code run correctly without CF on the new host?
>
> Sorry for the lack of details and I'm sure there are particulars that may or may not influence the answer, so a maybe, absolutely not or no problem answer are all acceptable.
>
> Thanks for any input.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336266
ShadoCMS / ZoomFlex
Has anyone on the list used ShadoCMS or, more importantly, ZoomFlex from Straker? If so, I would like to communicate with you offlist.

Thanks!
-Cameron

--
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell: 678.637.5072
aim: cameroncf
email: camer...@gmail.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336267
Re: Preventing use of remote method by other sites
I use a cfc that checks to see if the method being called is from within the domain, is indeed ajax and that the method is indeed accessed remotely; otherwise abort the request. If you are doing cross site requests, pass a unique key in your form.

Is it ajax?

<cffunction name="isAjax" access="private" returntype="boolean" output="false">
    <!--- All of the user management requests are going to come via ajax
          within the domain. If a request is not from this site and not
          ajax, abort the request. Run this check on any of the remote
          methods. --->
    <cfscript>
        requestHeaders = getHTTPRequestData().headers;
        if (not StructKeyExists(requestHeaders, "X-Requested-With")) {
            return false;
        } else if (StructFind(requestHeaders, "X-Requested-With") neq "XMLHttpRequest") {
            return false;
        } else {
            return true;
        }
    </cfscript>
</cffunction>

Called on init:

<cfparam name="url.method" default="">
<cfscript>
    accessRemote = false;
    cfcname = getMetadata(this);
    // walk the component's function metadata to see whether the requested method is declared access="remote"
    for (i = 1; i lte arrayLen(cfcname.FUNCTIONS); i++) {
        fname = cfcname.FUNCTIONS[i];
        if (fname.name eq url.method and fname.access eq "remote") {
            accessRemote = true;
            break;
        }
    }
    if (not isAjax() and not accessRemote) {
        abort(); // this is a simple cfabort function for MX
    }
</cfscript>

On Fri, Aug 13, 2010 at 11:17 AM, Andy Matthews <li...@commadelimited.com> wrote:
> I have a method that I'm exposing remotely. We'll be using AJAX calls to insert usability stats about a new application. I'm working through the code when I realize that since it's remote access, anyone from any site could post to it and skew our results.
>
> I'm wondering what's the best way to prevent access to this URL from any other site, or code. My first thought was to compare the current URL, dev1 for example, to the URL the request was made from, or perhaps the IP address. But I'm not sure how to get that information.
>
> Anyone have ideas?
>
> andy matthews

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336268
RE: Preventing use of remote method by other sites
Oooh. That's a good idea. Since we're using it for AJAX, then make it so that it can ONLY be used as AJAX, which would prevent other sites from using it because of the cross site scripting.

Great idea Tony, thanks!

-----Original Message-----
From: Tony Bentley [mailto:cascadefreehee...@gmail.com]
Sent: Friday, August 13, 2010 2:55 PM
To: cf-talk
Subject: Re: Preventing use of remote method by other sites

> I use a cfc that checks to see if the method being called is from within the domain, is indeed ajax and that the method is indeed accessed remotely; otherwise abort the request. If you are doing cross site requests, pass a unique key in your form.
>
> Is it ajax?
>
> <cffunction name="isAjax" access="private" returntype="boolean" output="false">
>     <!--- All of the user management requests are going to come via ajax
>           within the domain. If a request is not from this site and not
>           ajax, abort the request. Run this check on any of the remote
>           methods. --->
>     <cfscript>
>         requestHeaders = getHTTPRequestData().headers;
>         if (not StructKeyExists(requestHeaders, "X-Requested-With")) {
>             return false;
>         } else if (StructFind(requestHeaders, "X-Requested-With") neq "XMLHttpRequest") {
>             return false;
>         } else {
>             return true;
>         }
>     </cfscript>
> </cffunction>
>
> Called on init:
>
> <cfparam name="url.method" default="">
> <cfscript>
>     accessRemote = false;
>     cfcname = getMetadata(this);
>     for (i = 1; i lte arrayLen(cfcname.FUNCTIONS); i++) {
>         fname = cfcname.FUNCTIONS[i];
>         if (fname.name eq url.method and fname.access eq "remote") {
>             accessRemote = true;
>             break;
>         }
>     }
>     if (not isAjax() and not accessRemote) {
>         abort(); // this is a simple cfabort function for MX
>     }
> </cfscript>
>
> On Fri, Aug 13, 2010 at 11:17 AM, Andy Matthews <li...@commadelimited.com> wrote:
> > I have a method that I'm exposing remotely. We'll be using AJAX calls to insert usability stats about a new application. I'm working through the code when I realize that since it's remote access, anyone from any site could post to it and skew our results.
> >
> > I'm wondering what's the best way to prevent access to this URL from any other site, or code. My first thought was to compare the current URL, dev1 for example, to the URL the request was made from, or perhaps the IP address. But I'm not sure how to get that information.
> >
> > Anyone have ideas?
> >
> > andy matthews

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336269
Re: Move CF website to non CF host
Jerry,

The problem that you'll run into is that there's going to be a lot of work involved in saving out the generated source code for each page as a .htm or .html file. A webserver that has not been set up to be aware of ColdFusion files (.cfm) (read: does not have a ColdFusion installation to process .cfm files) will send the raw .cfm page back to the requester *for download* instead of rendering the page.

In short, anything that already has a .htm or .html extension will run fine; anything with a .cfm extension will need to have its rendered output saved as a .html file before it's moved to the new server.

On Fri, Aug 13, 2010 at 2:33 PM, Jerry Cooper <jcoo...@excite.com> wrote:
> Hi, newbie here so I apologize in advance.
>
> I had a website developed that used an MS SQL database and it was done with CF. I no longer require the database or MS SQL as that part (one page) of the site is no longer used. I would like to move that site to be hosted without CF (or MS SQL). Can I just post it and have the html code run correctly without CF on the new host?
>
> Sorry for the lack of details and I'm sure there are particulars that may or may not influence the answer, so a maybe, absolutely not or no problem answer are all acceptable.
>
> Thanks for any input.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336270
Re: Preventing use of remote method by other sites
Here's another possibility: if you're using CF9 and the built-in AJAX functionality, you can use the verifyClient attribute of CFFUNCTION to attach a security token to each request. CF will look for the token; if it doesn't see it, the request will be denied.

On Fri, Aug 13, 2010 at 2:17 PM, Andy Matthews <li...@commadelimited.com> wrote:
> I have a method that I'm exposing remotely. We'll be using AJAX calls to insert usability stats about a new application. I'm working through the code when I realize that since it's remote access, anyone from any site could post to it and skew our results.
>
> I'm wondering what's the best way to prevent access to this URL from any other site, or code. My first thought was to compare the current URL, dev1 for example, to the URL the request was made from, or perhaps the IP address. But I'm not sure how to get that information.
>
> Anyone have ideas?
>
> andy matthews

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336271
Re: Move CF website to non CF host
Hey Jerry,

I'm going to offer another alternative. I'm assuming they want to move to another host that doesn't support CF to save money on their monthly hosting fees. If that is so, you could instead move them to a host that charges very little for CF hosting. GoDaddy's basic CF package is $4.99 a month, $3.99 if you pre-pay for a year...

http://www.godaddy.com/hosting/hosting.aspx?ci=17075

This could save you all the labor of removing all of the CF code, re-naming the files to .html and losing any SEO value your site has. (Renaming all your files will kill the archives any of the Search Engines have on your site...)

Just an alternative =]

--
Alan Rother
Manager, Phoenix Cold Fusion User Group, www.AZCFUG.org
Twitter: @AlanRother

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336272
RE: Preventing use of remote method by other sites
Works perfectly Tony. I simplified the conditional tho'

<cfif StructKeyExists(headers, 'X-Requested-With') AND headers['X-Requested-With'] EQ 'XMLHttpRequest'>
</cfif>

-----Original Message-----
From: Tony Bentley [mailto:cascadefreehee...@gmail.com]
Sent: Friday, August 13, 2010 2:55 PM
To: cf-talk
Subject: Re: Preventing use of remote method by other sites

> I use a cfc that checks to see if the method being called is from within the domain, is indeed ajax and that the method is indeed accessed remotely; otherwise abort the request. If you are doing cross site requests, pass a unique key in your form.
>
> Is it ajax?
>
> <cffunction name="isAjax" access="private" returntype="boolean" output="false">
>     <!--- All of the user management requests are going to come via ajax
>           within the domain. If a request is not from this site and not
>           ajax, abort the request. Run this check on any of the remote
>           methods. --->
>     <cfscript>
>         requestHeaders = getHTTPRequestData().headers;
>         if (not StructKeyExists(requestHeaders, "X-Requested-With")) {
>             return false;
>         } else if (StructFind(requestHeaders, "X-Requested-With") neq "XMLHttpRequest") {
>             return false;
>         } else {
>             return true;
>         }
>     </cfscript>
> </cffunction>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336273
Re: Preventing use of remote method by other sites
Any time! Keep in mind that anyone can call your method with Ajax so you still need to verify the request (localhost or otherwise).

On Fri, Aug 13, 2010 at 1:17 PM, Andy Matthews <li...@commadelimited.com> wrote:
> Oooh. That's a good idea. Since we're using it for AJAX, then make it so that it can ONLY be used as AJAX, which would prevent other sites from using it because of the cross site scripting.
>
> Great idea Tony, thanks!
>
> -----Original Message-----
> From: Tony Bentley [mailto:cascadefreehee...@gmail.com]
> Sent: Friday, August 13, 2010 2:55 PM
> To: cf-talk
> Subject: Re: Preventing use of remote method by other sites
>
> > I use a cfc that checks to see if the method being called is from within the domain, is indeed ajax and that the method is indeed accessed remotely; otherwise abort the request. If you are doing cross site requests, pass a unique key in your form.
> >
> > Is it ajax?
> >
> > <cffunction name="isAjax" access="private" returntype="boolean" output="false">
> >     <!--- All of the user management requests are going to come via ajax
> >           within the domain. If a request is not from this site and not
> >           ajax, abort the request. Run this check on any of the remote
> >           methods. --->
> >     <cfscript>
> >         requestHeaders = getHTTPRequestData().headers;
> >         if (not StructKeyExists(requestHeaders, "X-Requested-With")) {
> >             return false;
> >         } else if (StructFind(requestHeaders, "X-Requested-With") neq "XMLHttpRequest") {
> >             return false;
> >         } else {
> >             return true;
> >         }
> >     </cfscript>
> > </cffunction>
> >
> > Called on init:
> >
> > <cfparam name="url.method" default="">
> > <cfscript>
> >     accessRemote = false;
> >     cfcname = getMetadata(this);
> >     for (i = 1; i lte arrayLen(cfcname.FUNCTIONS); i++) {
> >         fname = cfcname.FUNCTIONS[i];
> >         if (fname.name eq url.method and fname.access eq "remote") {
> >             accessRemote = true;
> >             break;
> >         }
> >     }
> >     if (not isAjax() and not accessRemote) {
> >         abort(); // this is a simple cfabort function for MX
> >     }
> > </cfscript>
> >
> > On Fri, Aug 13, 2010 at 11:17 AM, Andy Matthews <li...@commadelimited.com> wrote:
> > > I have a method that I'm exposing remotely. We'll be using AJAX calls to insert usability stats about a new application. I'm working through the code when I realize that since it's remote access, anyone from any site could post to it and skew our results.
> > >
> > > I'm wondering what's the best way to prevent access to this URL from any other site, or code. My first thought was to compare the current URL, dev1 for example, to the URL the request was made from, or perhaps the IP address. But I'm not sure how to get that information.
> > >
> > > Anyone have ideas?
> > >
> > > andy matthews

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336274
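Added example (Python, written for this page; it is not Tony's CFC, Stephan's code, or anything from the thread) putting the two checks discussed in this thread side by side: the X-Requested-With test from Tony's isAjax() and the per-session token Stephan suggested. The constructed requests show why Tony's caveat matters: a client that sets the header by hand passes the header check alone, but not the session-token check, because a foreign page or script never sees the token issued to the victim's session. The session dictionary, the "remote_token" key and the "token" request parameter are assumptions, not names from the thread.

```python
"""Guarding a remote AJAX method: header check plus per-session token."""
import hmac
import secrets


def is_ajax(headers):
    """Equivalent of the thread's isAjax(): true only when the request carries
    X-Requested-With: XMLHttpRequest. Header names compare case-insensitively
    because HTTP header names are. Any HTTP client can set this header, so on
    its own this only filters out plain browser navigation and naive scripts."""
    lowered = {name.lower(): value for name, value in headers.items()}
    return lowered.get("x-requested-with") == "XMLHttpRequest"


def start_session():
    """Constructed stand-in for the calling page's session scope (assumption).
    The page generates a random token when it renders and embeds it in the
    parameters of its own AJAX calls, as Stephan described."""
    return {"remote_token": secrets.token_hex(16)}


def authorize_remote_call(headers, params, session):
    """Return (allowed, reason). Accept only requests that look like AJAX AND
    carry the token issued to this session. compare_digest keeps the string
    comparison constant-time so the token cannot be guessed byte by byte."""
    if not is_ajax(headers):
        return False, "missing or wrong X-Requested-With header"
    expected = session.get("remote_token")
    supplied = params.get("token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "session token missing or mismatched"
    return True, "ok"


def demo():
    """Run four constructed requests against one session and report which
    are accepted. Returns (legit, forged_header_only, plain_get, other_session)."""
    session = start_session()
    token = session["remote_token"]
    ajax_headers = {"X-Requested-With": "XMLHttpRequest"}

    # (1) the site's own page: XMLHttpRequest call carrying its session token
    legit = authorize_remote_call(ajax_headers, {"token": token}, session)
    # (2) a script that sets the header by hand but has no token;
    #     is_ajax() alone would let this through (Tony's "anyone can call it with Ajax")
    forged_header = authorize_remote_call(ajax_headers, {}, session)
    # (3) a plain GET typed into an address bar: token present, header absent
    plain = authorize_remote_call({}, {"token": token}, session)
    # (4) a token that belongs to a different session
    other = start_session()
    stale = authorize_remote_call(ajax_headers, {"token": other["remote_token"]}, session)

    return legit[0], forged_header[0], plain[0], stale[0]


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The header check still has a use as a cheap first filter, but only the token ties the call to a session the server issued, which is the part a foreign site cannot supply.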
Re: Move CF website to non CF host
If we're going to pitch hosting options: I host my blog, http://www.sstwebworks.com, with Alurium. They're running Railo, which will run about 99% of the CFML code that's out there. They don't have GoDaddy's draconian sandboxing (no use of the createObject() function stands out) and they're running the latest version of Railo where GoDaddy is running CF 7 or CF 8. Plans start at $3.75 a month.

http://alurium.com/clients/aff.php?aff=011

On Fri, Aug 13, 2010 at 4:30 PM, Alan Rother <alan.rot...@gmail.com> wrote:
> Hey Jerry,
>
> I'm going to offer another alternative. I'm assuming they want to move to another host that doesn't support CF to save money on their monthly hosting fees. If that is so, you could instead move them to a host that charges very little for CF hosting. GoDaddy's basic CF package is $4.99 a month, $3.99 if you pre-pay for a year...
>
> http://www.godaddy.com/hosting/hosting.aspx?ci=17075
>
> This could save you all the labor of removing all of the CF code, re-naming the files to .html and losing any SEO value your site has. (Renaming all your files will kill the archives any of the Search Engines have on your site...)
>
> Just an alternative =]
>
> --
> Alan Rother
> Manager, Phoenix Cold Fusion User Group, www.AZCFUG.org
> Twitter: @AlanRother

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336275
RE: Move CF website to non CF host
Nice affiliate link! Hope you make a few shekels from developers clicking. https://alurium.com/clients/affiliates.php

-Original Message-
From: Scott Stewart [mailto:webmas...@sstwebworks.com]
Sent: Friday, August 13, 2010 4:40 PM
To: cf-talk
Subject: Re: Move CF website to non CF host

if we're going to pitch hosting options: I host my blog, http://www.sstwebworks.com with Alurium. They're running Railo which will run about 99% of the CFML code that's out there. They don't have GoDaddy's draconian sandboxing (no use of the createObject() function stands out) and they're running the latest version of Railo where GoDaddy is running CF 7 or CF 8. Plans start at $3.75 a month http://alurium.com/clients/aff.php?aff=011

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336276
RE: Preventing use of remote method by other sites
But crossdomain policies would prevent it from being accessed via AJAX right?

andy

-Original Message-
From: Tony Bentley [mailto:cascadefreehee...@gmail.com]
Sent: Friday, August 13, 2010 3:33 PM
To: cf-talk
Subject: Re: Preventing use of remote method by other sites

Any time! Keep in mind that anyone can call your method with Ajax so you still need to verify the request (localhost or otherwise)

On Fri, Aug 13, 2010 at 1:17 PM, Andy Matthews li...@commadelimited.com wrote:

Oooh. That's a good idea. Since we're using it for AJAX, then make it so that it can ONLY be used as AJAX, which would prevent other sites from using it because of the cross site scripting. Great idea Tony, thanks!

-Original Message-
From: Tony Bentley [mailto:cascadefreehee...@gmail.com]
Sent: Friday, August 13, 2010 2:55 PM
To: cf-talk
Subject: Re: Preventing use of remote method by other sites

I use a cfc that checks to see if the method being called is from within the domain, is indeed ajax and that the method is indeed accessed remotely, otherwise abort the request. If you are doing cross site requests, pass a unique key in your form.

Is it ajax?

<cffunction name="isAjax" access="private" returntype="boolean" output="false">
    <!--- all of the user management requests are going to come via ajax within the domain.
          if a request is not from this site and not ajax, abort the request.
          run this check on any of the remote methods --->
    <cfscript>
        // the header jQuery and most other libraries add to an XMLHttpRequest
        requestHeaders = getHTTPRequestData().headers;
        if (not StructKeyExists(requestHeaders, "X-Requested-With")) {
            return false;
        } else if (StructFind(requestHeaders, "X-Requested-With") neq "XMLHttpRequest") {
            return false;
        } else {
            return true;
        }
    </cfscript>
</cffunction>

Called on init:

<cfparam name="url.method" default="">
<cfscript>
    // walk the component metadata to see whether url.method names one of our remote functions
    accessRemote = false;
    cfcname = getMetadata(this);
    for (i = 1; i lte arrayLen(cfcname.FUNCTIONS); i++) {
        fname = cfcname.FUNCTIONS[i];
        if (fname.name eq url.method and fname.access eq "remote") {
            accessRemote = true;
            break;
        }
    }
    if (not isAjax() and not accessRemote) {
        abort(); // this is a simple cfabort function for MX
    }
</cfscript>

On Fri, Aug 13, 2010 at 11:17 AM, Andy Matthews li...@commadelimited.com wrote:

I have a method that I'm exposing remotely. We'll be using AJAX calls to insert usability stats about a new application. I'm working through the code when I realize that since it's remote access, anyone from any site could post to it and skew our results. I'm wondering what's the best way to prevent access to this URL from any other site, or code. My first thought was to compare the current URL, dev1 for example, to the URL the request was made from, or perhaps the IP address. But I'm not sure how to get that information. Anyone have ideas?

andy matthews

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336277
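The exchange above turns on two different checks: the X-Requested-With header that the posted CFC tests, and the "unique key in your form" Tony mentions for anything that must survive a caller who is not a browser. The block below is an added example, written for this page in Python rather than CFML and not code from the thread or from either poster; it runs the same three checks (the header, an Origin/Referer allowlist, a per-session token) over three constructed requests. The site origin `https://dev1.example.com`, the `Session` layout, the form field name `token` and the `accept_stats_post` method name are all assumptions made for the example.

```python
"""Request-origin checks for a remotely exposed method (added example).

Constructed requests only; no network. The allowed origin, session
layout and field names are assumptions, not from the thread.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed: the one site whose pages may post usability stats.
ALLOWED_ORIGINS = {"https://dev1.example.com"}


@dataclass
class Session:
    """Server-side session. The token is minted once per session and
    rendered into the page whose script makes the AJAX calls."""
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def is_ajax(headers):
    """The check from the posted CFC: X-Requested-With must be XMLHttpRequest.
    A browser sends this header only when script on the page adds it, but a
    non-browser client (curl, a script) can add it with one flag, so on its
    own it says nothing about who is calling."""
    return headers.get("X-Requested-With", "").lower() == "xmlhttprequest"


def _origin_of(url):
    """scheme://host[:port] of a URL, or None if it has neither."""
    parts = urlsplit(url)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return None


def is_same_site(headers):
    """Browsers set Origin (or at least Referer) themselves and page script
    cannot override them; a client outside a browser can send anything."""
    origin = headers.get("Origin") or _origin_of(headers.get("Referer", ""))
    return origin in ALLOWED_ORIGINS


def has_valid_token(form, session):
    """The per-session secret echoed back in the form body. Another site
    never sees it, and a forging script has nothing to copy it from.
    Compared in constant time."""
    return hmac.compare_digest(form.get("token", ""), session.token)


def accept_stats_post(headers, form, session):
    """Decision for the hypothetical remote method that inserts a stat."""
    return (is_ajax(headers)
            and is_same_site(headers)
            and has_valid_token(form, session))


def run_demo():
    """Three constructed requests against one session."""
    session = Session()
    site = "https://dev1.example.com"

    # 1. The real page's XMLHttpRequest: header, Origin and token present.
    legit_headers = {"X-Requested-With": "XMLHttpRequest", "Origin": site}
    legit_form = {"event": "click", "token": session.token}

    # 2. A browser on another site auto-submitting a form: no custom
    #    header, the other site's Origin, and no way to know the token.
    cross_headers = {"Origin": "https://attacker.example",
                     "Referer": "https://attacker.example/p.html"}
    cross_form = {"event": "fake"}

    # 3. A script forging both headers: the header and Origin checks pass,
    #    the token check does not.
    forged_headers = {"X-Requested-With": "XMLHttpRequest", "Origin": site}
    forged_form = {"event": "fake"}

    return {
        "legit": accept_stats_post(legit_headers, legit_form, session),
        "cross_site_ajax_check": is_ajax(cross_headers),
        "cross_site": accept_stats_post(cross_headers, cross_form, session),
        "forged_ajax_check": is_ajax(forged_headers),
        "forged_same_site": is_same_site(forged_headers),
        "forged": accept_stats_post(forged_headers, forged_form, session),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The header and Origin checks are what keep a page on another site from posting through a visitor's browser; the token is what stops anyone posting from outside a browser, which is the case Tony points to when he says anyone can call the method.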
Re: Move CF website to non CF host
Wow, thanks for all the great info! To answer a couple questions. Pages ending in .cfm? Only index.cfm. It's only 7 pages and all others are .html. cf tags? There are no cf tags on any of the pages. I just did a view source on all the pages and searched. Thanks again for all the effort to help somebody clueless!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336278
Re: Preventing use of remote method by other sites
Yes you are right. I just wasn't sure if you were building an API or something that would require public access.

On Fri, Aug 13, 2010 at 1:48 PM, Andy Matthews li...@commadelimited.com wrote:

But crossdomain policies would prevent it from being accessed via AJAX right?

andy

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336279
RE: Preventing use of remote method by other sites
Okay. Phew. This is a single CFC available on our site.

andy

-Original Message-
From: Tony Bentley [mailto:cascadefreehee...@gmail.com]
Sent: Friday, August 13, 2010 4:17 PM
To: cf-talk
Subject: Re: Preventing use of remote method by other sites

Yes you are right. I just wasn't sure if you were building an API or something that would require public access.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336280
Re: Move CF website to non CF host
Jerry, Just make sure that you convert index.cfm from the generated source code... and you should be good to go

On Fri, Aug 13, 2010 at 4:45 PM, Jerry Cooper jcoo...@excite.com wrote:

Wow, thanks for all the great info! To answer a couple questions. Pages ending in .cfm? Only index.cfm. It's only 7 pages and all others are .html. cf tags? There are no cf tags on any of the pages. I just did a view source on all the pages and searched. Thanks again for all the effort to help somebody clueless!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336281
Re: Move CF website to non CF host
In short, anything that already has a .htm or .html extension will run fine, anything with a .cfm extension will need to have its rendered output saved as a .html file before it's moved to the new server.

Scott, Now I feel like I am taking advantage but here goes. When you say "rendered output saved as an .html file" do you mean just bringing up the home page in a browser and saving as index.html then replacing the index.cfm file with that? Sorry for dragging this out.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336282
Re: Move CF website to non CF host
Exactly that.

On Fri, Aug 13, 2010 at 5:31 PM, Jerry Cooper jcoo...@excite.com wrote:

Scott, Now I feel like I am taking advantage but here goes. When you say "rendered output saved as an .html file" do you mean just bringing up the home page in a browser and saving as index.html then replacing the index.cfm file with that?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336283
Re: Move CF website to non CF host
Yes, just do a view source, copy the source into whatever editor you're using and save it as a .html file

On Fri, Aug 13, 2010 at 5:41 PM, Jerry Johnson jmi...@gmail.com wrote:

Exactly that.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336284
Re: Move CF website to non CF host
Excellent! Thanks again to all that contributed. I will return and let you all know the outcome of this adventure. I hate it when people leave these threads hanging without an ending.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336285