RE: Application security structure

2003-03-27 Thread Bryan F. Hogan
You pretty much have it. Change this:

<cfif session.Auth.UserID eq 0>
<script>
document.location="int.cfm"
</script>
</cfif>


Into this:

<cfif session.Auth.UserID eq 0 and FindNoCase('int.cfm',Script_Name)>
<script>
document.location="int.cfm"
</script>
</cfif>

Bryan F. Hogan
Director of Internet Development
Team Macromedia Volunteer
Macromedia Certified ColdFusion MX Developer
Digital Bay Media, Inc.
1-877-72DIGITAL


-Original Message-
From: John Stanley [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 27, 2003 1:40 PM
To: CF-Talk
Subject: Application security structure


Running CFMX

Okay, this is a very basic question for a lot of you, but one that gives me
pause every time it comes up.

I am developing a large application-level web site that will house several
smaller applications inside of it. I am using application and user-groups
defined roles for each user to limit their access to whatever I want them to
see. This all works great.

Here is my problem:
1. The application.cfm loads with every page request.
2. If there is no Session.Auth structure, it makes one.
3. The session scope for the application tag in my application.cfm is set to
timeout after 20 minutes.
4. If the browser has had no activity for the prescribed length of time, the
user on the next page request should be prompted to log in again.
5. I cannot figure out how to redirect the user by using code on the
application.cfm to do this. Sort of like the following:

<cfif not isdefined("session.Auth")>
  <cfset session.Auth = structNew()>
  <cfset session.Auth.UserID = 0>
  <cfset session.Auth.LoginAttempts = 0>
  <cfset session.Auth.AppList = "">
<cfelse>
  <cfif session.Auth.UserID eq 0>
  <script>
  document.location="int.cfm"
  </script>
  </cfif>
</cfif>

This should be very easy, but I just can't get my head around it. I keep
getting the million-page-loading problem.

Any thoughts.

:-)

John




~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
This list and all House of Fusion resources hosted by CFHosting.com. The place for 
dependable ColdFusion Hosting.

Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4



RE: Application security structure

2003-03-27 Thread Bryan F. Hogan
P.S. It should be:

<cfif session.Auth.UserID eq 0 and not FindNoCase('int.cfm',Script_Name)>


Bryan F. Hogan
Director of Internet Development
Team Macromedia Volunteer
Macromedia Certified ColdFusion MX Developer
Digital Bay Media, Inc.
1-877-72DIGITAL





RE: Application security structure

2003-03-27 Thread Ben Doom
You have to make an exception for the login page, else it keeps trying to
redirect from the login page to the login page.  You should also put a
redirect at the bottom of the code block that handles creating the session
variables, because if there is no authorization stored in session, then the
user isn't logged in by definition.


--  Ben Doom
Programmer  General Lackey
Moonbow Software, Inc




Re: Application security structure

2003-03-27 Thread ksuh
You need to check to see if the user is being redirected to that page.  If they are, 
then they should skip the authentication.

<cfif not isDefined("session.Auth") and listLast(cgi.path_info, "/") neq "int.cfm">




RE: Application security structure

2003-03-27 Thread John Stanley
thanks for your help




RE: Application security structure

2003-03-27 Thread John Stanley
bryan, thanks for your help




RE: Application security structure

2003-03-27 Thread John Stanley
ben, thanks for your help




RE: Application security structure -- ADDENDUM

2003-03-27 Thread Bryan F. Hogan
Yes it does matter, since this is a frame you do not want the login page
loading inside the frame.

You have:

<script>
document.location="int.cfm"
</script>

which will indeed load it into the frame.

You want to do top.document.location instead.

Example

<script>
top.document.location.href='int.cfm';
</script>


Bryan F. Hogan
Director of Internet Development
Team Macromedia Volunteer
Macromedia Certified ColdFusion MX Developer
Digital Bay Media, Inc.
1-877-72DIGITAL


-Original Message-
From: John Stanley [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 27, 2003 1:51 PM
To: CF-Talk
Subject: Application security structure -- ADDENDUM


I don't know if this matters, but

the default page for this site is int.cfm which is a frame page that calls
the page content.cfm. this page checks to see whether the user has
successfully logged in, and then directs them to the correct page.



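
The replies in this thread, combined into one Application.cfm as an added example (not code from any poster): the login-page exemption compares the exact file name, because a substring test such as FindNoCase('int.cfm', Script_Name) is also true for a page like print.cfm, and the request is stopped on the server with cfabort so the requested page never runs for an anonymous session. The application name, the publicPages variable, and the assumption that int.cfm is the only page reachable before login and sits in the same directory as the requested page are illustrative.

```cfm
<!--- Application.cfm: added example, not code from the thread --->
<cfapplication name="exampleApp"
               sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#">

<!--- Pages that may load without a login. Assumption: only int.cfm.
      Add any other page that must render before login (for example the
      page loaded inside the frame), or it will redirect in a loop. --->
<cfset publicPages = "int.cfm">

<!--- A new or timed-out session has no Auth struct: recreate it as anonymous. --->
<cfif not StructKeyExists(session, "Auth")>
    <cfset session.Auth = StructNew()>
    <cfset session.Auth.UserID = 0>
    <cfset session.Auth.LoginAttempts = 0>
    <cfset session.Auth.AppList = "">
</cfif>

<!--- Take the last path segment and match it exactly against the list.
      An exact match exempts int.cfm but not print.cfm or myint.cfm. --->
<cfset requestedPage = ListLast(CGI.SCRIPT_NAME, "/")>

<!--- This check runs after the struct is created, not in a cfelse branch,
      so a freshly created anonymous session is redirected as well. --->
<cfif session.Auth.UserID eq 0 and not ListFindNoCase(publicPages, requestedPage)>
    <!--- Emit only the frame-breaking redirect, then stop the request.
          Without cfabort the requested page would still execute and its
          output would be sent to the browser after the script tag, so the
          redirect alone does not protect the page. --->
    <script>top.document.location.href = "int.cfm";</script>
    <cfabort>
</cfif>
```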