You can check out my security application framework here (bottom of the
page):
http://www.depressedpress.com/Content/Development/ColdFusion/DPLibraries/Ind
ex.cfm
It's woefully undocumented, but all of the CFCs used are. The system is
completely CFC based and provides only the services for secur
Subject: Re: Application Security Framework or model available?
If you're willing to accept the framework it comes with. :) There's a
complete security suite in the Members onTap plugin that would be able
to provide the kind of access you describe. You would probably need to
implement a RuleManager component to augment the security suite that's
built into the p
Sandy,
Thanks for the response. I'll take a look at your Fusebox plugin to
see if it gives me any ideas.
I am not using Fusebox.
I am using ColdFusion MX 7 with Mach-II and Oracle 9.2.
--
Thanks,
Troy
If you are using Fusebox, I have a roles based security system that plugs
into the Fusebox permissions. Alternatively you could use it to secure
parts by simply making calls to application.security.validatepermissions().
You can create profiles which apply privileges.
Sample app and stuff are on
Nope no matter what I set the timeout to, I never get prompted to log
in after the first time.
Thanks
-- Jeff
From: Frank Mamone [mailto:[EMAIL PROTECTED]
Sent: Monday, May 31, 2004 8:23 PM
To: CF-Talk
Subject: Re: Application Security Confusion
Jeff,
What happens if you set the Timeout to 0? Do they timeout then?
-Frank
- Original Message -
From: Jeff Chastain
To: CF-Talk
Sent: Monday, May 31, 2004 10:08 AM
Subject: RE: Application Security Confusion
Okay, Hal's tutorial fixed the browser close issue.
Ho
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Monday, May 31, 2004 7:14 PM
To: CF-Talk
Subject: RE: Application Security Confusion
> Suppose for some reason that I wanted to have session
> variables not ever expire. How would I go about attempting
> to do that with code only - no changes to the administrator
> or anything else?
You would need to ensure that the browser always requests another page
before the inactivity time
Sorry, I'm out of ideas
> -Original Message-
> From: Jeff Chastain [mailto:[EMAIL PROTECTED]
> Sent: maandag 31 mei 2004 21:40
> To: CF-Talk
> Subject: RE: Application Security Confusion
>
> Nope, no frames at all in this app, and there are no
> automatic
> Sent: maandag 31 mei 2004 19:59
> To: CF-Talk
> Subject: RE: Application Security Confusion
>
> Okay, from more tests, it appears the problem is in the code
> somewhere. I have run a separate small test of the session
> variables on this server and
> they expire as expected. So
To: CF-Talk
Subject: RE: Application Security Confusion
Your code? Did you try my suggestion and dump the session scope right
after the cfapplication tag?
Do you have any other cfapplication tags with the same name? (change the
name maybe)
Is there some code in there that makes requests without you seeing it
> -Original Message-
> From: Jeff Chastain [mailto:[EMAIL PROTECTED]
> Sent: maandag 31 mei 2004 16:08
> To: CF-Talk
> Subject: RE: Application Security Confusion
>
> Okay, Hal's tutorial fixed the browser close issue.
>
> However, I still cannot get the session variables to tim
login.
Any thoughts on what might cause this?
Thanks
-- Jeff
From: Pascal Peters [mailto:[EMAIL PROTECTED]
Sent: Monday, May 31, 2004 3:52 AM
To: CF-Talk
Subject: RE: Application Security Confusion
Jeff,
They have to die at sessiontimeout, but NOT when you close your browser
(if you are using CF sessions on CFMX or a lower version). If you use
J2EE sessions in CFMX, the session will end if you close all browser
windows.
Without seeing code, I can't imagine why the session would persist aft
Thanks! Do you have an example? I don't see one in the documentation. Is it
as simple as applicationtoken=app1,app2?
Thanks again,
Rob
-Original Message-
From: Raymond Camden [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 17, 2003 3:54 PM
To: CF-Talk
Subject: RE: Application Securi
Use the ApplicationToken attribute for CFLOGIN. This allows you to share
them.
===
Raymond Camden, ColdFusion Jedi Master for Mindseye, Inc
(www.mindseye.com)
Member of Team Macromedia (http://www.macromedia.com/go/teammacrom
Yes it does matter, since this is a frame you do not want the login page
loading inside the frame.
You have:
document.location="int.cfm"
which will indeed load it into the frame.
You want to do top.document.location instead.
Example
top.document.location.href='int.cfm';
ben, thanks for your help
-Original Message-
From: Ben Doom [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 27, 2003 1:49 PM
To: CF-Talk
Subject: RE: Application security structure
bryan, thanks for your help
-Original Message-
From: Bryan F. Hogan [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 27, 2003 1:46 PM
To: CF-Talk
Subject: RE: Application security structure
thanks for your help
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 27, 2003 1:54 PM
To: CF-Talk
Subject: Re: Application security structure
You need to check to see if the user is being redirected to that page. If they are,
then they should skip the authentication.
- Original Message -
From: John Stanley <[EMAIL PROTECTED]>
Date: Thursday, March 27, 2003 11:39 am
Subject: Application security structure
> Running CFMX
You have to make an exception for the login page, else it keeps trying to
redirect from the login page to the login page. You should also put a
redirect at the bottom of the code block that handles creating the session
variables, because if there is no authorization stored in session, then the
user
P.S. It should be:
Bryan F. Hogan
Director of Internet Development
Team Macromedia Volunteer
Macromedia Certified ColdFusion MX Developer
Digital Bay Media, Inc.
1-877-72DIGITAL
-Original Message-
You pretty much have it. Change this:
document.location="int.cfm"
Into this:
document.location="int.cfm"
Bryan F. Hogan
Director of Internet Development
Team Macromedia Volunteer
We've got at least up through updater 2 installed on my server. I'm
not sure about updater 3, but I suspect yes.
-Patti
On Friday, March 21, 2003, at 11:42 AM, Nathan Mische wrote:
This sounds like the exact same issue I was having trying to use cflogin
with integrated windows authentication on IIS 5. The issue seemed to be
resolved in updater 2.
--Nathan
> Can you describe how you set up your web based security? I mean your
> web
> server settings to enable this.
>
I'm not the server admin, so I can't tell you exactly what's up. All I
know is that they're using Novell and "net id" what I do not know
is if "net id" is what the thing is actu
> well, not the login "form", but the login prompt that is
> thrown by the
> web server. I do log on as B, and the browser seems to know
> I'm B (the
> cgi.auth_user variable has changed), but it looks like the query to
> check and see if B is in my database never actually ran... which kind
> What 'auth_user'? The result of getAuthUser() you mean?
>
Yeah, the authentication token that shows up in cgi.auth_user...
>
> So, even if you logout - you can't login as someone else? Does your
> logon form show up if you close your browser and return? Ie, the system
> _at least_ know that you n
Ah -I thought it sounded a
Well, I posted a message here about a month or two ago that didn't get
much play, and then I proxied my message to the CFGURU list through
another member there. You tried valiantly to help there, but the end
result was me giving up in frustration.
I find that it is EXTREMELY difficult to su
Again? Am I missing another conversation. :) Can you elaborate?
-Ray
> I'm not getting back into it again, but there are further
> problems when
> you use idletimeout, session variables that are set in a
> block
> and deleted during and server authentication.
>
> -Patti
> On Thursday, Mar
I knew it.
On Monday, March 17, 2003, at 02:04 PM, Raymond Camden wrote:
> 1) If you use cflogin.* to check for logins, idleTimeout ceases to
> function.
on 3/17/03 12:51 PM, Raymond Camden at [EMAIL PROTECTED] wrote:
> Available here...
>
> http://www.camdenfamily.com/morpheus/cf_preso.cfm
>
Wow, this is TRULY a great presentation, and I completely missed this one
at devcon (I was way too concerned with trying to get a handle on the
Dreamnweav
on 3/17/03 12:38 PM, Raymond Camden at [EMAIL PROTECTED] wrote:
> It sounds like you are saying, I want to protect a subfolder, but not a
> root folder. It also sounds like you will have multiple sub folders to
> protect, each folder protected by roles. So, yes, your ROOT
> application.cfm should
But then I maybe just getting old and set in my old fart ways. :)
Doug
on 3/17/03 12:27 PM, Raymond Camden at [EMAIL PROTECTED] wrote:
> Correct, because my 'core' Application.cfm will contain site-wide logic,
> but I have a specific need for this particular subfolder. So, unlike
> most Application.cfm files, you won't see a tag in it.
> We aren't defining a new appl
on 3/17/03 12:23 PM, [EMAIL PROTECTED] at
[EMAIL PROTECTED] wrote:
> depends...I know vague frustration going on here...but it does depend on how
> you set it up. I usually use a two dir system myself with a dir /login with
> its own application.cfm file that does no login check and an applicatio
on 3/17/03 11:53 AM, Raymond Camden at [EMAIL PROTECTED] wrote:
> Correct, although I normally recommend using self-posting forms. It
> makes updates _much_ easier.
Self posting forms, like the type that DreamweaverMX makes?
>> Once the user successfully logs in:
>> Place a line of code on each
on 3/17/03 11:49 AM, [EMAIL PROTECTED] at
[EMAIL PROTECTED] wrote:
> no need to place this check in every page...that's what application.cfm is
> for.
>
>
> Doug
>
Arrrgh...But I thought that any code in the application.cfm page was run
when every page was requested. If I put that code in my ap
> 1. Login.cfm will reside in the root and will take username
> and password 2. Login_process will ALSO reside in the root,
> and if the user successfully logs in, it sets a session,
> refreshes the parent window, then
Correct, although I normally recommend using self-posting forms. It
makes
on 3/17/03 11:14 AM, Raymond Camden at [EMAIL PROTECTED] wrote:
> Well, if it's user data like age, name, rank, etc, a struct seems to
> make more sense, but use whatever is best for you.
Actually, a struct makes a LOT of sense, and I see what you're saying now.
> Why not just use one applicatio
on 3/17/03 10:46 AM, Raymond Camden at [EMAIL PROTECTED] wrote:
> The cflogin tag has nothing to do with sessions. Period. As it stands,
> you 'create' a session when you put the cfapplication tag in your
> browser. I believe it exists even before you do your first session.foo = 1>. (Actually, I'm
> Darn, that did more to confuse me than anything else...
>
> So lemme get this straight, I'm not going to be able to start
> my logic with "does a session exist?" because the cflogin tag
> isn't going to do anything with sessions? Like create one?
The cflogin tag has nothing to do with session
on 3/17/03 10:23 AM, Raymond Camden at [EMAIL PROTECTED] wrote:
> The cflogin framework handles 2 basic things - authentication and
> authorization. User data would still need to be handled as it is now.
> For example, maybe on login you get info like the user's name and age.
> You could then store
> Also, if I use I'm limited to "name",
> "password", and "roles", but the table is going to store more
> information than that, that I'd like access to, like first
> and last name for instance. I'd like to display that on each
> page, but I'm not sure how to get it for each logged in user. Et
Archives of this list has covered this in pretty good detail.
>>> "Christian Abad" <[EMAIL PROTECTED]> 01/24/02 03:17PM >>>
Folks:
I am looking for a good resource on securing my CF applications. Is there
a
central repository for CF application security information? Does a
"checklist" of do's
> There is an article "Introduction to the Problem" by Hal
> Helms, Vol. 1 Issue
> 2 of the CFDJ which has a prototype of which you are
> describing or seems
> like what you are looking for.
Thanks... I'll check it out.
Aidan
--
Aidan Whitehall <[EMAIL PROTECTED]>
Macromedia ColdFusion Devel
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, September 17, 2001 9:14 AM
Subject: RE: Application security
> When the user logs in, they're given a set of security
> tokens. When the user takes action on a page, the page
> checks to see if they have the tokens before
> proceeding.
> [ snip ]
This sounds interesting, but I'm trying to get away from a security
framework that requires security code on ev
You might try token-based security:
When the user logs in, they're given a set of security
tokens. When the user takes action on a page, the page
checks to see if they have the tokens before
proceeding.
Tokens can be hierarchical, e.g.
App1 = general user token for app1
App2 = general user toke
Thanks for the reply. This is pretty similar to what's there already, but I
was after something that was a bit more "roles" based that perhaps created a
list of folder names tha
http://www.cfhub.com/discussion/viewmessages.cfm?Forum=11&Topic=1534
http://cfhub.com/discussion/viewmessages.cfm?Forum=11&Topic=1553
My latest project required a "group" style of permissions management so I
looked into BitMasks.
Very interesting stuff... The "production" code isn't finished, bu
We use a Security structure like this:
SecLevel.Admin = 1
SecLevel.Update = 2
SecLevel.Public = 3
The Higher access being the lowest number, so that any revisions to the
security would be higher numbers. Then we can do a numeric comparison for
access.
Next, we store the user's access level as
[back to login form maybe]
Logged In.
Once the user logs in correctly, the IsAuthorized check will never be run
until the session expires. You could easily use cookies or client vars,
etc.
Off the top of my head, but should be fi