Security best practice

Posted on 2004-11-18
Last Modified: 2013-12-24
My apologies if this is not the right topic to ask this question in, but I have a Windows 2000 Server running IIS and SQL Server 2000 with Coldfusion 6.1.

Most of the sites I create simply use a query of a table in the database to authenticate and authorize users.  The not so simple part of that is that I then need to write every page to include a security check.

As a best practice, what is your opinion of the most efficient, yet secure, way to build a site?

I would prefer to just set a folder's permission somehow and let the server check for the proper credentials each time someone accesses a page than for me to have to check for authentication and authorization on every page.

Using Active Directory integration isn't an option for us.  I must use the sql server usernames and passwords for all authentication/authorization.

Thanks in advance,
Question by: prairieits
    LVL 35

    Accepted Solution

    If you cannot use Windows Integrated Login - which it sounds like you can't - then you need to proceed with a separately maintained login system.  You can't use a folder's permission settings if you are not using integrated login.

    One thing you could do is - if you know the IPs - then you can restrict the files/folders to those IP ranges.  This deals with authorization, but if you need authentication as well then you still have to write your own system.

    I know that isn't much help, but it sounds like you are already doing it the way you need to for your situation.
    LVL 4

    Author Comment


    Thanks for the feedback.  Everything I write is for internal use only, so restricting by IP won't work.  The people who I need to defend against are employees who don't have access to applications (in part or at all).  Right now, I run the query, make a cookie if they are listed as an administrative user, make another cookie with their login's unique system id and then use those 2 items to both authenticate (are you logged in?) the user and authorize (do you have permission to see this portion of an application?)

    I am putting that code on every page, so when I make an update, it is very slow because all pages need updating.  What I would like to see is something like a package called Authentix (see it at  The only problem is that it can handle initial authentication, but it doesn't handle authorization.

    I will keep this open for a little while to see if anyone else brainstorms about something that may be useful.

    LVL 8

    Expert Comment

    I write session variables and everything is written in Fusebox.

    After authentication,  a session variable is written to define authorization to each application.  The application is in its own folder and the index page has a simple if statement for authorization to that specific application.  If authorization fails, display the "no access, contact tech. dept." page.  
    LVL 22

    Expert Comment

    Hi prairieits,
    just check that out... :D

    LVL 2

    Assisted Solution

    I don't know if you are aware of it, but instead of including the code on every page you can put it in the Application.cfm file...
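An added example of what that Application.cfm could look like (not code from any of the answers above): it assumes a hypothetical login.cfm that runs the SQL Server user query and sets session.userID / session.isAdmin, and a constructed map of folders to the privilege each requires.

```cfml
<!--- Application.cfm: ColdFusion runs this before every .cfm page under this folder,
      so the authentication and authorization check lives in one place --->
<cfapplication name="intranet"
               sessionmanagement="Yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">

<!--- Every new session starts out unauthenticated (hypothetical variable names) --->
<cfparam name="session.userID"  default="0">
<cfparam name="session.isAdmin" default="false">

<!--- Constructed sample: which folders need which privilege.
      Anything not listed only requires a logged-in user. --->
<cfset requiredRole = StructNew()>
<cfset requiredRole["/apps/payroll/"]  = "admin">
<cfset requiredRole["/apps/helpdesk/"] = "user">

<!--- login.cfm (assumed) is the only page reachable without a session --->
<cfif ListLast(cgi.script_name, "/") NEQ "login.cfm">

    <!--- Authentication: is anyone logged in at all? --->
    <cfif session.userID EQ 0>
        <cflocation url="/login.cfm" addtoken="No">
    </cfif>

    <!--- Authorization: does this user's privilege cover the folder being requested? --->
    <cfset currentDir = GetDirectoryFromPath(cgi.script_name)>
    <cfif StructKeyExists(requiredRole, currentDir)
          AND requiredRole[currentDir] EQ "admin"
          AND NOT session.isAdmin>
        <!--- Assumed "no access, contact tech. dept." page; cfabort stops the requested page --->
        <cfinclude template="/noaccess.cfm">
        <cfabort>
    </cfif>

</cfif>
```

Keeping the logged-in state and the admin flag in server-side session variables, rather than in cookies the browser sends back, means a user cannot simply edit a cookie to grant themselves administrative access.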
