Security best practice

My apologies if this is not the right topic to ask this question in, but I have a Windows 2000 Server running IIS and SQL Server 2000 with Coldfusion 6.1.

Most of the sites I create simply use a query of a table in the database to authenticate and authorize users.  The not so simple part of that is that I then need to write every page to include a security check.

As a best practice, what is your opinion of the most efficient, yet secure, way to build a site?

I would prefer to just set a folder's permission somehow and let the server check for the proper credentials each time someone accesses a page than for me to have to check for authentication and authorization on every page.

Using Active Directory integration isn't an option for us.  I must use the SQL Server usernames and passwords for all authentication/authorization.

Thanks in advance,

If you cannot use Windows Integrated Login - which it sounds like you can't - then you need to proceed with a separately maintained login system.  You can't use a folder's permission settings if you are not using integrated login.

One thing you could do, if you know the IPs, is restrict the files/folders to those IP ranges.  This deals with authorization, but if you need authentication as well then you still have to write your own system.

I know that isn't much help, but it sounds like you are already doing it the way you need to for your situation.

prairieits (Author) commented:

Thanks for the feedback.  Everything I write is for internal use only, so restricting by IP won't work.  The people who I need to defend against are employees who don't have access to applications (in part or at all).  Right now, I run the query, make a cookie if they are listed as an administrative user, make another cookie with their login's unique system id, and then use those 2 items to both authenticate (are you logged in?) the user and authorize (do you have permission to see this portion of an application?).

I am putting that code on every page, so when I make an update, it is very slow because all pages need updating.  What I would like to see is something like a package called Authentix (see it at  The only problem is that it can handle initial authentication, but it doesn't handle authorization.

I will keep this open for a little while to see if anyone else brainstorms about something that may be useful.

I write session variables and everything is written in Fusebox.

After authentication,  a session variable is written to define authorization to each application.  The application is in its own folder and the index page has a simple if statement for authorization to that specific application.  If authorization fails, display the "no access, contact tech. dept." page.  
Hi prairieits,
just check that out... :D

I don't know if you are aware of it, but instead of including the code on every page you can put it in the Application.cfm file...
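To show how the Application.cfm suggestion fits together with the session-variable approach described earlier in the thread (authenticate once against the SQL Server table, then authorize per application folder), here is an added example written for this page; it is not code from the original posters. Datasource name `intranet`, table `app_users`, its columns, the application name `timesheets`, and the `login.cfm` / `noaccess.cfm` pages are all assumptions. Keeping the "is admin" flag and the user id in the server-side session scope, rather than in cookies the browser holds, means a user cannot alter their own authorization data, and the checks run once in the root `Application.cfm` instead of on every page.

```cfml
<!--- /Application.cfm (web root): ColdFusion runs this before every .cfm request under it.
      Added example, not from the original thread; datasource "intranet", table "app_users"
      and its columns are assumed. --->
<cfapplication name="intranet"
               sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0,0,30,0)#"
               setclientcookies="yes">

<!--- Pages that must be reachable while not logged in --->
<cfset publicPages = "login.cfm,logout.cfm">

<!--- First request of a session: start out unauthenticated with no application rights --->
<cfif NOT StructKeyExists(session, "userID")>
    <cfset session.userID  = 0>
    <cfset session.isAdmin = false>
    <cfset session.roles   = "">   <!--- comma list of application names the user may open --->
</cfif>

<!--- A posted login form: authenticate against the SQL Server table.
      cfqueryparam binds the values so user input never becomes part of the SQL text.
      Hash() is MD5 on CF 6.1 and stands in here for whatever hashing the table uses;
      a salted hash is preferable where the platform allows it. --->
<cfif StructKeyExists(form, "username") AND StructKeyExists(form, "password")>
    <cfquery name="qUser" datasource="intranet">
        SELECT user_id, is_admin, app_list
        FROM   app_users
        WHERE  username      = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
        AND    password_hash = <cfqueryparam value="#Hash(form.password)#" cfsqltype="cf_sql_varchar">
    </cfquery>
    <cfif qUser.recordCount EQ 1>
        <cfset session.userID  = qUser.user_id>
        <cfset session.isAdmin = (qUser.is_admin EQ 1)>
        <cfset session.roles   = qUser.app_list>
    <cfelse>
        <!--- Same message for unknown user and wrong password --->
        <cfset request.loginError = "Invalid username or password">
    </cfif>
</cfif>

<!--- Authentication gate: not logged in and not on a public page -> show the login form and stop.
      cfabort prevents the requested page from rendering anything. --->
<cfif session.userID EQ 0 AND NOT ListFindNoCase(publicPages, GetFileFromPath(CGI.SCRIPT_NAME))>
    <cfinclude template="/login.cfm">
    <cfabort>
</cfif>


<!--- /timesheets/Application.cfm (one per application folder): include the root file first so
      the session setup and authentication gate still run, then authorize for this
      application only. Every page in the folder is covered without per-page code. --->
<cfinclude template="/Application.cfm">

<cfif NOT ListFindNoCase(session.roles, "timesheets")>
    <cfinclude template="/noaccess.cfm">
    <cfabort>
</cfif>
```

The per-folder file is the only thing that changes when a new application is added, and the root file is the only place to touch when the login logic changes. Admin-only sections inside an application can test `session.isAdmin` the same way, since that flag now lives on the server rather than in a client cookie.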