

Security best practice

Posted on 2004-11-18
Medium Priority
Last Modified: 2013-12-24
My apologies if this is not the right topic to ask this question in, but I have a Windows 2000 Server running IIS and SQL Server 2000 with Coldfusion 6.1.

Most of the sites I create simply use a query of a table in the database to authenticate and authorize users.  The not so simple part of that is that I then need to write every page to include a security check.

As a best practice, what is your opinion of the most efficient, yet secure, way to build a site?

I would prefer to just set a folder's permission somehow and let the server check for the proper credentials each time someone accesses a page than for me to have to check for authentication and authorization on every page.

Using Active Directory integration isn't an option for us.  I must use the sql server usernames and passwords for all authentication/authorization.

Thanks in advance,
Question by: prairieits

Accepted Solution

mrichmon earned 1400 total points
ID: 12616982
If you cannot use Windows Integrated Login - which it sounds like you can't - then you need to proceed with a separately maintained login system.  You can't use a folder's permission settings if you are not using integrated login.

One thing you could do is - if you know the IPs - then you can restrict the files/folders to those IP ranges.  This deals with authorization, but if you need authentication as well then you still have to write your own system.

I know that isn't much help, but it sounds like you are already doing it the way you need to for your situation.

Author Comment

ID: 12617984

Thanks for the feedback.  Everything I write is for internal use only, so restricting by IP won't work.  The people whom I need to defend against are employees who don't have access to applications (in part or at all).  Right now, I run the query, make a cookie if they are listed as an administrative user, make another cookie with their login's unique system id, and then use those 2 items to both authenticate (are you logged in?) the user and authorize (do you have permission to see this portion of an application?).

I am putting that code on every page, so when I make an update, it is very slow because all pages need updating.  What I would like to see is something like a package called Authentix (see it at flicks.com).  The only problem is that it can handle initial authentication, but it doesn't handle authorization.

I will keep this open for a little while to see if anyone else brainstorms about something that may be useful.


Expert Comment

ID: 12618369
I write session variables and everything is written in Fusebox.

After authentication,  a session variable is written to define authorization to each application.  The application is in its own folder and the index page has a simple if statement for authorization to that specific application.  If authorization fails, display the "no access, contact tech. dept." page.  

Expert Comment

ID: 12619259
Hi prairieits,
just check that out... :D


Assisted Solution

Crazee earned 600 total points
ID: 12624495
I don't know if you are aware of it, but instead of including the code on every page you can put it in the Application.cfm file...
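The two suggestions above (session variables set once after login and checked per application, and moving the check into Application.cfm so it runs before every page) fit together into one pattern. The following is an added example, not code from any of the posters; it assumes a datasource named "intranet", tables "app_users" (user_id, username, password_hash, is_admin) and "app_permissions" (user_id, app_name), one sub-folder per application under the web root, and a "/noaccess.cfm" page, all of which are placeholders. It keeps the logged-in state and the list of permitted applications in the server-side SESSION scope rather than in cookies the browser can edit, and passes form values to SQL Server through cfqueryparam.

```cfml
<!--- Application.cfm (web root): ColdFusion runs this before every .cfm request below it --->
<cfapplication name="intranetApp"
               sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">

<!--- Pages reachable without a login (assumed file names) --->
<cfset publicPages = "login.cfm,logout.cfm">
<cfset currentPage = ListLast(CGI.SCRIPT_NAME, "/")>

<cfif NOT ListFindNoCase(publicPages, currentPage)>
    <!--- Authentication: is there a logged-in user in the server-side session? --->
    <cfif NOT IsDefined("SESSION.userID")>
        <cflocation url="/login.cfm" addtoken="no">
    </cfif>

    <!--- Authorization: the first folder under the web root names the application,
          e.g. /payroll/index.cfm -> "payroll"; pages directly in the root are open
          to every logged-in user --->
    <cfif ListLen(CGI.SCRIPT_NAME, "/") GT 1>
        <cfset appName = ListFirst(CGI.SCRIPT_NAME, "/")>
        <cfif NOT ListFindNoCase(SESSION.appList, appName)>
            <cfinclude template="/noaccess.cfm">
            <cfabort>
        </cfif>
    </cfif>
</cfif>
```

```cfml
<!--- login.cfm: validates credentials against the SQL Server users table (assumed schema) --->
<cfset loginError = "">

<cfif IsDefined("FORM.username") AND IsDefined("FORM.password")>
    <!--- Hash() is assumed here; store and compare a hash, never the clear-text password,
          using the strongest algorithm the ColdFusion version in use supports --->
    <cfquery name="qUser" datasource="intranet">
        SELECT user_id, is_admin
        FROM   app_users
        WHERE  username      = <cfqueryparam value="#FORM.username#" cfsqltype="cf_sql_varchar">
        AND    password_hash = <cfqueryparam value="#Hash(FORM.password)#" cfsqltype="cf_sql_varchar">
    </cfquery>

    <cfif qUser.recordCount EQ 1>
        <!--- Load every application this user may enter, once, at login time --->
        <cfquery name="qApps" datasource="intranet">
            SELECT app_name
            FROM   app_permissions
            WHERE  user_id = <cfqueryparam value="#qUser.user_id#" cfsqltype="cf_sql_integer">
        </cfquery>

        <cflock scope="SESSION" type="exclusive" timeout="10">
            <cfset SESSION.userID  = qUser.user_id>
            <cfset SESSION.isAdmin = qUser.is_admin>
            <cfset SESSION.appList = ValueList(qApps.app_name)>
        </cflock>
        <cflocation url="/" addtoken="no">
    <cfelse>
        <!--- Same message for unknown user and wrong password --->
        <cfset loginError = "Invalid username or password.">
    </cfif>
</cfif>

<cfoutput>
<cfif Len(loginError)><p>#loginError#</p></cfif>
<form action="login.cfm" method="post">
    Username: <input type="text" name="username"><br>
    Password: <input type="password" name="password"><br>
    <input type="submit" value="Log in">
</form>
</cfoutput>
```

```cfml
<!--- logout.cfm: drop the server-side session so the next request is sent back to login.cfm --->
<cflock scope="SESSION" type="exclusive" timeout="10">
    <cfset StructClear(SESSION)>
</cflock>
<cflocation url="/login.cfm" addtoken="no">
```

With this layout a change to the authentication or authorization rule is made in one file, and adding a new application is a matter of creating its folder and inserting rows into app_permissions; no page inside an application needs its own check. Because the permitted-application list is loaded into the session at login, a permission change in the database takes effect at the user's next login (or after StructClear), so either keep sessions short or re-query on sensitive pages.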
