Link to home
Start Free TrialLog in
Avatar of jturkington

asked on

Best Security Framework ?

Looking advice on the best way to setup a security framework for my app, using CFMX 6.1 & SQL Server 2000 but upgrading to CFMX 7.0 soon.. : -
Main Concerns Are: -

1. Enabling certain user roles to view particular cfm pages. Not sure where the best place to perform this check in my security framework below or best way to approach this. Trying to protect against users typing in a url path and trying to call the page this way if they dont have it on their menu.

2. Displaying certain side menu options to users based on roles, at the minute i just use different sidemenu.cfm files for different roles, alot of duplication in each menu due to certain roles being able to see the same options  

3. Having alot of issues trying to close a users session down completely (j2ee session variables is ticked), but sometimes if a user logs out and a different user logs in, the existing SESSION.userid is still being used for the new user ??

4. I am open to moving away from the coldfusion default security framework cflogin, isuserinrole etc..

At the minute i use a header/Left Menu/Main Content Window Layout

So the loading of my pages are

1. Application.cfm

2. act_home.cfm (When Intranet Loads For First Time Determines What Page To Load First, Default Page In IIS)

3. Then a typical page would include the following: -

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">
<html xmlns="">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<link href="/styles.css" rel="stylesheet" type="text/css" />

<!--- Displays The Main Header At The Top Of The Page --->
<cfinclude template="/dsp_Header.cfm">

<!--- CFM code for this page --->  
<cfinclude template="/act_PageName.cfm">

<!--- HTML display code for this page --->

<!--- Footer Code If needed --->
<cfinclude template="/dsp_Footer.cfm">

So The Main CFM Files: -

<cfapplication name="Test" sessionmanagement="yes" clientmanagement="yes" clientstorage="CFMXVars">

<!--- Setup Request Variables for Intranet --->
<cfset REQUEST.dsn = "Intranet">
<cfset REQUEST.intranetversion = "Intranet v1.00">

<!--- Sets Locale to English UK --->
<cfset SetLocale("English (UK)")>

<cfif IsDefined("FORM.logout")>

<!--- Force The User To Login, if not already done so --->
      <cfif NOT IsDefined("cflogin")>
            <cfinclude template="LoginSystem/dsp_LoginForm.cfm">
            <cfif IS "" OR cflogin.password IS "">
                        <br /><br />
                        <p align="center"><b style='color:red'>Username & Password Must Be Entered</b></p>
                  <cfinclude template="/loginsystem/dsp_loginform.cfm">
                  <!--- Select UserId From Database  --->
                  <cfstoredproc procedure="spSelect_Login_Query" datasource="#REQUEST.dsn#">
                        <cfprocparam type="In" maxlength="50" cfsqltype="cf_sql_varchar" value="" null="no">
                        <cfprocparam type="In" maxlength="50" cfsqltype="cf_sql_varchar" value="#cflogin.password#" null="no">
                        <cfprocresult name="Get_LoginQuery">
                  <cfif Get_LoginQuery.Roles NEQ "">
                        <cfloginuser name="" Password = "#cflogin.password#" roles="#Get_LoginQuery.Roles#">
                        <cfset SESSION.userid = Get_LoginQuery.userid>      
                              <br /><br />
                              <p align="center"><b style='color:red'>Login failed check Username & Password<br /><br />Caps Lock On ?</b></p>
                        <cfinclude template="/LoginSystem/dsp_LoginForm.cfm">

<cfif IsUserInRole("Consultant")>
   <cflocation url="/dsp_consult_home.cfm" addtoken="no">
</cfif> etc...

<div id="Header"> <!--- CSS Styled --->
   <cfif GetAuthUser() NEQ "">
      <div align="left" style="float:left; margin-left:1em; ">
         <img src="/Images/logo.gif" />

      <div align="right">
         <!--- Header Options To Display etc.. --->
         <a href="/header_option1.cfm"><img src="header1.gif" border="0"></a>

<!--- Determine Left Menu To Display --->
<cfif IsUserInRole("Consultant")>
   <cfinclude template="dsp_SideMenu_Consult.cfm">
<cfelseif IsUserInRole("Administrator")>
   <cfinclude template="dsp_SideMenu_Admin.cfm">

<!--- Main Body Of Page Starts Here --->
<div id="Content">

<div id="Menu">
   <div class="sidemenu">
      <div class="sideheader" id="topbutton">
         <a href="*" title="Home Page">My Home</a>
      <div class="sidebuttons">
         <a href="*" title="">My Home Sub Button</a>
<div align="center">
   <p align="left" style="padding:0; margin:0; ">Login: <cfoutput><b>#getauthuser()#</b></cfoutput> </p>
   <form action="/act_home.cfm" method="Post">
      <input type="submit" Name="Logout" value="Logout" class="buttonstyle" style="margin:0; padding:0; ">

<!--- Basically Closes Off Main Body Div Tag & Enables Other Things To Display At Bottom If Needed --->


Avatar of SidFishes
Flag of Canada image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I believe addressed the issues