jturkington asked:

Best Security Framework ?

Looking for advice on the best way to set up a security framework for my app, using CFMX 6.1 & SQL Server 2000 but upgrading to CFMX 7.0 soon.
Main concerns are:

1. Enabling certain user roles to view particular cfm pages. Not sure where the best place to perform this check is in my security framework below, or the best way to approach this. Trying to protect against users typing in a URL path and calling the page that way if they don't have it on their menu.

2. Displaying certain side menu options to users based on roles. At the minute I just use different sidemenu.cfm files for different roles, with a lot of duplication in each menu because certain roles can see the same options.

3. Having a lot of issues trying to close a user's session down completely (J2EE session variables is ticked), but sometimes if a user logs out and a different user logs in, the existing SESSION.userid is still being used for the new user??

4. I am open to moving away from the ColdFusion default security framework (cflogin, IsUserInRole etc.).


FRAMEWORK AT PRESENT
----------------------------------------------------------------------------------------------------
At the minute I use a header / left menu / main content window layout.

So the loading of my pages is:

1. Application.cfm

2. act_home.cfm (when the intranet loads for the first time, this determines which page to load first; it is the default page in IIS)

3. Then a typical page would include the following:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title><cfoutput>#REQUEST.intranetversion#</cfoutput></title>
<link href="/styles.css" rel="stylesheet" type="text/css" />
</head>

<body>
<!--- Displays The Main Header At The Top Of The Page --->
<cfinclude template="/dsp_Header.cfm">

<!--- CFM code for this page --->  
<cfinclude template="/act_PageName.cfm">

<!--- HTML display code for this page --->

<!--- Footer Code If needed --->
<cfinclude template="/dsp_Footer.cfm">
</body>
</html>

So the main CFM files:

Application.cfm
---------------------------------------------------------------------------
<cfapplication name="Test" sessionmanagement="yes" clientmanagement="yes" clientstorage="CFMXVars">

<!--- Setup Request Variables for Intranet --->
<cfset REQUEST.dsn = "Intranet">
<cfset REQUEST.intranetversion = "Intranet v1.00">

<!--- Sets Locale to English UK --->
<cfset SetLocale("English (UK)")>

<cfif IsDefined("FORM.logout")>
   <cflogout>
</cfif>

<!--- Force The User To Login, if not already done so --->
<cflogin>
      <cfif NOT IsDefined("cflogin")>
            <cfinclude template="LoginSystem/dsp_LoginForm.cfm">
            <cfabort>
      <cfelse>
            <cfif cflogin.name IS "" OR cflogin.password IS "">
                  <cfoutput>
                        <br /><br />
                        <p align="center"><b style='color:red'>Username & Password Must Be Entered</b></p>
                  </cfoutput>
                  <cfinclude template="/loginsystem/dsp_loginform.cfm">
                  <cfabort>
            <cfelse>
                  <!--- Select UserId From Database  --->
                  <cfstoredproc procedure="spSelect_Login_Query" datasource="#REQUEST.dsn#">
                        <cfprocparam type="In" maxlength="50" cfsqltype="cf_sql_varchar" value="#cflogin.name#" null="no">
                        <cfprocparam type="In" maxlength="50" cfsqltype="cf_sql_varchar" value="#cflogin.password#" null="no">
                        <cfprocresult name="Get_LoginQuery">
                  </cfstoredproc>
                  
                  <cfif Get_LoginQuery.Roles NEQ "">
                        <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#Get_LoginQuery.Roles#">
                        <cfset SESSION.userid = Get_LoginQuery.userid>
                  <cfelse>
                        <cfoutput>
                              <br /><br />
                              <p align="center"><b style='color:red'>Login failed check Username & Password<br /><br />Caps Lock On ?</b></p>
                        </cfoutput>  
                        <cfinclude template="/LoginSystem/dsp_LoginForm.cfm">
                        <cfabort>
                  </cfif>
            </cfif>  
      </cfif>
</cflogin>

act_home.cfm
-------------------------------------------------------------------------
<cfif IsUserInRole("Consultant")>
   <cflocation url="/dsp_consult_home.cfm" addtoken="no">
</cfif> etc...

dsp_Header.cfm
---------------------------------------------------------------------------
<div id="Header"> <!--- CSS Styled --->
   <cfif GetAuthUser() NEQ "">
      <div align="left" style="float:left; margin-left:1em; ">
         <img src="/Images/logo.gif" />
      </div>

      <div align="right">
         <!--- Header Options To Display etc.. --->
         <a href="/header_option1.cfm"><img src="header1.gif" border="0" /></a>
      </div>
   </cfif>
</div>

<!--- Determine Left Menu To Display --->
<cfif IsUserInRole("Consultant")>
   <cfinclude template="dsp_SideMenu_Consult.cfm">
<cfelseif IsUserInRole("Administrator")>
   <cfinclude template="dsp_SideMenu_Admin.cfm">
etc...
</cfif>

<!--- Main Body Of Page Starts Here --->
<div id="Content">

dsp_SideMenu_Consult.cfm
----------------------------------------------------------------------------
<div id="Menu">
   <div class="sidemenu">
      <div class="sideheader" id="topbutton">
         <a href="*" title="Home Page">My Home</a>
      </div>
      <div class="sidebuttons">
         <a href="*" title="">My Home Sub Button</a>
      </div>
   </div>
<br />
<div align="center">
   <p align="left" style="padding:0; margin:0; ">Login: <cfoutput><b>#getauthuser()#</b></cfoutput> </p>
   <form action="/act_home.cfm" method="Post">
      <input type="submit" Name="Logout" value="Logout" class="buttonstyle" style="margin:0; padding:0; ">
   </form>
</div>
</div>


dsp_footer.cfm
-----------------------------------------
<!--- Basically Closes Off Main Body Div Tag & Enables Other Things To Display At Bottom If Needed --->
</div>

Cheers

JT
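As an added example (not the asker's code, and not the accepted answer, which is not shown on this page), one way to cover concerns 1 to 3 with the built-in cflogin framework: a single page-to-roles map in Application.cfm drives both a deny-by-default check on the requested URL and one shared side menu, and the logout path clears the session scope so SESSION.userid cannot carry over to the next login. The page paths, role names, menu markup and the reduced cfapplication line are constructed placeholders; the asker's own cflogin block is assumed to sit where marked.

```cfml
<!--- Application.cfm (added example). loginstorage="session" keeps the cflogin state in the
      session scope instead of a cookie (available on CFMX 7, which the asker is moving to). --->
<cfapplication name="Test" sessionmanagement="yes" loginstorage="session">

<!--- One map of page -> roles that may view it; it drives both the check and the menu.
      Paths and roles are constructed placeholders for this example. --->
<cfset REQUEST.pageRoles = StructNew()>
<cfset REQUEST.pageRoles["/act_home.cfm"]         = "Consultant,Administrator">
<cfset REQUEST.pageRoles["/dsp_consult_home.cfm"] = "Consultant">
<cfset REQUEST.pageRoles["/dsp_admin_home.cfm"]   = "Administrator">

<!--- Deny by default: a page not in the map, or one whose roles the user lacks, is refused. --->
<cffunction name="userMayView" returntype="boolean" output="false">
   <cfargument name="page" type="string" required="true">
   <cfset var role = "">
   <cfif NOT StructKeyExists(REQUEST.pageRoles, ARGUMENTS.page)>
      <cfreturn false>
   </cfif>
   <cfloop list="#REQUEST.pageRoles[ARGUMENTS.page]#" index="role">
      <cfif IsUserInRole(role)><cfreturn true></cfif>
   </cfloop>
   <cfreturn false>
</cffunction>

<!--- Concern 3: cflogout alone leaves SESSION.userid behind, so wipe the session scope too
      and redirect to a fresh request, which will show the login form again. --->
<cfif IsDefined("FORM.logout")>
   <cflogout>
   <cfset StructClear(SESSION)>
   <cflocation url="/act_home.cfm" addtoken="no">
</cfif>

<!--- ... the asker's <cflogin> block from Application.cfm goes here unchanged ... --->

<!--- Concern 1: runs after login on every request, so a URL typed directly is checked too.
      cfinclude does not change CGI.SCRIPT_NAME, so only the requested page is tested. --->
<cfif NOT userMayView(CGI.SCRIPT_NAME)>
   <cfheader statuscode="403" statustext="Forbidden">
   <cfoutput><p align="center"><b style="color:red">You do not have access to this page.</b></p></cfoutput>
   <cfabort>
</cfif>

<!--- Concern 2: dsp_SideMenu.cfm, one file for all roles, lists only pages the user may view.
      Using the file name as link text is a placeholder; a label map would replace it. --->
<div id="Menu">
<cfloop collection="#REQUEST.pageRoles#" item="page">
   <cfif userMayView(page)>
      <cfoutput><div class="sidebuttons"><a href="#page#">#ListLast(page, "/")#</a></div></cfoutput>
   </cfif>
</cfloop>
</div>
```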

Last comment: SidFishes, 8/22/2022 - Mon

ASKER CERTIFIED SOLUTION
SidFishes

SidFishes

I believe addressed the issues