jturkington
Best Security Framework ?

Looking for advice on the best way to set up a security framework for my app, using CFMX 6.1 & SQL Server 2000 but upgrading to CFMX 7.0 soon.
Main concerns are:

1. Enabling certain user roles to view particular cfm pages. Not sure where the best place is to perform this check in my security framework below, or the best way to approach this. Trying to protect against users typing in a URL path and trying to call the page this way if they don't have it on their menu.

2. Displaying certain side menu options to users based on roles. At the minute I just use different sidemenu.cfm files for different roles; a lot of duplication in each menu due to certain roles being able to see the same options.

3. Having a lot of issues trying to close a user's session down completely (J2EE session variables is ticked), but sometimes if a user logs out and a different user logs in, the existing SESSION.userid is still being used for the new user??

4. I am open to moving away from the ColdFusion default security framework (cflogin, IsUserInRole etc.).


FRAMEWORK AT PRESENT
----------------------------------------------------------------------------------------------------
At the minute I use a Header / Left Menu / Main Content Window layout.

So the loading of my pages is:

1. Application.cfm

2. act_home.cfm (When Intranet Loads For First Time Determines What Page To Load First, Default Page In IIS)

3. Then a typical page would include the following:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title><cfoutput>#REQUEST.intranetversion#</cfoutput></title>
<link href="/styles.css" rel="stylesheet" type="text/css" />
</head>

<body>
<!--- Displays The Main Header At The Top Of The Page --->
<cfinclude template="/dsp_Header.cfm">

<!--- CFM code for this page --->
<cfinclude template="/act_PageName.cfm">

<!--- HTML display code for this page --->

<!--- Footer Code If needed --->
<cfinclude template="/dsp_Footer.cfm">
</body>
</html>

So the main CFM files:

Application.cfm
---------------------------------------------------------------------------
<cfapplication name="Test" sessionmanagement="yes" clientmanagement="yes" clientstorage="CFMXVars">

<!--- Setup Request Variables for Intranet --->
<cfset REQUEST.dsn = "Intranet">
<cfset REQUEST.intranetversion = "Intranet v1.00">

<!--- Sets Locale to English UK --->
<cfset SetLocale("English (UK)")>

<cfif IsDefined("FORM.logout")>
   <cflogout>
</cfif>

<!--- Force The User To Login, if not already done so --->
<cflogin>
      <cfif NOT IsDefined("cflogin")>
            <cfinclude template="LoginSystem/dsp_LoginForm.cfm">
            <cfabort>
      <cfelse>
            <cfif cflogin.name IS "" OR cflogin.password IS "">
                  <cfoutput>
                        <br /><br />
                        <p align="center"><b style='color:red'>Username & Password Must Be Entered</b></p>
                  </cfoutput>
                  <cfinclude template="/loginsystem/dsp_loginform.cfm">
                  <cfabort>
            <cfelse>
                  <!--- Select UserId From Database  --->
                  <cfstoredproc procedure="spSelect_Login_Query" datasource="#REQUEST.dsn#">
                        <cfprocparam type="In" maxlength="50" cfsqltype="cf_sql_varchar" value="#cflogin.name#" null="no">
                        <cfprocparam type="In" maxlength="50" cfsqltype="cf_sql_varchar" value="#cflogin.password#" null="no">
                        <cfprocresult name="Get_LoginQuery">
                  </cfstoredproc>
                  
                  <cfif Get_LoginQuery.Roles NEQ "">
                        <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#Get_LoginQuery.Roles#">
                        <cfset SESSION.userid = Get_LoginQuery.userid>
                  <cfelse>
                        <cfoutput>
                              <br /><br />
                              <p align="center"><b style='color:red'>Login failed check Username & Password<br /><br />Caps Lock On ?</b></p>
                        </cfoutput>
                        <cfinclude template="/LoginSystem/dsp_LoginForm.cfm">
                        <cfabort>
                  </cfif>
            </cfif>
      </cfif>
</cflogin>

act_home.cfm
-------------------------------------------------------------------------
<cfif IsUserInRole("Consultant")>
   <cflocation url="/dsp_consult_home.cfm" addtoken="no">
</cfif> etc...

dsp_Header.cfm
---------------------------------------------------------------------------
<div id="Header"> <!--- CSS Styled --->
   <cfif GetAuthUser() NEQ "">
      <div align="left" style="float:left; margin-left:1em; ">
         <img src="/Images/logo.gif" />
      </div>

      <div align="right">
         <!--- Header Options To Display etc.. --->
         <a href="/header_option1.cfm"><img src="header1.gif" border="0"></a>
      </div>
   </cfif>
</div>

<!--- Determine Left Menu To Display --->
<cfif IsUserInRole("Consultant")>
   <cfinclude template="dsp_SideMenu_Consult.cfm">
<cfelseif IsUserInRole("Administrator")>
   <cfinclude template="dsp_SideMenu_Admin.cfm">
etc...
</cfif>

<!--- Main Body Of Page Starts Here --->
<div id="Content">

dsp_SideMenu_Consult.cfm
----------------------------------------------------------------------------
<div id="Menu">
   <div class="sidemenu">
      <div class="sideheader" id="topbutton">
         <a href="*" title="Home Page">My Home</a>
      </div>
      <div class="sidebuttons">
         <a href="*" title="">My Home Sub Button</a>
      </div>
   </div>
<br>
<div align="center">
   <p align="left" style="padding:0; margin:0; ">Login: <cfoutput><b>#getauthuser()#</b></cfoutput> </p>
   <form action="/act_home.cfm" method="Post">
      <input type="submit" Name="Logout" value="Logout" class="buttonstyle" style="margin:0; padding:0; ">
   </form>
</div>
</div>


dsp_footer.cfm
-----------------------------------------
<!--- Basically Closes Off Main Body Div Tag & Enables Other Things To Display At Bottom If Needed --->
</div>

Cheers

JT
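An added example, not code from the original post or from any answer, showing one way to handle concerns 1 to 3 with the cflogin functions the post already uses: a single page-to-role map in Application.cfm drives both the URL guard and the side menu, and logout removes the session variables set at login. The page file names, the role names and the REQUEST.pages / userMayView names are assumptions.

```cfml
<!--- Added example (not from the original post): Application.cfm fragment.
      One map, page file -> comma list of roles allowed to see it (page names assumed). --->
<cfset REQUEST.pages = StructNew()>
<cfset REQUEST.pages["act_home.cfm"]         = "Consultant,Administrator">
<cfset REQUEST.pages["dsp_consult_home.cfm"] = "Consultant">
<cfset REQUEST.pages["act_admin_users.cfm"]  = "Administrator">

<!--- True if the authenticated user holds at least one of the roles mapped to the page.
      Each role is checked on its own so the result does not depend on how
      IsUserInRole() treats a list. Unmapped pages are denied by default. --->
<cffunction name="userMayView" returntype="boolean" output="false">
   <cfargument name="page" type="string" required="true">
   <cfset var role = "">
   <cfif NOT StructKeyExists(REQUEST.pages, ARGUMENTS.page)>
      <cfreturn false>
   </cfif>
   <cfloop list="#REQUEST.pages[ARGUMENTS.page]#" index="role">
      <cfif IsUserInRole(role)><cfreturn true></cfif>
   </cfloop>
   <cfreturn false>
</cffunction>

<!--- Logout: cflogout drops the cflogin identity but leaves the SESSION scope alone,
      so anything stored at login (SESSION.userid here) has to be removed as well --->
<cfif IsDefined("FORM.logout")>
   <cflogout>
   <cfset StructDelete(SESSION, "userid")>
</cfif>

<cflogin>
   <!--- the login form / stored procedure / cfloginuser code from the post goes here --->
</cflogin>

<!--- URL guard: runs on every request, so a hand-typed path is checked exactly like a
      menu click; the 403 stops the requested page from ever being executed --->
<cfif NOT userMayView(ListLast(CGI.SCRIPT_NAME, "/"))>
   <cfheader statuscode="403" statustext="Forbidden">
   <p>You are not authorised to view this page.</p>
   <cfabort>
</cfif>

<!--- Side menu: one list of visible pages from the same map, so a single
      dsp_SideMenu.cfm can loop over REQUEST.menuPages instead of one file per role --->
<cfset REQUEST.menuPages = ArrayNew(1)>
<cfloop collection="#REQUEST.pages#" item="pageName">
   <cfif userMayView(pageName)>
      <cfset ArrayAppend(REQUEST.menuPages, pageName)>
   </cfif>
</cfloop>
```

Because the guard and the menu read the same map, a page can never appear in a menu for a role that the guard would then refuse, and adding a page means adding one map entry.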
ASKER CERTIFIED SOLUTION
SidFishes
I believe addressed the issues