Best Security Framework ?

jturkington asked on Web Servers
Looking for advice on the best way to set up a security framework for my app, using CFMX 6.1 & SQL Server 2000 but upgrading to CFMX 7.0 soon.
Main concerns are:

1. Enabling certain user roles to view particular cfm pages. Not sure where the best place is to perform this check in my security framework below, or the best way to approach this. Trying to protect against users typing in a URL path and calling the page that way if they don't have it on their menu.

2. Displaying certain side menu options to users based on roles. At the minute I just use different sidemenu.cfm files for different roles; there is a lot of duplication in each menu because certain roles can see the same options.

3. Having a lot of issues trying to close a user's session down completely (J2EE session variables is ticked), but sometimes if a user logs out and a different user logs in, the existing SESSION.userid is still being used for the new user??

4. I am open to moving away from the ColdFusion default security framework (cflogin, IsUserInRole etc.).


FRAMEWORK AT PRESENT
----------------------------------------------------------------------------------------------------
At the minute I use a header / left menu / main content window layout.

So my pages load as follows:

1. Application.cfm

2. act_home.cfm (when the intranet loads for the first time, determines which page to load first; default page in IIS)

3. Then a typical page would include the following:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title><cfoutput>#REQUEST.intranetversion#</cfoutput></title>
<link href="/styles.css" rel="stylesheet" type="text/css" />
</head>

<body>
<!--- Displays The Main Header At The Top Of The Page --->
<cfinclude template="/dsp_Header.cfm">

<!--- CFM code for this page --->  
<cfinclude template="/act_PageName.cfm">

<!--- HTML display code for this page --->

<!--- Footer Code If needed --->
<cfinclude template="/dsp_Footer.cfm">
</body>
</html>

So the main CFM files:

Application.cfm
---------------------------------------------------------------------------
<cfapplication name="Test" sessionmanagement="yes" clientmanagement="yes" clientstorage="CFMXVars">

<!--- Setup Request Variables for Intranet --->
<cfset REQUEST.dsn = "Intranet">
<cfset REQUEST.intranetversion = "Intranet v1.00">

<!--- Sets Locale to English UK --->
<cfset SetLocale("English (UK)")>

<cfif IsDefined("FORM.logout")>
   <cflogout>
</cfif>

<!--- Force The User To Login, if not already done so --->
<cflogin>
      <cfif NOT IsDefined("cflogin")>
            <cfinclude template="LoginSystem/dsp_LoginForm.cfm">
            <cfabort>
      <cfelse>
            <cfif cflogin.name IS "" OR cflogin.password IS "">
                  <cfoutput>
                        <br /><br />
                        <p align="center"><b style='color:red'>Username & Password Must Be Entered</b></p>
                  </cfoutput>
                  <cfinclude template="/loginsystem/dsp_loginform.cfm">
                  <cfabort>
            <cfelse>
                  <!--- Select UserId From Database  --->
                  <cfstoredproc procedure="spSelect_Login_Query" datasource="#REQUEST.dsn#">
                        <cfprocparam type="In" maxlength="50" cfsqltype="cf_sql_varchar" value="#cflogin.name#" null="no">
                        <cfprocparam type="In" maxlength="50" cfsqltype="cf_sql_varchar" value="#cflogin.password#" null="no">
                        <cfprocresult name="Get_LoginQuery">
                  </cfstoredproc>
                  
                  <cfif Get_LoginQuery.Roles NEQ "">
                        <cfloginuser name="#cflogin.name#" Password = "#cflogin.password#" roles="#Get_LoginQuery.Roles#">
                        <cfset SESSION.userid = Get_LoginQuery.userid>      
                  <cfelse>
                        <cfoutput>
                              <br /><br />
                              <p align="center"><b style='color:red'>Login failed check Username & Password<br /><br />Caps Lock On ?</b></p>
                        </cfoutput>  
                        <cfinclude template="/LoginSystem/dsp_LoginForm.cfm">
                        <cfabort>
                  </cfif>
            </cfif>  
      </cfif>
</cflogin>

act_home.cfm
-------------------------------------------------------------------------
<cfif IsUserInRole("Consultant")>
   <cflocation url="/dsp_consult_home.cfm" addtoken="no">
</cfif> etc...

dsp_Header.cfm
---------------------------------------------------------------------------
<div id="Header"> <!--- CSS Styled --->
   <cfif GetAuthUser() NEQ "">
      <div align="left" style="float:left; margin-left:1em; ">
         <img src="/Images/logo.gif" />
      </div>

      <div align="right">
         <!--- Header Options To Display etc.. --->
         <a href="/header_option1.cfm"><img src="header1.gif" border="0"></a>
      </div>
   </cfif>
</div>

<!--- Determine Left Menu To Display --->
<cfif IsUserInRole("Consultant")>
   <cfinclude template="dsp_SideMenu_Consult.cfm">
<cfelseif IsUserInRole("Administrator")>
   <cfinclude template="dsp_SideMenu_Admin.cfm">
etc...
</cfif>

<!--- Main Body Of Page Starts Here --->
<div id="Content">

dsp_SideMenu_Consult.cfm
----------------------------------------------------------------------------
<div id="Menu">
   <div class="sidemenu">
      <div class="sideheader" id="topbutton">
         <a href="*" title="Home Page">My Home</a>
      </div>
      <div class="sidebuttons">
         <a href="*" title="">My Home Sub Button</a>
      </div>
   </div>
<br>
<div align="center">
   <p align="left" style="padding:0; margin:0; ">Login: <cfoutput><b>#getauthuser()#</b></cfoutput> </p>
   <form action="/act_home.cfm" method="Post">
      <input type="submit" Name="Logout" value="Logout" class="buttonstyle" style="margin:0; padding:0; ">
   </form>
</div>
</div>


dsp_footer.cfm
-----------------------------------------
<!--- Basically Closes Off Main Body Div Tag & Enables Other Things To Display At Bottom If Needed --->
</div>

Cheers

JT
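One way to address concerns 1 to 3 with a single page-to-roles map, checked in Application.cfm on every request and reused to build one menu for all roles, as an added example that is not part of the original post or the asker's code. It assumes the app lives at the site root (so CGI.SCRIPT_NAME matches the map keys), that J2EE session variables are enabled as the asker states, and that the page paths, role names and the dsp_Forbidden.cfm template are constructed placeholders.

```cfml
<!--- Application.cfm additions (example code). Map built once; keys = script path in lower case --->
<cfif NOT IsDefined("APPLICATION.pageRoles")>
   <cflock scope="APPLICATION" type="exclusive" timeout="10">
      <cfset APPLICATION.pageRoles = StructNew()>
      <!--- value = comma list of roles allowed; "*" = any logged-in user (constructed sample entries) --->
      <cfset APPLICATION.pageRoles["/act_home.cfm"]         = "*">
      <cfset APPLICATION.pageRoles["/dsp_consult_home.cfm"] = "Consultant">
      <cfset APPLICATION.pageRoles["/dsp_admin_users.cfm"]  = "Administrator">
      <cfset APPLICATION.pageRoles["/dsp_reports.cfm"]      = "Consultant,Administrator">
   </cflock>
</cfif>

<cffunction name="userMayView" returntype="boolean" output="no">
   <cfargument name="page" type="string" required="yes">
   <cfset var key = LCase(arguments.page)>
   <cfset var role = "">
   <!--- Deny by default: a page that is not in the map is never served --->
   <cfif NOT StructKeyExists(APPLICATION.pageRoles, key)><cfreturn false></cfif>
   <cfloop list="#APPLICATION.pageRoles[key]#" index="role">
      <cfif role IS "*" OR IsUserInRole(role)><cfreturn true></cfif>
   </cfloop>
   <cfreturn false>
</cffunction>

<!--- Logout: drop the CF login, empty SESSION, invalidate the J2EE session, then redirect.
      The next request therefore starts a fresh session and cannot inherit SESSION.userid --->
<cfif IsDefined("FORM.logout")>
   <cflogout>
   <cfset StructClear(SESSION)>
   <cfset getPageContext().getSession().invalidate()>
   <cflocation url="/act_home.cfm" addtoken="no">
</cfif>

<!--- ... the existing <cflogin> block goes here, unchanged ... --->

<!--- Runs on every request after <cflogin>, so a URL typed directly is checked the same way --->
<cfif NOT userMayView(CGI.SCRIPT_NAME)>
   <cfheader statuscode="403" statustext="Forbidden">
   <cfinclude template="/dsp_Forbidden.cfm">
   <cfabort>
</cfif>

<!--- dsp_SideMenu.cfm (example): one menu for every role, driven by the same map --->
<div id="Menu">
   <cfoutput>
   <cfloop collection="#APPLICATION.pageRoles#" item="page">
      <cfif userMayView(page)>
         <div class="sidebuttons"><a href="#page#">#ListLast(page, "/")#</a></div>
      </cfif>
   </cfloop>
   </cfoutput>
</div>
```

Because menu visibility and the request check call the same function, a link can never appear that the check would then refuse, and a page absent from the map is refused even if someone guesses its name.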
ASKER CERTIFIED SOLUTION
SidFishes
