Implementing Application Security


Application security is implemented using three CFML tags:

  • <cflogin>

  • <cfloginuser>

  • <cflogout>

The <cflogin> Tag

When you implement application security, your application must have code that determines whether a user is logged in and responds or takes action as necessary. Rather than check this manually, you can use the <cflogin> tag to define a block of code that is executed only if no user is logged in.

To secure applications safely, the security code must always be executed; as such, it should be placed in an Application file.

Application.cfm and Application.cfc were covered in Chapter 6, "The Application Framework."


The following snippet shows the code that would be executed based on whether a user is logged in:

  <cflogin>
    Any code here will be executed only if not logged in
  </cflogin>
  Any code here will be executed for all requests

The <cflogin> tag itself does not log users in or out; it simply marks a block of code that will be executed if no user is logged in (or if a user's login has timed out). Within <cflogin> you can place any code needed, including redirecting to login forms.

The <cfloginuser> Tag

To log a user in to the security system, use the <cfloginuser> tag. <cfloginuser> does not perform authentication; your code should do that using whatever code is necessary (<cfquery> to authenticate against a database, <cfldap> to authenticate against an LDAP server, <cfntauthenticate> to authenticate against NT domains and Active Directory, <cfinvoke> to authenticate with a component or Web Service, and so on). Once your code has determined that a user has been authenticated correctly, use the <cfloginuser> tag to pass the user information (name, password, and role) to the security framework.

The basic code flow is like this:

  <cflogin>
    ... Authentication code goes here ...
    ... Code to find roles goes here ...
    <cfloginuser name="#FORM.login#"
                 password="#FORM.password#"
                 roles="#roles#">
  </cflogin>

It is also possible to rely on the Web server to perform the authentication, in which case ColdFusion populates the CFLOGIN structure with the login information automatically. The following snippet logs a user in to the application using the Web server-provided information (the Web server does not return roles, so your code must still look them up):

  <cflogin>
    ... Code to find roles goes here ...
    <cfloginuser name="#CFLOGIN.name#"
                 password="#CFLOGIN.password#"
                 roles="#roles#">
  </cflogin>

NOTE

To force the Web server to generate a login dialog (so that you do not have to create one manually), use the following code:

  <cfsetting enablecfoutputonly="yes"
             showdebugoutput="no">
  <cfheader statuscode="401">
  <cfheader name="WWW-Authenticate"
            value="Basic realm=""MyRealm""">
  <cfoutput>Authorization failed</cfoutput>

Replace the realm name with one of your own, and customize the failure message if needed.


ColdFusion also recognizes two special form field names, j_username and j_password. If your own login form posts fields with these names, ColdFusion will pick them up automatically and populate CFLOGIN.name and CFLOGIN.password with them, so the same <cfloginuser> code shown above works for both Web server and form-based logins.

Once a user has been logged in, you can use <cffunction> and IsUserInRole() to implement access control as described below.

The <cflogout> Tag

User logins time out automatically. To force an immediate logout (perhaps in response to a user clicking a Logout option), use the <cflogout> tag.
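The three tags working together in one Application.cfm, as an added example that is not from the study guide: it authenticates against a hypothetical Users table through a datasource named appDSN, looks roles up in a hypothetical UserRoles table, and assumes a loginform.cfm that posts j_username and j_password.

```cfml
<!--- Application.cfm (added example, not from the study guide). Assumes a
      datasource "appDSN" with hypothetical Users/UserRoles tables and a
      loginform.cfm that posts j_username and j_password. --->
<cfapplication name="SecureApp" sessionmanagement="yes" loginstorage="session">

<!--- Explicit logout, e.g. a "Logout" link pointing at ?logout=1;
      placed before <cflogin> so that block runs again on this request --->
<cfif IsDefined("URL.logout")>
  <cflogout>
</cfif>

<!--- Everything inside runs only when nobody is logged in (or the login idled out) --->
<cflogin idletimeout="1800">
  <cfset authenticated = false>

  <!--- CFLOGIN is populated only when j_username/j_password were submitted --->
  <cfif IsDefined("CFLOGIN") AND Len(Trim(CFLOGIN.name))>
    <!--- Look the user up by name only; the password never goes into the SQL --->
    <cfquery name="qUser" datasource="appDSN">
      SELECT UserID, PasswordHash, Salt
      FROM Users
      WHERE Username = <cfqueryparam value="#CFLOGIN.name#" cfsqltype="cf_sql_varchar">
    </cfquery>

    <!--- Compare a salted hash of the submitted password with the stored hash --->
    <cfif qUser.RecordCount EQ 1
          AND CompareNoCase(Hash(qUser.Salt & CFLOGIN.password, "SHA-256"),
                            qUser.PasswordHash) EQ 0>
      <!--- Roles come from our own table; the security framework only stores them --->
      <cfquery name="qRoles" datasource="appDSN">
        SELECT RoleName FROM UserRoles
        WHERE UserID = <cfqueryparam value="#qUser.UserID#" cfsqltype="cf_sql_integer">
      </cfquery>
      <cfloginuser name="#CFLOGIN.name#"
                   password="#CFLOGIN.password#"
                   roles="#ValueList(qRoles.RoleName)#">
      <cfset authenticated = true>
    </cfif>
  </cfif>

  <!--- Still not logged in: show the form and stop, so no protected page runs --->
  <cfif NOT authenticated>
    <cfinclude template="loginform.cfm">
    <cfabort>
  </cfif>
</cflogin>

<!--- Below here a user is always logged in; role checks gate individual areas --->
<cfif FindNoCase("/admin/", CGI.SCRIPT_NAME) AND NOT IsUserInRole("admin")>
  <cfthrow message="Access denied">
</cfif>
```

Because <cfabort> ends the request inside the <cflogin> block, pages after Application.cfm only ever execute for an authenticated user.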



Macromedia ColdFusion MX 7 Certified Developer Study Guide
ISBN: 0321330110
Year: 2004
Pages: 389
Authors: Ben Forta
