bpurcell.org - Securing ColdFusion Applications Presentation download


March 26, 2004

I have had a lot of requests to put this presentation on my site for download. This is the presentation that I gave at Max 2003, Japan Max 2004, the User Group Manager meeting, and the Boston ColdFusion User Group. The presentation covers the steps to secure your ColdFusion application, either through the web server or programmatically. Whether it's authentication, authorization, access control, or roles, security is an important and complex topic. Implementing runtime security and access control involves understanding all of the above and more. Using databases, LDAP, the web server, and many other approaches, you will learn how to leverage the ColdFusion MX security framework to greatly simplify securing your applications. This is a great start for using CFLOGIN with ColdFusion, with an overview of the tags and functions: CFLOGIN, CFLOGINUSER, CFLOGOUT, getAuthUser(), and isUserInRole().

The slides for the presentation can be downloaded here

The code for the presentation can be downloaded here


Awesome! Thank you very much.

Just a quick question about the DB structure used in your example. Why use three tables for user, roles and userroles data?

Matthew, the three tables are needed: all users are stored in the user table and all roles in the roles table. The userroles table forms a many-to-many relationship between the two tables, meaning one user can have multiple roles, and a role can have multiple users.
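As an added illustration of the three-table layout described in the answer above (this is example code written for this page, not the presentation's own code or database), the schema below is built in SQLite so it runs offline. It includes the join query that turns the userroles rows into the role list a CFLOGINUSER tag would be handed, an authenticate step that returns that list only after a password check, and the role gate a protected page would perform. Table and column names, the salted PBKDF2 password storage, and the sample users are all assumptions made for the example; a blank username or password simply fails to authenticate.

```python
"""Added example for the user / roles / userroles model. Not code from the
original presentation; names, password hashing and sample data are assumptions."""
import hashlib
import hmac
import os
import sqlite3

SCHEMA = """
CREATE TABLE users (
    user_id  INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    pw_salt  BLOB NOT NULL,
    pw_hash  BLOB NOT NULL
);
CREATE TABLE roles (
    role_id   INTEGER PRIMARY KEY,
    role_name TEXT NOT NULL UNIQUE
);
-- join table: one user may hold many roles and one role many users
CREATE TABLE userroles (
    user_id INTEGER NOT NULL REFERENCES users(user_id),
    role_id INTEGER NOT NULL REFERENCES roles(role_id),
    PRIMARY KEY (user_id, role_id)
);
"""


def _hash_password(password, salt):
    # Assumption for the example: salted PBKDF2-SHA256 instead of plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def open_demo_db():
    """In-memory database loaded with constructed sample users and roles."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for name, pw in [("brandon", "s3cret"), ("matt", "hunter2"), ("guest", "guest")]:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users(username, pw_salt, pw_hash) VALUES (?, ?, ?)",
            (name, salt, _hash_password(pw, salt)),
        )
    conn.executemany("INSERT INTO roles(role_name) VALUES (?)",
                     [("Admin",), ("Editor",), ("User",)])
    grants = [("brandon", "Admin"), ("brandon", "Editor"), ("brandon", "User"),
              ("matt", "Editor"), ("matt", "User"), ("guest", "User")]
    conn.executemany(
        """INSERT INTO userroles(user_id, role_id)
           SELECT u.user_id, r.role_id FROM users u, roles r
           WHERE u.username = ? AND r.role_name = ?""",
        grants,
    )
    conn.commit()
    return conn


def roles_for_user(conn, username):
    """Walk users -> userroles -> roles and return the role names, sorted.
    ','.join(...) of this list is what CFLOGINUSER's roles attribute expects."""
    rows = conn.execute(
        """SELECT r.role_name FROM roles r
           JOIN userroles ur ON ur.role_id = r.role_id
           JOIN users u ON u.user_id = ur.user_id
           WHERE u.username = ? ORDER BY r.role_name""",
        (username,),
    ).fetchall()
    return [r[0] for r in rows]


def authenticate(conn, username, password):
    """The work a CFLOGIN block does before calling CFLOGINUSER: return the
    user's role list on success, None on any failure (including blank input)."""
    row = conn.execute(
        "SELECT pw_salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        _hash_password(password, b"\0" * 16)  # same cost whether or not the user exists
        return None
    salt, stored = row
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return None
    return roles_for_user(conn, username)


def user_in_role(roles, required):
    """The gate a protected page performs with isUserInRole(): a visitor who
    never authenticated has no roles, so this is False for them."""
    if not roles:
        return False
    return required in roles
```

Run the block and call `authenticate(open_demo_db(), "brandon", "s3cret")` to see the joined role list; a wrong password, an unknown user or an empty form submission all return None, and `user_in_role(None, "Admin")` is False, which is the behaviour an unauthenticated request gets from the role check on a protected page.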

Ahhh! I see it now. Of course, I should have seen the need for the intermediate table in the way you have worked this. Thanks for the enlightenment. Cheers, Matt


Great work on your site. I have a question concerning logging out. When a user clicks the logout button they are presented with the login screen asking them to log in once again. Easy enough. But if a user clicks the back button, they are returned to the previous screen and they would be able to view the screen as though still logged in.

I have googled myself to death and there are many people with the same problem. I'm not sure how to overcome this problem. If you have any suggestions or references that would be tremendous.


The problem is that the view is still cached in the user's browser, so when they click back they see the screen as though they were logged in. The only way around this is to make sure that the page expires and the user cannot click back.

There are several ways to do this, and you can use a combination of the approaches to make sure they work across all browsers.

Set a meta tag for content expiration:
<meta http-equiv="expires" content="Mon, 06 Jan 1990 00:00:01 GMT">

You can also use CFHEADER to send headers to the browser forcing it not to cache the data:
<cfheader name="expires" value="#getHttpTimeString(now())#">
<cfheader name="pragma" value="no-cache">
<cfheader name="cache-control" value="no-cache, no-store, must-revalidate">

See also: http://www.web-caching.com/mnot_tutorial/how.html
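Because the answer above recommends combining several headers, a quick way to confirm that a logout page actually sends a non-cacheable response is to parse the headers and check each directive. The checker below is an added example written for this page, not code from the presentation; the policy it enforces (no-store plus no-cache or must-revalidate, an Expires that is not in the future, and Pragma: no-cache for HTTP/1.0 caches) and the sample header sets are assumptions. It also models one point worth knowing when writing the Expires header: an Expires value that is not a valid HTTP-date is treated by caches as already expired, so a malformed timestamp string happens to work, but a correctly formatted one is what you want.

```python
"""Added example: audit response headers for the anti-caching directives used
on a logout page. Not code from the original post; policy is an assumption."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """'no-cache, max-age=0' -> {'no-cache': None, 'max-age': '0'}"""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def expires_in_past(value, now):
    """True if the Expires header does not grant any future freshness.
    A value that is not a valid HTTP-date counts as already expired (RFC 7234)."""
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return True
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= now


def cache_findings(headers, now=None):
    """Return a list of problems found in a response header map.
    An empty list means the page should not be re-served from cache."""
    now = now or datetime.now(timezone.utc)
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    findings = []
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store; the page may be kept in the browser cache")
    if "no-cache" not in cc and "must-revalidate" not in cc:
        findings.append("Cache-Control lacks no-cache/must-revalidate; a stored copy may be reused")
    if "expires" in lower and not expires_in_past(lower["expires"], now):
        findings.append("Expires is in the future")
    if lower.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing (needed for HTTP/1.0 caches)")
    return findings


# Constructed sample header sets: one matching the advice above, one a default response.
LOGOUT_HEADERS = {
    "Expires": "Fri, 26 Mar 2004 00:00:00 GMT",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache, no-store, must-revalidate",
}
DEFAULT_HEADERS = {"Cache-Control": "max-age=3600"}
```

Feed `cache_findings()` the header dictionary from any HTTP client (for example `response.headers` from `urllib` or `requests`) and treat a non-empty list as a failed check; `expires_in_past` shows why an Expires value such as a raw `{ts '...'}` timestamp still behaves as expired even though it is not a valid date.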


Since we hardly know each other I cannot say that I love you but thanks a million!

I had tried the first two <cfheader> examples that you have in your last paragraph but not the third. When I added the third it worked for other browsers besides IE. (IE was working before with no problem.)

Once again thanks.


Hi. I have a question about security. I am developing a new version of our company intranet using ColdFusion and have set up an authentication system using the cflogin tags etc. This works fine and I can log in and out of the "security application" for controlling user access. It was my intention to use the "roles" feature to control which CF applications a user was allowed to use (these being controlled by individual Application.cfm files in each application directory). However, now I have tried to build the first proper user-oriented app and find that the roles function only seems to be available to my initial security app, i.e. the personnel directory app cannot tell that a user is logged in and so will not allow access to the component. Is there any way to make the roles available to every app (on a single server and single domain) so that once a user logs in they can gain access to any app they have access to without having to log in repeatedly, or will that only work if the whole site is treated as an individual application? Hope that made sense...? Any help would be very much appreciated here.

We are having an unusual issue with cflogin/getAuthUser(). After a user is logged in and sent to the correct page (there are three different entry pages based on the login), when they click on any button/link they are automatically logged out. They can log back in and the application behaves properly. The other issue is that this is not consistent. I seem to be able to reproduce it by letting the system sit idle for a period of time. The biggest problem is when users are logging in at the start of the day and continually being logged out.

Any ideas?

Thank you for any help on this, Michelle Courier

I haven't posted here before, I have just been reading your great blog for a couple of months.

I was wondering if I can secure some CF apps and not others in the same root.

The reason is simple. I want some people to access the common area, the "no login needed area", but admins to access the same area plus see the code specially designed for them.

I've asked this question before and didn't get an answer and we are still having this issue. Here is the problem and some additional information:

We are having a very frustrating issue. When the user logs into the system they are taken to the correct page (one of three pages depending on their login); when they click on any link/button they are automatically logged out. When they log back in the system behaves perfectly.

The issue seems to be the loss of a session variable. The variable exists after the login and at the display of the proper page; however, it is lost at the click on the link. The check on the Application.cfm page for this variable logs them out. We cannot figure out how or why this data could be lost.

One other point is that this is not reproducible every time.

Things to note during the process of debugging this issue: we've tried tracing the session variable in question, and there doesn't appear to be any code that modifies this variable once it's set at login. We also have clientmanagement disabled and sessionmanagement enabled for this application. Additionally, we have configured cflogin to only store its authentication variables in session, and not in cookies.

Our environment is CFMX 6.1 on Linux, using Postgres for DB.

Thanks for any help one can provide.

For gen.arg's question: all of the apps will need to share the same CFLOGIN code. You will not want to force all users to a login page, since you want to have some of the content unprotected. Include on every page you want to protect a snippet of code that checks isUserInRole("Admin"); if they are not logged in they will not be in the role and this will return false. Then direct them to the login page.

By using isUserInRole() you can display specific content to the users you want to see it. Just don't force them to log in in the Application.cfm; have the login form be a link, then when the form gets filled out and posted the CFLOGIN code in Application.cfm will do its work.

If this is really a challenge I can probably work up an example and post it. I am just short on time right now, working on Flex. Let me know.

Michelle, it is hard to say what is happening in your case. Try switching to cookie-based and see if it occurs. Do all the pages share the same Application.cfm?

One thing that I found that causes this problem is browser caching. They are not getting a fresh version of the page and are seeing cached content.

Try adding the following:
<cfheader name="expires" value="#getHttpTimeString(now())#">
<cfheader name="pragma" value="no-cache">
<cfheader name="cache-control" value="no-cache, no-store, must-revalidate">

I will try it later. I'm developing an application for my dad's shop from scratch, and it is taking time to make it 100% functional.

Security is a very important topic, but at the moment it is not the priority.

The lack of help to developers and examples from Macromedia is very disturbing.

I have found apps or useful code to use on CF. This one is the most useful I have found.

Very upset. :(

Sorry for the typos... I wanted to say "I haven't found apps".


Can't edit the post... bah.

Brandon, what do you do about someone who leaves the login form blank and submits? I can use JavaScript to try and block it, but if they have JS turned off, they can still log in. I tried trapping for the lack of a username in the Application.cfm but that does not seem to work.


I've searched the forums and the internet in general and can't find out what I should be looking at.

We have a clustered environment (2 IIS/CF 6.0/JRun servers with a load balancer taking requests on port 888 and directing them to one of the aforementioned servers).

The application that is set up on both machines works fine no matter which machine you hit first. However, the problem occurs when TIMING OUT.

We have setDomainCookies=yes, sessionmanagement=yes, clientmanagement=yes, setclientcookies=yes and a session timeout.

We have a cflogin tag which at one point had every combination of idletimeout, applicationtoken (set to the application name in the cfapplication tag) and cookiedomain (set to ".emscharts.com").

When the timeout occurs (correctly at 5 minutes), whatever server you hit when logging in again accepts the information and sets whatever ColdFusion does with the cflogin structure/cookie. However, if you hit the other server it re-executes the code in the cflogin tag, and since no login information is being submitted it makes it appear you timed out again.

My question is: why doesn't the other server recognize that the cflogin tag shouldn't be executed because the other server just "logged" in?

Thanks for all your help!

Great thanks a bunch Brandon, this is exactly the information I've been looking for.

Ignore my post, we have since got it working and discovered how the cflogin tag actually works.

It appears there is a small problem with your ntsecurity.cfc.

I have a user who is a member of 42 different groups... When trying to authenticate and get user groups an empty string is returned. If I remove her from 7 groups, leaving her in 36 groups, the user groups are returned.

What's up with that?

I am trying to use the isUserInRole() method to check and see if a user is in multiple roles, for example isUserInRole("Admin,Editor"). This does not work; is there a bug or am I doing this wrong?

Hi there all

This is great, I would like to thank all the people who make this possible.

I got a question:




At last, code that works and I understand it, thank you so much.

To fit my needs, though, I would like it to do one more thing... Check the database against a field called learnersADT which holds a date; if this date is more than 45 days older than now, then go to a page outside the protected folder.

Can anyone help on this please? John
