User Guide
Table Of Contents
- Contents
- The CFML Programming Language
- Elements of CFML
- Using ColdFusion Variables
- Using Expressions and Number Signs
- Using Arrays and Structures
- Contents
- About arrays
- Basic array techniques
- Populating arrays with data
- Array functions
- About structures
- Creating and using structures
- Structure examples
- Structure functions
- Extending ColdFusion Pages with CFML Scripting
- Using Regular Expressions in Functions
- Building Blocks of ColdFusion Applications
- Creating ColdFusion Elements
- Writing and Calling User-Defined Functions
- Contents
- About user-defined functions
- Creating user-defined functions
- Calling user-defined functions
- Working with arguments and variables in functions
- Handling errors in UDFs
- A user-defined function example
- Using UDFs effectively
- Building and Using ColdFusion Components
- Contents
- About ColdFusion components
- Creating ColdFusion components
- Using ColdFusion components
- Passing parameters to methods
- CFC variables and scope
- Using CFCs effectively
- ColdFusion component example
- Creating and Using Custom CFML Tags
- Building Custom CFXAPI Tags
- Developing CFML Applications
- Designing and Optimizing a ColdFusion Application
- Contents
- About applications
- Elements of a ColdFusion application
- Structuring an application
- Defining the application and its event handlers in Application.cfc
- Migrating from Application.cfm to Application.cfc
- Using an Application.cfm page
- Optimizing ColdFusion applications
- Handling Errors
- Contents
- About error handling in ColdFusion
- Understanding errors
- Error messages and the standard error format
- Determining error-handling strategies
- Specifying custom error messages with the cferror tag
- Logging errors with the cflog tag
- Handling runtime exceptions with ColdFusion tags
- Using Persistent Data and Locking
- Contents
- About persistent scope variables
- Managing the client state
- Configuring and using client variables
- Configuring and using session variables
- Configuring and using application variables
- Using server variables
- Locking code with cflock
- Examples of cflock
- Securing Applications
- Contents
- ColdFusion security features
- About resource and sandbox security
- About user security
- Using ColdFusion security tags and functions
- Security scenarios
- Implementing user security
- Developing Globalized Applications
- Debugging and Troubleshooting Applications
- Contents
- Configuring debugging in the ColdFusion MX Administrator
- Using debugging information from browser pages
- Controlling debugging information in CFML
- Using the cftrace tag to trace execution
- Using the cftimer tag to time blocks of code
- Using the Code Compatibility Analyzer
- Troubleshooting common problems
- Designing and Optimizing a ColdFusion Application
- Accessing and Using Data
- Introduction to Databases and SQL
- Accessing and Retrieving Data
- Updating Your Database
- Using Query of Queries
- Contents
- About record sets
- About Query of Queries
- Query of Queries user guide
- Using dot notation
- Using joins
- Using unions
- Using conditional operators
- Managing data types for columns
- Using the CAST function
- Using aggregate functions
- Using group by and having expressions
- Using ORDER BY clauses
- Using aliases
- Handling null values
- Concatenating strings
- Escaping reserved keywords
- Using Queries of Queries with dates
- Understanding Query of Queries performance
- Understanding Query of Queries processing
- Managing LDAP Directories
- Building a Search Interface
- Contents
- About Verity
- Creating a search tool for ColdFusion applications
- Creating a search page
- Enhancing search results
- Working with data returned from a query
- Using Verity Search Expressions
- Requesting and Presenting Information
- Introduction to Retrieving and Formatting Data
- Building Dynamic Forms with cfform Tags
- Validating Data
- Contents
- About ColdFusion MX validation
- Validating form fields
- Handling invalid data
- Masking form input values
- Validating form data with regular expressions
- Validating form data using hidden fields
- Validating form input and handling errors with JavaScript
- Validating data with the IsValid function and the cfparam tag
- Creating Forms in Macromedia Flash
- Creating Skinnable XML Forms
- Creating Charts and Graphs
- Creating Reports for Printing
- Contents
- About printable output
- Creating PDF and FlashPaper output with the cfdocument tag
- Creating reports with the ColdFusion MX 7 reporting
- Reporting features
- Reporting architecture
- Getting started
- Basic steps for creating reports
- Report definition guidelines
- Common reporting tasks and techniques
- Grouping and group breaks
- Defining, modifying, and using fields and input parameters
- Using toolbox elements on report bands
- Aligning elements
- Using text styles
- Previewing reports
- Displaying page numbers
- Using layered controls
- Using links
- Using the Properties sheet
- Displaying reports
- Using input parameters to pass variables and other data at runtime
- Configuring RDS
- Using the Report Creation Wizard
- Using the Query Builder
- Using CFML in reports
- Using charts
- Using subreports
- Font management with printable reports
- Creating reports with Crystal Reports (Windows only)
- Using the Flash Remoting Service
- Using Server-Side ActionScript
- Contents
- About server-side ActionScript
- Connecting to the Flash Remoting service
- Using server-side ActionScript functions
- Global and request scope objects
- About the CF.query function and data sources
- Using the CF.query function
- Building a simple application
- About the CF.http function
- Using the CF.http function
- Using Web Elements and External Objects
- Using XML and WDDX
- Contents
- About XML and ColdFusion
- The XML document object
- ColdFusion XML tag and functions
- Using an XML object
- Creating and saving an XML document object
- Modifying a ColdFusion XML object
- Validating XML documents
- Transforming documents with XSLT
- Extracting data with XPath
- Example: using XML in a ColdFusion application
- Moving complex data across the web with WDDX
- Using WDDX
- Using Web Services
- Contents
- Web services
- Working with WSDL files
- Consuming web services
- About the examples in this section
- Passing parameters to a web service
- Handling return values from a web service
- Using cfinvoke to consume a web service
- Using CFScript to consume a web service
- Consuming web services that are not generated by Macromedia ColdFusion MX
- Calling web services from a Macromedia Flash client
- Catching errors when consuming web services
- Handling inout and out parameters
- Configuring web services in the ColdFusion MX Administrator
- Data conversions between ColdFusion and WSDL data types
- Consuming ColdFusion web services
- Publishing web services
- Using request and response headers
- Handling complex data types
- Troubleshooting SOAP requests and responses
- Integrating J2EE and Java Elements in CFML Applications
- Integrating COM and CORBA Objects in CFML Applications
- Contents
- About COM and CORBA
- Creating and using objects
- Getting started with COM and DCOM
- Creating and using COM objects
- Getting started with CORBA
- Creating and using CORBA objects
- CORBA example
- Using XML and WDDX
- Using External Resources
- Sending and Receiving E-Mail
- Interacting with Remote Servers
- Managing Files on the Server
- Using Event Gateways
- Contents
- About event gateways
- Event gateway facilities and tools
- Structure of an event gateway application
- Configuring an event gateway instance
- Developing an event gateway application
- Deploying event gateways and applications
- Using the CFML event gateway for asynchronous CFCs
- Using the example event gateways and gateway applications
- Using the Instant Messaging Event Gateways
- Using the SMS Event Gateway
- Creating Custom Event Gateways
- Index
386 Chapter 16: Securing Applications
Logging a user out by using the cflogout tag does not close the user’s session, but if you use
session login storage, it does remove the login information (the Session.cfauthorization variable)
from the Session scope. For more information on ending sessions, see “Ending a session”
on page 356.
Caution: If you use web server–based authentication or any form authentication that uses a Basic
HTTP Authorization header, the browser continues to send the authentication information to your
application until the user closes the browser, or in some cases, all open browser windows. As a result,
after the user logs out and your application uses the
cflogout tag, until the browser closes, the cflogin
structure in the
cflogin tag will contain the logged-out user’s UserID and password. If a user logs out
and does not close the browser, another user might access pages with the first user’s login.
Security scenarios
The following sections provide two detailed security scenarios. The first scenario uses the web
server to perform the authentication against its user and password database. The second scenario
uses ColdFusion for all authentication and authorization.
A web server authentication security scenario
An application that uses web server authentication might work as follows. The example in “Web
server–based authentication user security example” on page 391 implements this scenario.
1.
When the user requests a page from a particular directory on the server for the first time after
starting the browser, the web server displays a login page and logs in the user. The web server
handles all user authentication.
2.
Because the user requested a ColdFusion page, the web server hands the request to ColdFusion.
3.
When ColdFusion receives a request for a ColdFusion page, it instantiates the Application.cfc
and runs
onRequestStart method. If you use an Application.cfm page in place of the
Application.cfc, it runs the contents of the Application.cfm page before it runs the requested
page. The
onRequestStart method or Application.cfm page contains a cflogin tag.
ColdFusion executes the
cflogin tag body if the user is not logged into ColdFusion. The user
is logged in if the
cfloginuser tag has run successfully for this application and the user has not
been logged out.
4.
Code in the cflogin tag body uses the user ID and password from the browser login, contained
in the cflogin.name and cflogin.password variables, as follows. (With Digest or NTLM web
server authentication, the cflogin.password variable is the empty string.)
a
It checks the user’s name against information it maintains about users and roles. In a simple
case, the application might have two roles, one for users and one for administrators. The
CFML assigns the Admin role to any user logged on with the user ID Admin and assigns the
User role to all other users.
b
It calls the cfloginuser tag with the user’s ID, password, and roles, to identify the user to
ColdFusion.
5.
Application.cfc or the Application.cfm page completes processing, and ColdFusion processes
the requested application page.