Ben Nadel
On User Experience (UX) Design, JavaScript, ColdFusion, Node.js, Life, and Love.
I am the chief technical officer at InVision App, Inc - a prototyping and collaboration platform for designers, built by designers. I also rock out in JavaScript and ColdFusion 24x7.
Meanwhile on Twitter
Loading latest tweet...
Ben Nadel at cf.Objective() 2009 (Minneapolis, MN) with:

XStandard Web Services And ColdFusion Security

By Ben Nadel on

I was having a bit of trouble with security at one point while implementing the ColdFusion web services of XStandard. XStandard calls ColdFusion (.cfm) pages for my version of the web services. Below are some examples of the web service URLs:

  • <!--- Attachment library. --->
  • <param
  • name="AttachmentLibraryURL"
  • value="#strXSDirectory#xs_attachment_library.cfm"
  • />
  •  
  • <!--- Image library. --->
  • <param
  • name="ImageLibraryURL"
  • value="#strXSDirectory#xs_image_library.cfm"
  • />

Since these go through .cfm pages, they are subject to the same security as any other page of my content management system (CMS). This is good for me, bad for XStandard. See, when XStandard calls the web service, it doesn't use the browser's current session (at least not in FireFox... I think it might in IE). To get around this, I updated my security settings to allow anonymous access to files starting with "xs_" which stands for XStandard (ie. I am not checking permissions on file access when the file name beings with "xs_").

This never made me feel good as it opened up holes in my security. I didn't think much harm could come of it, but still, not a good practice. Then the other day, it hit me like a lightening bolt!! Why not force XStandard to send the session information with the web service calls?

Think about the CFLocation tag. One of the attributes is "AddToken". The reason for this is that if you send the CFID and the CFTOKEN in a URL, the ColdFusion server will use this session information for the resultant page call. Moving this idea over to the XStandard web service calls, we get:

  • <!--- Attachment library. --->
  • <param
  • name="AttachmentLibraryURL"
  • value="#strXSDirectory#xs_attachment_library.cfm?cfid=#SESSION.CFID#&cftoken=#SESSION.CFTOKEN#"
  • />
  •  
  • <!--- Image library. --->
  • <param
  • name="ImageLibraryURL"
  • value="#strXSDirectory#xs_image_library.cfm?cfid=#SESSION.CFID#&cftoken=#SESSION.CFTOKEN#"
  • />

I am now forcing XStandard to send the current user's session information into the web service calls. Not only does this allow me to remove my security hole (because the web service pages now integrate with the user security), it allows the web services to take information from the user's session information (if it needs to) thereby, more fully integrating with the ColdFusion application.



Reader Comments

Post A Comment

You — Get Out Of My Dreams, Get Into My Comments
Live in the Now
Oops!
Comment Etiquette: Please do not post spam. Please keep the comments on-topic. Please do not post unrelated questions or large chunks of code. And, above all, please be nice to each other - we're trying to have a good conversation here.