
Advanced Fusebox: Securing a Fusebox Application

By Steve Nelson, SecretAgents.com. Topics: understand Fusebox terminology; understand your users; understand how to use App_Secure.cfm, App_Login.cfm and App_Logout.cfm; and finally, understand secured SQL statements.



Presentation Transcript


  1. Advanced Fusebox: Securing a Fusebox Application
  By Steve Nelson, SecretAgents.com

  2. Securing a Fusebox Application
  • Understand Fusebox terminology
  • Understand your users
  • Understand how to use App_Secure.cfm, App_Login.cfm, App_Logout.cfm
  • Finally, understand Secured SQL Statements

  3. 1. Fusebox Terminology
  • Home Application
  • Circuit Applications
  • Fusebox
  • Fuseactions
  • Fuses

  4. Home Application
  • This is made up of many circuit applications
  • Example: SecretAgents.com

  5. Circuit Applications
  • A section of a larger application
  • Example: SecretAgents.com/members

  6. The Fusebox
  • This controls what a user is attempting to do
  • The default web server template Index.cfm is the “Fusebox”

  7. Fuseactions
  • This is a single action that the user is attempting to perform
  • Allows for one or more Fuses in each Fuseaction

  8. Fuses
  • One of the .cfm files containing the code needed to run a Fuseaction
  • File naming convention: dsp_file.cfm (display), act_file.cfm (action), qry_file.cfm (query) and app_file.cfm (application)

  9. 2. Who Are Your Users?
  • Public Users
  • Registered Public Users
  • Registered Private Users

  10. Public Users
  • Any user in the world who has not identified him/herself
  • Examples:
    • Reading threads in a forum
    • Viewing products
    • Reading news articles

  11. Registered Public Users
  • A user who has freely registered
  • These users can do certain public tasks that need to be associated with the user
  • Examples:
    • Posting a thread to a forum
    • Purchasing products
    • Suggesting a news article

  12. Registered Private Users
  • These are groups of users that have been granted access to private areas of a site
  • Examples:
    • Moderating forums
    • Editing product data
    • Editing news articles

  13. 3. Fusebox Security
  • App_Login.cfm – When a user is attempting to log in
  • App_Logout.cfm – When a user is attempting to log out
  • App_Secure.cfm – Securing an entire Circuit Application or Fuseaction

  14. Security Database Tables
  • These tables can be defined by you
  • My suggestion: three tables: Users, Groups, User_Groups

  15. App_Login.cfm
  • This file can be defined by you
  • Verify the user is who they say they are
  • Assign them their #Client.User_ID#
  • Assign them their list of Groups: #Client.User_Groups#
  • Return them to where they should be with <CF_RETURNFUSEACTION>

  16. App_Logout.cfm
  • This file can be defined by you
  • Reset CFID/CFTOKEN if coming from another site
  • Remove Client Variables
  • Set/Delete CFID/CFTOKEN cookies
  • App_Logout.cfm is commonly called in App_globals.cfm
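The two fuses described on slides 15 and 16, written out as an added example; this is not code from the deck or from SecretAgents.com. It assumes a datasource name in request.dsn, the three suggested tables as Users(user_id, username, password_hash), Groups(group_id, group_name) and User_Groups(user_id, group_id), a login form whose fields the Fusebox has copied into the attributes scope, and passwords stored as a SHA-256 hash rather than in clear text (the hashing scheme is an assumption; the slides do not specify one). CF_RETURNFUSEACTION is the custom tag the slide names and is assumed to be on the custom tag path.

```cfml
<!---
  App_Login.cfm (added example, not from the deck).
  Assumptions: request.dsn holds the datasource name; tables
  Users(user_id, username, password_hash), Groups(group_id, group_name)
  and User_Groups(user_id, group_id); attributes.username and
  attributes.password come from the login form; password_hash stores
  Hash(password, "SHA-256").
--->
<cfparam name="attributes.username" default="">
<cfparam name="attributes.password" default="">

<!--- Look the user up by name; the hash is compared in CFML, not in the SQL --->
<cfquery name="qUser" datasource="#request.dsn#">
  SELECT user_id, password_hash
  FROM   Users
  WHERE  username = <cfqueryparam value="#attributes.username#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfif qUser.recordCount EQ 1
      AND Compare(qUser.password_hash, Hash(attributes.password, "SHA-256")) EQ 0>

  <!--- #Client.User_ID#: "who" the user is (Registered Public and Registered Private) --->
  <cfset client.user_id = qUser.user_id>

  <!--- #Client.User_Groups#: the list of groups the user belongs to (Registered Private) --->
  <cfquery name="qGroups" datasource="#request.dsn#">
    SELECT g.group_name
    FROM   Groups g
           INNER JOIN User_Groups ug ON ug.group_id = g.group_id
    WHERE  ug.user_id = <cfqueryparam value="#qUser.user_id#" cfsqltype="cf_sql_integer">
  </cfquery>
  <cfset client.user_groups = ValueList(qGroups.group_name)>

  <!--- Return the user to the fuseaction they originally asked for --->
  <CF_RETURNFUSEACTION>

<cfelse>
  <!--- One generic message: do not reveal which half of the login was wrong --->
  <cfset request.loginError = "Login failed. Please try again.">
  <cfinclude template="dsp_login.cfm">
</cfif>


<!---
  App_Logout.cfm (added example, not from the deck).
  Removes the identity App_Login.cfm set and expires the CFID/CFTOKEN
  cookies so the browser no longer points at the old client record.
  The deck notes this fuse is commonly called from App_globals.cfm,
  for example when attributes.fuseaction is "logout".
--->
<cfset DeleteClientVariable("user_id")>
<cfset DeleteClientVariable("user_groups")>
<cfcookie name="CFID" value="" expires="now">
<cfcookie name="CFTOKEN" value="" expires="now">
<cflocation url="index.cfm?fuseaction=login" addtoken="no">
```

Two details matter for the defender: the group list is rebuilt from the database on every login, so removing a user from a group takes effect the next time they log in, and the logout fuse deletes the client variables rather than merely setting them to empty strings, so a later cfparam default of 0 or "" in App_Secure.cfm applies cleanly.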

  17. App_Secure.cfm
  • This file can be defined by you
  • Used for verifying Registered Public and Private users
  • If the user does not have permissions it will send them to your login form

  18. Security Variables
  • #Client.User_ID# defines “who” the user is; needed for Registered Public and Registered Private users; must be set by your login script
  • #Client.User_Groups# contains the list of “Groups” the user belongs to; needed for Registered Private users; must be set by your login script
  • #Attributes.Groups# contains the list of groups allowed to access the area; used in App_Secure.cfm
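An App_Secure.cfm that ties the three security variables on slide 18 together, as an added example rather than the deck's own file. It is meant to be called with CFMODULE. Assumptions: an empty groups attribute means "any logged-in user" (a Registered Public area), the login form is reached at the home application's index.cfm with fuseaction "login", and the calling Fusebox has already set attributes.fuseaction, read here through the caller scope.

```cfml
<!---
  App_Secure.cfm (added example, not from the deck).
  Inputs:
    attributes.groups   - list of groups allowed in this area, set by the
                          caller; empty means any logged-in user
    client.user_id      - set by App_Login.cfm; 0 or absent means Public user
    client.user_groups  - set by App_Login.cfm; list of group names
  Assumption: the login form is /index.cfm?fuseaction=login and the caller's
  attributes.fuseaction is the fuseaction the user was trying to reach.
--->
<cfparam name="attributes.groups" default="">
<cfparam name="client.user_id" default="0">
<cfparam name="client.user_groups" default="">
<cfparam name="caller.attributes.fuseaction" default="">

<cfset variables.loginURL = "/index.cfm?fuseaction=login">
<cfset variables.authorized = false>

<cfif IsNumeric(client.user_id) AND client.user_id GT 0>
  <cfif NOT Len(Trim(attributes.groups))>
    <!--- Registered Public area: being logged in is enough --->
    <cfset variables.authorized = true>
  <cfelse>
    <!--- Registered Private area: the user needs at least one of the listed groups --->
    <cfloop list="#attributes.groups#" index="variables.thisGroup">
      <cfif ListFindNoCase(client.user_groups, Trim(variables.thisGroup))>
        <cfset variables.authorized = true>
        <cfbreak>
      </cfif>
    </cfloop>
  </cfif>
</cfif>

<cfif NOT variables.authorized>
  <!--- Deny by default: send the user to the login form and remember where they were going --->
  <cflocation url="#variables.loginURL#&returnfuseaction=#URLEncodedFormat(caller.attributes.fuseaction)#"
              addtoken="no">
</cfif>
```

The tag fails closed: authorized starts false and only a positive match flips it, so a missing client variable, a non-numeric user_id or a group name that is not in the user's list all end at the login form. Because cflocation halts the request, no part of the secured fuseaction runs for an unauthorized user.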

  19. How to Use App_Secure.cfm
  • How to secure a Circuit Application
  • How to secure a Fuseaction
  • How to secure an area of a Fuse

  20. Securing a Circuit Application
  • If every Fuseaction in a Circuit Application needs to be secured, call App_Secure.cfm with CFMODULE at the top of index.cfm
  • Assign the necessary groups to the “groups” attribute of App_Secure.cfm

  21. Securing a Fuseaction
  • For each Fuseaction that needs to be secured, call App_Secure.cfm in the CFCASE statement with the necessary groups

  22. Securing an Area of a Fuse
  • Place a simple CFIF statement looking at the #client.user_groups# list to see if a user belongs to the appropriate group and may view the area
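The three placements from slides 20 to 22 in one circuit's Fusebox, as an added example (not the deck's code). It assumes an App_Secure.cfm that accepts a comma-separated groups attribute, a "members" circuit whose every fuseaction requires the members group, and fuse and group names (dsp_home.cfm, editors, moderators and so on) that are made up for the illustration.

```cfml
<!--- index.cfm, the Fusebox of the "members" circuit (added example, not from the deck) --->
<cfparam name="attributes.fuseaction" default="home">

<!--- (a) Securing the Circuit Application: every fuseaction below needs the "members" group.
      The login fuseaction must live in a circuit that is NOT wrapped this way,
      otherwise nobody could reach the login form. --->
<cfmodule template="App_Secure.cfm" groups="members">

<cfswitch expression="#attributes.fuseaction#">

  <cfcase value="home">
    <cfinclude template="dsp_home.cfm">
  </cfcase>

  <cfcase value="editproduct">
    <!--- (b) Securing a Fuseaction: on top of "members", only editors or admins get here --->
    <cfmodule template="App_Secure.cfm" groups="editors,admins">
    <cfinclude template="qry_getproduct.cfm">
    <cfinclude template="dsp_editproduct.cfm">
  </cfcase>

  <cfcase value="moderate">
    <cfmodule template="App_Secure.cfm" groups="moderators">
    <cfinclude template="dsp_moderate.cfm">
  </cfcase>

  <cfdefaultcase>
    <cfinclude template="dsp_home.cfm">
  </cfdefaultcase>

</cfswitch>


<!--- ===== dsp_home.cfm =====
      (c) Securing an Area of a Fuse: a CFIF on the group list decides whether the
      moderator link is rendered. Hiding the link is a convenience for the user;
      the "moderate" fuseaction above is still guarded by App_Secure.cfm, because
      anyone can type the URL by hand. --->
<cfparam name="client.user_id" default="0">
<cfparam name="client.user_groups" default="">
<cfoutput>
  <p>Welcome, member #client.user_id#.</p>
  <cfif ListFindNoCase(client.user_groups, "moderators")>
    <p><a href="index.cfm?fuseaction=moderate">Moderate the forums</a></p>
  </cfif>
</cfoutput>
```

The layering is deliberate: the circuit-wide call establishes a floor (logged in and a member), the per-fuseaction call narrows it for sensitive actions, and the in-fuse CFIF only shapes what is displayed. Treat the display check as never sufficient on its own.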

  23. 4. Secured SQL Statements
  • Even if a user belongs to a group, they should only be able to edit or delete “their” data
  • Associate new records (inserts) with #client.User_ID#, or other user-specific variables
  • Verify edits/deletes with #client.User_ID#, or other user-specific variables

  24. User Specific Insert Statement
  • Associate #client.User_ID# with an Insert statement when necessary

  25. Secured Update Statement
  • Verify #client.User_ID# in an Update statement when necessary

  26. Secured Delete Statement
  • Verify #client.User_ID# in a Delete statement when necessary
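The insert, update and delete statements from slides 24 to 26 carried through for a news-article circuit, as an added example rather than the deck's code. Assumptions: a datasource name in request.dsn, a table Articles(article_id, user_id, title, body), and that App_Secure.cfm has already run so client.user_id is set. The example also binds every value with cfqueryparam, which the slides do not mention but which keeps attributes.article_id from being used for SQL injection as well as for reaching another user's row.

```cfml
<!---
  Secured SQL for a news-article circuit (added example, not from the deck).
  Assumptions: request.dsn names the datasource; Articles(article_id, user_id,
  title, body); App_Secure.cfm has already run, so client.user_id is set.
--->
<cfparam name="attributes.article_id" default="0">
<cfparam name="attributes.title" default="">
<cfparam name="attributes.body" default="">

<!--- ===== act_insertarticle.cfm: User Specific Insert Statement =====
      The owner comes from the client scope, never from the form, so a user
      cannot submit someone else's user_id with the post. --->
<cfquery name="qInsert" datasource="#request.dsn#">
  INSERT INTO Articles (user_id, title, body)
  VALUES (
    <cfqueryparam value="#client.user_id#" cfsqltype="cf_sql_integer">,
    <cfqueryparam value="#attributes.title#" cfsqltype="cf_sql_varchar">,
    <cfqueryparam value="#attributes.body#" cfsqltype="cf_sql_longvarchar">
  )
</cfquery>

<!--- ===== act_updatearticle.cfm: Secured Update Statement =====
      Both the record id and the owner are in the WHERE clause. A guessed or
      tampered article_id belonging to someone else simply matches zero rows. --->
<cfquery name="qUpdate" datasource="#request.dsn#">
  UPDATE Articles
  SET    title = <cfqueryparam value="#attributes.title#" cfsqltype="cf_sql_varchar">,
         body  = <cfqueryparam value="#attributes.body#" cfsqltype="cf_sql_longvarchar">
  WHERE  article_id = <cfqueryparam value="#attributes.article_id#" cfsqltype="cf_sql_integer">
  AND    user_id    = <cfqueryparam value="#client.user_id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- ===== act_deletearticle.cfm: Secured Delete Statement =====
      Same rule: the delete is scoped to the caller's own rows. --->
<cfquery name="qDelete" datasource="#request.dsn#">
  DELETE FROM Articles
  WHERE  article_id = <cfqueryparam value="#attributes.article_id#" cfsqltype="cf_sql_integer">
  AND    user_id    = <cfqueryparam value="#client.user_id#" cfsqltype="cf_sql_integer">
</cfquery>
```

When a Registered Private group such as editors legitimately needs to change other users' records, widen the WHERE clause only inside a CFIF on #client.user_groups#, so the ownership condition is dropped for that group alone and stays in place for everyone else.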

  27. Fusebox Makes Security Simple
  • The structure of Fusebox makes security simple.
  • Focus on securing:
    • Entire Circuit Applications
    • Individual Fuseactions
    • Areas of a Fuse
    • User-specific records in the database
