Skip to main content
S
SEJ-69
Participant
May 23, 2008
Question

Protecting remote CFCs from unauthorized access

  • May 23, 2008
  • 3 replies
  • 938 views
Now that I'm working with Flex I've discovered that I no longer have session variables to maintain access to a site. How do I protect my Coldfusion CFC's from unauthorized access?

I'm working on a site that requires user authentication. While the actual user authentication in flex is easy, this doesn't protect my Coldfusion CFCs from someone that knows how to hook up directly to my site which would bypass the interface security.

I'm also coding an Adobe Air application to go along with the website.

TIA.
This topic has been closed for replies.

3 replies

S
samunplugged
Participating Frequently
June 5, 2008
One of my task involved publishing a secured web service to be consumed by any client/platform. Best and secured way, and you'll agree that this is what Amazon and Google use as well, is that you assign every client an application-id and security-key.

And here's how client should make requests:
1. SoapHeaders or HTTP_Cookie is sent with every request. Information it will contain is an encryted text (token) and client id.
Header or cookie will appear something like this: applicationid=3456&token=wJDKD93o34%^&*$2de4390
2. Encrytion is done by the client using the security-key provided by the server. Text which is encrypted must contain datetime. Example normal text could be: myMethod\20080612
3. The security-key itself is never transferred over the network
4. At the server side, the token header value is decrypted using the key for that applicationid (pick it up from the server.)
5. Server checks, after decryption of token, that the datetime is in proper format and methodName is same as the method called. And if this is true, client is authenticated.


In simple words, go on encryting any client variable before sending to the server. If server can decrypt it and finds expected string, respond or else throw security error.

Why you must also allow access using HTTP_COOKIE? You dont want to write your own WSDL files. ColdFusion can not generate a WSDL which can tell consumers what SoapHeaders your service is expecting. Not allowing cookies based authentication will eventually lead to a situation where .NET developers wont be able to consume your service. Its impossible for most .NET pros to write a code to send custom soap headers - there is so much dependency on VS Studio web service code stubs.

Sam
Adobe Certified Flash and Adv. ColdFusion Developer
http://www.samunplugged.com
mumbai users, join other mumbai cf enthsiasts: http://in.groups.yahoo.com/group/cfexpress/
N
Newsgroup_User
Inspiring
June 3, 2008
Have you investigated the CFC username/password properties?

Have you investigated session use with flex applications? I understand
they are still possible, just not as intuitive as with an HTML application.
E
Etienne
Participating Frequently
June 3, 2008
That's a good question...

Anyone has an awnser ?

Etienne
Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices