
CFSCHEDULE username and password?

Guest
May 07, 2006
I've created a scheduled template that annoyingly runs within a cfapplication regardless of session status (how can this be, is the server exempt from cfapplication authentication?)... so I need to secure it with a username and password. Nowhere in Macromedia's documentation does it describe HOW to use the username and password from the cfadmin portal! I tried passing via the URL with no luck. I tried passing via the text inputs in the cfadmin portal, no luck (what would the variable names be in this case - TERRIBLE documentation as usual).

So just how the heck are we supposed to use this feature? Has anyone figured out how to secure a scheduled template?

Thanks!

Community Expert
May 07, 2006
I secure my cfschedule templates the simplest way possible; I give them a name that also serves as a unique ID. For example, copyOrder7C9EA38B726AE459D0.cfm

Guest
May 07, 2006
My scheduled task pages are all password and SSL secured and they work fine.

The trick is that your page must use a username password scheme that CF recognizes and you must provide the username and password to the scheduler via the CF administrator (or with the <cfschedule> tag).

Recognized authentication methods include web, "BASIC authentication" and login forms that use the magic input names of "j_username" and "j_password".

Guest
May 07, 2006
AHA, now we're getting somewhere. Can you give me an example of how you are accepting/processing the username and password from the cfadmin portal on your scheduled template?

Thank you.

Guest
May 07, 2006
I've attached some sample code to illustrate why I'm getting confused.

Here is the sample template scheduled to run (quickest way to test):

<CFIF #j_username# EQ "xxx" AND #j_password# EQ "yyy">
<CFMAIL TO="xxx@yyy.com"
FROM="yyy@zzz.com"
SUBJECT="SCHEDULED TASK COMPLETED"
SERVER="xxx.com"
TYPE="HTML"
>
A SCHEDULED TASK HAS BEEN COMPLETED.
</CFMAIL>
<CFELSE>
<CFMAIL TO="xxx@yyy.com"
FROM="yyy@zzz.com"
SUBJECT="SCHEDULED TASK COMPLETED"
SERVER="xxx.com"
TYPE="HTML"
>
THIS SHOULD NOT BE RECEIVED - BAD USERNAME/PASSWORD.
</CFMAIL>
</CFIF>


From the CF Administrator, I have the job set to run with username/password corresponding to the template's challenge. Regardless of what I pass, the authentication fails and I get the wrong email. I tried passing the parameters via the URL in the scheduler tool, same result.

Doing a google on j_username as you suggested spits out cflogin info... would I need to use a cflogin challenge to properly do this? I've never used the tag before and from what I've seen the documentation is not for newbies, can't make sense of just how to use it.

Thanks again!

Guest
May 07, 2006
Absolutely no password handling is done in the scheduled template.
It is merely in a tree that is protected by a standard Application.cfc and <cflogin> setup.

The <cflogin> code displays a login form as needed. Since it uses the magic form names, cfscheduler knows how to log in.

Snippets attached. See "Securing applications" and cflogin in the docs. And consult the WACK by Ben Forta for more info.


Guest
May 07, 2006
hmm... I'm using a basic session.allowin db check against form username/password at present in cfapplication. In order to get the cfscheduler to work with a username/password, I'll have to update the cfapplication to use cflogin instead? I'm glad you mentioned that there is no password handling done in the scheduled template - just tried that a different way for the 100th time. I will try updating our cfapplication template to use cflogin instead of our current solution - I imagine this will make the app much more secure as well?

Just to be 100% sure, in your ELSE where you check the username/password, is that where you query the db against the j_username and j_password? Using this tag, are there any session variables that must be manually set upon a successful authentication to keep the session active, or does cflogin handle that automatically?

what I forgot to add was - for logging out, is there a tag to kill the session, as I no longer will have a session.allowin variable using this method.

Many thanks,

Scott.

Guest
May 07, 2006
quote:

Originally posted by: nicksaredumb
hmm... I'm using a basic session.allowin db check against form username/password at present in cfapplication. In order to get the cfscheduler to work with a username/password, I'll have to update the cfapplication to use cflogin instead? I'm glad you mentioned that there is no password handling done in the scheduled template - just tried that a different way for the 100th time. I will try updating our cfapplication template to use cflogin instead of our current solution - I imagine this will make the app much more secure as well?

Just to be 100% sure, in your ELSE where you check the username/password, is that where you query the db against the j_username and j_password? Using this tag, are there any session variables that must be manually set upon a successful authentication to keep the session active, or does cflogin handle that automatically?

what I forgot to add was - for logging out, is there a tag to kill the session, as I no longer will have a session.allowin variable using this method.

Many thanks,

Scott.


Yes, using cflogin is usually more secure.

In the else area, you do not check the DB against the j_ variables. You check against the special variables cflogin.name and cflogin.password -- which CF automatically generates from login types that it recognizes.

Add the attached code just after your DB check against username and password. (Note that in our framework, the login form is in its own template.)

Use <cflogout> to log out.



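The setup described in the replies above, as an added example that is not the poster's attached snippet or vendor code: an Application.cfc whose <cflogin> block checks cflogin.name and cflogin.password, so the scheduled template carries no credential check of its own. The datasource appDSN, the users table and its columns, and the salted SHA-256 hash format are assumptions.

```cfml
<!--- Application.cfc: added example. appDSN, users and its columns are hypothetical. --->
<cfcomponent output="false">
  <cfset this.name = "scheduledTaskDemo">
  <cfset this.sessionManagement = true>
  <cfset this.loginStorage = "session">

  <cffunction name="onRequestStart" returnType="boolean" output="true">
    <cfargument name="targetPage" type="string" required="true">
    <cfset var qUser = "">
    <cfset var authenticated = false>

    <!--- ?logout ends the login; no session flag has to be cleared by hand --->
    <cfif structKeyExists(url, "logout")>
      <cflogout>
    </cfif>

    <!--- The cflogin body runs only while no user is logged in --->
    <cflogin>
      <cfif isDefined("cflogin")>
        <!--- CF fills cflogin.name/.password from HTTP Basic credentials or
              from form fields named j_username and j_password --->
        <cfquery name="qUser" datasource="appDSN">
          SELECT username, salt, pw_hash, roles
          FROM users
          WHERE username = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar" maxlength="64">
        </cfquery>
        <!--- Assumption: pw_hash stores hash(salt & password, "SHA-256") --->
        <cfif qUser.recordCount EQ 1
              AND compareNoCase(qUser.pw_hash, hash(qUser.salt & cflogin.password, "SHA-256")) EQ 0>
          <cfloginuser name="#qUser.username#" password="#cflogin.password#" roles="#qUser.roles#">
          <cfset authenticated = true>
        </cfif>
      </cfif>

      <!--- No valid credentials: send the form and stop before the target page runs --->
      <cfif NOT authenticated>
        <cfoutput>
          <form action="#htmlEditFormat(cgi.script_name)#" method="post">
            Username: <input type="text" name="j_username">
            Password: <input type="password" name="j_password">
            <input type="submit" value="Log in">
          </form>
        </cfoutput>
        <cfabort>
      </cfif>
    </cflogin>

    <cfreturn true>
  </cffunction>
</cfcomponent>
```

Place the scheduled template in the directory tree this Application.cfc covers and enter the task's username and password in the CF Administrator or on the <cfschedule> tag. A request without valid credentials gets the form and never reaches the template.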