Hello, I have been using ColdFusion now for over a year and I find it a quick and powerful tool to help me develop some pretty cool stuff really quickly. My bosses want to take the application we have designed with ColdFusion 8 and add 2 other applications into it that have been developed, 1 in ASP and the other in ASP.NET. Right now, our solution was basically setting up the ColdFusion app as the main site with the other 2 sites sitting in iframes embedded in a cfm file.
Now, the users have to log in to view the site, using a database query check for the login. Now, I have set up the application.cfm to block direct access to sub-directories by checking the CGI.script_name to see if certain directories are trying to be directly accessed and if they are, the user is redirected to the login screen. And for some directories I have taken it a step further and added a check to session variables as well and if any of the session variables are blank or Null, it again redirects the user to the login page, when they try and access these particular directories.
Now, the 2 other applications exist in IIS as virtual directories for the main ColdFusion site, and if someone tries to access the directory with the cfm page with the embedded iframes, they get kicked to the login screen. However, the URL is written out in the source attribute of the iframe and someone can grab it and access those sites by grabbing the src URL. I have mentioned that since the other 2 programs need to access the session variables and the session time stamp to prevent a session timeout, that they should run a similar check for session variables and even a check to see if their site is being run in an iframe and if not, kick them to the login.
The ASP.NET guys don't like that idea and say that IIS should handle this and that there has to be a way to shut down the sub-directories through an ISAPI filter. And I have yet to find a possible solution. Can anyone help? I am using ColdFusion 8 and IIS 6 on a Windows Server 2003.
I thought maybe changing the virtual directories' directory security from enable anonymous access to integrated Windows authentication and then adding a <cfntauthenticate> tag to the application.cfm might allow ColdFusion to have access to those sub-directories through the embedded cfm file, but I still get hit with login when trying to access them from the cfm.
Again, I know this is a crazy request, but if anyone can help me, thank you so much in advance.
I'm afraid I agree with the ASP guys.
The security you are talking about is a web server level task. IIS has many ways to restrict content either by user or by IP or some other combination.
The advantage of using IIS is that it protects all requests, CFML, ASP, ASPX, GIF, JPG, CSS and JS to name a few.
The ColdFusion solution you have described only protects CFML and the other ColdFusion extensions.
Since it sounds like you are leaning towards user-based security, when Windows integrated security is enabled, you can read the logged-in user in your CFML by looking at the cgi.auth_user environment variable. This can make it easy to add other functionality based on the logged-in user in your ColdFusion code.
If you do not care about that, you can just lock down directories with OS security combined with Windows integrated security.
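The cgi.auth_user approach described in the reply above, sketched as an Application.cfm fragment; this is an added example and not code posted by anyone in the thread. The datasource `portalDSN`, the table `app_users` and its columns, and the single-domain assumption are all hypothetical.

```cfml
<!--- Added example for Application.cfm; datasource, table and column names are hypothetical. --->
<cfapplication name="portal" sessionmanagement="true" sessiontimeout="#createTimeSpan(0,0,30,0)#">

<!--- AUTH_USER is empty when IIS served the request anonymously, which means
      anonymous access is still enabled on this directory. Refuse the request
      instead of treating the visitor as logged in. --->
<cfset authUser = trim(cgi.auth_user)>
<cfif not len(authUser)>
    <cfheader statuscode="401" statustext="Unauthorized">
    <cfabort>
</cfif>

<!--- With Windows integrated security the value normally arrives as DOMAIN\username.
      Assumption: one domain only, so the account name alone identifies the user. --->
<cfset accountName = lCase(listLast(authUser, "\"))>

<!--- Load the application profile once per session, or again if the Windows identity changes. --->
<cfif not structKeyExists(session, "accountName") or session.accountName neq accountName>
    <cfquery name="profile" datasource="portalDSN">
        SELECT user_id, role_name
        FROM app_users
        WHERE account_name = <cfqueryparam value="#accountName#" cfsqltype="cf_sql_varchar" maxlength="64">
    </cfquery>

    <!--- Authenticated by Windows but unknown to the application: deny. --->
    <cfif profile.recordCount neq 1>
        <cfheader statuscode="403" statustext="Forbidden">
        <cfabort>
    </cfif>

    <cfset session.accountName = accountName>
    <cfset session.userId = profile.user_id>
    <cfset session.role = profile.role_name>
</cfif>
```

This fragment only runs for requests ColdFusion processes; the ASP and ASP.NET virtual directories are protected by the IIS authentication setting itself, not by this code.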
Thanks ianskinner.
We have gone ahead with the Microsoft .NET membership API and are modifying it to work with our current application framework.