Is cfNTauthenticate a safe method for log-in?

Community Beginner, Feb 12, 2020

I have a ColdFusion application running (entirely written by other people, but that I'm kind of managing now) that uses the cfNTauthenticate tag for users to log in, but now I have been asked to make sure that using this is safe.

I have read the official documentation of cfNTauthenticate, but it doesn't explain explicitly how the user name and password are authenticated against the NT domain.

I am rather new to ColdFusion and not an expert in Windows, so I might not be understanding some things in the documentation, but it really doesn't seem to mention this.

The main question is, are the user name and password sent in clear to the Windows NT domain, or is it encrypted?

If any of you have some information about this, that would be very interesting for me.

Correct answer by BKBK | Adobe Community Professional

TOPICS
Documentation, Security, Server administration

Adobe Community Professional, Feb 16, 2020

Yes, using cfNTAuthenticate is safe. In fact the question, "are the user name and password sent in clear to the Windows NT domain, or is it encrypted?" is irrelevant. That is because the credentials are not sent, as you would from a browser through HTTP to ColdFusion. Instead, cfNTAuthenticate integrates ColdFusion (as a user) directly with the security of the Windows operating system.

However, you should take the usual precautions:

1) Use HTTPS for your ColdFusion site;

2) Ensure that client login credentials are sent to ColdFusion by the POST, rather than the GET, method;

3) Ensure that, in your Windows domain, ColdFusion runs as a user with the minimum rights needed to authenticate other users.
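
Added example, not part of the original thread or of the application discussed: a login template that enforces precautions 1 and 2 in code before calling cfNTauthenticate. The form field names `username` and `password`, the domain `EXAMPLEDOMAIN` and the template `loginform.cfm` are assumptions; precaution 3 is set on the ColdFusion service account in Windows and does not appear in CFML.

```cfml
<!--- login.cfm: added example, not the application's own code.
      Assumed names: form fields "username"/"password", domain
      "EXAMPLEDOMAIN", form template "loginform.cfm". --->
<cflogin>
    <!--- Precaution 1: refuse to handle credentials over plain HTTP.
          Assumes TLS terminates on this server; behind a TLS-offloading
          proxy, check the header that proxy sets instead. --->
    <cfif NOT (cgi.server_port_secure EQ 1 OR cgi.https EQ "on")>
        <cfheader statuscode="403" statustext="HTTPS required">
        <cfabort>
    </cfif>

    <!--- Precaution 2: accept credentials only from a POST body.
          Reading the form scope (never url) keeps them out of query
          strings, which end up in access logs and browser history. --->
    <cfif cgi.request_method EQ "POST"
          AND structKeyExists(form, "username")
          AND structKeyExists(form, "password")>

        <!--- ColdFusion asks Windows to validate the credentials;
              throwOnError="no" reports failures in the result struct. --->
        <cfNTauthenticate username="#form.username#"
                          password="#form.password#"
                          domain="EXAMPLEDOMAIN"
                          result="authResult"
                          listGroups="yes"
                          throwOnError="no">

        <cfif authResult.auth>
            <cfloginuser name="#authResult.name#"
                         password="#form.password#"
                         roles="#authResult.groups#">
        <cfelse>
            <!--- Same message for unknown user and wrong password. --->
            <cfset loginError = "Invalid user name or password.">
            <cfinclude template="loginform.cfm">
            <cfabort>
        </cfif>
    <cfelse>
        <!--- GET or incomplete request: show the form, authenticate nothing. --->
        <cfinclude template="loginform.cfm">
        <cfabort>
    </cfif>
</cflogin>
```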

amaury.1 | Community Beginner, Feb 24, 2020

Very well, thank you for your clarifications. It was really important for me to understand that, and you have helped me well with this!
