Advanced Fusebox: Securing a Fusebox Application
By Steve Nelson, SecretAgents.com

Securing a Fusebox Application
• Understand Fusebox terminology
• Understand your users
• Understand how to use App_Secure.cfm, App_Login.cfm, App_Logout.cfm
• Finally, understand Secured SQL Statements
1. Fusebox Terminology
• Home Application
• Circuit Applications
• Fusebox
• Fuseactions
• Fuses

Home Application
• This is made up of many circuit applications
• Example: SecretAgents.com

Circuit Applications
• A section of a larger application
• Example: SecretAgents.com/members

The Fusebox
• This controls what a user is attempting to do
• The default web server template, Index.cfm, is the "Fusebox"

Fuseactions
• A single action that the user is attempting to perform
• Each Fuseaction may run one or more Fuses

Fuses
• The .cfm files containing the code needed to run a Fuseaction
• File naming convention: dsp_file.cfm (display), act_file.cfm (action), qry_file.cfm (query) and app_file.cfm (application)
2. Who Are Your Users?
• Public Users
• Registered Public Users
• Registered Private Users

Public Users
• Any user in the world who has not identified him/herself
• Examples:
  • Reading threads in a forum
  • Viewing products
  • Reading news articles

Registered Public Users
• A user who has freely registered
• These users can do certain public tasks that need to be associated with the user
• Examples:
  • Posting a thread to a forum
  • Purchasing products
  • Suggesting a news article

Registered Private Users
• Groups of users that have been granted access to private areas of a site
• Examples:
  • Moderating a forum
  • Editing product data
  • Editing news articles
3. Fusebox Security
• App_Login.cfm – When a user is attempting to log in
• App_Logout.cfm – When a user is attempting to log out
• App_Secure.cfm – Securing an entire Circuit Application or Fuseaction

Security Database Tables
• These tables can be defined by you
• My suggestion: three tables, Users, Groups, User_Groups

App_Login.cfm
• This file can be defined by you
• Verify the user is who they say they are
• Assign them their #Client.User_ID#
• Assign them their list of Groups: #Client.User_Groups#
• Return them to where they should be with <CF_RETURNFUSEACTION>

App_Logout.cfm
• This file can be defined by you
• Reset CFID/CFTOKEN if coming from another site
• Remove Client Variables
• Set/Delete CFID/CFTOKEN cookies
• App_Logout.cfm is commonly called in App_globals.cfm
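An added example of the two files the App_Login.cfm and App_Logout.cfm slides describe; it is written for this page and is not the deck's own code or part of Fusebox itself. It assumes a datasource name held in request.dsn, a login form that posts attributes.username and attributes.password, a Users table with User_ID, Username, Salt and Password_Hash columns, the Groups and User_Groups tables suggested above, a dsp_login.cfm display fuse, and that the deck's CF_RETURNFUSEACTION custom tag is installed; every one of those names is an assumption.

```cfml
<!--- App_Login.cfm (added example; the table, column, datasource and fuse names are assumptions) --->
<cfparam name="attributes.username" default="">
<cfparam name="attributes.password" default="">

<!--- Look the user up by name only; the password is compared against the stored hash --->
<cfquery name="qUser" datasource="#request.dsn#">
  SELECT User_ID, Salt, Password_Hash
  FROM   Users
  WHERE  Username = <cfqueryparam value="#attributes.username#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfset loginOK = false>
<cfif qUser.recordCount EQ 1>
  <!--- Hash(string, algorithm) is a ColdFusion built-in; the per-user Salt column is assumed --->
  <cfset submittedHash = Hash(qUser.Salt & attributes.password, "SHA-256")>
  <cfif CompareNoCase(submittedHash, qUser.Password_Hash) EQ 0>
    <cfset loginOK = true>
  </cfif>
</cfif>

<cfif loginOK>
  <!--- 1. Assign "who" the user is --->
  <cfset client.User_ID = qUser.User_ID>

  <!--- 2. Assign the list of groups the user belongs to --->
  <cfquery name="qGroups" datasource="#request.dsn#">
    SELECT g.Group_Name
    FROM   Groups g
           INNER JOIN User_Groups ug ON ug.Group_ID = g.Group_ID
    WHERE  ug.User_ID = <cfqueryparam value="#qUser.User_ID#" cfsqltype="cf_sql_integer">
  </cfquery>
  <cfset client.User_Groups = ValueList(qGroups.Group_Name)>

  <!--- 3. Return the user to the fuseaction they originally asked for --->
  <cf_returnfuseaction>
<cfelse>
  <!--- One message for both "unknown user" and "wrong password", so usernames cannot be probed --->
  <cfset request.loginError = "Invalid username or password.">
  <cfinclude template="dsp_login.cfm">
  <cfabort>
</cfif>


<!--- App_Logout.cfm (added example) --->
<!--- Remove the client variables App_Login.cfm set; DeleteClientVariable returns a boolean --->
<cfset removed = DeleteClientVariable("User_ID")>
<cfset removed = DeleteClientVariable("User_Groups")>

<!--- Expire the CFID/CFTOKEN cookies so the old client record cannot be picked up again --->
<cfcookie name="CFID" value="" expires="NOW">
<cfcookie name="CFTOKEN" value="" expires="NOW">
```

The login fuse deliberately fetches the row by username and compares the hash in ColdFusion rather than putting the password in the WHERE clause, so a wrong password and an unknown user follow the same path and produce the same message.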
App_Secure.cfm
• This file can be defined by you
• Used for verifying Registered Public and Registered Private users
• If the user does not have permission, it sends them to your login form

Security Variables
• #Client.User_id# defines "who" the user is; needed for Registered Public and Registered Private users; set by your login script
• #Client.User_Groups# contains the list of "Groups" the user belongs to; needed for Registered Private users; set by your login script
• #Attributes.Groups# contains the list of groups allowed to access the area; used in App_Secure.cfm
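An added example of an App_Secure.cfm built from the three security variables above; it is written for this page and is not the deck's file. It assumes App_Login.cfm has already set client.User_ID and client.User_Groups, that the circuit's login form is reached through a fuseaction named login, and that the requested fuseaction is parked in client.ReturnFuseaction for the login script to read back; those last two names are assumptions.

```cfml
<!--- App_Secure.cfm (added example, not the deck's file) --->
<!--- Called as <cfmodule template="App_Secure.cfm" groups="editor,admin">.
      Relies on client.User_ID and client.User_Groups being set by App_Login.cfm.
      The "login" fuseaction and client.ReturnFuseaction are assumptions. --->
<cfparam name="attributes.groups" default="">
<cfparam name="client.User_ID" default="0">
<cfparam name="client.User_Groups" default="">
<cfparam name="caller.attributes.fuseaction" default="">

<cfset isAuthorized = false>

<!--- Registered Public: the user must at least be logged in --->
<cfif Val(client.User_ID) GT 0>
  <cfif Len(Trim(attributes.groups)) EQ 0>
    <!--- No groups were requested, so any logged-in user may continue --->
    <cfset isAuthorized = true>
  <cfelse>
    <!--- Registered Private: the user must belong to at least one of the allowed groups --->
    <cfloop list="#attributes.groups#" index="allowedGroup">
      <cfif ListFindNoCase(client.User_Groups, Trim(allowedGroup))>
        <cfset isAuthorized = true>
        <cfbreak>
      </cfif>
    </cfloop>
  </cfif>
</cfif>

<cfif NOT isAuthorized>
  <!--- Remember the fuseaction the caller asked for so the login script can return there,
        then send the user to the login form; cflocation also stops the calling fuse --->
  <cfset client.ReturnFuseaction = caller.attributes.fuseaction>
  <cflocation url="index.cfm?fuseaction=login" addtoken="no">
</cfif>
```

Because the check runs inside CFMODULE, attributes.groups is the module's own attribute while the requesting fuseaction has to be read through the caller scope. Defaulting client.User_ID to 0 means a user who has never logged in fails closed instead of throwing an undefined-variable error.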
How to Use App_Secure.cfm
• How to secure a Circuit Application
• How to secure a Fuseaction
• How to secure an area of a Fuse

Securing a Circuit Application
• If every Fuseaction in a Circuit Application needs to be secured, call App_Secure.cfm with CFMODULE at the top of index.cfm
• Assign the necessary groups to the "groups" attribute of App_Secure.cfm

Securing a Fuseaction
• For each Fuseaction that needs to be secured, call App_Secure.cfm in the CFCASE statement with the necessary groups

Securing an Area of a Fuse
• Place a simple CFIF statement looking at the #client.user_groups# list to see if the user belongs to the appropriate group and may view the area
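The three placements just described, worked through in one hypothetical "news" circuit as an added example (not code from the deck or from Fusebox). The circuit, its fuse names, the group names member, editor and admin, and the qArticles query are all assumptions; App_Secure.cfm is taken to behave as the slides describe.

```cfml
<!--- index.cfm for a hypothetical "news" circuit (added example; names are assumptions) --->
<cfparam name="attributes.fuseaction" default="list">

<!--- (a) Securing the whole Circuit Application: every fuseaction here needs a logged-in
      member, so the check runs once, before the fusebox switch --->
<cfmodule template="App_Secure.cfm" groups="member">

<cfswitch expression="#attributes.fuseaction#">

  <cfcase value="list">
    <cfinclude template="qry_articles.cfm">
    <cfinclude template="dsp_articles.cfm">
  </cfcase>

  <cfcase value="edit">
    <!--- (b) Securing a single Fuseaction: only editors and admins may reach it --->
    <cfmodule template="App_Secure.cfm" groups="editor,admin">
    <cfinclude template="qry_article.cfm">
    <cfinclude template="dsp_editarticle.cfm">
  </cfcase>

  <cfcase value="save">
    <!--- The action fuse is guarded separately; hiding the edit link is not enough --->
    <cfmodule template="App_Secure.cfm" groups="editor,admin">
    <cfinclude template="act_savearticle.cfm">
  </cfcase>

  <cfdefaultcase>
    <p>Unknown fuseaction.</p>
  </cfdefaultcase>

</cfswitch>


<!--- dsp_articles.cfm: (c) securing an area of a fuse (assumes qry_articles.cfm filled qArticles) --->
<cfoutput query="qArticles">
  <p>#HTMLEditFormat(Title)#</p>
  <!--- The edit link is shown only to editors and admins; the edit fuseaction still
        re-checks, so this CFIF controls presentation, not access --->
  <cfif ListFindNoCase(client.User_Groups, "editor") OR ListFindNoCase(client.User_Groups, "admin")>
    <a href="index.cfm?fuseaction=edit&article_id=#Article_ID#">edit</a>
  </cfif>
</cfoutput>
```

The circuit-wide call and the per-fuseaction calls stack: a visitor who is not a member is turned away at the top of index.cfm, and a member who is not an editor is turned away inside the edit and save cases. The CFIF in the display fuse only decides what to render.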
4. Secured SQL Statements
• Even if a user belongs to a group, they should only be able to edit or delete "their" data
• Associate new records (inserts) with #client.User_ID#, or other user-specific variables
• Verify edits/deletes with #client.User_ID#, or other user-specific variables

User-Specific Insert Statement
• Associate #client.User_ID# with an Insert Statement when necessary

Secured Update Statement
• Verify #client.User_ID# in an Update Statement when necessary

Secured Delete Statement
• Verify #client.User_ID# in a Delete Statement when necessary
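The insert, update and delete patterns from the last three slides in one added example (not the deck's code), using CFQUERYPARAM so the user-supplied values never reach the SQL as text. An Articles table with Article_ID, Title, Body and User_ID columns, the request.dsn datasource and the act_ fuse names are assumptions.

```cfml
<!--- act_savearticle.cfm (added example; table, column and datasource names are assumptions) --->
<cfparam name="attributes.article_id" default="0">
<cfparam name="attributes.title" default="">
<cfparam name="attributes.body" default="">

<cfif Val(attributes.article_id) EQ 0>
  <!--- User-specific INSERT: the new row is stamped with the logged-in user's id,
        never with a User_ID taken from the form --->
  <cfquery datasource="#request.dsn#">
    INSERT INTO Articles (Title, Body, User_ID)
    VALUES (
      <cfqueryparam value="#attributes.title#" cfsqltype="cf_sql_varchar" maxlength="200">,
      <cfqueryparam value="#attributes.body#"  cfsqltype="cf_sql_longvarchar">,
      <cfqueryparam value="#client.User_ID#"   cfsqltype="cf_sql_integer">
    )
  </cfquery>
<cfelse>
  <!--- Secured UPDATE: ownership is part of the WHERE clause, so a valid article_id
        that belongs to someone else simply updates zero rows --->
  <cfquery datasource="#request.dsn#" result="qResult">
    UPDATE Articles
    SET    Title = <cfqueryparam value="#attributes.title#" cfsqltype="cf_sql_varchar" maxlength="200">,
           Body  = <cfqueryparam value="#attributes.body#"  cfsqltype="cf_sql_longvarchar">
    WHERE  Article_ID = <cfqueryparam value="#attributes.article_id#" cfsqltype="cf_sql_integer">
    AND    User_ID    = <cfqueryparam value="#client.User_ID#" cfsqltype="cf_sql_integer">
  </cfquery>
  <!--- The result struct's recordCount reflects affected rows on current ColdFusion releases
        (assumed here); zero rows means the record was not theirs, which is worth logging --->
  <cfif qResult.recordCount EQ 0>
    <cflog file="security" type="warning"
           text="User #client.User_ID# attempted to update article #Val(attributes.article_id)# they do not own">
  </cfif>
</cfif>


<!--- act_deletearticle.cfm: the same ownership test guards the DELETE --->
<cfparam name="attributes.article_id" default="0">
<cfquery datasource="#request.dsn#">
  DELETE FROM Articles
  WHERE  Article_ID = <cfqueryparam value="#attributes.article_id#" cfsqltype="cf_sql_integer">
  AND    User_ID    = <cfqueryparam value="#client.User_ID#" cfsqltype="cf_sql_integer">
</cfquery>
```

The ownership test lives in the SQL rather than in a separate "does this row belong to me?" query followed by an unconditional UPDATE, so there is no window between the check and the write, and a forged article_id in the form is harmless. Group membership (checked by App_Secure.cfm) decides whether the user may reach the fuseaction at all; client.User_ID in the WHERE clause decides which rows they may touch.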
Fusebox Makes Security Simple
• The structure of Fusebox makes security simple
• Focus on securing:
  • Entire Circuit Applications
  • Individual Fuseactions
  • Areas of a Fuse
  • User-specific records in the database