Implementing Secure Automatic Authentication in ColdFusion

Don't just set a plain-text cookie to match users with stored server data; let users log on automatically and securely by taking advantage of CF's ability to interact with Java. 


Web applications today must often offer a convenience feature called automatic authentication: the ability to "remember" users between visits so that they don't have to log in every time they come to the site. To do that, the server stores a cookie on the user's machine that identifies that user the next time a browser on that machine requests a page from the application. Unfortunately, while automatic authentication is a welcome convenience, it is also a security risk: when you rely on stored data for authentication rather than on user input, you are not authenticating a user, you are authenticating the machine from which a user last successfully logged in. That is clearly dangerous when users log in from shared computers, such as those in a library or classroom. Implement automatic authentication only if you are willing to accept that risk, and even then require a fresh password for sensitive operations such as changing the password or e-mail address, so that an auto-authenticated session on a shared machine cannot take over the account outright.


The simplest way to implement automatic authentication is to set a cookie on the user's machine containing an identifying value, such as the UserID, after the user logs in successfully the first time. On subsequent visits the browser sends the UserID cookie back, and the application reads the value and logs the user in. That, however, opens another security hole: the cookie is plain text that the user (or anyone who can edit cookies in a browser) controls, so people can log in as other users simply by guessing their UserIDs, which is trivial when IDs are sequential integers or e-mail addresses.
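As an added illustration (this is example code, not the article's ColdFusion or Java code), the following Python puts the guessable UserID cookie beside a hardened replacement: the cookie carries only a random selector plus a random verifier, the server stores a keyed hash of the verifier rather than the verifier itself, tokens expire, and comparison is constant-time. The in-memory user table, the server key, and the `RememberMeStore`, `naive_issue_cookie` and `naive_auto_login` names are assumptions made for the example. Python is used so the scheme can be run and checked; the primitives it relies on, a keyed hash and a cryptographically strong random generator, are the kind of thing CF can obtain from Java's standard library.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed sample user table (assumption: a real application reads this from a database).
USERS = {"1001": "alice", "1002": "bob"}


# --- The naive scheme the text warns about: the cookie value *is* the UserID. ---

def naive_issue_cookie(user_id: str) -> str:
    """After a successful login, store the bare UserID in the cookie."""
    return user_id


def naive_auto_login(cookie_value: str) -> Optional[str]:
    """Whoever presents a UserID is treated as that user: guessing "1002" logs in as bob."""
    return USERS.get(cookie_value)


# --- Hardened scheme: random, unguessable token, stored hashed on the server. ---

class RememberMeStore:
    """Persistent-login tokens of the form 'selector:verifier'.

    selector - random lookup key, so the cookie never carries a guessable UserID
    verifier - 256-bit random secret; only its keyed hash is stored server side,
               so a leaked token table cannot be turned back into working cookies
    expiry   - tokens are time-limited instead of living forever
    """

    def __init__(self, server_key: bytes, ttl_seconds: int = 30 * 24 * 3600):
        self.server_key = server_key      # assumption: kept in config, not in the database
        self.ttl_seconds = ttl_seconds
        self._rows = {}                   # selector -> (user_id, verifier_hash, expires_at)

    def _hash_verifier(self, verifier: str) -> bytes:
        return hmac.new(self.server_key, verifier.encode(), hashlib.sha256).digest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Call after a password login succeeds; returns the cookie value to set."""
        if user_id not in USERS:
            raise ValueError("unknown user")
        now = time.time() if now is None else now
        selector = secrets.token_urlsafe(12)   # urlsafe alphabet never contains ':'
        verifier = secrets.token_urlsafe(32)
        self._rows[selector] = (user_id, self._hash_verifier(verifier), now + self.ttl_seconds)
        return f"{selector}:{verifier}"

    def auto_login(self, cookie_value: str, now: Optional[float] = None) -> Optional[str]:
        """Return the username if the cookie is a valid, unexpired token, else None."""
        now = time.time() if now is None else now
        selector, sep, verifier = cookie_value.partition(":")
        row = self._rows.get(selector) if sep else None
        if row is None:
            return None                   # unknown selector (or a bare UserID): no login
        user_id, stored_hash, expires_at = row
        if now >= expires_at:
            del self._rows[selector]      # expired: drop it so it cannot be retried later
            return None
        # Constant-time comparison: a wrong verifier must not leak how many bytes matched.
        if not hmac.compare_digest(stored_hash, self._hash_verifier(verifier)):
            # Known selector with a wrong verifier means the cookie was tampered with or
            # stolen and guessed at; revoke it rather than leave it usable.
            del self._rows[selector]
            return None
        return USERS[user_id]

    def revoke(self, cookie_value: str) -> None:
        """Logout: invalidate this device's token without touching the user's other devices."""
        selector = cookie_value.partition(":")[0]
        self._rows.pop(selector, None)


if __name__ == "__main__":
    store = RememberMeStore(server_key=b"constructed-example-key", ttl_seconds=3600)
    cookie = store.issue("1001")
    print("naive scheme, guessed id 1002 ->", naive_auto_login("1002"))
    print("hardened scheme, guessed id 1002 ->", store.auto_login("1002"))
    print("hardened scheme, real cookie ->", store.auto_login(cookie))
```

Storing only the hash of the verifier means an attacker who reads the token table still cannot forge a cookie, and splitting the token into a selector and a verifier keeps the database lookup itself from becoming a timing oracle. Revoking a token on a bad verifier is deliberate: a correct selector with a wrong secret is far more likely to be an attack than a transmission error.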
