Login | Register   
LinkedIn
Google+
Twitter
RSS Feed
Download our iPhone app
TODAY'S HEADLINES  |   ARTICLE ARCHIVE  |   FORUMS  |   TIP BANK
Browse DevX
Sign up for e-mail newsletters from DevX


advertisement
 

Implementing Secure Automatic Authentication in ColdFusion

Don't just set a plain-text cookie to match users with stored server data; let users log on automatically and securely by taking advantage of CF's ability to interact with Java.


advertisement


eb applications today must often offer a convenience feature called automatic authentication—the ability to "remember" users between visits, so that they don't have to log in for every visit to the site. To do that, the server must store a cookie on the user's machine that serves to identify that user the next time a browser running on that machine requests a page from the Web application. Unfortunately, while automatic authentication is a wonderful user convenience, it's also a security risk, because when you rely on stored data for authentication rather than user input, you're not authenticating a user—you're authenticating the machine from which a user last successfully logged in. Obviously, that can be dangerous when users log in from shared computers, such as those in a library or classroom. You should only implement automatic authentication if you're willing to accept that security risk.The simplest way to implement automatic authentication is to create a cookie on the user's machine containing an identifying value, such as a UserID after the user logs in successfully the first time. On subsequent visits, the browser will send the UserID cookie, and your application can read the UserID value to log the user in. However, that exposes you to another security hole; it's possible for people to log in as other users simply by guessing their UserIDs.

One popular solution is to use some form of encryption to create a signature for the user. You store the signature in the cookie along with the UserID. However, ColdFusion's (CF's) encryption abilities aren't the best around. What you need is a solution that is not only secure, but also standards-based, so you can share authentication information with other applications (for example, non-CF based applications).Extending CF Encryption
Because of CF's weak encryption abilities you will need to extend them in some fashion. There are numerous options available for extending CF, but in this article, I'll show you how to use Java, because it's popular and cross-platform support. However, you could just as easily use C++ or any other language capable of writing COM or CORBA components.

To use Java with CF, you must be using CF 4.5 or higher. Additionally, you will need some version of the Java 2 Development Kit (JDK). While the JDK version shouldn't matter for this implementation, it is important to point out that all the code referenced here was tested with version 1.3. See the CF documentation for information on configuring CF to work with Java.



Comment and Contribute

 

 

 

 

 


(Maximum characters: 1200). You have 1200 characters left.

 

 

Sitemap
Thanks for your registration, follow us on our social networks to keep up-to-date