Web applications today must often offer a convenience feature called automatic authentication: the ability to "remember" users between visits, so that they don't have to log in every time they come to the site. To do that, the server must store a cookie on the user's machine that identifies that user the next time a browser running on that machine requests a page from the Web application. Unfortunately, while automatic authentication is a wonderful user convenience, it's also a security risk, because when you rely on stored data for authentication rather than user input, you're not authenticating a user; you're authenticating the machine from which a user last successfully logged in. Obviously, that can be dangerous when users log in from shared computers, such as those in a library or classroom. You should only implement automatic authentication if you're willing to accept that security risk.

The simplest way to implement automatic authentication is to create a cookie on the user's machine containing an identifying value, such as a UserID, after the user logs in successfully the first time. On subsequent visits, the browser will send the UserID cookie, and your application can read the UserID value to log the user in. However, that exposes you to another security hole: it's possible for people to log in as other users simply by guessing their UserIDs.
One popular solution is to use some form of encryption to create a signature for the user. You store the signature in the cookie along with the UserID. However, ColdFusion's (CF's) encryption abilities aren't the best around. What you need is a solution that is not only secure, but also standards-based, so you can share authentication information with other applications (for example, non-CF-based applications).

Extending CF Encryption
Because of CF's weak encryption abilities, you will need to extend them in some fashion. There are numerous options available for extending CF, but in this article I'll show you how to use Java, because of its popularity and cross-platform support. However, you could just as easily use C++ or any other language capable of producing COM or CORBA components.
To use Java with CF, you must be using CF 4.5 or higher. Additionally, you will need some version of the Java 2 Development Kit (JDK). While the JDK version shouldn't matter for this implementation, it is important to point out that all the code referenced here was tested with version 1.3. See the CF documentation for information on configuring CF to work with Java.
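As an added illustration of the signed-cookie scheme described above (UserID plus a signature that a guessed UserID cannot reproduce), here is a small Java class of the kind CF could call; it is not the article's own code. It assumes HMAC-SHA256 with a server-side secret as the standards-based signature, and the class name, cookie layout and sample values are constructed for the example.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Issues and verifies "remember me" cookie values of the form
// <UserID>|<expiry epoch seconds>|<base64url HMAC-SHA256 over "UserID|expiry">.
// Hypothetical class, not from the article; the key never leaves the server.
public class RememberMeCookie {
    private static final String ALGO = "HmacSHA256";
    private final byte[] key;

    public RememberMeCookie(byte[] serverSecret) { this.key = serverSecret.clone(); }

    private byte[] mac(String data) throws Exception {
        Mac m = Mac.getInstance(ALGO);
        m.init(new SecretKeySpec(key, ALGO));
        return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // Called once, after the user has logged in successfully with a password.
    public String issue(String userId, long expiresEpochSeconds) throws Exception {
        String payload = userId + "|" + expiresEpochSeconds;
        String sig = Base64.getUrlEncoder().withoutPadding().encodeToString(mac(payload));
        return payload + "|" + sig;
    }

    // Returns the UserID if the cookie is intact and unexpired; otherwise null,
    // so a guessed UserID without the matching signature never logs anyone in.
    public String verify(String cookieValue, long nowEpochSeconds) throws Exception {
        String[] parts = cookieValue.split("\\|", -1);
        if (parts.length != 3) return null;
        byte[] given;
        try { given = Base64.getUrlDecoder().decode(parts[2]); }
        catch (IllegalArgumentException e) { return null; }
        // Constant-time comparison: a plain equals() would leak how many bytes matched.
        if (!MessageDigest.isEqual(mac(parts[0] + "|" + parts[1]), given)) return null;
        long exp;
        try { exp = Long.parseLong(parts[1]); } catch (NumberFormatException e) { return null; }
        return nowEpochSeconds > exp ? null : parts[0];
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-demo-secret-replace-me".getBytes(StandardCharsets.UTF_8); // constructed
        RememberMeCookie rm = new RememberMeCookie(secret);
        String cookie = rm.issue("1042", 2_000_000_000L);
        System.out.println("cookie:  " + cookie);
        System.out.println("verify:  " + rm.verify(cookie, 1_700_000_000L));
        System.out.println("altered: " + rm.verify("1043" + cookie.substring(4), 1_700_000_000L));
    }
}
```

Set the cookie with the Secure and HttpOnly attributes, and rotate the server secret to invalidate every outstanding cookie at once.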