Protect Remote CFCs in ColdFusion

I have had a lot of trouble finding information about securing remote functions in ColdFusion CFCs for AJAX calls. Suppose you retrieve confidential information for a user, after the user has logged on to the site, through an AJAX call. You call something like this:

https://www.mySite.com/pathToCFC/MyCFC.cfc?method=getBankInfo&userID=2343

Obviously this is unsafe, since anyone can call it from the browser and change the user ID to get various users' bank information.

I read about using the roles attribute on a remote function and using cflogin to authenticate the user, but even with this in place, is it not still necessary to pass in the user ID as in the above call? Couldn't an authenticated user then switch the user ID to find out another user's bank information?

+4
2 answers

Do not pass the user ID from the client. The user ID and other sensitive data must be stored on the server side. In fact, every bit of data transmitted from the client should be considered suspicious and verified.

So, if you use cflogin, for example, and you are on the same server or on a sticky session server, then save the user ID and any other important information in the session area.

In each request, you extract this data from the session, and not from what the client provides.

This is a good starting point for user security in ColdFusion.

+7

Wait a second: if you have user X who needs to request his data from the server, you do not need his identifier, you have it in the session, or if you use cflogin, you will have getUserAuth().

If you have an administrator who can see other users' information, and you are worried about him seeing bank details, then you need roles: CF roles or your own solution, etc.

In any case, you do not need to send an explicit call "gimme bank details for user 3456."

0
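Both answers amount to the same rule: the identity of the caller is established once at login and kept on the server, so the remote function never reads a user ID from the URL. The administrator case from the second answer is the one exception, and there the roles attribute (not the URL) decides who may ask for someone else's record. The two files below are an added example written for this thread, not code from either answer; `lookupUser()` and `fetchBankInfo()` are hypothetical data-access helpers, and the built-in ColdFusion function that returns the logged-in name is `getAuthUser()`. The example assumes CFML tag syntax (cflogin, cfloginuser, the roles and returnformat attributes of cffunction), `this.loginStorage = "session"` so the login state lives in the session rather than a cookie, and that the AJAX call is same-origin, so the browser sends the session cookie with it.

```cfml
<!--- Application.cfc : added example, not code from the original thread --->
<cfcomponent>
    <cfset this.name = "BankDemo">
    <cfset this.sessionManagement = true>
    <!--- keep the cflogin state in the session scope instead of a client cookie --->
    <cfset this.loginStorage = "session">

    <cffunction name="onRequestStart" returntype="boolean">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var user = {}>

        <!--- the body of cflogin runs only while no user is logged in for this application --->
        <cflogin>
            <!--- the cflogin scope exists only when credentials were sent
                  (j_username / j_password form fields or HTTP Basic auth) --->
            <cfif isDefined("cflogin")>
                <!--- lookupUser() is a hypothetical helper: verifies the password hash and
                      returns a struct with id and role, or an empty struct on failure --->
                <cfset user = lookupUser(cflogin.name, cflogin.password)>
                <cfif structKeyExists(user, "id")>
                    <cfloginuser name="#user.id#" password="#cflogin.password#" roles="#user.role#">
                    <!--- the only place the user ID is ever written: server side, after authentication --->
                    <cfset session.userID = user.id>
                <cfelse>
                    <cfheader statuscode="401" statustext="Unauthorized">
                    <cfreturn false>
                </cfif>
            </cfif>
        </cflogin>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- MyCFC.cfc : called as /pathToCFC/MyCFC.cfc?method=getBankInfo with no userID parameter --->
<cfcomponent>
    <!--- Hardened version of the call in the question. roles="user,admin" makes ColdFusion
          reject the request before the body runs unless the logged-in user holds one of them. --->
    <cffunction name="getBankInfo" access="remote" returntype="struct" returnformat="json" roles="user,admin">
        <!--- identity comes from the session populated at login, never from the URL or form scope --->
        <cfif not structKeyExists(session, "userID")>
            <cfthrow type="Unauthorized" message="Not logged in">
        </cfif>
        <!--- fetchBankInfo() is a hypothetical data-access helper --->
        <cfreturn fetchBankInfo(session.userID)>
    </cffunction>

    <!--- The administrator case from the second answer: an explicit target ID is accepted here,
          but only callers holding the admin role ever reach the body. --->
    <cffunction name="getBankInfoForUser" access="remote" returntype="struct" returnformat="json" roles="admin">
        <cfargument name="userID" type="numeric" required="true">
        <!--- defence in depth: re-check the role inside the function as well as in the attribute,
              so a later edit of the attribute cannot silently open the function up --->
        <cfif not isUserInRole("admin")>
            <cfthrow type="Unauthorized" message="Admin role required">
        </cfif>
        <cfreturn fetchBankInfo(arguments.userID)>
    </cffunction>
</cfcomponent>
```

Two things are worth checking when wiring this up. First, the roles check only works if the remote CFC is served under the same Application.cfc (same `this.name`) as the login page; a CFC that sits outside that application directory has no login state to check against and the roles attribute will simply deny everyone. Second, the ordinary user function deliberately has no userID argument at all, so there is nothing for a browser user to tamper with; if an unexpected `userID` ever shows up in the URL scope it is ignored rather than trusted.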
