Skip navigation
cjuszczak
Currently Being Moderated

Securing a remote CFC

Sep 9, 2013 4:41 PM

Tags: #jquery #ajax #cfc #cf9

Hello,

 

I'm in the middle of a project that is using AJAX and remote CFC's to allow data from the client side to interact with the server. This is an add-on for an existing application and am having a bit of difficulty figuring out the best way to secure a remote CFC. My jQuery makes the call to the CFC and returns the data as expected, but anyone can call the CFC directly with the right parameters and have the data returned.

 

I had tried a scenario where the CFC queries my the authentication log in my database and checks for a current login based on a user ID, however I've figured out the hard way that you can't nest a second query inside of a single function.

 

Here's my code:

 

<cffunction name="getSubCategoryAID" access="remote" returntype="query" returnformat="JSON" >

   

        <cfargument name="userID" type="numeric" required="true">

       

        <cfquery name="securityCheck" datasource="#THIS.dsn#">

        SELECT *

        FROM tbl_authLog

        WHERE userID = #arguments.userID# ORDER BY logID DESC

        LIMIT 1

        </cfquery>

       

        <cfset logTime = #securityCheck.dateTimeID#>

        <cfset currentTime = #Now()#>

       

        <cfif DateDiff(n, logTime, currentTime) LTE 30>

       

                   <cfargument name="mainCategoryID" type="any" required="true">

       

            <cfquery name="getSubCategoryAID" datasource="#THIS.dsn#">

            SELECT subCategoryAID, subCategoryAName

            FROM tbl_docSubCategoryA

            WHERE mainCategoryID = #arguments.mainCategoryID# ORDER BY subCategoryAName

            </cfquery>

           

            <cfreturn getSubCategoryAID>

        

         <cfelse>

        

                    <cfabort>

        

         </cfif>

   

</cffunction>

 

Any pointers on a good way to accomplish this task using the method described above would be great, but I'm also open to new ideas. Unfortunately my application does not use cflogin so I can't use user roles.

 

Thanks,

 

Charlie

 
Replies
  • Currently Being Moderated
    Sep 9, 2013 9:43 PM   in reply to cjuszczak

    You can set session variables when the user logs in and then check those in your CFC function, eg if session.userID EQ arguments.userID...

     
    |
    Mark as:

More Like This

  • Retrieving data ...

Bookmarked By (0)

Answers + Points = Status

  • 10 points awarded for Correct Answers
  • 5 points awarded for Helpful Answers
  • 10,000+ points
  • 1,001-10,000 points
  • 501-1,000 points
  • 5-500 points