I am trying to implement a page security system using CFLogin to track user roles. When a page is being served that is not authorized for the given role, I show a not authorized page and do a CFAbort to stop the rest of the page from rendering. However, after the CFAbort, the user's CFLogin credentials are lost, forcing them to log back in. Is there a method that doesn't require a relogin action?
Hi,
Depending on the site setup, CFABORT might not be the best choice.
For instance, if you have the header and footer called on each page, the CFABORT might prevent the footer from rendering, so the whole page is not rendered.
Since you are checking for permissions on the page anyhow, how about a simple redirect to a different page if they don't have permission?
A simple redirect would work, but how would I go about doing that so the currently requested page doesn't get served?
My security logic is in my Application.cfc and I determine if the user is allowed to access the page. If not, I could do a redirect to a not authorized page, but I need to stop the execution of the rest of the page from loading.
I have also implemented a custom security model. (It didn't seem like ColdFusion had a role-based directory security model similar to the role provider in ASP.NET.) I serve pages based on user roles and directory configurations.
PS. Sorry for any knowledge gaps, as I am fairly new to ColdFusion.
When a page is being served that is not authorized for the given role, I show a not authorized page and do a CFAbort to stop the rest of the page from rendering.
How do you check, and how do you show the not authorized page?
If it wasn't clear in my last post, I read a security configuration file and get the directory being served along with the roles allowed. If the user is in the roles allowed, they can access it; otherwise, I do a cfinclude of a not authorized page and a cfabort.
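The check described in this thread, written out as an added example (not the poster's code): an Application.cfc whose onRequestStart maps the requested directory to its allowed roles and, when the authenticated user holds none of them, redirects with cflocation instead of including the page and aborting. cflocation ends the current request, so the requested page is never rendered and nothing touches the cflogin session. The directory-to-roles struct, the /notauthorized.cfm path and the application name are constructed stand-ins for the poster's configuration file; it assumes a login page elsewhere has already called cfloginuser with the user's roles.

```cfml
<!--- Application.cfc: added example, not the poster's code. Assumes a login
      page elsewhere has already called cfloginuser with the user's roles. --->
<cfcomponent output="false">

    <cfset this.name = "roleDemo">
    <cfset this.sessionManagement = true>
    <!--- keep the cflogin identity in the session rather than in a cookie --->
    <cfset this.loginStorage = "session">

    <!--- Constructed directory-to-roles map. The poster reads this from a
          security configuration file; a hard-coded struct stands in for it. --->
    <cfset this.dirRoles = structNew()>
    <cfset this.dirRoles["/admin/"]   = "admin">
    <cfset this.dirRoles["/reports/"] = "admin,analyst">

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Never protect the not-authorized page itself, or a denied user
              is redirected in a loop. --->
        <cfif arguments.targetPage EQ "/notauthorized.cfm">
            <cfreturn true>
        </cfif>

        <cfif NOT isAuthorized(arguments.targetPage)>
            <!--- cflocation ends this request: the requested page is never
                  processed, no cfabort is needed, and the login is untouched.
                  Returning false from onRequestStart would also stop the page
                  if you prefer to cfinclude the not-authorized page inline. --->
            <cflocation url="/notauthorized.cfm" addtoken="false">
        </cfif>

        <cfreturn true>
    </cffunction>

    <!--- True when the requested directory (or any parent directory) is
          unprotected, or the authenticated user holds at least one allowed role. --->
    <cffunction name="isAuthorized" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var dir = getDirectoryFromPath(arguments.targetPage)>
        <cfset var protectedDir = "">
        <cfset var allowedRoles = "">
        <cfset var role = "">

        <!--- Prefix match so /admin/users/list.cfm falls under /admin/ --->
        <cfloop collection="#this.dirRoles#" item="protectedDir">
            <cfif left(dir, len(protectedDir)) EQ protectedDir>
                <cfset allowedRoles = listAppend(allowedRoles, this.dirRoles[protectedDir])>
            </cfif>
        </cfloop>

        <cfif len(allowedRoles) EQ 0>
            <cfreturn true>
        </cfif>

        <!--- An anonymous request can never satisfy a role requirement. --->
        <cfif len(getAuthUser()) EQ 0>
            <cfreturn false>
        </cfif>

        <!--- isUserInRole is checked one role at a time: any single match grants access. --->
        <cfloop list="#allowedRoles#" index="role">
            <cfif isUserInRole(role)>
                <cfreturn true>
            </cfif>
        </cfloop>
        <cfreturn false>
    </cffunction>

</cfcomponent>
```

Because the check runs in onRequestStart, it happens before the requested page, its header or its footer has emitted anything, which is what makes the redirect clean; if the check were instead placed after a cfinclude of the header, the output already sent would have to be aborted, which is the situation the earlier reply warned about.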
Thanks, guys, for the help. It made me look over the logic and see that the order in which I placed the abort was incorrect. Thanks again.
No eyes see it clearer than yours. Good luck.