
I need to add extra security features to my apps

Contributor, Feb 25, 2010


I have a few CF apps that I've created for my office that use the standard CF8 authentication system (cflogin).  Passwords are stored encrypted in the database (which is not web-browsable) and I've enforced strong password standards.

My office's security team has decided to enforce additional security requirements, but I'm not sure how to add them to the app, save creating my own login system from scratch.  Two of the more complex ones are:

- An admin needs to have the ability to not only disable a user account, but also kill any active sessions for that user

- Forbid users from having the same app opened in more than one browser

I'm not sure how to implement these.  Any advice would be appreciated.

TOPICS: Advanced techniques

Views: 643

Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
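One application-level way to meet the two requirements in the question (evict a user's live session, and refuse a second browser) is to keep a registry of one session token per user in the application scope and have every request check that its own session still matches the registry. The code below is an added example written for this thread, not code from the original post or from Adobe; it is in CF8-era tag syntax, shows two files in one block, and the application name, component name and `login.cfm` path are assumptions.

```cfml
<!--- SessionRegistry.cfc (added example, not code from the thread).
      One live session token per user, held in a component stored in the
      application scope: a second browser is refused and an admin can evict
      a user's current session. --->
<cfcomponent output="false">

    <cffunction name="init" access="public" returntype="any">
        <!--- userId -> token of the single session allowed to act as that user --->
        <cfset variables.active = structNew()>
        <cfreturn this>
    </cffunction>

    <!--- Call after cflogin has verified the credentials. Returns the new session
          token, or "" when the user already holds a live session elsewhere. --->
    <cffunction name="register" access="public" returntype="string">
        <cfargument name="userId" type="string" required="true">
        <cfset var token = createUUID()>
        <cflock name="sessionRegistry" type="exclusive" timeout="5">
            <cfif structKeyExists(variables.active, arguments.userId)>
                <cfreturn "">
            </cfif>
            <cfset variables.active[arguments.userId] = token>
        </cflock>
        <cfreturn token>
    </cffunction>

    <!--- True only while this userId/token pair is the registered session --->
    <cffunction name="isCurrent" access="public" returntype="boolean">
        <cfargument name="userId" type="string" required="true">
        <cfargument name="token" type="string" required="true">
        <cfset var ok = false>
        <cflock name="sessionRegistry" type="readonly" timeout="5">
            <cfset ok = structKeyExists(variables.active, arguments.userId)
                        AND variables.active[arguments.userId] EQ arguments.token>
        </cflock>
        <cfreturn ok>
    </cffunction>

    <!--- Admin action (call it when disabling the account too): the evicted
          browser fails isCurrent() on its next request and is logged out there --->
    <cffunction name="kill" access="public" returntype="void">
        <cfargument name="userId" type="string" required="true">
        <cflock name="sessionRegistry" type="exclusive" timeout="5">
            <cfset structDelete(variables.active, arguments.userId)>
        </cflock>
    </cffunction>

    <!--- Free the slot on logout or timeout, but only if the ending session still
          owns it: a user who logged in again must not be evicted by the old one --->
    <cffunction name="release" access="public" returntype="void">
        <cfargument name="userId" type="string" required="true">
        <cfargument name="token" type="string" required="true">
        <cflock name="sessionRegistry" type="exclusive" timeout="5">
            <cfif structKeyExists(variables.active, arguments.userId)
                  AND variables.active[arguments.userId] EQ arguments.token>
                <cfset structDelete(variables.active, arguments.userId)>
            </cfif>
        </cflock>
    </cffunction>
</cfcomponent>

<!--- Application.cfc: wires the registry into every request --->
<cfcomponent output="false">
    <cfset this.name = "officeApp">                       <!--- assumed name --->
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <cffunction name="onApplicationStart" returntype="boolean">
        <cfset application.registry = createObject("component", "SessionRegistry").init()>
        <cfreturn true>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean">
        <cfargument name="targetPage" type="string" required="true">
        <cfif structKeyExists(session, "userId")
              AND NOT application.registry.isCurrent(session.userId, session.token)>
            <!--- The registry no longer vouches for this session: end it, force re-login --->
            <cfset structDelete(session, "userId")>
            <cfset structDelete(session, "token")>
            <cflogout>
            <cflocation url="login.cfm" addtoken="false">  <!--- assumed login page --->
        </cfif>
        <cfreturn true>
    </cffunction>

    <cffunction name="onSessionEnd" returntype="void">
        <cfargument name="sessionScope" type="struct" required="true">
        <cfargument name="appScope" type="struct" required="true">
        <cfif structKeyExists(arguments.sessionScope, "userId")>
            <cfset arguments.appScope.registry.release(arguments.sessionScope.userId,
                                                        arguments.sessionScope.token)>
        </cfif>
    </cffunction>
</cfcomponent>
```

On the login page, after cflogin has accepted the credentials, call `application.registry.register(cflogin.name)`; an empty result means the account is already signed in elsewhere, otherwise store the returned token in `session.token` alongside `session.userId` and call cfloginuser. The logout page calls `release()` before cflogout, and the admin "disable account" page calls `kill()`. Two caveats a practitioner should weigh: the application scope is per ColdFusion instance, so a clustered deployment needs the registry in a shared store such as a database table; and a user who closes the browser without logging out is locked out until the session times out, so either keep the timeout short or let a fresh login replace the old token instead of being refused.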
Engaged, Feb 25, 2010


Several of these issues sound like things that should actually be enforced (and controlled) at the web server level.

The business of "simultaneous sessions" has to be handled at the web-server. Ditto the business of being able to selectively kill an active session.

You probably want your application to use LDAP (nee "Active Directory") as its primary source of information for login and authentication; not a separate database. This would be true regardless of the operating-system used.

Contributor, Feb 26, 2010


Thanks, that helps.  Does anyone have any links to using LDAP with ColdFusion?

Another thing I have to do is remember the last 24 passwords that the user has used (can you tell that LAN people came up with these standards?) and prevent them from being used again.  I guess the best way to do this is to keep all the old passwords in a table, along with the date they were created, and match that against the new passwords.   Is there a better way to do that?

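The "table of old passwords" approach from the post above, worked through as an added example that is not code from the thread. It stores a per-row random salt and a SHA-256 hash rather than the password itself, so the history table cannot leak old passwords even if the live credential store is handled differently; the table layout, column names and datasource name are constructed for this example.

```cfml
<!--- PasswordHistory.cfc (added example, not code from the thread).
      Assumed table, constructed for this example:
        password_history(user_id VARCHAR, salt VARCHAR(32),
                         pw_hash VARCHAR(64), created_at DATETIME)
      Each row holds its own random salt and SHA-256(salt & password); rows
      older than the retained count are pruned after every change. --->
<cfcomponent output="false">
    <cfset variables.dsn = "officeApps">    <!--- assumed datasource name --->
    <cfset variables.keep = 24>             <!--- number of old passwords remembered --->

    <cffunction name="hashPassword" access="private" returntype="string">
        <cfargument name="password" type="string" required="true">
        <cfargument name="salt" type="string" required="true">
        <cfreturn lcase(hash(arguments.salt & arguments.password, "SHA-256", "UTF-8"))>
    </cffunction>

    <!--- True when the candidate matches any of the user's last 24 passwords.
          Every stored row has its own salt, so the candidate is re-hashed per row. --->
    <cffunction name="isReused" access="public" returntype="boolean">
        <cfargument name="userId" type="string" required="true">
        <cfargument name="candidate" type="string" required="true">
        <cfset var q = "">
        <cfquery name="q" datasource="#variables.dsn#" maxrows="#variables.keep#">
            SELECT salt, pw_hash
            FROM password_history
            WHERE user_id = <cfqueryparam value="#arguments.userId#" cfsqltype="cf_sql_varchar">
            ORDER BY created_at DESC
        </cfquery>
        <cfloop query="q">
            <cfif hashPassword(arguments.candidate, q.salt) EQ q.pw_hash>
                <cfreturn true>
            </cfif>
        </cfloop>
        <cfreturn false>
    </cffunction>

    <!--- Record a newly accepted password, then prune rows older than the 24 kept --->
    <cffunction name="record" access="public" returntype="void">
        <cfargument name="userId" type="string" required="true">
        <cfargument name="password" type="string" required="true">
        <cfset var salt = replace(createUUID(), "-", "", "all")>   <!--- 32 random hex chars --->
        <cfset var keepRows = "">
        <cfquery datasource="#variables.dsn#">
            INSERT INTO password_history (user_id, salt, pw_hash, created_at)
            VALUES (
                <cfqueryparam value="#arguments.userId#" cfsqltype="cf_sql_varchar">,
                <cfqueryparam value="#salt#" cfsqltype="cf_sql_varchar">,
                <cfqueryparam value="#hashPassword(arguments.password, salt)#" cfsqltype="cf_sql_varchar">,
                <cfqueryparam value="#now()#" cfsqltype="cf_sql_timestamp">
            )
        </cfquery>
        <!--- Find the creation time of the 24th newest row and drop everything older --->
        <cfquery name="keepRows" datasource="#variables.dsn#" maxrows="#variables.keep#">
            SELECT created_at
            FROM password_history
            WHERE user_id = <cfqueryparam value="#arguments.userId#" cfsqltype="cf_sql_varchar">
            ORDER BY created_at DESC
        </cfquery>
        <cfif keepRows.recordCount EQ variables.keep>
            <cfquery datasource="#variables.dsn#">
                DELETE FROM password_history
                WHERE user_id = <cfqueryparam value="#arguments.userId#" cfsqltype="cf_sql_varchar">
                  AND created_at < <cfqueryparam value="#keepRows.created_at[variables.keep]#" cfsqltype="cf_sql_timestamp">
            </cfquery>
        </cfif>
    </cffunction>
</cfcomponent>
```

In the change-password flow, call `isReused()` first and reject the change when it returns true; only after the new password has been written to the credential store call `record()`. Where the platform offers a purpose-built password hash such as bcrypt, prefer it over SHA-256 for both the live store and the history; the structure of the check (one salt per row, re-hash the candidate against each row) stays the same.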
LEGEND, Feb 26, 2010


ColdFusion has a cfldap tag. Googling the name of any tag quickly leads you to the page that tells you how to use it.

Also, if you are going to authenticate with ldap, you shouldn't have to worry about passwords at all.

Engaged, Mar 08, 2010

Ideally, you will be able to push the entire security up to the web-server, such that you are required to pass LDAP authentication before you are allowed to get to the web application at all.  Once you're there, the web server will provide the app with a trustworthy LDAP-based credential that represents who the connecting user actually is.  You can use this identifier for your application's authorization requirements, but you no longer have to worry about authentication at all:  if the user's there, he's authenticated.

The best way, then, to handle authorization is to base your decisions upon the result of <cfldap> queries.  Since you already have a trustworthy notion of who the user is, you can ask LDAP to tell you (by some appropriate means) what he can and cannot do.

Put all of this logic into its own CFC-library so that the logic is self-contained and easily auditable.

The I.T. operations team (in any Windows-based shop) will already know how to manage users through LDAP, even if they don't actually realize that it's LDAP.  You've just pushed both the authentication and the authorization aspects out into something that they can easily manage, using the tools that they are already used to.

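The self-contained authorization CFC the reply above describes, as an added example that is not code from the thread. It takes the user's identity from the web server rather than from any form field (assuming IIS Windows authentication, which puts `DOMAIN\user` in `CGI.REMOTE_USER`), binds to Active Directory with a read-only service account, and answers "is this user in group X?" from the account's `memberOf` attribute via `<cfldap>`. The server name, base DN, service account and group names are placeholders.

```cfml
<!--- Authz.cfc (added example, not code from the thread). Authorization decisions
      driven by a cfldap query; the caller's identity comes from the web server. --->
<cfcomponent output="false">
    <cfset variables.ldapServer = "ldap.example.internal">        <!--- placeholder --->
    <cfset variables.baseDN = "OU=Staff,DC=example,DC=internal">  <!--- placeholder --->
    <cfset variables.bindUser = "EXAMPLE\svc-ldap-reader">        <!--- read-only service account, placeholder --->
    <cfset variables.bindPass = "">      <!--- load from server configuration, never hard-code --->

    <!--- The web server has already authenticated the user; strip the DOMAIN\ prefix
          so the remainder can be matched against sAMAccountName --->
    <cffunction name="currentUser" access="public" returntype="string">
        <cfset var u = CGI.REMOTE_USER>
        <cfif find("\", u)>
            <cfset u = listLast(u, "\")>
        </cfif>
        <cfreturn u>
    </cffunction>

    <!--- Escape the characters RFC 4515 reserves in search filters, so a user name
          can never change the filter's structure (the LDAP counterpart of cfqueryparam) --->
    <cffunction name="escapeFilter" access="private" returntype="string">
        <cfargument name="value" type="string" required="true">
        <cfset var v = replace(arguments.value, "\", "\5c", "all")>
        <cfset v = replace(v, "*", "\2a", "all")>
        <cfset v = replace(v, "(", "\28", "all")>
        <cfset v = replace(v, ")", "\29", "all")>
        <cfset v = replace(v, chr(0), "\00", "all")>
        <cfreturn v>
    </cffunction>

    <!--- DNs of the groups the account belongs to directly (nested groups are not
          expanded here). Group DNs contain commas, so a custom value separator is used. --->
    <cffunction name="groupsOf" access="public" returntype="array">
        <cfargument name="userId" type="string" required="true">
        <cfset var q = "">
        <cfldap action="query"
                name="q"
                server="#variables.ldapServer#"
                port="636"
                secure="CFSSL_BASIC"
                username="#variables.bindUser#"
                password="#variables.bindPass#"
                start="#variables.baseDN#"
                scope="subtree"
                filter="(&(objectClass=user)(sAMAccountName=#escapeFilter(arguments.userId)#))"
                attributes="memberOf"
                separator="|"
                maxrows="1">
        <cfif q.recordCount EQ 0 OR NOT len(q.memberOf)>
            <cfreturn arrayNew(1)>
        </cfif>
        <cfreturn listToArray(q.memberOf, "|")>
    </cffunction>

    <!--- The authorization check pages call: is this user in the named group?
          Compares the CN component of each group DN, case-insensitively. --->
    <cffunction name="isInGroup" access="public" returntype="boolean">
        <cfargument name="userId" type="string" required="true">
        <cfargument name="groupCN" type="string" required="true">
        <cfset var dn = "">
        <cfset var cn = "">
        <cfloop array="#groupsOf(arguments.userId)#" index="dn">
            <cfset cn = listFirst(dn, ",")>             <!--- e.g. "CN=AppAdmins" --->
            <cfif compareNoCase(cn, "CN=" & arguments.groupCN) EQ 0>
                <cfreturn true>
            </cfif>
        </cfloop>
        <cfreturn false>
    </cffunction>
</cfcomponent>
```

Instantiate it once in `onApplicationStart` (for example `application.authz = createObject("component", "Authz")`), then guard a page with `<cfif NOT application.authz.isInGroup(application.authz.currentUser(), "AppAdmins")>` followed by an error page and `<cfabort>`. Because every decision flows through this one CFC, the audit question "who can do what" reduces to reading these few functions plus the group memberships the operations team already manages in Active Directory; if nested groups matter in your directory, resolve membership recursively or query a group's members instead of the user's `memberOf`.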