I have a few CF apps that I've created for my office that use the standard CF8 authentication system (cflogin). Passwords are stored encrypted in the database (which is not web-browsable) and I've enforced strong password standards.
My office's security team has decided to enforce additional security requirements, but I'm not sure how to add them to the app, save creating my own login system from scratch. Two of the more complex ones are:
- An admin needs to have the ability to not only disable a user account, but also kill any active sessions for that user
- Forbid users from having the same app opened in more than one browser
I'm not sure how to implement these. Any advice would be appreciated.
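One way to meet both requirements on top of cflogin, as an added example that is not the poster's code: keep a per-user registry of the one session token that is currently allowed, in Application.cfc. Each login writes a fresh token, so any older browser session stops matching on its next request (no simultaneous sessions), and an admin removes a user's entry to kick the live session when disabling the account. The application name, the `login.cfm` redirect target and the function names are assumptions; the registry lives in the application scope, so on a cluster it would have to move to the shared database instead.

```cfml
<!--- Application.cfc (added example; names are hypothetical).
      Assumes loginStorage="session" so cflogin state lives in the session,
      and a login page called login.cfm that calls registerLogin() after cfloginuser. --->
<cfcomponent output="false">
    <cfset this.name = "exampleApp">
    <cfset this.sessionManagement = true>
    <cfset this.loginStorage = "session">
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <!--- userId -> token of the single session that is currently allowed --->
        <cfset application.activeSessions = structNew()>
        <cfreturn true>
    </cffunction>

    <!--- Call right after cfloginuser succeeds. Storing only the newest token
          per user means any earlier browser session no longer matches. --->
    <cffunction name="registerLogin" returntype="string" output="false">
        <cfargument name="userId" type="string" required="true">
        <cfset var token = createUUID()>
        <cfset session.sessionToken = token>
        <cflock scope="application" type="exclusive" timeout="5">
            <cfset application.activeSessions[arguments.userId] = token>
        </cflock>
        <cfreturn token>
    </cffunction>

    <!--- Admin action: done together with disabling the account in the database,
          this forces the user's live session out on its next request. --->
    <cffunction name="revokeUser" returntype="void" output="false">
        <cfargument name="userId" type="string" required="true">
        <cflock scope="application" type="exclusive" timeout="5">
            <cfset structDelete(application.activeSessions, arguments.userId)>
        </cflock>
    </cffunction>

    <!--- True only when this session holds the token registered most recently. --->
    <cffunction name="isCurrentSession" returntype="boolean" output="false">
        <cfargument name="userId" type="string" required="true">
        <cfset var allowed = "">
        <cflock scope="application" type="readonly" timeout="5">
            <cfif not structKeyExists(application.activeSessions, arguments.userId)>
                <cfreturn false>
            </cfif>
            <cfset allowed = application.activeSessions[arguments.userId]>
        </cflock>
        <cfreturn structKeyExists(session, "sessionToken") and session.sessionToken eq allowed>
    </cffunction>

    <!--- Checked on every request: a revoked or superseded token ends the session. --->
    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfif isUserLoggedIn() and not isCurrentSession(getAuthUser())>
            <cflogout>
            <cfset structClear(session)>
            <cflocation url="login.cfm?reason=session_ended" addtoken="false">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

The check runs before any page code, so a kicked user never sees another protected page; the admin screen only needs to call `revokeUser()` after flipping the account's disabled flag, and the disabled flag itself must still be checked at login so the user cannot simply sign in again.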
Several of these issues sound like things that should actually be enforced (and controlled) at the web server level.
The business of "simultaneous sessions" has to be handled at the web-server. Ditto the business of being able to selectively kill an active session.
You probably want for your application to use LDAP (nee "Active Directory") as its primary source of information for login and authentication; not a separate database. This would be true regardless of the operating-system used.
Thanks, that helps. Does anyone have any links to using LDAP with ColdFusion?
Another thing I have to do is remember the last 24 passwords that the user has used (can you tell that LAN people came up with these standards?) and prevent them from being used again. I guess the best way to do this is to keep all the old passwords in a table, along with the date they were created, and match that against the new passwords. Is there a better way to do that?
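The history table the post describes, written out as an added example (not the poster's code): each row keeps a one-way salted hash rather than the password, the check fetches the user's 24 most recent rows and hashes the candidate with each row's own salt, and a change that matches any of them is refused. The datasource name `appDSN`, the table `password_history(user_id, salt, password_hash, created_at)` and the function names are assumptions.

```cfml
<!--- PasswordHistory.cfc (added example; datasource and table names are hypothetical). --->
<cfcomponent output="false">
    <cfset variables.historyDepth = 24>
    <cfset variables.dsn = "appDSN">

    <!--- Store only a salted one-way hash; old rows can never be turned back into passwords. --->
    <cffunction name="hashPassword" returntype="string" output="false">
        <cfargument name="password" type="string" required="true">
        <cfargument name="salt" type="string" required="true">
        <cfreturn hash(arguments.salt & arguments.password, "SHA-256")>
    </cffunction>

    <!--- True when the candidate matches any of the user's last 24 stored hashes.
          Each row has its own salt, so the candidate is re-hashed per row. --->
    <cffunction name="isReused" returntype="boolean" output="false">
        <cfargument name="userId" type="numeric" required="true">
        <cfargument name="newPassword" type="string" required="true">
        <cfset var history = "">
        <cfquery name="history" datasource="#variables.dsn#" maxrows="#variables.historyDepth#">
            SELECT salt, password_hash
            FROM password_history
            WHERE user_id = <cfqueryparam value="#arguments.userId#" cfsqltype="cf_sql_integer">
            ORDER BY created_at DESC
        </cfquery>
        <cfloop query="history">
            <cfif hashPassword(arguments.newPassword, history.salt) eq history.password_hash>
                <cfreturn true>
            </cfif>
        </cfloop>
        <cfreturn false>
    </cffunction>

    <!--- Record the accepted password; the newest row is always the current password. --->
    <cffunction name="recordPassword" returntype="void" output="false">
        <cfargument name="userId" type="numeric" required="true">
        <cfargument name="newPassword" type="string" required="true">
        <cfset var salt = createUUID()>
        <cfquery datasource="#variables.dsn#">
            INSERT INTO password_history (user_id, salt, password_hash, created_at)
            VALUES (
                <cfqueryparam value="#arguments.userId#" cfsqltype="cf_sql_integer">,
                <cfqueryparam value="#salt#" cfsqltype="cf_sql_varchar">,
                <cfqueryparam value="#hashPassword(arguments.newPassword, salt)#" cfsqltype="cf_sql_varchar">,
                <cfqueryparam value="#now()#" cfsqltype="cf_sql_timestamp">
            )
        </cfquery>
    </cffunction>

    <!--- Change flow: refuse reuse, otherwise record the new hash. Rows older than the
          24 most recent are never consulted, so a scheduled job can prune them. --->
    <cffunction name="changePassword" returntype="boolean" output="false">
        <cfargument name="userId" type="numeric" required="true">
        <cfargument name="newPassword" type="string" required="true">
        <cfif isReused(arguments.userId, arguments.newPassword)>
            <cfreturn false>
        </cfif>
        <cfset recordPassword(arguments.userId, arguments.newPassword)>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Keeping the current password as just the newest history row avoids a second copy of the hash; the main users table then only needs to point at that row. SHA-256 is what ColdFusion's `hash()` offers out of the box, and it is fast, so the per-row salt is what stops one precomputed table from being reused across users.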
ColdFusion has a cfldap tag. Googling the name of any tag quickly leads you to the page that tells you how to use it.
Also, if you are going to authenticate with LDAP, you shouldn't have to worry about passwords at all.
Ideally, you will be able to push the entire security up to the web-server, such that you are required to pass LDAP authentication before you are allowed to get to the web application at all. Once you're there, the web server will provide the app with a trustworthy LDAP-based credential that represents who the connecting user actually is. You can use this identifier for your application's authorization requirements, but you no longer have to worry about authentication at all: if the user's there, he's authenticated.
The best way, then, to handle authorization is to base your decisions upon the result of <cfldap> queries. Since you already have a trustworthy notion of who the user is, you can ask LDAP to tell you (by some appropriate means) what he can and cannot do.
Put all of this logic into its own CFC-library so that the logic is self-contained and easily auditable.
The I.T. operations team (in any Windows-based shop) will already know how to manage users through LDAP, even if they don't actually realize that it's LDAP. You've just pushed both the authentication and the authorization aspects out into something that they can easily manage, using the tools that they are already used to.
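What the cfldap approach from the two replies above looks like in code, as an added example that is not any poster's code: the user is authenticated by binding to the directory with their own credentials, and the same query reads the `memberOf` attribute so the group names can drive authorization. The directory host `ldap.example.com`, the search base, the UPN suffix and the function names are assumptions; the search filter is escaped so a username can never alter the query.

```cfml
<!--- LdapAuth.cfc (added example; server, search base and suffix are hypothetical).
      Assumes an Active Directory style server that accepts user@domain binds. --->
<cfcomponent output="false">
    <cfset variables.server = "ldap.example.com">
    <cfset variables.port = 389>
    <cfset variables.userBase = "OU=Users,DC=example,DC=com">
    <cfset variables.upnSuffix = "@example.com">

    <!--- Escape the characters RFC 4515 treats specially inside a search filter. --->
    <cffunction name="ldapEscape" returntype="string" access="private" output="false">
        <cfargument name="value" type="string" required="true">
        <cfset var out = replace(arguments.value, "\", "\5c", "all")>
        <cfset out = replace(out, "*", "\2a", "all")>
        <cfset out = replace(out, "(", "\28", "all")>
        <cfset out = replace(out, ")", "\29", "all")>
        <cfset out = replace(out, chr(0), "\00", "all")>
        <cfreturn out>
    </cffunction>

    <!--- Bind as the user; the directory rejecting the credentials raises an
          exception, so the caught error means "not authenticated". Returns
          {authenticated, roles} where roles are the CNs of the user's groups. --->
    <cffunction name="authenticate" returntype="struct" output="false">
        <cfargument name="username" type="string" required="true">
        <cfargument name="password" type="string" required="true">
        <cfset var result = "">
        <cfset var dn = "">
        <cfset var outcome = structNew()>
        <cfset outcome.authenticated = false>
        <cfset outcome.roles = arrayNew(1)>

        <!--- An empty password is an anonymous bind, which a directory may accept: refuse it. --->
        <cfif not len(arguments.password)>
            <cfreturn outcome>
        </cfif>

        <cftry>
            <cfldap action="query"
                    name="result"
                    server="#variables.server#"
                    port="#variables.port#"
                    username="#arguments.username##variables.upnSuffix#"
                    password="#arguments.password#"
                    start="#variables.userBase#"
                    scope="subtree"
                    filter="(sAMAccountName=#ldapEscape(arguments.username)#)"
                    attributes="sAMAccountName,memberOf"
                    separator="|"
                    maxrows="1">
            <cfcatch type="any">
                <!--- Bad credentials or an unreachable directory: treat both as a failed login --->
                <cfreturn outcome>
            </cfcatch>
        </cftry>

        <cfif result.recordCount neq 1>
            <cfreturn outcome>
        </cfif>
        <cfset outcome.authenticated = true>

        <!--- memberOf holds full group DNs such as CN=AppAdmins,OU=Groups,DC=example,DC=com;
              the "|" separator is used because the DNs themselves contain commas. --->
        <cfloop list="#result.memberOf#" delimiters="|" index="dn">
            <cfset arrayAppend(outcome.roles, listRest(listFirst(dn, ","), "="))>
        </cfloop>
        <cfreturn outcome>
    </cffunction>
</cfcomponent>
```

On a successful result the login page passes `arrayToList(outcome.roles)` as the `roles` attribute of cfloginuser, so the rest of the app can keep using `isUserInRole()` and the group membership that operations already manages in the directory becomes the authorization decision. When the web server has already done the authentication, the identity arrives in `CGI.AUTH_USER` and only the group lookup is needed, which then has to bind with a read-only service account instead of the user's password.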