I'm in the middle of a project that is using AJAX and remote CFC's to allow data from the client side to interact with the server. This is an add-on for an existing application and am having a bit of difficulty figuring out the best way to secure a remote CFC. My jQuery makes the call to the CFC and returns the data as expected, but anyone can call the CFC directly with the right parameters and have the data returned.
I had tried a scenario where the CFC queries my the authentication log in my database and checks for a current login based on a user ID, however I've figured out the hard way that you can't nest a second query inside of a single function.
Here's my code:
<cffunction name="getSubCategoryAID" access="remote" returntype="query" returnformat="JSON" >
<cfargument name="userID" type="numeric" required="true">
<cfquery name="securityCheck" datasource="#THIS.dsn#">
WHERE userID = #arguments.userID# ORDER BY logID DESC
<cfset logTime = #securityCheck.dateTimeID#>
<cfset currentTime = #Now()#>
<cfif DateDiff(n, logTime, currentTime) LTE 30>
<cfargument name="mainCategoryID" type="any" required="true">
<cfquery name="getSubCategoryAID" datasource="#THIS.dsn#">
SELECT subCategoryAID, subCategoryAName
WHERE mainCategoryID = #arguments.mainCategoryID# ORDER BY subCategoryAName
Any pointers on a good way to accomplish this task using the method described above would be great, but I'm also open to new ideas. Unfortunately my application does not use cflogin so I can't use user roles.
You can set session variables when the user logs in and then check those in your CFC function, eg if session.userID EQ arguments.userID...