1 Reply Latest reply on Sep 9, 2013 9:43 PM by pete_freitag

    Securing a remote CFC




      I'm in the middle of a project that is using AJAX and remote CFC's to allow data from the client side to interact with the server. This is an add-on for an existing application and am having a bit of difficulty figuring out the best way to secure a remote CFC. My jQuery makes the call to the CFC and returns the data as expected, but anyone can call the CFC directly with the right parameters and have the data returned.


      I had tried a scenario where the CFC queries my the authentication log in my database and checks for a current login based on a user ID, however I've figured out the hard way that you can't nest a second query inside of a single function.


      Here's my code:


      <cffunction name="getSubCategoryAID" access="remote" returntype="query" returnformat="JSON" >


              <cfargument name="userID" type="numeric" required="true">


              <cfquery name="securityCheck" datasource="#THIS.dsn#">

              SELECT *

              FROM tbl_authLog

              WHERE userID = #arguments.userID# ORDER BY logID DESC

              LIMIT 1



              <cfset logTime = #securityCheck.dateTimeID#>

              <cfset currentTime = #Now()#>


              <cfif DateDiff(n, logTime, currentTime) LTE 30>


                         <cfargument name="mainCategoryID" type="any" required="true">


                  <cfquery name="getSubCategoryAID" datasource="#THIS.dsn#">

                  SELECT subCategoryAID, subCategoryAName

                  FROM tbl_docSubCategoryA

                  WHERE mainCategoryID = #arguments.mainCategoryID# ORDER BY subCategoryAName



                  <cfreturn getSubCategoryAID>










      Any pointers on a good way to accomplish this task using the method described above would be great, but I'm also open to new ideas. Unfortunately my application does not use cflogin so I can't use user roles.