application.cfc site variables

Report · Jun 04, 2014

I switched over to using application.cfc not too long ago. One thing I have struggled with is how to set variables that I use on individual pages of my site like I used to do in application.cfm. I have some passowrds for sftp services etc that I used to set in application.cfm. I have not been able to figure out how to make them work with application.cfc so I can call them where I need to.

I have tried setting them in onrequeststart, onapplicationstart etc. but nothing seems to work. The variables are never defined.

Does anyone have a working example of how to set variables that can be used on your site globally?

Is there a better way to store account passwords and variables like that that I am missing?

Report · Jun 04, 2014

siriiven,

There's a couple of things you need to understand with regard to Application.cfc and "variables". Since the various methods in Application.cfc (e.g. onRequestStart(), onApplicationStart(), etc.) are functions, they generally behave like functions in any other CFC component. If you store things in the "variables" scope, then it is accessible to all methods within the CFC. However, since each page request initially calls Application.cfc and runs the appropriate methods, and when running onRequest() it includes the target page of the request, your "variables" scope is refreshed on each request.

If you want to store data in variables that will persist across requests, you need to use one of the scopes that persist, such as Application, Session, or Client (although I'd avoid using Client if at all possible). If the data needs to be accessible globally, store it in Application; if it is specific to a single user's session, store it in Session.

If you want to store data that will only "live" during the length of the specific request, store it in the Request scope.

-Carl V.

Report · Jun 04, 2014

Thanks for getting back to me. That is useful info about how the cfc works!

Basically I am just looking for the most secure way to store an sftp connection account/password. Someone will fill out a form and a file will be SFTP'd. I used to have the passowrd in application.cfm.

What would be the best way to set this password? On the page itself? Or would it be more secure trying to get it working via application.cfc?

Report · Jun 05, 2014

For security reasons, I would try to avoid embedding the password anywhere in your ColdFusion code. You might put it in a "config" file outside of the webroot, then use ColdFusion to read it into an appropriately scoped variable. Assuming you don't <cfdump> or WriteDump() your variable scopes anywhere in your production code, and that you don't have "Enable Request Debugging Output" enabled on your production server, you could store the password in either the Application scope or a local page's variables scope. If there is only one page that will do FTP communication, then loading the password into a variable on that page would be fine. If you modularize the FTP stuff so it can be reused elsewhere in your application, then put the password in a variable in the application scope.

Since you'll need to pass an the password to the FTP connection, you can't hash it for added security, which is the best way to handle passwords. But you can encrypt/de-encrypt it using various functions within ColdFusion. I'd consider at least storing it in an encrypted form in the "config" file. While being no where near perfect security, it is better than storing the password in plain text in a file.

-Carl V.

Report · Jun 05, 2014

Thanks for the help! I think I will go with the config file and read it in.

Adobe Community

application.cfc site variables

1 Correct answer