Advanced Fusebox: Securing a Fusebox Application By Steve Nelson SecretAgents.com.
Advanced Fusebox:
Securing a Fusebox Application
By Steve Nelson
SecretAgents.com
Securing a Fusebox Application
1. Understand Fusebox terminology
2. Understand your users
3. Understand how to use App_Secure.cfm, App_login.cfm, App_logout.cfm
4. Finally, Understand Secured SQL Statements
1. Fusebox Terminology
– Home Application
– Circuit Applications
– Fusebox
– Fuseactions
– Fuses
Home Application
This is made up of many circuit applications
Example: SecretAgents.com
Circuit Applications
A section of a larger application
Example: SecretAgents.com/members
The Fusebox
This controls what a user is attempting to do
The default web server template, Index.cfm, is the “Fusebox”
Fuseactions
This is a single action that the user is attempting to perform
Allows for one or more Fuses in each Fuseaction
Fuses
One of the .cfm files containing the code needed to run a Fuseaction
File naming convention:
– dsp_file.cfm (display)
– act_file.cfm (action)
– qry_file.cfm (query)
– app_file.cfm (application)
2. Who Are Your Users?
– Public Users
– Registered Public Users
– Registered Private Users
Public Users
Any user in the world who has not identified him/herself
Examples:
– Reading threads in a forum
– Viewing products
– Reading news articles
Registered Public Users
A user who has freely registered
These users can do certain public tasks that need to be associated with the user
Examples:
– Posting a thread to a forum
– Purchasing products
– Suggesting a news article
Registered Private Users
These are groups of users that have been granted access to private areas of a site
Examples:
– Moderating forums
– Editing product data
– Editing news articles
3. Fusebox Security
App_Login.cfm – When a user is attempting to log in
App_Logout.cfm – When a user is attempting to log out
App_Secure.cfm – Securing an entire Circuit Application or Fuseaction
Security Database Tables
These tables can be defined by you
My Suggestion:
– Three tables: Users, Groups, User_Groups
App_Login.cfm
This file can be defined by you
Verify the user is who they say they are
Assign them their #Client.User_ID#
Assign them their list of Groups: #Client.User_Groups#
Return them to where they should be with <CF_RETURNFUSEACTION>
App_Logout.cfm
This file can be defined by you
Reset CFID/CFTOKENS if coming from another site
Remove Client Variables
Set/Delete CFID/CFTOKEN cookies
App_Logout.cfm is commonly called in App_globals.cfm
App_Secure.cfm
This file can be defined by you
Used for verifying Registered Public and Private users
If the user does not have permissions it will send them to your login form
Security Variables
– #Client.User_id# defines “who” the user is; needed for Registered Public and Registered Private; this needs to be set by your login script
– #Client.User_Groups# contains a list of “Groups” the user belongs to; needed for Registered Private; this needs to be set by your login script
– #Attributes.Groups# contains a list of groups allowed to access the area; used in App_Secure.cfm
How to Use App_secure.cfm
– How to secure a Circuit application
– How to secure a Fuseaction
– How to secure an area of a Fuse
Securing a Circuit Application
If every Fuseaction in a Circuit application needs to be secured, call App_Secure.cfm with CFMODULE at the top of index.cfm
Assign the necessary groups to the “groups” attribute of App_Secure.cfm
Securing a Fuseaction
For each Fuseaction that needs to be secured, call App_Secure.cfm in the CFCASE statement with the necessary groups
Securing an Area of a Fuse
Place a simple CFIF statement looking at the #client.user_groups# list to see if a user belongs to the appropriate group and may view the area
4. Secured SQL Statements
Even if a user belongs to a group, they should only be able to edit or delete “their” data
Associate new records (inserts) with #client.User_ID#, or other User specific variables
Verify edits/deletes with #client.User_id#, or other User specific variables
User Specific Insert Statement
Associate #client.User_ID# to an Insert Statement when necessary
Secured Update Statement
Verify #client.User_ID# in an Update Statement when necessary
Secured Delete Statement
Verify #client.User_ID# in a Delete Statement when necessary
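The App_Secure.cfm check from section 3 and the user-specific Update from section 4, worked through as one added CFML example; this is not code from the original deck. The dsp_login fuseaction, the request.dsn datasource, and the Articles table with its Article_ID, Title and User_ID columns are assumptions.

```cfml
<!--- App_Secure.cfm (added example): called with CFMODULE from index.cfm or from a CFCASE --->
<cfparam name="Attributes.Groups" default="">

<!--- Registered Public check: Client.User_ID is set only by the login script --->
<cfif NOT IsDefined("Client.User_ID") OR NOT IsNumeric(Client.User_ID)>
    <cflocation url="index.cfm?fuseaction=dsp_login" addtoken="No">
</cfif>

<!--- Registered Private check: one of the user's groups must appear in Attributes.Groups --->
<cfif Len(Attributes.Groups)>
    <cfparam name="Client.User_Groups" default="">
    <cfset Allowed = false>
    <cfloop list="#Attributes.Groups#" index="Group">
        <cfif ListFindNoCase(Client.User_Groups, Group)>
            <cfset Allowed = true>
        </cfif>
    </cfloop>
    <cfif NOT Allowed>
        <cflocation url="index.cfm?fuseaction=dsp_login" addtoken="No">
    </cfif>
</cfif>

<!--- index.cfm: securing a single Fuseaction inside the CFCASE --->
<cfswitch expression="#Attributes.fuseaction#">
    <cfcase value="act_edit_article">
        <cfmodule template="App_Secure.cfm" groups="Editors,Admins">
        <cfinclude template="act_edit_article.cfm">
    </cfcase>
</cfswitch>

<!--- act_edit_article.cfm: group membership got the user here, but the row
      is only updated when it belongs to #Client.User_ID# (assumed schema) --->
<cfquery name="UpdateArticle" datasource="#request.dsn#">
    UPDATE Articles
    SET    Title      = <cfqueryparam value="#Attributes.Title#" cfsqltype="CF_SQL_VARCHAR">
    WHERE  Article_ID = <cfqueryparam value="#Attributes.Article_ID#" cfsqltype="CF_SQL_INTEGER">
    AND    User_ID    = <cfqueryparam value="#Client.User_ID#" cfsqltype="CF_SQL_INTEGER">
</cfquery>
```

A request for another user's Article_ID matches zero rows, so the same WHERE clause serves the Delete case from the slide above.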
Fusebox Makes Security Simple
The structure of Fusebox makes security simple.
Focus on securing:
– Entire Circuit Applications
– Individual Fuseactions
– Areas of a Fuse
– User specific records in the database