Advanced Fusebox: Securing a Fusebox Application
By Steve Nelson, SecretAgents.com

Securing a Fusebox Application
1. Understand Fusebox terminology
2. Understand your users
3. Understand how to use App_Secure.cfm, App_login.cfm, App_logout.cfm
4. Finally, understand Secured SQL Statements

1. Fusebox Terminology
Home Application
Circuit Applications
Fusebox
Fuseactions
Fuses
Home Application
This is made up of many circuit applications
Example: SecretAgents.com

Circuit Applications
A section of a larger application
Example: SecretAgents.com/members

The Fusebox
This controls what a user is attempting to do
The default web server template Index.cfm is the “Fusebox”

Fuseactions
A single action that the user is attempting to perform
Allows for one or more Fuses in each Fuseaction

Fuses
One of the .cfm files containing the code needed to run a Fuseaction
File naming convention: dsp_file.cfm (display), act_file.cfm (action), qry_file.cfm (query) and app_file.cfm (application)
2. Who Are Your Users?
Public Users
Registered Public Users
Registered Private Users

Public Users
Any user in the world who has not identified him/herself
Examples:
–Reading threads in a forum
–Viewing products
–Reading news articles

Registered Public Users
A user who has freely registered
These users can do certain public tasks that need to be associated with the user
Examples:
–Posting a thread to a forum
–Purchasing products
–Suggesting a news article

Registered Private Users
These are groups of users that have been granted access to private areas of a site
Examples:
–Moderating forums
–Editing product data
–Editing news articles
3. Fusebox Security
App_Login.cfm – When a user is attempting to login
App_Logout.cfm – When a user is attempting to logout
App_Secure.cfm – Securing an entire Circuit Application or Fuseaction

Security Database Tables
These tables can be defined by you
My suggestion:
–Three tables: Users, Groups, User_Groups

App_Login.cfm
This file can be defined by you
Verify the user is who they say they are
Assign them their #Client.User_ID#
Assign them their list of Groups: #Client.User_Groups#
Return them to where they should be with

App_Logout.cfm
This file can be defined by you
Reset CFID/CFTOKEN if coming from another site
Remove Client Variables
Set/Delete CFID/CFTOKEN cookies
App_Logout.cfm is commonly called in App_globals.cfm
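The two slides above describe what App_Login.cfm and App_Logout.cfm have to do without showing them. The following is an added example of both files written for this page; it is not the deck's own code. Everything named in it is an assumption: the datasource "sa", the suggested tables Users(user_id, username, password_hash), Groups(group_id, group_name) and User_Groups(user_id, group_id), a login form that posts form.username and form.password, an attributes.returnto value carrying the page the user originally asked for, and the Hash() algorithm argument, which exists from ColdFusion MX 7 onward.

```cfml
<!--- ===== App_Login.cfm ===== (added example, not the deck's file)
      Assumptions: datasource "sa"; tables Users(user_id, username, password_hash),
      Groups(group_id, group_name), User_Groups(user_id, group_id); the login form
      posts form.username and form.password; attributes.returnto holds the relative
      fusebox URL the user was sent away from. --->
<cfparam name="form.username" default="">
<cfparam name="form.password" default="">
<cfparam name="attributes.returnto" default="index.cfm">

<!--- Look the account up by name only and compare the password hash in CFML,
      so the password itself never becomes part of the SQL text --->
<cfquery name="qUser" datasource="sa">
    SELECT user_id, password_hash
    FROM   Users
    WHERE  username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- Hash(string, algorithm) is assumed available (ColdFusion MX 7 or later);
      a salted, deliberately slow hash is preferable where the platform offers one --->
<cfif qUser.recordcount EQ 1
      AND qUser.password_hash EQ Hash(form.password, "SHA-256")>

    <!--- Identity: the #Client.User_ID# the deck describes --->
    <cfset client.user_id = qUser.user_id>

    <!--- Memberships: #Client.User_Groups# as a comma list, e.g. "moderator,editor" --->
    <cfquery name="qGroups" datasource="sa">
        SELECT g.group_name
        FROM   Groups g
               INNER JOIN User_Groups ug ON ug.group_id = g.group_id
        WHERE  ug.user_id = <cfqueryparam value="#qUser.user_id#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfset client.user_groups = ValueList(qGroups.group_name)>

    <!--- Return the user to where they should be, but only to a relative
          fusebox URL, never to an arbitrary address supplied in the request --->
    <cfif Left(attributes.returnto, 9) EQ "index.cfm">
        <cflocation url="#attributes.returnto#" addtoken="no">
    <cfelse>
        <cflocation url="index.cfm" addtoken="no">
    </cfif>

<cfelse>
    <!--- One message for both an unknown user and a wrong password --->
    <cfset request.login_error = "Invalid username or password.">
</cfif>


<!--- ===== App_Logout.cfm ===== (added example, not the deck's file)
      Called from App_globals.cfm when the user asks to log out --->

<!--- Remove the identity and memberships the login script set --->
<cfset removedUser   = DeleteClientVariable("user_id")>
<cfset removedGroups = DeleteClientVariable("user_groups")>

<!--- Expire the CFID/CFTOKEN cookies so the old client identity is not reused --->
<cfcookie name="CFID"    value="" expires="NOW">
<cfcookie name="CFTOKEN" value="" expires="NOW">
```

Keeping the password comparison in CFML rather than in the WHERE clause means the SQL statement carries only the username parameter, and returning the user only to an index.cfm-relative URL keeps the "return them to where they should be" step from becoming a redirect to another site.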
App_Secure.cfm
This file can be defined by you
Used for verifying Registered Public and Private users
If the user does not have permissions it will send them to your login form

Security Variables
#Client.User_id# defines “who” the user is. It is needed for Registered Public and Registered Private users and must be set by your login script
#Client.User_Groups# contains a list of “Groups” the user belongs to. It is needed for Registered Private users and must be set by your login script
#Attributes.Groups# contains a list of the groups allowed to access the area; it is used in App_Secure.cfm
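The three variables above are everything App_Secure.cfm needs. Below is an added example of such a file, written for this page rather than taken from the deck. It assumes the variable names the deck gives (client.user_id, client.user_groups, attributes.groups), a login fuseaction reachable at index.cfm?fuseaction=login, and that a missing or empty groups attribute means "any logged-in user", so the same file serves both Registered Public and Registered Private areas.

```cfml
<!--- App_Secure.cfm (added example, not the deck's file)
      Called with: <cfmodule template="App_Secure.cfm" groups="moderator,editor">
      Assumptions: client.user_id and client.user_groups were set by App_Login.cfm;
      an empty attributes.groups means any identified user may continue;
      the login form lives at index.cfm?fuseaction=login. --->
<cfparam name="attributes.groups"    default="">
<cfparam name="client.user_id"       default="">
<cfparam name="client.user_groups"   default="">

<!--- 1. Authentication: Registered Public areas only need an identified user.
         Remember where the user was going so App_Login.cfm can return them. --->
<cfif NOT Len(Trim(client.user_id))>
    <cflocation url="index.cfm?fuseaction=login&returnto=#URLEncodedFormat(cgi.script_name & '?' & cgi.query_string)#"
                addtoken="no">
</cfif>

<!--- 2. Authorization: Registered Private areas name the groups allowed in.
         The user must hold at least one of them. --->
<cfset allowed = NOT Len(Trim(attributes.groups))>
<cfloop list="#attributes.groups#" index="requiredGroup">
    <cfif ListFindNoCase(client.user_groups, Trim(requiredGroup))>
        <cfset allowed = true>
        <cfbreak>
    </cfif>
</cfloop>

<!--- 3. No permission: back to the login form, as the deck describes --->
<cfif NOT allowed>
    <cflocation url="index.cfm?fuseaction=login&denied=1" addtoken="no">
</cfif>
```

Because cflocation ends the request, any fuse included after the cfmodule call runs only for a user who passed both checks; the calling index.cfm does not need its own cfif around the protected code.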
How to Use App_secure.cfm
How to secure a Circuit application
How to secure a Fuseaction
How to secure an area of a Fuse

Securing a Circuit Application
If every Fuseaction in a Circuit application needs to be secured, call App_Secure.cfm with CFMODULE at the top of index.cfm
Assign the necessary groups to the “groups” attribute of App_Secure.cfm

Securing a Fuseaction
For each Fuseaction that needs to be secured, call App_Secure.cfm in the CFCASE statement with the necessary groups

Securing an Area of a Fuse
Place a simple CFIF statement that looks at the #client.user_groups# list to see whether the user belongs to the appropriate group and may view the area
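The three placements just described fit in one circuit. The following is an added example, not the deck's code, of an index.cfm for the members circuit plus a fragment of a display fuse: App_Secure.cfm is called once at the top for the whole circuit, again inside one CFCASE with a groups attribute, and the display fuse uses a CFIF on client.user_groups to show an area. The fuseaction names (home, moderate), fuse file names (qry_threads.cfm, dsp_moderate.cfm, dsp_home.cfm), the group name "moderator" and an App_globals.cfm that copies url/form variables into the attributes scope are all assumptions.

```cfml
<!--- index.cfm of the "members" circuit (added example, not the deck's code)
      Assumptions: App_globals.cfm merges url/form into the attributes scope;
      fuseaction and fuse file names below are invented for illustration. --->
<cfinclude template="App_globals.cfm">
<cfparam name="attributes.fuseaction" default="home">

<!--- (a) Securing a Circuit Application: every fuseaction in this circuit needs
      an identified user, so App_Secure.cfm runs before the switch with no groups --->
<cfmodule template="App_Secure.cfm">

<cfswitch expression="#attributes.fuseaction#">

    <cfcase value="home">
        <cfinclude template="dsp_home.cfm">
    </cfcase>

    <!--- (b) Securing a Fuseaction: only the "moderator" group may reach this one,
          so the module is called again inside the CFCASE with the groups attribute --->
    <cfcase value="moderate">
        <cfmodule template="App_Secure.cfm" groups="moderator">
        <cfinclude template="qry_threads.cfm">
        <cfinclude template="dsp_moderate.cfm">
    </cfcase>

    <cfdefaultcase>
        <cfinclude template="dsp_home.cfm">
    </cfdefaultcase>
</cfswitch>


<!--- dsp_home.cfm fragment (added example)
      (c) Securing an Area of a Fuse: the link is rendered only for moderators.
      This hides the area; the CFCASE above still enforces access if someone
      types the URL by hand. --->
<cfoutput>
<p>Welcome, member #client.user_id#</p>

<cfif ListFindNoCase(client.user_groups, "moderator")>
    <p><a href="index.cfm?fuseaction=moderate">Moderate forums</a></p>
</cfif>
</cfoutput>
```

The CFIF in the fuse is a display decision, not an access control: the cfmodule call in the CFCASE is what stops a request for fuseaction=moderate from a user outside the group, so both layers are kept.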
4. Secured SQL Statements
Even if a user belongs to a group, they should only be able to edit or delete “their” data
Associate new records (inserts) with #client.User_ID#, or other user-specific variables
Verify edits/deletes with #client.User_id#, or other user-specific variables

User Specific Insert Statement
Associate #client.User_ID# with an Insert Statement when necessary

Secured Update Statement
Verify #client.User_ID# in an Update Statement when necessary

Secured Delete Statement
Verify #client.User_ID# in a Delete Statement when necessary
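The insert, update and delete slides above state the rule without showing the statements. The following action fuse is an added example written for this page, not the deck's code. It assumes a datasource "sa", an Articles(article_id, user_id, title, body) table, that App_Secure.cfm has already run so client.user_id is set, and that the submitted form arrives in the attributes scope with an attributes.action of insert, update or delete.

```cfml
<!--- act_article.cfm (added example, not the deck's code)
      Assumptions: datasource "sa"; table Articles(article_id, user_id, title, body);
      App_Secure.cfm already ran, so client.user_id identifies the logged-in member;
      attributes.* come from the submitted form. --->
<cfparam name="attributes.action"     default="insert">
<cfparam name="attributes.article_id" default="0">
<cfparam name="attributes.title"      default="">
<cfparam name="attributes.body"       default="">

<cfswitch expression="#attributes.action#">

    <!--- User specific insert: the owner is taken from client.user_id,
          never from a form field the user could change --->
    <cfcase value="insert">
        <cfquery datasource="sa">
            INSERT INTO Articles (user_id, title, body)
            VALUES (
                <cfqueryparam value="#client.user_id#"    cfsqltype="cf_sql_integer">,
                <cfqueryparam value="#attributes.title#"  cfsqltype="cf_sql_varchar">,
                <cfqueryparam value="#attributes.body#"   cfsqltype="cf_sql_longvarchar">
            )
        </cfquery>
    </cfcase>

    <!--- Secured update: the WHERE clause carries both the record id and the
          owner, so a request naming someone else's article_id updates no rows --->
    <cfcase value="update">
        <cfquery datasource="sa">
            UPDATE Articles
            SET    title = <cfqueryparam value="#attributes.title#" cfsqltype="cf_sql_varchar">,
                   body  = <cfqueryparam value="#attributes.body#"  cfsqltype="cf_sql_longvarchar">
            WHERE  article_id = <cfqueryparam value="#attributes.article_id#" cfsqltype="cf_sql_integer">
            AND    user_id    = <cfqueryparam value="#client.user_id#"        cfsqltype="cf_sql_integer">
        </cfquery>
    </cfcase>

    <!--- Secured delete: same ownership check as the update --->
    <cfcase value="delete">
        <cfquery datasource="sa">
            DELETE FROM Articles
            WHERE  article_id = <cfqueryparam value="#attributes.article_id#" cfsqltype="cf_sql_integer">
            AND    user_id    = <cfqueryparam value="#client.user_id#"        cfsqltype="cf_sql_integer">
        </cfquery>
    </cfcase>
</cfswitch>

<cflocation url="index.cfm?fuseaction=articles" addtoken="no">
```

Two things carry the security here: the ownership column in every WHERE clause, which is the deck's point, and cfqueryparam on every value, which keeps the form data from becoming part of the SQL text. Group membership decides whether the fuseaction runs at all; the user_id condition decides which rows it may touch.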
Fusebox Makes Security Simple
The structure of Fusebox makes security simple. Focus on securing:
–Entire Circuit Applications
–Individual Fuseactions
–Areas of a Fuse
–User-specific records in the database