advanced fusebox: securing a fusebox application by steve nelson secretagents.com

Post on 21-Jan-2016


Advanced Fusebox:

Securing a Fusebox Application

By Steve Nelson

SecretAgents.com

Securing a Fusebox Application

1. Understand Fusebox terminology

2. Understand your users

3. Understand how to use App_Secure.cfm, App_login.cfm, App_logout.cfm

4. Finally, Understand Secured SQL Statements

1. Fusebox Terminology

– Home Application
– Circuit Applications
– The Fusebox
– Fuseactions
– Fuses

Home Application

This is made up of many circuit applications

Example: SecretAgents.com

Circuit Applications

A section of a larger application

Example: SecretAgents.com/members

The Fusebox

This controls what a user is attempting to do

The default web server template, Index.cfm, is the “Fusebox”

Fuseactions

This is a single action that the user is attempting to perform

Allows for one or more Fuses in each Fuseaction

Fuses

One of the .cfm files containing the code needed to run a Fuseaction

File naming convention:
– dsp_file.cfm (display)
– act_file.cfm (action)
– qry_file.cfm (query)
– app_file.cfm (application)

2. Who Are Your Users?

– Public Users
– Registered Public Users
– Registered Private Users

Public Users

Any user in the world who has not identified him/herself

Examples:
– Reading threads in a forum
– Viewing products
– Reading news articles

Registered Public Users

A user who has freely registered

These users can do certain public tasks that need to be associated with the user

Examples:
– Posting a thread to a forum
– Purchasing products
– Suggesting a news article

Registered Private Users

These are groups of users that have been granted access to private areas of a site

Examples:
– Moderating forums
– Editing product data
– Editing news articles

3. Fusebox Security

App_Login.cfm – When a user is attempting to login

App_Logout.cfm – When a user is attempting to Logout

App_Secure.cfm – Securing an entire Circuit Application or Fuseaction

Security Database Tables

These tables can be defined by you

My Suggestion:
– Three tables: Users, Groups, User_Groups

App_Login.cfm

This file can be defined by you

– Verify the user is who they say they are
– Assign them their #Client.User_ID#
– Assign them their list of Groups: #Client.User_Groups#
– Return them to where they should be with <CF_RETURNFUSEACTION>

App_Logout.cfm

This file can be defined by you

– Reset CFID/CFTOKEN if coming from another site
– Remove Client Variables
– Set/Delete CFID/CFTOKEN cookies

App_Logout.cfm is commonly called in App_globals.cfm
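The two files above, written out as an added example (not the author's own App_Login.cfm or App_Logout.cfm). It assumes clientmanagement is enabled in CFAPPLICATION so the Client scope exists, a Request.DSN datasource name, the three tables the deck suggests (Users, Groups, User_Groups) with assumed column names User_ID, Username, PasswordHash, Group_ID, Group_Name, a login form posting Form.Username and Form.Password, and that App_Secure.cfm stored the originally requested fuseaction in Client.ReturnFuseaction before redirecting to the login form; the final CFLOCATION stands in for the deck's CF_RETURNFUSEACTION tag. Hash() is only a placeholder for whatever password scheme the site uses.

```cfml
<!--- App_Login.cfm (added example, not the deck's file) --->
<cfparam name="Form.Username" default="">
<cfparam name="Form.Password" default="">

<!--- Look the user up by name only; the WHERE clause is bound with cfqueryparam,
      never built from raw form text --->
<cfquery name="qUser" datasource="#Request.DSN#">
    SELECT User_ID, PasswordHash
    FROM   Users
    WHERE  Username = <cfqueryparam value="#Form.Username#" cfsqltype="CF_SQL_VARCHAR" maxlength="50">
</cfquery>

<!--- Step 1: verify the user is who they say they are.
      Hash() is a placeholder (assumption); a real site needs a salted, slow password hash --->
<cfif qUser.RecordCount EQ 1 AND Compare(qUser.PasswordHash, Hash(Form.Password)) EQ 0>

    <!--- Step 2: assign #Client.User_ID# --->
    <cfset Client.User_ID = qUser.User_ID>

    <!--- Step 3: assign #Client.User_Groups#, the comma list App_Secure.cfm checks against --->
    <cfquery name="qGroups" datasource="#Request.DSN#">
        SELECT g.Group_Name
        FROM   Groups g
               INNER JOIN User_Groups ug ON ug.Group_ID = g.Group_ID
        WHERE  ug.User_ID = <cfqueryparam value="#qUser.User_ID#" cfsqltype="CF_SQL_INTEGER">
    </cfquery>
    <cfset Client.User_Groups = ValueList(qGroups.Group_Name)>

    <!--- Step 4: return the user to the fuseaction they asked for before the login redirect
          (stands in for <CF_RETURNFUSEACTION>; Client.ReturnFuseaction is an assumed name) --->
    <cfparam name="Client.ReturnFuseaction" default="home">
    <cfset returnTo = Client.ReturnFuseaction>
    <cfset DeleteClientVariable("ReturnFuseaction")>
    <cflocation url="index.cfm?fuseaction=#URLEncodedFormat(returnTo)#" addtoken="No">

<cfelse>
    <!--- One message for both "no such user" and "wrong password", so the form does not
          reveal which usernames exist --->
    <cfset Request.LoginError = "Invalid username or password.">
</cfif>


<!--- App_Logout.cfm (added example, not the deck's file) --->
<!--- Remove the security variables so App_Secure.cfm treats this visitor as a Public User --->
<cfset DeleteClientVariable("User_ID")>
<cfset DeleteClientVariable("User_Groups")>
<cfset DeleteClientVariable("ReturnFuseaction")>

<!--- Expire the CFID/CFTOKEN cookies so the old client record cannot be picked up again --->
<cfcookie name="CFID" value="" expires="NOW">
<cfcookie name="CFTOKEN" value="" expires="NOW">
```

Calling App_Logout.cfm from App_globals.cfm, as the deck suggests, means a logout request is handled before any fuseaction runs, so no fuse in that request can still see the old Client.User_ID.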

App_Secure.cfm

This file can be defined by you

– Used for verifying Registered Public and Private users
– If the user does not have permissions it will send them to your login form

Security Variables

#Client.User_id# defines “who” the user is; needed for Registered Public and Registered Private; this needs to be set by your login script

#Client.User_Groups# contains a list of “Groups” the user belongs to; needed for Registered Private; this needs to be set by your login script

#Attributes.Groups# contains the list of groups allowed to access the area; used in App_Secure.cfm

How to Use App_secure.cfm

– How to secure a Circuit application
– How to secure a Fuseaction
– How to secure an area of a Fuse

Securing a Circuit Application

If every Fuseaction in a Circuit application needs to be secured, call App_Secure.cfm with CFMODULE at the top of index.cfm

Assign the necessary groups to the “groups” attribute of App_Secure.cfm

Securing a Fuseaction

For each Fuseaction that needs to be secured, call App_Secure.cfm in the CFCASE statement with the necessary groups

Securing an Area of a Fuse

Place a simple CFIF statement looking at the #client.user_groups# list to see if a user belongs to the appropriate group and may view the area
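The three placements just described, as an added example (not the deck's own App_Secure.cfm or index.cfm). It assumes App_Login.cfm sets Client.User_ID and Client.User_Groups as a comma list, that the Fusebox has already merged Form and URL into the Attributes scope, and a login fuseaction named "login"; the group names Members, Moderators and Admins and the fuse file names are made up for the illustration.

```cfml
<!--- App_Secure.cfm (added example). Called with CFMODULE, so the caller's
      "groups" and "fuseaction" attributes arrive in the Attributes scope. --->
<cfparam name="Attributes.Groups" default="">       <!--- empty = any logged-in user may enter --->
<cfparam name="Attributes.Fuseaction" default="home"> <!--- where to return after login --->

<!--- Registered Public check: is anybody logged in at all? --->
<cfif NOT IsDefined("Client.User_ID") OR NOT Val(Client.User_ID)>
    <cfset Client.ReturnFuseaction = Attributes.Fuseaction>
    <cflocation url="index.cfm?fuseaction=login" addtoken="No">
</cfif>

<!--- Registered Private check: does the user hold at least one of the allowed groups? --->
<cfif Len(Attributes.Groups)>
    <cfparam name="Client.User_Groups" default="">
    <cfset allowed = false>
    <cfloop list="#Attributes.Groups#" index="g">
        <cfif ListFindNoCase(Client.User_Groups, Trim(g))>
            <cfset allowed = true>
        </cfif>
    </cfloop>
    <cfif NOT allowed>
        <cfset Client.ReturnFuseaction = Attributes.Fuseaction>
        <cflocation url="index.cfm?fuseaction=login" addtoken="No">
    </cfif>
</cfif>


<!--- index.cfm, the Fusebox of the /members circuit (added example) --->
<cfparam name="Attributes.Fuseaction" default="home">

<!--- 1. Securing the whole Circuit Application: every fuseaction below requires the Members group --->
<cfmodule template="App_Secure.cfm" groups="Members" fuseaction="#Attributes.Fuseaction#">

<cfswitch expression="#Attributes.Fuseaction#">

    <!--- 2. Securing one Fuseaction: the module call sits inside the CFCASE with a tighter group list --->
    <cfcase value="moderate">
        <cfmodule template="App_Secure.cfm" groups="Moderators,Admins" fuseaction="moderate">
        <cfinclude template="act_moderate.cfm">
    </cfcase>

    <cfcase value="viewThread">
        <cfinclude template="qry_thread.cfm">
        <cfinclude template="dsp_thread.cfm">
    </cfcase>

    <cfdefaultcase>
        <cfinclude template="dsp_home.cfm">
    </cfdefaultcase>
</cfswitch>


<!--- dsp_thread.cfm (added example): 3. securing an area of a Fuse with a plain CFIF --->
<cfparam name="Client.User_Groups" default="">
<cfif ListFindNoCase(Client.User_Groups, "Moderators")>
    <a href="index.cfm?fuseaction=moderate&thread_id=#qThread.Thread_ID#">Moderate this thread</a>
</cfif>
```

The CFIF in the fuse only hides the link; the "moderate" CFCASE still calls App_Secure.cfm, so a user who types the URL by hand is checked against the same group list rather than trusted because the link was not shown.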

4. Secured SQL Statements

Even if a user belongs to a group, they should only be able to edit or delete “their” data

Associate new records (inserts) with #client.User_ID#, or other User specific variables

Verify edits/deletes with #client.User_id#, or other User specific variables

User Specific Insert Statement

Associate #client.User_ID# to an Insert Statement when necessary

Secured Update Statement

Verify #client.User_ID# in an Update Statement when necessary

Secured Delete Statement

Verify #client.User_ID# in a Delete Statement when necessary
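The three statements above, written out as an added example (not the deck's code). It assumes a Threads table with columns Thread_ID, User_ID, Subject and Body, a Request.DSN datasource name, that Attributes holds the merged Form/URL values, and that Client.User_ID and Client.User_Groups were set by the login script. The cfquery "result" attribute used to count affected rows exists in ColdFusion MX 7 and later. The update goes one step beyond the slide by letting members of an assumed Moderators group edit any record while everyone else is restricted to their own.

```cfml
<!--- User Specific Insert: the owner comes from Client.User_ID, never from the form,
      so a submitted User_ID field cannot attribute the row to someone else --->
<cfquery name="qInsert" datasource="#Request.DSN#">
    INSERT INTO Threads (User_ID, Subject, Body)
    VALUES (
        <cfqueryparam value="#Client.User_ID#" cfsqltype="CF_SQL_INTEGER">,
        <cfqueryparam value="#Attributes.Subject#" cfsqltype="CF_SQL_VARCHAR" maxlength="200">,
        <cfqueryparam value="#Attributes.Body#" cfsqltype="CF_SQL_LONGVARCHAR">
    )
</cfquery>


<!--- Secured Update: ownership is part of the WHERE clause, so a forged Thread_ID
      simply updates zero rows instead of someone else's thread --->
<cfparam name="Client.User_Groups" default="">
<cfquery name="qUpdate" datasource="#Request.DSN#" result="updateResult">
    UPDATE Threads
    SET    Subject = <cfqueryparam value="#Attributes.Subject#" cfsqltype="CF_SQL_VARCHAR" maxlength="200">,
           Body    = <cfqueryparam value="#Attributes.Body#" cfsqltype="CF_SQL_LONGVARCHAR">
    WHERE  Thread_ID = <cfqueryparam value="#Attributes.Thread_ID#" cfsqltype="CF_SQL_INTEGER">
    <!--- Registered Private users in the Moderators group may edit any thread;
          everyone else only their own --->
    <cfif NOT ListFindNoCase(Client.User_Groups, "Moderators")>
      AND  User_ID = <cfqueryparam value="#Client.User_ID#" cfsqltype="CF_SQL_INTEGER">
    </cfif>
</cfquery>

<!--- Zero affected rows means "not yours" (or missing); tell the user rather than silently succeed --->
<cfif updateResult.RecordCount EQ 0>
    <cfset Request.UpdateError = "That thread does not exist or you may not edit it.">
</cfif>


<!--- Secured Delete: same ownership test on the delete --->
<cfquery name="qDelete" datasource="#Request.DSN#" result="deleteResult">
    DELETE FROM Threads
    WHERE  Thread_ID = <cfqueryparam value="#Attributes.Thread_ID#" cfsqltype="CF_SQL_INTEGER">
      AND  User_ID   = <cfqueryparam value="#Client.User_ID#" cfsqltype="CF_SQL_INTEGER">
</cfquery>
```

Putting the User_ID test in the statement itself, rather than checking ownership with a separate SELECT first, means there is no window between the check and the write, and every code path that reaches the query gets the same rule.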

Fusebox Makes Security Simple

The structure of Fusebox makes security simple.

Focus on securing:
– Entire Circuit Applications
– Individual Fuseactions
– Areas of a Fuse
– User specific records in the database
