views: 64
answers: 2
I'm having a lot of trouble finding information about securing remote functions on Coldfusion CFCs for AJAX calls. Let's say you're retrieving sensitive information for a user after the user logs in to the site via an AJAX call. You call something like this:

https://www.mySite.com/pathToCFC/MyCFC.cfc?method=getBankInfo&userID=2343

So this is obviously super insecure, as anyone could call this from a browser and change userID to get a different user's bank info.

I've read about using the roles attribute on the remote function and using cflogin to authenticate a user, but even with this in place, wouldn't you have to pass the userID like the above call? Wouldn't an authenticated user still be able to switch the userID to discover new user's bank info?

+5  A: 

Don't pass the userid from the client. The userid and other sensitive data should be stored server-side. In fact, every bit of data passed from the client must be considered suspect, and validated.

So, if you're using cflogin, for instance, and you're on a single server, or a sticky-sessioned server, then store the userid and any other critical information in the session scope.

On each request, you fetch this data from the session, not from what the client provides.

This is a good starting point on User Security in Coldfusion.

Edward M Smith
So if I called the CFC via an AJAX call, would the remote CFC be able to access the session scope? If the call from the browser passes no arguments to the remote function, how does this CFC know what session it needs to use?
DannyLeavitt
When you turn on session management in the application.cfc (or application.cfm), the CF server uses session cookies (cfid and cftoken). So, on each request, the cfserver examines those cookies, and if they're valid, allows access to the session variables for that session.
Edward M Smith
Let's say I create a remote CFC function on one website on a given server, and create a different website using the same CF server. This website allows session management and then makes a call to this remote CFC that resides in the folders of another website. The browser calls this function on the client side. Would the remote CFC still know to use the session scope for this particular application? Does a session cookie get somehow passed automatically to these remote functions when they are called on the client side?
DannyLeavitt
It depends. The session scope belongs to an application. "Applications" in Coldfusion are somewhat amorphous. The only thing that distinguishes one application from another on a single Coldfusion server is the application name, set either in the application.cfc or the application.cfm. So, if the two websites had different application names, then they would not share sessions. If the two websites had the same application name, then they would.
Edward M Smith
Paying attention to what Edward said, you would never send a userid as you have above in any situation. Either use a UUID as the key or set a UUID in addition to the userID that you are using. You can pass the UUID through https without having the ability to change characters to access another account as you noted above.
Jason Tabler
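The approach laid out in this answer and its comments, written up as an added example that is not code from the original post or from any of the commenters: an Application.cfc that turns on session management (so the CFID/CFTOKEN cookies on each AJAX request select the session) and a remote CFC whose bank-info method has no userID parameter at all and reads the id from the session scope. The application name "BankApp", the datasource "bank", the bank_info table, the checkCredentials() helper and the login method are assumptions; sessionRotate() is assumed to be available (ColdFusion 10+ or Lucee). The insecure method from the question is kept beside the hardened one for contrast.

```cfml
<!--- Application.cfc (assumed application name "BankApp"). Sessions belong to this
      name: a CFC served under a site whose Application.cfc sets a different this.name
      sees a different session scope, as the comments above explain. --->
<cfcomponent output="false">
    <cfset this.name = "BankApp">
    <cfset this.sessionManagement = true>   <!--- CFID/CFTOKEN cookies identify the session --->
    <cfset this.setClientCookies = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
</cfcomponent>

<!--- pathToCFC/MyCFC.cfc --->
<cfcomponent output="false">

    <!--- Called by the login form. checkCredentials() is an assumed helper that returns
          the user's numeric id on success and 0 on failure. --->
    <cffunction name="login" access="remote" returntype="boolean" returnformat="json" output="false">
        <cfargument name="username" type="string" required="true">
        <cfargument name="password" type="string" required="true">
        <cfset var uid = checkCredentials(arguments.username, arguments.password)>
        <cfif uid EQ 0>
            <cfreturn false>
        </cfif>
        <!--- Issue a fresh CFID/CFTOKEN at login so a session id handed to the victim
              before login (session fixation) does not become an authenticated one --->
        <cfset sessionRotate()>
        <cfset session.userID = uid>        <!--- the only place the id is ever written --->
        <cfreturn true>
    </cffunction>

    <!--- The pattern from the question: the id is a request parameter, so any caller,
          authenticated or not, can change it. Shown only to contrast with getBankInfo. --->
    <cffunction name="getBankInfoInsecure" access="remote" returntype="query" returnformat="json" output="false">
        <cfargument name="userID" type="numeric" required="true">
        <cfset var q = "">
        <cfquery name="q" datasource="bank">
            SELECT account_no, balance FROM bank_info
            WHERE user_id = <cfqueryparam value="#arguments.userID#" cfsqltype="cf_sql_integer">
        </cfquery>
        <cfreturn q>
    </cffunction>

    <!--- Hardened: no userID argument. A caller who appends &userID=2343 to the URL gains
          nothing, because the method never reads url or arguments for the id; it reads
          the session that this request's CFID/CFTOKEN cookies resolve to. --->
    <cffunction name="getBankInfo" access="remote" returntype="query" returnformat="json" output="false">
        <cfset var q = "">
        <cfif NOT structKeyExists(session, "userID")>
            <cfthrow type="Unauthorized" message="Not logged in">
        </cfif>
        <cfquery name="q" datasource="bank">
            SELECT account_no, balance FROM bank_info
            WHERE user_id = <cfqueryparam value="#session.userID#" cfsqltype="cf_sql_integer">
        </cfquery>
        <cfreturn q>
    </cffunction>
</cfcomponent>
```

The browser then calls https://www.mySite.com/pathToCFC/MyCFC.cfc?method=getBankInfo with no user parameter; the session cookies travel with the request automatically, so the same-origin AJAX call is tied to whoever logged in. The cfqueryparam on both queries keeps the id from being used for SQL injection, but note that it does nothing for the authorization problem: only removing the parameter does that.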
A: 

Wait a second, if you have user X who has to request his details from the server, you don't need his ID; you have it in the session, or if you use the cflogin feature you'll have getAuthUser().

If you have an administrator who can see other users' details and you're worried about him seeing bank details, you need roles: CF's roles, or your custom solution, etc.

In any case you don't need to send an explicit call "gimme bank account details for user 3456".

zarko.susnjar
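The cflogin route this answer mentions, as an added example that is not code from the original post or its author: cflogin in Application.cfc establishes the identity once, getAuthUser() supplies the caller's own id inside the remote method, and the roles attribute on cffunction restricts the "look up another user" method to administrators. The application name, datasource, table, lookupUser() helper and role names are assumptions.

```cfml
<!--- Application.cfc --->
<cfcomponent output="false">
    <cfset this.name = "BankApp">
    <cfset this.sessionManagement = true>
    <cfset this.loginStorage = "session">   <!--- keep the cflogin identity for the whole session,
                                                 not just the request that carried the credentials --->

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var q = "">
        <cflogin>
            <!--- This body runs only while nobody is logged in. The cflogin structure exists
                  when the request carried j_username/j_password form fields or HTTP Basic auth. --->
            <cfif isDefined("cflogin")>
                <!--- lookupUser() is an assumed helper returning a query with columns
                      user_id and role for valid credentials and zero rows otherwise --->
                <cfset q = lookupUser(cflogin.name, cflogin.password)>
                <cfif q.recordCount EQ 1>
                    <!--- The "name" stored with the login is the numeric user id, so
                          getAuthUser() later returns exactly the value the queries need --->
                    <cfloginuser name="#q.user_id#" password="#cflogin.password#" roles="#q.role#">
                </cfif>
            </cfif>
        </cflogin>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- pathToCFC/MyCFC.cfc --->
<cfcomponent output="false">

    <!--- The caller's own details: the id comes from the login, never from the URL.
          roles="user,admin" makes ColdFusion refuse the call before the body runs
          when no user is logged in or the user has neither role. --->
    <cffunction name="getMyBankInfo" access="remote" returntype="query" returnformat="json"
                roles="user,admin" output="false">
        <cfset var q = "">
        <cfquery name="q" datasource="bank">
            SELECT account_no, balance FROM bank_info
            WHERE user_id = <cfqueryparam value="#getAuthUser()#" cfsqltype="cf_sql_integer">
        </cfquery>
        <cfreturn q>
    </cffunction>

    <!--- The one place an explicit userID is legitimate: an administrator viewing another
          account. It is a separate method, and only the admin role can invoke it. --->
    <cffunction name="getBankInfoForUser" access="remote" returntype="query" returnformat="json"
                roles="admin" output="false">
        <cfargument name="userID" type="numeric" required="true">
        <cfset var q = "">
        <cfquery name="q" datasource="bank">
            SELECT account_no, balance FROM bank_info
            WHERE user_id = <cfqueryparam value="#arguments.userID#" cfsqltype="cf_sql_integer">
        </cfquery>
        <cfreturn q>
    </cffunction>
</cfcomponent>
```

Splitting the two cases into two methods is the point: the self-service method has no parameter to tamper with, and the parameterised one is gated by a role the ordinary user does not hold, so neither an anonymous caller nor a logged-in customer can turn getMyBankInfo into "gimme bank account details for user 3456".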