views: 44
answers: 2

I've got a ColdFusion page that I want to include some admin level jQuery functions to authenticated users but I'm not sure what the best practice is for achieving this. Currently, I have a cfif statement inside my document.ready that checks to see if the user is logged in (session scope) and if so, runs a cfinclude to a file with the additional code in it.

Is this the most secure way to get the business done or is there a better way?

<script type="text/javascript">
$(document).ready(function(){
    <!--- CFML is evaluated on the server before the page is sent; the include only appears in the output for authenticated users --->
    <cfif #variable# IS "authenticated">
        <cfinclude template="includes/theadminfunctions.js">
    </cfif>
    // a bunch of other code here...
});
</script>
+2  A: 

I would probably wrap it a little differently

<cfif variable IS "authenticated">
    <script src="includes/theadminfunctions.js.cfm"></script>
</cfif>
<script>
  $(document).ready(function(){
    //other code goes here
  });
</script>

Basically this is just using a script include to handle the page since it is likely pure js. Just seems more semantically correct to me, unless your includes directory does not allow get requests...

So I would also add an authentication check to your theadminfunctions.js page by turning it into a .js.cfm page. That way no one can grab your functions and include them manually without authentication. Also make sure you lock down any APIs that the js functions are calling to require an authenticated user.

Daniel Sellers
+1  A: 

Ok, well the first thing is to point out that the cfif is not actually inside your document.ready function. As far as the CF server is concerned, the JS is just text, no different to HTML or anything else.

The CFML runs on the server and generates text (HTML/JS), which is passed to the web server then across the internet, then the user's browser interprets the text as HTML+JS.

Some of CF's functionality can blur the distinction there, by hiding some of the back and forth, but it's important to know what's actually happening: your CFML is generating text/code, but doesn't directly interact with that JavaScript.

But anyway, back to the main question... the way you're doing it is ok, but not necessarily the best way. JavaScript should be in separate files so they can be cached/refreshed independently of the page. Also, depending on what your JS can contain, you may want to block access to the file itself.

Since you're using CF-level login checks, the way to do that is to use a CFM file for your JS and add a check at the top of the file.

I would probably do it like this:

<script type="text/javascript" src="includes/common.js"></script>
<cfif (logincheck) >
    <script type="text/javascript" src="includes/loggedin.js.cfm"></script>
</cfif>

Then inside loggedin.js.cfm you would have:

<!--- Check again for authentication, and exit if not. --->
<cfif NOT (logincheck) >
    <cfabort/>
</cfif>

<!--- Tell the browser this is a JS file (default is HTML); reset discards any output already buffered --->
<cfcontent reset="true" type="text/javascript"/>

// js admin functions...
$(document).ready(function(){...});

<!--- Ensure debugging is always off to prevent the JS errors it would otherwise cause. --->
<cfsetting showdebugoutput="false" />
<!--- (you can consider a <cfabort/> here, depending on if you want onRequestEnd to run or not) --->
Peter Boughton
Peter, thanks for the detailed code samples.
Ofeargall
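Putting both answers together as one worked example (added here; this is not code from either answer): a `loggedin.js.cfm` that is only served to an authenticated session, plus the server-side CFC that the admin JavaScript calls, which repeats the same check. The `session.isAuthenticated` flag, the file names `loggedin.js.cfm` and `adminApi.cfc`, the `deleteRecord` method and the `#deleteBtn` markup are all assumed names; it also assumes an Application.cfc with `this.sessionManagement = true` so that the session scope exists.

```cfml
<!--- includes/loggedin.js.cfm (added example; session.isAuthenticated is an assumed flag set by your login code) --->

<!--- 1. Gate the file itself: an unauthenticated request gets a 403 and no script body at all. --->
<cfif NOT (structKeyExists(session, "isAuthenticated") AND session.isAuthenticated)>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- 2. Discard anything already buffered, label the response as JavaScript, and keep CF debug output out of it. --->
<cfcontent reset="true" type="text/javascript">
<cfsetting showdebugoutput="false">
// Admin-only UI wiring. Outside <cfoutput> the # characters below are plain text to CF.
// Hiding this file is convenience, not a security boundary; the CFC below enforces access.
$(document).ready(function(){
    $("#deleteBtn").on("click", function(){
        $.post("adminApi.cfc?method=deleteRecord",
               { id: $(this).data("id") },
               function(resp){
                   if (resp.ok) { $("#row-" + resp.id).remove(); }
               },
               "json");
    });
});
<cfabort>


<!--- adminApi.cfc (assumed name). Every remote method re-checks the session,
      because anyone can call this URL directly regardless of which JS they were served. --->
<cfcomponent>
    <cffunction name="deleteRecord" access="remote" returntype="struct" returnformat="json">
        <cfargument name="id" type="numeric" required="true">

        <cfif NOT (structKeyExists(session, "isAuthenticated") AND session.isAuthenticated)>
            <cfheader statuscode="403" statustext="Forbidden">
            <cfabort>
        </cfif>

        <!--- ... perform the delete here with a parameterised query (cfqueryparam) ... --->

        <cfreturn { "ok" = true, "id" = arguments.id }>
    </cffunction>
</cfcomponent>
```

Requesting `includes/loggedin.js.cfm` without the session cookie returns a 403 with an empty body, so the admin functions cannot simply be fetched and included by hand, which is Daniel's point; the duplicated check inside `deleteRecord` is the part that actually stops a direct call to the endpoint, and the `<cfabort>` at the end of the JS file keeps onRequestEnd output (or a site footer) from being appended to the script and breaking it, which is the case Peter flags at the end of his sample.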