Upon each request you would verify the cookie with
This only works with session cookies, i.e. the ones that get removed when the browser closes; with a persistent cookie it would not work. Once again, this is still experimental. Come to think of it, I probably should not have included it here yet, but I might as well and get some feedback on it.
Proper Error Handling
You might ask yourself, why worry about error handling? But have you had a proper look at the information that is displayed when a ColdFusion error is thrown? It can give a malicious user information such as configuration details, the physical path of the application, datasource names, database table names, the SQL that failed, and possibly even usernames and passwords, all of which is very valuable to someone trying to do harm.
On a production machine you should prevent any debugging output from being displayed and, to save resources, turn debugging off completely in the ColdFusion Administrator. The "Enable Robust Exception Information" setting under Debugging & Logging is the one that puts template paths and SQL on the default error page; it should be off in production.
Use an error handler in your application that catches all errors, notifies you of the error, logs it and displays a friendly message to the user instead of a white page full of things they cannot understand. Keep the message as simple as possible; on www.clickfind.com.au we try to make it a little fun, and the heading of our page is Oops!
Oops, there was a problem!
The problem could be caused by a network, database, programming (we're only human) or connection problem, you could try again to see if the problem is solved.
The technical team (support@clickfind.com.au) has been notified of the problem and will work on fixing this issue as soon as possible.
A reference number for this problem is [reference number here]
Additional information
Following is some additional information that might be helpful.
You are signed in as #session.User.getScreenName()#
You are not signed in.
You do not have JavaScript enabled.
You accept cookies.
You do not accept cookies, you should know that this site requires cookies to be enabled.
Your IP address is #cgi.remote_addr#
Your reverse DNS is #request.reverseDNS()#
The above information gives the user confidence that the error is being looked at, and it would help you debug the error if you were speaking to the client on the phone: it might be that they do not have cookies or JavaScript enabled, and the output above tells you so. Note that nothing technical about the error itself appears on the page; that detail goes to you by e-mail and into the log.
The following gives you some idea of how to set up error handlers in your application.
If you are on ColdFusion MX 7 or higher you would use the onError event handler in Application.cfc.
Note that output is set to true on the function, because you will be displaying HTML to the user upon an error.
Between the function tags you would have a cfmail to notify you of the error and e-mail the details of the exception, and the HTML with the friendly message for the user. Keep the exception message, template path and SQL in the e-mail and the log only; none of it belongs on the page the visitor sees, for the reasons given above. And last but not least, make sure you adhere to the HTTP rules and return a 500 status code rather than a 200, so browsers, proxies and search engines know the request failed.
In ColdFusion MX 6 you would use the cferror tag to include an error template that performs the same actions described above.
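The following Application.cfc is an added example of the onError handler described above; it is not code from the original article. The application name, the e-mail addresses, the session.User object with its getScreenName() method and the log file name are assumptions. It logs and mails the details, masks the password field before mailing the form scope, skips the HTML when there is no browser to talk to (session and application end events), and sends a 500 status with the friendly page.

```cfml
<!--- Application.cfc: catch-all error handler (added example, not the original article's code;
      this.name, the e-mail addresses, session.User and the log file name are assumed) --->
<cfcomponent output="false">
    <cfset this.name = "myApplication">
    <cfset this.sessionManagement = true>

    <cffunction name="onError" returnType="void" output="true">
        <cfargument name="exception" required="true">
        <cfargument name="eventName" type="string" required="true">
        <!--- All var declarations first: ColdFusion 8 and earlier require it --->
        <cfset var reference  = createUUID()>  <!--- quoted by the user, written to the log and the e-mail --->
        <cfset var screenName = "">
        <cfset var safeForm   = structNew()>

        <!--- Not every event has a session or a form scope (e.g. onApplicationStart), so test first --->
        <cfif isDefined("session.User")>
            <cfset screenName = session.User.getScreenName()>
        </cfif>
        <cfif isDefined("form")>
            <cfset safeForm = duplicate(form)>
        </cfif>
        <!--- Never mail the password the user just typed --->
        <cfif structKeyExists(safeForm, "password")>
            <cfset safeForm.password = "********">
        </cfif>

        <!--- 1. Log the details server-side, with the reference the user will quote --->
        <cflog file="application" type="error"
               text="[#reference#] #arguments.eventName# #cgi.script_name#: #arguments.exception.message#">

        <!--- 2. Notify the technical team; everything needed to debug goes here, not to the user.
                 A failing mail server must not turn into a second unhandled error. --->
        <cftry>
            <cfmail to="support@example.com" from="errors@example.com"
                    subject="Error #reference# on #cgi.server_name#" type="html">
                <p>Reference: #reference#</p>
                <p>Event: #arguments.eventName#, template: #cgi.script_name#,
                   IP: #cgi.remote_addr#, user: #screenName#</p>
                <cfdump var="#arguments.exception#" label="Exception">
                <cfdump var="#safeForm#" label="Form">
                <cfdump var="#url#" label="URL">
            </cfmail>
            <cfcatch type="any">
                <cflog file="application" type="error"
                       text="[#reference#] could not send error mail: #cfcatch.message#">
            </cfcatch>
        </cftry>

        <!--- 3. Session and application end events have no browser waiting for a page --->
        <cfif arguments.eventName eq "onSessionEnd" or arguments.eventName eq "onApplicationEnd">
            <cfreturn>
        </cfif>

        <!--- 4. Tell the client the request failed, then show the friendly page --->
        <cfheader statuscode="500" statustext="Internal Server Error">
        <cfoutput>
        <h1>Oops, there was a problem!</h1>
        <p>The problem could be caused by a network, database, programming (we're only human)
           or connection problem; you could try again to see if the problem is solved.</p>
        <p>The technical team has been notified of the problem and will work on fixing this
           issue as soon as possible.</p>
        <p>A reference number for this problem is #reference#</p>
        <h2>Additional information</h2>
        <ul>
            <cfif len(screenName)>
                <li>You are signed in as #htmlEditFormat(screenName)#</li>
            <cfelse>
                <li>You are not signed in.</li>
            </cfif>
            <cfif structKeyExists(cookie, "CFID") or structKeyExists(cookie, "CFTOKEN")>
                <li>You accept cookies.</li>
            <cfelse>
                <li>You do not accept cookies; this site requires cookies to be enabled.</li>
            </cfif>
            <li>Your IP address is #cgi.remote_addr#</li>
        </ul>
        </cfoutput>
    </cffunction>
</cfcomponent>
```

The JavaScript line of the original page is left out here because the server cannot tell on its own whether JavaScript is enabled; it needs the form to set a hidden field or a cookie from script. Also note the order: cfheader has to come before any output, and the eventName check comes before it, otherwise a failure in onSessionEnd would try to write HTML to nobody.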
Input Validation
You cannot rely on your users always understanding what they need to enter in your form fields; sometimes they make a mistake, don't understand, or are trying to break your system and enter characters you would not be expecting.
For example, you are expecting a date in your field like 05/11/72 but someone writes 5 Nov 1972, or a malicious user enters <script>alert('my name')</script> in a first name field.
Client-side validation with JavaScript should only be considered a nice feature to make life easier for your users; it should never be seen as the final word on data validation. JavaScript can be turned off in the browser and the form can be posted by a script that never runs your page at all. Server-side validation in ColdFusion is the only way to be sure the data has actually been checked.
What can happen if you don't validate your data? You can end up with a messy database full of worthless information, it can crash your application, or worse, a malicious user could insert script tags that end up in other people's pages, grab their cookies and hijack their sessions (cross-site scripting). Validation on the way in is half of that fix; the other half is encoding data on the way out with htmlEditFormat, and passing values to the database through cfqueryparam rather than pasting them into SQL.
ColdFusion now has some great tags that can handle the validation for you, but I've stuck with the old school and like to have full control with regular expressions.
If you are expecting an integer you can use the ColdFusion function val(), but be aware that val() converts rather than validates: val("abc") returns 0 and val("12abc") returns 12, so check the format first (isValid("integer", value) or a regular expression) and only then convert.
When you expect alphanumeric characters and spaces only, you could use a regular expression that matches everything BUT the characters A to Z, the digits 0 to 9 and a space, and replace every match with nothing (reReplace with the "all" scope).
That is the whole idea: strip what you do not expect, or better, reject the input if anything unexpected is in it. You can get pretty fancy with regular expressions and also start checking the format of a string, such as a date or an e-mail address.
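The validation function below is an added example, not code from the original article; the form field names and the length limits are assumptions. It puts the rules from the paragraphs above into one place: the alphanumeric strip via reReplace, a format check before val() is allowed to convert, a date that is only accepted in the one documented form, and a format check on an e-mail address. It returns the cleaned values together with a struct of error messages, so the caller can redisplay the form.

```cfml
<!--- Server-side validation (added example, not the original article's code;
      field names and length limits are assumed) --->
<cfscript>
function validateSignupForm(fields) {
    var errors   = structNew();
    var clean    = structNew();
    var result   = structNew();
    var required = "firstName,age,birthDate,email";
    var i        = 0;

    // A tampered form may simply leave a field out; treat a missing field as empty rather than erroring
    for (i = 1; i lte listLen(required); i = i + 1) {
        if (not structKeyExists(fields, listGetAt(required, i))) {
            fields[listGetAt(required, i)] = "";
        }
    }

    // Alphanumeric plus spaces only: [^A-Za-z0-9 ] matches every character NOT in the set,
    // "all" replaces every occurrence instead of just the first. Then make sure something is left.
    clean.firstName = reReplace(trim(fields.firstName), "[^A-Za-z0-9 ]", "", "all");
    if (len(clean.firstName) eq 0 or len(clean.firstName) gt 50) {
        errors.firstName = "First name must be 1 to 50 letters, digits or spaces.";
    }

    // Integers: val() is not a validator (val("12abc") is 12, val("abc") is 0), so test the format first
    if (not reFind("^[0-9]{1,3}$", trim(fields.age))) {
        errors.age = "Age must be a whole number.";
    } else {
        clean.age = val(fields.age);
    }

    // Dates: accept the one format the form documents (dd/mm/yy) and nothing else.
    // isValid("date", ...) is looser and would also accept "5 Nov 1972".
    if (not reFind("^[0-9]{2}/[0-9]{2}/[0-9]{2}$", trim(fields.birthDate))) {
        errors.birthDate = "Date must be in the form 05/11/72.";
    } else {
        clean.birthDate = trim(fields.birthDate);
    }

    // Format check on a free-text field: must look like local@domain.tld (backslash is literal in CF strings)
    if (not reFindNoCase("^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$", trim(fields.email))) {
        errors.email = "That does not look like an e-mail address.";
    } else {
        clean.email = trim(fields.email);
    }

    result.errors = errors;   // empty struct means the input passed
    result.clean  = clean;    // only these values go any further
    return result;
}
</cfscript>

<!--- Constructed sample input, the kind of thing a malicious or careless user sends --->
<cfset sample = structNew()>
<cfset sample.firstName = "<script>alert(1)</script>Taco">
<cfset sample.age       = "29abc">
<cfset sample.birthDate = "5 Nov 1972">
<cfset sample.email     = "taco@example.com">
<cfset checked = validateSignupForm(sample)>
<cfif not structIsEmpty(checked.errors)>
    <!--- Redisplay the form with checked.errors; otherwise carry on with checked.clean --->
</cfif>
```

With the sample above, the first name is reduced to letters only, while age and birthDate are rejected and e-mail passes. Stripping is the right choice for a field that has no business containing punctuation; for free text that legitimately contains quotes or ampersands, reject or encode instead of silently mangling, and always encode on output regardless.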
Securing Protected Areas
Securing a protected area might sound easy to do, but here are some other things to consider:
have your username and password posted to a page under SSL
hash passwords in the database so that even if the database is compromised the passwords themselves are not exposed; this also protects them against snooping employees. A hash can still be attacked by guessing (running a dictionary against the stored digests), so append a server-side secret and a per-user salt to raise the cost of that
destroy all session variables upon sign out
use a session time-out
log all sign in events and deny access to someone when they have many unsuccessful sign in attempts
SSL
To make sure the page you post the username and password to for sign-in is under SSL, you can put the following ColdFusion code on the page that accepts the sign-in details.
The code redirects the user to the SSL version of the page. Note that a redirect only protects the request that triggers it: if the form itself was served over plain HTTP and posts to an HTTP URL, the password has already crossed the wire in the clear before the redirect runs, and the redirected request is a GET without the form fields. Put the same check on the page that displays the form, or better, on every page of the protected area.
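An added example of that check done once for the whole protected area, in Application.cfc's onRequestStart, rather than on each sign-in page; this is not code from the original article. The host name and the list of templates that need SSL are assumptions. The redirect target is built from a configured host name, not from cgi.server_name, because on many servers that value is taken from the client's Host header and would let a crafted request bounce a visitor to another site.

```cfml
<!--- Application.cfc fragment: force HTTPS for the protected area (added example, not the original
      article's code; this.secureHost and the securePages list are assumed) --->
<cfset this.secureHost = "www.yourdomain.com.au">

<cffunction name="onRequestStart" returnType="boolean" output="false">
    <cfargument name="targetPage" type="string" required="true">
    <cfset var securePages = "/signin.cfm,/signup.cfm,/account/">  <!--- prefixes that require SSL --->
    <cfset var page        = "">
    <cfset var needsSSL    = false>
    <cfset var target      = "">

    <!--- targetPage looks like "/account/profile.cfm"; match on the prefix --->
    <cfloop list="#securePages#" index="page">
        <cfif findNoCase(page, arguments.targetPage) eq 1>
            <cfset needsSSL = true>
        </cfif>
    </cfloop>

    <!--- cgi.server_port_secure is 1 when the request arrived over SSL --->
    <cfif needsSSL and cgi.server_port_secure neq 1>
        <!--- Rebuild the URL on the configured host. This fires on the GET that shows the form, so
              the browser never posts the password over plain HTTP in the first place. --->
        <cfset target = "https://" & this.secureHost & cgi.script_name>
        <cfif len(cgi.query_string)>
            <cfset target = target & "?" & cgi.query_string>
        </cfif>
        <cflocation url="#target#" addtoken="false">
    </cfif>

    <cfreturn true>
</cffunction>
```

addtoken="false" keeps the CFID and CFTOKEN out of the redirect URL, where they would otherwise end up in proxy logs and the browser history.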
Hashed passwords
When you work with hashed passwords, you start by inserting a hashed version of the password chosen by the user. When the user signs up and picks a password, you would use the following code to create a hash of the password and insert that into the database. The string appended to the password is a secret that only the server knows; in production keep it in one place, the application scope (application.seed in the sign-in code below), so that sign-up and sign-in use the same value. Note that hash() produces an MD5 digest unless you pass an algorithm such as "SHA-256" as the second argument (ColdFusion MX 7 and later).
variables.hashedPassword = hash( form.password & "stringonlyknownbyme" );
Someone who chose the password test will end up with the following (MD5) hash in the database
79D2F01DE1937C0D6D9608C7026DD8FA
After you have stored the hash, you never have to deal with the real password again: the sign-in check recomputes the hash from what the user types and compares the two.
To check whether the user entered the right password when trying to sign in, you would use the following ColdFusion code. The values go into the query through cfqueryparam so that a username containing a quote cannot alter the SQL.
<cfset variables.hashedPassword = hash( form.password & application.seed )>

<cfquery name="rsLoginCheck" datasource="#application.dsn#">
    SELECT myIdentity
         , username
         , password
    FROM   tbl_user
    WHERE  ( username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar"> )
    AND    ( password = <cfqueryparam value="#variables.hashedPassword#" cfsqltype="cf_sql_varchar"> )
</cfquery>

<cfscript>
if ( rsLoginCheck.recordCount neq 0
     and rsLoginCheck.username is form.username
     and rsLoginCheck.password is variables.hashedPassword )
{
    // handle logic here to do whatever needs to be done for a successful sign in
}
else
{
    errorMessage = "Oops! Those aren't the right sign in details. Please try again";
}
</cfscript>
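The sign-up and sign-in below are an added example that goes one step beyond the article's code, and are not the article's own: each user gets their own salt, the digest is SHA-256 instead of the default MD5, every attempt is logged, and an account is refused after repeated failures (the last two points of the checklist above). The salt and failed_attempts columns, the lock threshold of 5, application.seed and application.dsn are assumptions.

```cfml
<!--- Per-user salted password hashing with sign-in logging and lockout (added example, not the
      original article's code; the salt and failed_attempts columns, the threshold of 5,
      application.seed and application.dsn are assumed) --->

<!--- Shared helper: salt is unique per user and stored next to the hash; application.seed is a
      secret that lives in code, so a database dump alone is not enough to start guessing --->
<cffunction name="hashPassword" returnType="string" output="false">
    <cfargument name="password" type="string" required="true">
    <cfargument name="salt" type="string" required="true">
    <cfreturn hash( arguments.password & arguments.salt & application.seed, "SHA-256" )>
</cffunction>

<!--- Sign-up: generate a salt, store salt and hash, never the password --->
<cfset variables.salt = hash( createUUID() & getTickCount() )>
<cfquery datasource="#application.dsn#">
    INSERT INTO tbl_user ( username, salt, password, failed_attempts )
    VALUES ( <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
           , <cfqueryparam value="#variables.salt#" cfsqltype="cf_sql_varchar">
           , <cfqueryparam value="#hashPassword( form.password, variables.salt )#" cfsqltype="cf_sql_varchar">
           , 0 )
</cfquery>

<!--- Sign-in: fetch by username only (the salt is needed before the hash can be recomputed),
      then compare in ColdFusion. compare() is case-sensitive; hash() returns uppercase hex. --->
<cfquery name="rsUser" datasource="#application.dsn#">
    SELECT myIdentity, username, salt, password, failed_attempts
    FROM   tbl_user
    WHERE  username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfset variables.signedIn = false>
<cfset variables.outcome  = "failure">
<cfif rsUser.recordCount eq 1
      and rsUser.failed_attempts lt 5
      and compare( rsUser.password, hashPassword( form.password, rsUser.salt ) ) eq 0>
    <cfset variables.signedIn = true>
    <cfset variables.outcome  = "success">
</cfif>

<!--- Log every attempt, success or not, with who and from where --->
<cflog file="signin" type="information"
       text="#variables.outcome# user=#form.username# ip=#cgi.remote_addr#">

<cfif variables.signedIn>
    <cfquery datasource="#application.dsn#">
        UPDATE tbl_user SET failed_attempts = 0
        WHERE  myIdentity = <cfqueryparam value="#rsUser.myIdentity#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfset session.userIdentity = rsUser.myIdentity>
<cfelse>
    <cfif rsUser.recordCount eq 1>
        <cfquery datasource="#application.dsn#">
            UPDATE tbl_user SET failed_attempts = failed_attempts + 1
            WHERE  myIdentity = <cfqueryparam value="#rsUser.myIdentity#" cfsqltype="cf_sql_integer">
        </cfquery>
    </cfif>
    <!--- One message for unknown user, wrong password and locked account, so the response
          does not tell an attacker which of the three it was --->
    <cfset variables.errorMessage = "Oops! Those aren't the right sign in details. Please try again">
</cfif>
```

Two caveats a practitioner would want here. SHA-256 is fast, which is exactly what a password cracker likes; a deliberately slow password hash (PBKDF2 or bcrypt, through a Java library on this version of ColdFusion) costs the attacker far more per guess. And a counter that locks the account lets anyone lock a user out on purpose by guessing wrong five times, so pair it with an automatic unlock after a while or count per IP address as well.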
Destroy session variables
To destroy the session variables you set during the session you would use the following code, once per key:
structDelete( session, "user" );
Replace user with the name of the session variable you set. structDelete removes a single key; structClear(session) removes every key in one go, which is simpler when the session holds several things. ColdFusion 10 and later also offer sessionInvalidate() to end the session itself, and sessionRotate(), which is worth calling at sign-in so the session identifier handed out before authentication is not the one that carries the signed-in state.
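A complete sign-out page, as an added example rather than the article's own code; the session keys and the landing page are assumptions. Clearing the scope on the server is only half of it: the browser still holds the CFID and CFTOKEN cookies, so the page expires those too and redirects without re-appending them.

```cfml
<!--- signout.cfm (added example, not the original article's code; session keys and landing page are assumed) --->

<!--- structDelete removes one key; use it when you want to keep part of the session --->
<cfset structDelete( session, "user" )>
<cfset structDelete( session, "cart" )>

<!--- structClear removes every key in one go: this is "destroy all session variables" --->
<cfset structClear( session )>

<!--- The browser still has the cookies that identify this session. Expire them so the next
      request starts a brand new session instead of re-presenting the old identifier. --->
<cfcookie name="CFID" value="" expires="now">
<cfcookie name="CFTOKEN" value="" expires="now">

<!--- addtoken="false": do not append the cfid/cftoken we just threw away to the redirect URL --->
<cflocation url="index.cfm" addtoken="false">
```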
Session time-out
Use a session time-out that is not too high; 20 or 30 minutes will usually do. A high time-out not only consumes unnecessary resources on the server, it also gives a malicious user more time to take over a session that was not destroyed, for instance on a shared computer where someone walked away without signing out. The value is set per application (the sessionTimeout setting in Application.cfc or cfapplication); the Maximum Session Timeout in the ColdFusion Administrator caps what an application may ask for.
Form being submitted outside of your domain
It is very easy for a malicious user to write a script that submits form values to your website. They might do this to submit spam, create fake accounts, or for plenty of other reasons. You can prevent this, or at least make it more difficult, by checking the referrer in the request headers, which you do as follows.
We use a regular expression here because, if you used contains, the malicious user might be smart enough to put your domain in the referrer through a query string. They could create a link on their site with the string ?somedomain=http://www.yourdomain.com in the URL and, when clicked, it would activate the script. The referrer would contain your domain, but not at the start of the string, which is what the regular expression checks for. Keep in mind that the referrer is just a header the client sends: a script can set it to any value, and some browsers and proxies do not send it at all, so treat the check as a speed bump rather than a guarantee.
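Both halves of that idea, as an added example that is not the article's own code: the anchored referrer check, and the stronger check a practitioner would put next to it, a token that is issued when the form is rendered and required when it is posted. The domain, the form and the session key names are assumptions.

```cfml
<!--- Where did this form post come from? (added example, not the original article's code;
      the domain, form fields and session key are assumed) --->

<!--- 1. Referrer check, anchored at the start with ^ as the text describes. The dots are escaped
      and the host is closed with a slash, so "www.yourdomain.com.au.evil.net" does not pass either. --->
<cfif not reFindNoCase("^https?://(www\.)?yourdomain\.com\.au/", cgi.http_referer)>
    <cflog file="application" type="warning"
           text="Form post with foreign referrer '#cgi.http_referer#' from #cgi.remote_addr#">
    <cfoutput><p>Forms must be submitted from this site.</p></cfoutput>
    <cfabort>
</cfif>

<!--- 2. The referrer is client-supplied (cfhttp can set it to anything with cfhttpparam type="header"),
      so also require a token that only someone who loaded your form page can have. --->

<!--- On the page that renders the form: one random token per session --->
<cfif not structKeyExists(session, "formToken")>
    <cfset session.formToken = hash( createUUID() & getTickCount() )>
</cfif>
<cfoutput>
<form action="signup.cfm" method="post">
    <input type="hidden" name="formToken" value="#session.formToken#">
    <input type="text" name="username">
    <input type="submit" value="Sign up">
</form>
</cfoutput>

<!--- On the page that accepts the post: no token, or the wrong token, and the post is dropped --->
<cfif not structKeyExists(form, "formToken")
      or not structKeyExists(session, "formToken")
      or compare(form.formToken, session.formToken) neq 0>
    <cfoutput><p>This form was not submitted from our site. Please go back and try again.</p></cfoutput>
    <cfabort>
</cfif>
```

The token also defeats the case the referrer cannot: a page on another site that silently posts to yours with the visitor's own browser, because that page cannot read the token out of your visitor's session.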
Automated data mining
Someone data mining your site could cost you bandwidth, crash your application and possibly damage your reputation if they post the information elsewhere.
One way to make life harder for someone trying to data mine your site is to hash the identities of the records you host. Let's say you have a website that displays classifieds and you want to make sure that no one can easily data mine them.
Let's say the URL to display a classified is http://www.yourdomain.com.au/classified.cfm?classifiedIdentity=20
It would be easy to write a cfloop from 1 to 100000 with a cfhttp request for each identity and a cffile call to write the content to disk, and process the data later.
An easy way to prevent this is to add a hash of the classifiedIdentity to the link, turning your URL into
http://www.yourdomain.com.au/classified.cfm?classifiedIdentity=20&hash=2924E8B24402E85105533CF97CD24BF9
In your classified.cfm page you would recompute the hash from the identity and compare it with the one in the URL, sending anything that does not match to a not-found page. The hash must involve a value the visitor cannot know (a secret only your server has), otherwise anyone can compute hash(20) themselves and the loop above works again.
There are obviously many more ways to discourage automated data mining, such as limiting the number of requests per IP address; the above is just one example.
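An added example of the hash check in classified.cfm and of the link generation that has to match it; this is not the article's own code. application.seed (the server-side secret), application.dsn, the classified table, the listing query rsClassifiedList and notfound.cfm are assumptions.

```cfml
<!--- Hashed record identities (added example, not the original article's code; application.seed,
      application.dsn, tbl_classified, rsClassifiedList and notfound.cfm are assumed) --->

<!--- hash("20") on its own is something anyone can compute; mixing in a secret that only the server
      knows is what makes the value unguessable. Changing the seed invalidates every link already issued. --->
<cffunction name="classifiedHash" returnType="string" output="false">
    <cfargument name="classifiedIdentity" type="numeric" required="true">
    <cfreturn hash( arguments.classifiedIdentity & application.seed )>
</cffunction>

<!--- classified.cfm: validate the identity, then the hash, before touching the database --->
<cfparam name="url.classifiedIdentity" default="">
<cfparam name="url.hash" default="">

<cfif not isValid("integer", url.classifiedIdentity)
      or compare( url.hash, classifiedHash( url.classifiedIdentity ) ) neq 0>
    <!--- One and the same 404 for a bad identity and a bad hash, so the enumeration loop learns nothing --->
    <cfheader statuscode="404" statustext="Not Found">
    <cfinclude template="notfound.cfm">
    <cfabort>
</cfif>

<cfquery name="rsClassified" datasource="#application.dsn#">
    SELECT classifiedIdentity, title, body
    FROM   tbl_classified
    WHERE  classifiedIdentity = <cfqueryparam value="#url.classifiedIdentity#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- On the listing page, every link is built with the same function so it carries a valid hash --->
<cfoutput query="rsClassifiedList">
    <a href="classified.cfm?classifiedIdentity=#classifiedIdentity#&hash=#classifiedHash(classifiedIdentity)#">#htmlEditFormat(title)#</a><br>
</cfoutput>
```

This stops blind enumeration of identities, nothing more: anyone who can browse your listing pages still collects valid links, so a determined scraper moves from guessing numbers to crawling pages. Request limits per IP address deal with that part.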
Author: Taco Fleur, 25/01/2008