Dan Mackey On ColdFusion Development

ColdFusion, Java, .NET, AJAX, DHTML development and general programming. Daniel is owner and Administrator of CFTagStore.com and works for an Application Development Company in Ireland called Digital Crew. His interests cover all areas of programming in multiple languages with a particular interest in Internet Technologies.

All Articles Posted In August 2006
2006-08-30 11:23:00.0

Securing your applications URL variables

On my current project, security is top priority. The application is working with sensitive financial data so I really have to lock things down. Like most of my solution ideas, this one came to me in the shower while I was thinking about how to secure my URL variables.

To give a bit of background on the problem:

The framework we are using is our in-house application framework powered by ColdFusion, which we have improved over the last 5 or 6 years. The security lies in the actual framework, but my project uses quite a bit of AJAX so my AJAX calls need to be secured in some way. Why not use the existing framework security, I hear you cry? Well I do...to a point. But this is more of an extension to it. Typically an AJAX call is done via a URL GET, normally to a small action file. Such a call could easily be made and modified by an unscrupulous person, as the main framework security is sometimes bypassed for these calls.

The solution:

In my application I have users logged in and I hold their userId in the session variable session.userId.

My url would typically look like:

The problem with this is that on the EditTimeSheet page you must in some way check that the user calling the URL is valid and that the timeSheetId passed is actually the intended record.

Knowing that I am storing the current user's ID in session.userId, I reckoned I could use this variable to encode the URL and decode it automatically on the receiving end, again using the user's session.userId as the decoding key.

When this link is now clicked in the browser, it looks like:

The next thing we have to do is write some code to decrypt this URL on the receiving end. This is the code that does it:

What this code does is check that only one URL variable is passed. Then it checks whether that variable contains a & or an =. If not, it attempts to decrypt it using session.userId and recreates the ColdFusion URL[] structure from the result.

In a simple example of the output, have a look at the screen below:

Now, the above is a simple example of the whole concept and I have hard coded USERID in place of SESSION.USERID.

The overall aim is to build 2 UDFs to do all the work and make it nice and reusable and cut down on duplicate code.

Problems with the solution:

One thing you may have asked yourself is: what if someone tacks on another variable name/value pair? Will the whole thing be bypassed? Yes and no.
Not only are you masking the variables, you're also masking the way your app works, so on the receiving end you could check whether the first element of the new URL struct has a blank value and, if so, ignore the rest of the variables in the struct. This does assume, though, that you always use this encoding method in your URLs and that the first element will always be an encrypted string.
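As an added example that is not part of the original post (the post's own code was ColdFusion, shown in screenshots that are not reproduced here), the following Python sketch walks through the same idea from "The solution" and "Problems with the solution": the whole query string is collapsed into one opaque URL variable keyed on session.userId, and the receiving end applies the post's checks (exactly one variable, no & or =) before rebuilding the URL struct. One substitution is labelled plainly: instead of ColdFusion's encrypt()/decrypt(), the token carries an HMAC tag, so the values are not hidden but any change to them, any tacked-on variable, or any attempt to replay the link under a different user's session is rejected. SERVER_SECRET, session_key() and the EditTimeSheet.cfm page name are assumptions made for this example.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a per-deployment secret mixed into the per-user key. The post keyed
# encrypt()/decrypt() on session.userId alone; a user id is guessable, so this
# example derives the key from the id plus a secret the browser never sees.
SERVER_SECRET = b"constructed-example-secret-change-me"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def session_key(user_id: str) -> bytes:
    """Derive the per-user key from session.userId (assumed to be stored as a string)."""
    return hmac.new(SERVER_SECRET, str(user_id).encode(), hashlib.sha256).digest()


def encode_url_vars(page: str, params: dict, user_id: str) -> str:
    """Turn page?a=1&b=2 into page?<token>: one opaque URL variable bound to the user.

    The token is base64url(query_string || HMAC(session_key, query_string)) with the
    '=' padding dropped, so the receiving end sees no '=' or '&' at all.
    """
    qs = urlencode(params).encode()
    tag = hmac.new(session_key(user_id), qs, hashlib.sha256).digest()
    token = base64.urlsafe_b64encode(qs + tag).decode().rstrip("=")
    return f"{page}?{token}"


def decode_url_vars(url: str, user_id: str) -> Optional[dict]:
    """Rebuild the URL struct on the receiving end; None means reject the request.

    Mirrors the post's checks: exactly one URL variable, containing no '&' or '=',
    and it must verify under *this* session's key. A tacked-on '&extra=1' or a
    plain 'timeSheetId=42' therefore fails the first check before any decoding.
    """
    query = urlsplit(url).query
    if not query or "&" in query or "=" in query:
        return None
    padded = query + "=" * (-len(query) % 4)  # restore the stripped base64 padding
    try:
        raw = base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError):
        return None
    if len(raw) <= TAG_LEN:
        return None
    qs, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(session_key(user_id), qs, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # wrong user's session or altered token
        return None
    parsed = parse_qs(qs.decode(), keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


if __name__ == "__main__":
    # Constructed sample: user 7 is handed a link to timesheet record 42.
    link = encode_url_vars("EditTimeSheet.cfm", {"timeSheetId": "42"}, "7")
    print(link)
    print(decode_url_vars(link, "7"))               # {'timeSheetId': '42'}
    print(decode_url_vars(link, "8"))               # None: another user's session
    print(decode_url_vars(link + "&admin=1", "7"))  # None: tacked-on variable
```

Because the tag is computed over the whole query string, the receiving end never has to reason about "the first element" versus the rest: either the single variable verifies and the full struct is rebuilt from it, or the request is dropped.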

One interesting thing of note:

ColdFusion has two built-in and not widely documented functions, cfusion_encrypt() and cfusion_decrypt(), which work exactly like encrypt() and decrypt() except that the encoded string they produce is alphanumeric, as opposed to the full range of ASCII characters produced by the latter. This makes them perfect for what I need, as we are passing and dealing with URL variables.

Download the example files as a ZIP file

I'd love to hear other people's views and ideas on it, so drop me an email, skype me or simply comment :-)

Comments [8] - Leave a comment
2006-08-25 18:07:00.0

Impressed By Google AdSense

My ColdFusion blog is slowly gaining a bit of traction and I should really post more than I have been, but as it's in a number of aggregators I try to keep the content CF related. I recently separated my blog into 2 sections: the main ColdFusion and programming blog, and http://personal.cfdan.com for anything else.

As my main blog is ColdFusion focused and I have a big interest in Google as a company, I decided I would place a few AdSense adverts at the top of the site to see how they would get on and to see what all the talk was about people making decent money from their blogs. I am currently re-reading The Google Story, and in particular the section about their advertising network, so I reckoned I might as well test it out.

My blog currently has about 80 people per day visiting and I am not sure what the total RSS subscriber count is, so by no means is it a very busy site. Still, the site has earned a whopping $X.XX (removed to abide by Google TOS) from the adverts. This is from 14,400 impressions and 7 (yes, seven!) clicks!!

I am now beginning to see how an extremely busy site can start to generate good money. I have seen some fairly cunning tricks people use to integrate the adverts into their site to entice people to click.

My favourite is Digg's implementation of the adverts. The "Ads By Google" link is next to the ads but out of direct eye view. Clever....

EDITED 26/08/2006:
It turns out I can't disclose the earnings according to the Google TOS, so I had to remove it :-(

Tags: Google
Comments [3] - Leave a comment
2006-08-12 19:07:00.0

Wow - Pandora's Box Got The DIGG Effect!

I never really got into DIGG, but when I saw the effect it had on my blog and all the spin-off effects, I was addicted! 4500 people visited my blog on Friday - this is an average increase of 4450 people over normal days! Then people started linking to it from their own blogs - more traffic!! People posted the link to del.icio.us and I made the front page of that too!

I am literally over the moon with the effect Pandora's Box on Digg has had, but with over 70 emails and a shed-load of comments, I had my work cut out today!

I made the app for my own use and decided I might as well chuck it on my blog to download, and got a bit lazy with the features. Lots of people love it for its simplicity, but a lot more asked for some extra features. I literally spent hours upon hours researching JavaScript and Flash integration, reading hundreds of pages on Windows APIs, the Web Browser control, various DOMs and the official Pandora Event Notification Object.

There were 3 main things I wanted to fix or add:

  • Some people got an annoying "Object Required" popup. This was my bloody fault and I missed a debug setting when I packaged it up. This has been resolved!
  • The current playing song and artist is now displayed on the form caption and the tray control tooltip. This took a while and required a nice hack :-)
  • I wanted voting from the tasktray icon. I tried everything. If you saw the hacks I tried to implement to get this functionality, you would laugh! - I have not been successful so far!

Lots of people wanted the source code for the application and a technical overview on how it works. I am going to post both these soon.

The main problem with voting from the tasktray icon is that I really have ZERO control over Pandora's Flash object. They don't expose any functions I can hook into, so everything is done with a hack. I got so far at one stage. I found out there are 2 keyboard shortcuts in Pandora itself, PLUS and MINUS, to vote positive and negative respectively. My idea was to focus the WebBrowser control and then use the Windows API or the SendKeys function to simulate a key press on the focused Flash object. No matter what I did I couldn't get it to hook, and this also required the window to be focused, so the tray hiding was making this null and void. Ah well, hopefully Pandora will release some sort of API and I will work my bollox off to include everything everyone asked for!

Anyway, enough with the waffle, I have uploaded the latest setup.exe file which has the improvements in it.

Click To Download

Upgrading Old Version
To be safe, I would recommend you uninstall the old version before installing the updated app. Also, make sure you close the old app before you uninstall/re-install :-) If you're in a rush, belt ahead and install over the old app and click IGNORE on the install screen for any alerts....

Comments [7] - Leave a comment
2006-08-09 22:35:00.0

Wrapper Application For Pandora Running In Task Tray

I love listening to music while programming, sometimes I'm in the mood for Faithless, then some Prodigy and lately a bit of Johnny Cash. The problem is I have exhausted my supply of tracks so rely on Pandora - Genome Music Project to find me similar music I may never pick up in the shops!

The problem I found with Pandora is that even with a minimal window, it meant there was another Internet Explorer / Firefox window open cluttering up my screen, and I would accidentally either close the browser or refresh the window! I always thought it would be cool to have it run in the tasktray like Winamp, and so I took an hour off this evening to develop what I am calling Pandora's Box.



The basics are a WebBrowser control hosted in an application with the ability to minimise to the system tray. You can double click the tray icon to bring the app back up. Additional features include an always-on-top option, sub-classing of the main app so only one instance launches, and the removal of junk around the player window.

DOWNLOAD VERSION 1 NOW

Anyway, as this is not endorsed by Pandora but may be useful to people and may attract more people to support Pandora, I had better put in a little disclaimer, so here goes:

Pandora's Box is NOT endorsed, developed, supported etc. by Pandora Genome Music Project. They probably won't even know about it or want to. I will answer suggestions and bug reports and will fix them in my own time, but I do not claim responsibility for misuse of this application etc. etc.

Requirements:
This will run on most Windows machines and was explicitly tested and developed on WindowsXP with IE6.

You can find out all about the latest updates to Pandora's Box here :

Pandoras Box Updates - September 19th 2006

Thank you to everyone who contributed comments, suggestions and encouragement. As always, donated beer money goes a long way to encourage development, so if you like and use Pandora's Box, please consider clicking the donate button :-)

Comments [67] - Leave a comment
2006-08-07 22:07:00.0

Test Web Apps on Safari using Windows

Apple’s WebKit (the rendering component powering the Safari web browser) has been ported to Windows, complete with a browser called Swift.

We don't have a Mac with OS X in the office, and there are many times I would like to test my web apps on Safari, so I was delighted to find this little golden nugget:

http://www.getwebkit.org/

Downloading and installing now and I'll update with my experiences....

Tags: Apple | Safari | WebDev
Comments [1] - Leave a comment