We are working on a project at the moment that requires secure RSS feeds. We need it to be secure in both browsers and feed readers such as FeedDemon, so we decided that Basic HTTP Authentication was the best way forward.
The snippet of code below demonstrates how to force the user agent (browser or feed reader) to prompt for a username and password, which in turn ties into our existing users table without messing around with IIS permissions, users, etc.
    <cfset REQUEST.userAuthenticated = false>
    <cflogin>
        <!--- ColdFusion populates CFLOGIN from the Basic Authorization header, if the user agent sent one --->
        <cfif isDefined("CFLOGIN")>
            <cfquery name="checkUser" datasource="myDatasource">
                SELECT u.userId
                FROM users AS u
                WHERE u.userName = <cfqueryparam value="#CFLOGIN.name#" cfsqltype="cf_sql_varchar">
                  AND u.password = <cfqueryparam value="#CFLOGIN.password#" cfsqltype="cf_sql_varchar">
            </cfquery>
            <!--- The stored password value is compared directly; with a hashed column, hash CFLOGIN.password first --->
            <cfif checkUser.recordcount NEQ 0>
                <cfset REQUEST.userAuthenticated = true>
            </cfif>
        </cfif>
    </cflogin>
    <cfif NOT REQUEST.userAuthenticated>
        <!--- No valid credentials: send the Basic challenge so the user agent prompts, then stop --->
        <cfheader statuscode="401" statustext="Unauthorized">
        <cfheader name="WWW-Authenticate" value="Basic realm=""My RSS Feed""">
        <cfabort>
    <cfelse>
        <!--- Continue with RSS output --->
        Output your RSS code here
    </cfif>
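As an added example (not code from the original post), here is the same exchange in Python: the server-side check that the cflogin block performs, the 401 challenge carrying the realm, and the Authorization header the user agent sends back after the dialog. The users table is a constructed in-memory stand-in and, unlike the query above, it stores a salted password hash and compares in constant time.

```python
import base64
import hashlib
import hmac

REALM = "My RSS Feed"
_SALT = b"constructed-salt"  # constructed; a real table stores one random salt per user

def _hash_password(salt: bytes, password: str) -> bytes:
    # Hashed storage is an assumption added here; the page's query compares the stored value directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

# Constructed stand-in for the users table: userName -> (salt, password hash).
USERS = {"alice": (_SALT, _hash_password(_SALT, "correct horse"))}

def challenge():
    """The 401 response the feed sends when no valid credentials arrive (the two cfheader lines)."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, ""

def parse_basic(authorization: str):
    """Decode 'Basic base64(user:pass)'; None for any malformed header (treated as unauthenticated)."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")  # the password may itself contain ':'
    return (user, password) if sep else None

def credentials_valid(user: str, password: str) -> bool:
    """Equivalent of the checkUser query: look the user up and compare in constant time."""
    record = USERS.get(user)
    if record is None:
        _hash_password(_SALT, password)  # same cost for unknown users, so timing does not reveal them
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _hash_password(salt, password))

def handle_feed_request(headers: dict):
    """Server side of the page's flow: no valid credentials -> 401 challenge, otherwise the feed."""
    auth = headers.get("Authorization")
    creds = parse_basic(auth) if auth else None
    if creds is None or not credentials_valid(*creds):
        return challenge()
    return 200, {"Content-Type": "application/rss+xml"}, "<rss>...</rss>"

def basic_header(user: str, password: str) -> str:
    """Client side: the header the user agent sends after the login dialog."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
```

Basic sends the username and password base64-encoded, not encrypted, with every request, so the feed should be served over HTTPS only.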
One small sticking point which took some time to figure out:
On my local development server, the above worked perfectly. When I uploaded it to the production server running Windows Server 2003 Web Edition, the authentication dialog popped up but kept popping up no matter what was entered in the username and password fields. The realm text shown was also not the one set in the code above. After a lot of digging it turned out to be a simple option in IIS that needed to be turned off.
The option to turn off is: Directory Security -> Anonymous Access and Authentication Control -> Edit -> Integrated Windows Authentication.
Once you disable Integrated Windows Authentication, the whole thing works like a dream!
Not only is this a good way of securing your RSS feeds, it's also perfect for web services or even securing your whole application. The drawback is that you can't style the login form, as it uses the built-in browser dialog.