Dan Mackey On ColdFusion Development

ColdFusion, Java, .NET, AJAX, DHTML development and general programming. Daniel is owner and Administrator of CFTagStore.com and works for an Application Development Company in Ireland called Digital Crew. His interests cover all areas of programming in multiple languages with a particular interest in Internet Technologies.

All Articles tagged : IIS
2007-08-02 17:35:00.0

Securing Your RSS Feeds Using Basic HTTP Authentication and ColdFusion

We are working on a project at the moment that requires secure RSS feeds. We need it to be secure in both browsers and feed readers such as FeedDemon, so we decided that Basic HTTP Authentication was the best way forward.

The snippet of code below demonstrates how to force the user agent (browser/feed reader) to prompt for a username and password, which in turn ties into our existing users table without messing around with IIS permissions, users, etc.

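<!--- Assume the request is unauthenticated until the credentials check out --->
<cfset REQUEST.userAuthenticated = false>

<cflogin>
    <!--- CFLOGIN only exists when the user agent sent credentials --->
    <cfif isDefined("CFLOGIN")>
        <!--- Look the user up in the existing users table; values are bound as
              parameters and the password is compared to the stored column as-is --->
        <cfquery name="checkUser" datasource="myDatasource">
            SELECT  u.userId
            FROM    users AS u
            WHERE   u.userName = <cfqueryparam value="#CFLOGIN.name#" cfsqltype="cf_sql_varchar">
                AND u.password = <cfqueryparam value="#CFLOGIN.password#" cfsqltype="cf_sql_varchar">
        </cfquery>

        <cfif checkUser.recordcount NEQ 0>
            <cfset REQUEST.userAuthenticated = true>
        </cfif>
    </cfif>
</cflogin>

<cfif NOT REQUEST.userAuthenticated>
    <!--- No valid credentials: send the challenge that makes the user agent prompt --->
    <cfheader statuscode="401">
    <cfheader name="WWW-Authenticate" value="Basic realm=""My RSS Feed""">
    <cfabort>
<cfelse>
    <!--- Continue with RSS output --->
    Output your RSS Code Here
</cfif>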
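The exchange that the snippet above relies on, written out as an added Python sketch (not the author's code): the server challenges with 401, the user agent replies with a base64-encoded `name:password` pair, and the server verifies it. The function names, the PBKDF2 storage scheme and the sample user are assumptions; the post's own query compares the submitted password to the stored column directly.

```python
import base64
import hashlib
import hmac

REALM = "My RSS Feed"  # realm string from the post's WWW-Authenticate header
ITERATIONS = 200_000   # assumed PBKDF2 work factor for this sketch


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash, so the users table never holds the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def parse_basic(header):
    """Return (username, password) from an Authorization header, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None  # e.g. NTLM/Negotiate tokens are not ours to handle
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    name, sep, password = decoded.partition(":")  # password may contain ':'
    return (name, password) if sep else None


def authenticate(headers, users):
    """Return (status, response_headers) for one feed request."""
    creds = parse_basic(headers.get("Authorization"))
    if creds:
        name, password = creds
        record = users.get(name)
        # Hash even for unknown users so timing does not reveal valid names.
        salt, stored = record if record else (b"\x00" * 16, b"")
        if hmac.compare_digest(hash_password(password, salt), stored) and record:
            return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


# Constructed sample data: one user with a salted hash.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"reader": (SALT, hash_password("s3cret:feed", SALT))}
TOKEN = base64.b64encode(b"reader:s3cret:feed").decode("ascii")

if __name__ == "__main__":
    print(authenticate({}, USERS))                                   # challenge
    print(authenticate({"Authorization": "Basic " + TOKEN}, USERS))  # accepted
```

The token is only base64-encoded, not encrypted, so anyone who can read the request can recover the password; serve the feed over HTTPS.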

One small sticking problem which took some time to figure out:

On my local development server, the above worked perfectly. When I uploaded it to the production server running Windows Server 2003 Web Edition, the authentication popped up but kept popping up no matter what was entered in the username and password fields. The Realm header text was also not the one entered in the code above. After a lot of digging it turned out to be a simple option on IIS that needed to be turned off.

The option to turn off is Directory Security -> Anonymous Access and Authentication Control -> Edit -> Integrated Windows Authentication

Once you disable Integrated Windows Authentication the whole thing works like a dream!

Not only is this a good way of securing your RSS feeds, it's also perfect for Web Services or even securing your whole application. The drawback is that you can't style the login form, as it uses the built-in browser dialog.

Tags: ColdFusion | IIS | RSS | Security | Tips | WebDev
2007-06-29 10:00:00.0

Setting IIS Maximum Connections To More Than 10

Every project I am working on, I test against 5 different browsers: Safari, Mozilla, IE7, Opera and IE6 on the same machine. Since Safari has entered the browser lineup, I have been receiving an annoying "HTTP 403.9 - Access Forbidden: Too many users are connected" message.

To solve this issue, do the following:

  1. Download the administrative plugin MetaEdit from Microsoft: http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B301386
  2. Install the application (it comes with old files, so skip these in the installation)
  3. Go to Administrative Tools in Control Panel and launch MetaEdit 2.2
  4. Navigate to the key LM/W3SVC/MaxConnections
  5. Change the value from 10 to the number of connections you need. I chose 2000000000 to be extra safe ;-)

This will work on:

  • Microsoft Internet Information Server 5.1 on Windows XP Professional
  • Microsoft Internet Information Server 4.0, when used with:
    Microsoft Windows NT 4.0
    Microsoft Windows 2000 Standard Edition
  • Microsoft Internet Information Services 5.0, when used with:
    Microsoft Windows NT 4.0
    Microsoft Windows 2000 Standard Edition