Dan Mackey On ColdFusion Development

ColdFusion, Java, .NET, AJAX, DHTML development and general programming. Daniel is owner and Administrator of CFTagStore.com and works for an Application Development Company in Ireland called Digital Crew. His interests cover all areas of programming in multiple languages with a particular interest in Internet Technologies.

All Articles tagged: Proof-Of-Concept
2006-08-30 11:23:00.0

Securing your applications URL variables

On my current project, security is top priority. The application is working with sensitive financial data, so I really have to lock things down. Like most of my solution ideas, this one came to me in the shower while I was thinking about how I was going to secure my URL variables.

To give a bit of background on the problem:

The framework we are using is our in-house application framework powered by ColdFusion, which we have improved over the last 5 or 6 years. The security lies in the framework itself, but my project uses quite a bit of AJAX, so my AJAX calls need to be secured in some way. Why not use the existing framework security, I hear you cry? Well, I do...to a point. But this is more of an extension to it. Typically an AJAX call is made via a URL GET, normally to a small action file. Such a call could easily be made and modified by an unscrupulous person, as the main framework security is sometimes bypassed.

The solution:

In my application I have users logged in, and I hold their userId in the session variable session.userId.

My URL would typically look like:

The problem with this is that on the EditTimeSheet page you must in some way check that the user calling the URL is valid and that the timeSheetId passed is actually the intended record.

Knowing that I am storing the current user's ID in session.userId, I reckoned I could use this variable to encode the URL and decode it automatically on the receiving end, again using the user's session.userId as the decoding key.

When this link is now clicked on in the browser, it looks like:

The next thing we have to do is write some code to decrypt this URL on the receiving end. This is the code that does it:

What this code does is check that only one URL variable is passed. Then it checks whether that variable contains a & or an =. It then attempts to decrypt it using session.userId and recreates the ColdFusion URL[] structure.

For a simple example of the output, have a look at the screenshot below:

Now, the above is a simple example of the whole concept, and I have hard-coded USERID in place of SESSION.USERID.

The overall aim is to build two UDFs to do all the work, making it nice and reusable and cutting down on duplicate code.

Problems with the solution:

One thing you may have asked yourself is: what if someone tacks on another variable name/value pair? Will the whole thing be bypassed? Yes and no.
Not only are you masking the variables, you're also masking the way your app works, so on the receiving end you could check whether the first element of the new URL struct has a blank value and, if so, ignore the rest of the variables in the struct. This does assume, though, that you always use this encoding method in your URLs and that the first element will always be the encrypted string.
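The encode/decode pair described in "The solution" and the tacked-on-variable check just above, as an added example that is not code from the post or its ZIP download, and written in Python rather than CFML. It keeps the post's receiving-end rules: exactly one URL variable, whose name is the token and whose value is blank; anything else is rejected rather than merged into the struct. Two things differ from the post and are assumptions of this example: the token is a signed, base64url-encoded query string (HMAC-SHA256) instead of a cfusion_encrypt() blob, because what the receiving end needs is evidence that the variables were not altered, and the key is a random secret generated at login and kept in the session (new_session_secret here) rather than session.userId, because a key has to be a value that is not known or guessable, and a user ID usually is not secret. The parameter names (timeSheetId, action) are the post's; the page name in the demo call is made up.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode


def new_session_secret() -> bytes:
    """Assumption: a random per-session secret created at login and stored
    in the session, used as the key instead of session.userId."""
    return secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    # base64url without '=' padding keeps the token within [A-Za-z0-9_-]
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_url_vars(params: dict, session_secret: bytes) -> str:
    """Turn e.g. {'timeSheetId': '42'} into one opaque token that becomes the
    only URL variable (page.cfm?<token>).  Token = b64(query) + '.' + b64(tag)."""
    query = urlencode(params).encode("ascii")
    tag = hmac.new(session_secret, query, hashlib.sha256).digest()
    return _b64(query) + "." + _b64(tag)


def decode_url_vars(raw_query: str, session_secret: bytes):
    """Receiving-end check.  Returns the rebuilt URL struct as a dict, or None
    when the request does not look like one of our encoded links: more than
    one URL variable (something tacked on), a non-blank value, a malformed
    token, or a tag that does not verify under this session's secret."""
    pairs = parse_qsl(raw_query, keep_blank_values=True)
    if len(pairs) != 1:          # extra name/value pairs are rejected, not merged
        return None
    token, value = pairs[0]
    if value != "":              # our links carry the token as a bare name
        return None
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(session_secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None              # altered, or built under a different session
    return dict(parse_qsl(body.decode("ascii"), keep_blank_values=True))


if __name__ == "__main__":
    secret = new_session_secret()
    token = encode_url_vars({"timeSheetId": "42", "action": "edit"}, secret)
    print("editTimeSheet.cfm?" + token)                    # the masked link
    print(decode_url_vars(token, secret))                  # the rebuilt struct
    print(decode_url_vars(token + "&timeSheetId=99", secret))  # tacked-on var: None
```

The token uses only letters, digits, '-', '_' and '.', so it can sit in a query string without further escaping, which is the property the post wanted from cfusion_encrypt(). Because the tag is bound to the session secret, a token built in one session does not decode in another, which covers the "is the user calling the URL valid" half of the check as well as the "is this the intended record" half.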

One interesting thing of note:

ColdFusion has two inbuilt and not widely documented functions called cfusion_encrypt() and cfusion_decrypt(), which are exactly the same as encrypt() and decrypt() except that the encoded string they produce is alphanumeric, whereas the latter functions produce arbitrary ASCII characters. This makes them perfect for what I need, as we are passing and dealing with URL variables.

Download the example files as a ZIP file

I'd love to hear other people's views and ideas on it, so drop me an email, skype me or simply comment :-)

2006-07-29 12:38:00.0

ColdFusion And AJAX Organizational Chart - Beta

About 2 weeks ago before I started my , I worked on a quick proof-of-concept ColdFusion and Ajax enabled Organizational Chart widget.

My main aim was to create a widget that would render in modern browsers and allow nodes to be added to the chart using AJAX, so the whole page didn't have to be reloaded.

I faced some interesting problems:

  • I wanted to use pure CSS and DIVs but soon found out this was impossible for the moment so had to settle for a mix of CSS and normal TABLE elements.
  • The logic in finding the current parent to append new elements to needed quite a bit of thought to work on all browsers.
  • Deleting nodes a few levels up had to take sub-nodes into consideration.
  • The user-interface had to be very simple and in context with each node.

I decided on the following:

  • I created a custom tag which runs using recursion. This allows the whole chart to be generated with one line of code, and you can choose which node to start rendering from.
  • Because the chart is built using a recursive custom tag and I can choose any start node, implementing the AJAX was easy, easy, easy.... When an Add Node icon is clicked, the parent node ID is passed using AJAX, the custom tag is called with a start ID of that parent, and the returned HTML is rendered without reloading the page.
  • I used the extremely handy CFSAVECONTENT to capture the HTML from the custom tag and simply return the resultant variable. This made the code really easy, flexible and readable.
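An added example, not the post's custom tag or demo code, sketching the same design in Python: a recursive renderer that can start from any node, so the AJAX "add node" action returns only the re-rendered parent subtree for the client to swap in, plus a delete that takes sub-nodes with it (the third problem listed above). The in-memory CHART dict and its node IDs and labels are constructed sample data; the real widget reads from a database. Labels are HTML-escaped before being placed in the fragment, since node text comes from the user.

```python
from html import escape

# Constructed sample chart: node id -> (parent id, label).  None = root.
CHART = {
    1: (None, "CEO"),
    2: (1, "CTO"),
    3: (1, "CFO"),
    4: (2, "Dev Lead"),
}


def children_of(chart: dict, parent_id) -> list:
    """IDs of the direct children of parent_id, in insertion order."""
    return [nid for nid, (pid, _) in chart.items() if pid == parent_id]


def render_from(chart: dict, node_id: int) -> str:
    """Recursive renderer, the counterpart of calling the custom tag with a
    start node: returns the HTML for node_id and all of its descendants."""
    _, label = chart[node_id]
    inner = "".join(render_from(chart, c) for c in children_of(chart, node_id))
    return (f'<div class="node" id="node-{node_id}">{escape(label)}'
            f'<div class="children">{inner}</div></div>')


def add_node(chart: dict, parent_id: int, label: str):
    """The AJAX 'add node' action: insert the child under parent_id, then
    return the new id and the re-rendered parent subtree only, so the page
    can replace that fragment without reloading."""
    if parent_id not in chart:
        raise KeyError(f"unknown parent node {parent_id}")
    new_id = max(chart) + 1
    chart[new_id] = (parent_id, label)
    return new_id, render_from(chart, parent_id)


def delete_node(chart: dict, node_id: int) -> list:
    """Delete node_id together with every descendant (breadth-first walk),
    so removing a node a few levels up never leaves orphaned sub-nodes.
    Returns the list of deleted ids."""
    doomed = [node_id]
    i = 0
    while i < len(doomed):
        doomed.extend(children_of(chart, doomed[i]))
        i += 1
    for nid in doomed:
        del chart[nid]
    return doomed


if __name__ == "__main__":
    chart = dict(CHART)
    print(render_from(chart, 1))                 # whole chart from the root
    new_id, fragment = add_node(chart, 3, "Accountant")
    print(new_id, fragment)                      # only the CFO subtree comes back
    print(delete_node(chart, 2))                 # removes CTO and Dev Lead
```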

The main way to use the tag is:

  • To create a node, you click the Add Node icon from the parent node.
  • To edit a node, you double-click an existing node.
  • To delete a node, you click the Delete Node icon on the node to be deleted.

The editing of nodes is not complete. I envisage this to dynamically create a text area in the node and update the TEXT of the node on the fly using . Another option in the future would be to pop-up a menu that allows you to change the TYPE of node.

Things I would like to see added:

  • Panning of a VIEW area for large charts
  • Ability to change each node's type
  • Add the ability to render each node with rounded corners using the brilliant NiftyCube library.
  • Ability to export the chart in a variety of formats : graphics or PDF

The funny thing is, I developed this 2 weeks ago on one of my 3-hour after-work learning stints, where I generally read new things through blogs or try proof-of-concept ideas that may help in future projects. About 2 days ago, I got an email from someone through who had an idea for a CFOrgChart type tag/application with the same ideas I had planned.

Funny how things happen...

Now the fun part...try the demo : demos/cforgchart/index.cfm

PS: Please use with care and don't ruin it for other people by deleting all the nodes. This is only a demo and I haven't performed any checking or locking of nodes yet.

PPS: Can someone (Karl :-) ) check this on Safari and report back?
