Slide 1: Application.cfm Tips and Tricks
Michael Smith, President, TeraTech, Inc.
ColdFusion, database & VB custom development and training.
http://www.teratech.com  800-447-9120
Presentation copyright TeraTech 2002
Slide 2: Speaker Information
TeraTech http://www.teratech.com
Who am I?
- Michael Smith
- President of TeraTech, Inc, Rockville MD
  - http://www.teratech.com/
  - ttWebReportServer, CFXGraphicserver
- MDCFUG, CFUN-02, Fusebox Conf
- Articles in CFDJ, Fusion Authority
- CF_Underground IV, Oct 27th
  - http://www.cfconf.org/cf_underground4/
Slide 3: Overview
- What is Application.cfm
- Directory rules
- Error handler
- Application, Session and Client variables
- Logon and Members only
- Application Setup
- Security
Slide 4: What is Application.cfm
- A regular CFM file that is included ONCE at the beginning of every request.
- Spelt Application.cfm (the capital A matters on Unix, where file names are case-sensitive)
- You could instead do a CFINCLUDE at the beginning of every template.
  - Application.cfm saves that coding time
Slide 5: Directory Rules
- CF searches for Application.cfm starting in the directory of the requested template.
- It moves up the directory tree towards the system root (e.g. C:/) until it finds one.
- Even if you don't want to use the Application.cfm feature, have a blank one to save the processing time of that search.
Slide 6: OnRequestEnd.cfm
- OnRequestEnd.cfm is run at the end of the page request.
- The opposite of Application.cfm
- Must be in the same directory as Application.cfm
- Not run after CFABORT
Slide 7: Traps
- You cannot span tags between Application.cfm and OnRequestEnd.cfm (a tag opened in one cannot be closed in the other).
Slide 8: Error handling
- Always have an error handler in Application.cfm: the CFERROR tag
- Never display the default CF errors; they give out SQL information and template paths
- Instead, email the error to an admin
- Don't explain to the user why the attempt failed
- Can be turned off for development IPs
Slide 9: Error handling code
In Application.cfm: the CFERROR tag (see slide 8), whose template is error_exception.cfm.

In error_exception.cfm:

```cfml
<!--- error.MailTo comes from the mailto attribute of the CFERROR tag in Application.cfm;
      the other error.* variables describe the failed request --->
<CFMAIL to="#error.MailTo#" from="info@teratech.com" subject="ColdFusion Error">
#error.RemoteAddress#
#error.Template#
#error.DateTime#
#error.Diagnostics#
</CFMAIL>
```
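The Application.cfm half of the handler, with the "turn off for development IPs" point from slide 8, as an example added here rather than the deck's own code; the developer addresses and the admin mailbox are constructed.

```cfml
<!--- Application.cfm (example added here, not from the deck).
      Developer addresses and the admin mailbox are assumed. --->
<cfset request.devIPs = "127.0.0.1,192.0.2.10">   <!--- constructed addresses --->

<cfif NOT ListFind(request.devIPs, CGI.REMOTE_ADDR)>
    <!--- Everyone else: every exception goes to our template, which mails the
          diagnostics to the admin and shows the visitor a neutral message.
          The default CF error page would reveal SQL text and template paths. --->
    <cferror type="exception"
             exception="any"
             template="error_exception.cfm"
             mailto="admin@example.com">
</cfif>
<!--- Developers on the list keep the full default error page while coding --->
```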
Slide 10: Application variables
- Global across pages
- Set up using the CFAPPLICATION tag
- Use as application.variablename
  - Lock your usage
  - Beware the max timeout in CF Admin
Slide 11: Session variables
- Persistent between pages for ONE user. Use the CFAPPLICATION tag:
- Use as session.variablename
  - Lock your usage
  - Beware the max timeout in CF Admin
Slide 12: Client variables
- Persistent between pages for ONE user. In Application.cfm:
- Use as client.variablename
- Use client variables in place of session variables to avoid locking in CF 5.
- Store in a DB, NOT the registry
- Use WDDX for complex variables
- Timeout set in CF Admin - manually test for less than 2 hours
Slide 13: Timeouts
Slide 14: Members only
- Want to protect subdirectories for members only
- Check CGI.script_name for the directory
- Check if the user is logged on using a client variable
- Might also check roles in a more complex system.
Slide 15: Members Only Code
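The members-only check from slide 14, written out as an example added here (not the deck's own slide 15 code); the protected directory names, the client.loggedIn flag and client.role are assumed, and the application is assumed to sit at the web root.

```cfml
<!--- In Application.cfm, after the cfapplication tag (example added here, not the
      deck's own code). Directory names, client.loggedIn and client.role are assumed. --->
<cfset request.memberDirs = "/members/,/admin/">

<cfloop list="#request.memberDirs#" index="dir">
    <!--- CGI.SCRIPT_NAME is the requested path, e.g. /members/profile.cfm;
          a match at position 1 means the request is inside that directory --->
    <cfif FindNoCase(dir, CGI.SCRIPT_NAME) EQ 1>
        <!--- Logon state is kept in client variables, so no locking is needed --->
        <cfset request.loggedIn = "No">
        <cfif IsDefined("client.loggedIn")>
            <cfset request.loggedIn = client.loggedIn>
        </cfif>
        <cfif NOT request.loggedIn>
            <cflocation url="/login.cfm?return=#URLEncodedFormat(CGI.SCRIPT_NAME)#">
        </cfif>
        <!--- A more complex system also checks a role for the sensitive areas --->
        <cfif dir EQ "/admin/">
            <cfset request.role = "">
            <cfif IsDefined("client.role")><cfset request.role = client.role></cfif>
            <cfif request.role NEQ "admin">
                <cflocation url="/denied.cfm">
            </cfif>
        </cfif>
    </cfif>
</cfloop>

<!--- login.cfm sets the flags only after the password has been verified, e.g.
      <cfset client.loggedIn = "Yes"> and <cfset client.role = qUser.role> --->
```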
Slide 16: Application Setup
- Set request variables for dsn, webroot and other constants.
- The request scope doesn't need locking.
- Have different versions for development, staging and production servers
Slide 17: Application Setup code
Slide 18: … More Setup code
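A setup block covering slides 16 to 18 and the datasource-password advice from slide 34, as an example added here rather than the deck's own code; the host names, DSNs, paths, key file location and the SELECT used to exercise the connection are all constructed.

```cfml
<!--- Application.cfm: one set of constants per server, chosen by host name.
      Example added here, not the deck's code; host names, DSNs, paths and the
      key file location are constructed. --->
<cfswitch expression="#LCase(CGI.SERVER_NAME)#">
    <cfcase value="www.example.com">                <!--- production --->
        <cfset request.dsn = "prod_db">
        <cfset request.webroot = "http://www.example.com/">
        <cfset request.debug = "No">
    </cfcase>
    <cfcase value="staging.example.com">            <!--- staging --->
        <cfset request.dsn = "staging_db">
        <cfset request.webroot = "http://staging.example.com/">
        <cfset request.debug = "No">
    </cfcase>
    <cfdefaultcase>                                 <!--- developer boxes --->
        <cfset request.dsn = "dev_db">
        <cfset request.webroot = "http://localhost/">
        <cfset request.debug = "Yes">
    </cfdefaultcase>
</cfswitch>

<!--- Datasource credentials stay out of CF Admin and out of every cfquery.
      Only the encrypted password lives in this template; the key is read from a
      file outside the webroot, so a leaked template alone does not expose it. --->
<cfset request.dbUser = "app_user">
<cfset request.dbPassEnc = "ENCRYPTED-PASSWORD-PLACEHOLDER">  <!--- output of Encrypt() --->
<cffile action="READ" file="D:\secure\dbkey.txt" variable="request.dbKey">
<cfset request.dbPass = Decrypt(request.dbPassEnc, Trim(request.dbKey))>

<!--- Every query then uses the request constants instead of literals --->
<cfquery name="qTest" datasource="#request.dsn#"
         username="#request.dbUser#" password="#request.dbPass#">
    SELECT 1 AS ok
</cfquery>
```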
Slide 19: Caching Data
- Store application-wide data in memory in application variables
- Must lock writes and reads
- Check to see if it exists before creating it
- Query caching is easier to code
Slide 20: Caching Data code (SQL…)
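The lock, exists-check and create sequence from slide 19 beside the shorter CACHEDWITHIN form, as an example added here (not the deck's slide 20 code); the States table, the query and a request.dsn variable set earlier in Application.cfm are assumed.

```cfml
<!--- Example added here, not the deck's code; the table and request.dsn are assumed. --->

<!--- 1. Under a read-only lock, see whether the data is already cached --->
<cfset request.needLoad = "Yes">
<cflock scope="APPLICATION" type="READONLY" timeout="10">
    <cfif IsDefined("application.stateList")>
        <cfset request.needLoad = "No">
        <cfset request.stateList = application.stateList>
    </cfif>
</cflock>

<!--- 2. Load it under an exclusive lock; check again inside, because another
      request may have filled the cache between the read lock and this one --->
<cfif request.needLoad>
    <cflock scope="APPLICATION" type="EXCLUSIVE" timeout="10">
        <cfif NOT IsDefined("application.stateList")>
            <cfquery name="qStates" datasource="#request.dsn#">
                SELECT StateCode, StateName FROM States ORDER BY StateName
            </cfquery>
            <cfset application.stateList = qStates>
        </cfif>
        <cfset request.stateList = application.stateList>
    </cflock>
</cfif>

<!--- The same result with far less code: let CF cache the query itself for an hour --->
<cfquery name="qStates" datasource="#request.dsn#"
         cachedwithin="#CreateTimeSpan(0,1,0,0)#">
    SELECT StateCode, StateName FROM States ORDER BY StateName
</cfquery>
```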
Slide 21: Copy Session to Request
- Session variables require locking; request variables do not
- Copy the session structure to a structure in the request scope in application.cfm
- Use the request variables in your code
- Update any that are changed
- See the article "How to sidestep locking" on MDCFUG: www.cfug-md.org/Articles/RequestVariables.cfm
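One Application.cfm/OnRequestEnd.cfm pair that serves slides 10 to 12 (the CFAPPLICATION tag, client variables stored in a database, WDDX for complex values) and slide 21 (copying the session scope to the request scope and writing back only what changed). It is an example added here, not the deck's code or the MDCFUG article's; the application name, timeouts, the clientstorage DSN and the variable names are assumed.

```cfml
<!--- Application.cfm (example added here; name, timeouts and the clientstorage DSN are assumed) --->
<cfapplication name="TipsDemo"
               applicationtimeout="#CreateTimeSpan(1,0,0,0)#"
               sessionmanagement="Yes"
               sessiontimeout="#CreateTimeSpan(0,0,20,0)#"
               clientmanagement="Yes"
               clientstorage="ClientVarsDSN"
               setclientcookies="Yes">
<!--- clientstorage names a datasource set up in CF Admin: a database, not the registry.
      Both timeouts are capped by the maximums configured in CF Admin. --->

<!--- Copy the session scope once, under a read-only lock; pages then read and
      write request.session.* with no further locking --->
<cflock scope="SESSION" type="READONLY" timeout="10">
    <cfset request.session = Duplicate(session)>
</cflock>
<cfset request.sessionChanged = "">    <!--- keys a page has modified --->

<!--- Complex data is kept in a client variable as WDDX text, which is a plain string --->
<cfif IsDefined("client.prefsWddx")>
    <cfwddx action="WDDX2CFML" input="#client.prefsWddx#" output="request.prefs">
<cfelse>
    <cfset request.prefs = StructNew()>
</cfif>

<!--- Somewhere in a page: change a session value through the request copy --->
<cfif IsDefined("form.keywords")>
    <cfset request.session.lastSearch = form.keywords>
    <cfset request.sessionChanged = ListAppend(request.sessionChanged, "lastSearch")>
    <cfset request.prefs.lastSearch = form.keywords>
</cfif>

<!--- OnRequestEnd.cfm: write back only the changed keys under one exclusive lock.
      Remember that OnRequestEnd.cfm does not run after a CFABORT. --->
<cfif request.sessionChanged NEQ "">
    <cflock scope="SESSION" type="EXCLUSIVE" timeout="10">
        <cfloop list="#request.sessionChanged#" index="key">
            <cfset session[key] = request.session[key]>
        </cfloop>
    </cflock>
</cfif>
<cfwddx action="CFML2WDDX" input="#request.prefs#" output="client.prefsWddx">
```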
Slide 22: Authentication
- Stateless web - any page can call another - this is good for open sites
- Hacker pages call your page with false data
- Use CGI.HTTP_REFERER to control who calls you
- Use CGI.CF_TEMPLATE_PATH in application.cfm to control what is run. Warning - can be spoofed by the browser
Slide 23: Fake form submits
- Hacker uses View Source in the browser to save your HTML source to their machine
- Edits form fields and the form action URL and submits to your action page.
- Can now change what record is edited, or remove fields to generate errors
- Can also remove any client-side validation, including _required fields and JavaScript from CFFORM.
Slide 24: Preventing Fake form submits
To prevent fake form submits:
- Check that HTTP_REFERER is in your domain
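The referer check from slide 24 together with the server-side re-validation that slide 23 makes necessary, as an example added here (not the deck's code); the host name, the form fields and a client.custID set at logon are assumed. The check logs and stops a POST whose referer host is not ours, and the action page re-checks everything the browser was supposed to validate.

```cfml
<!--- Application.cfm (example added here, not the deck's code). The host name,
      the form fields and client.custID are assumed. --->
<cfset request.ourHost = "www.example.com">

<cfif CGI.REQUEST_METHOD EQ "POST">
    <cfset request.refHost = "">
    <cfif ListLen(CGI.HTTP_REFERER, "/") GTE 2>
        <!--- scheme://host/path split on "/" (CF lists drop empty elements): element 2 is the host --->
        <cfset request.refHost = ListGetAt(CGI.HTTP_REFERER, 2, "/")>
    </cfif>
    <cfif request.refHost NEQ request.ourHost>
        <!--- The browser sends the referer, so it can be blank or forged:
              this stops casual saved-page edits, not a determined attacker --->
        <cflog file="FormAbuse"
               text="POST to #CGI.SCRIPT_NAME# from #CGI.REMOTE_ADDR# referer=#CGI.HTTP_REFERER#">
        <cfabort showerror="Form submission rejected.">
    </cfif>
</cfif>

<!--- edit_action.cfm: re-validate on the server; the client-side checks may be gone --->
<cfparam name="form.custID" default="">
<cfparam name="form.email" default="">
<cfset request.ok = IsNumeric(form.custID) AND IsDefined("client.custID")>
<cfif request.ok>
    <!--- the record being edited must be the logged-on user's own --->
    <cfset request.ok = (form.custID EQ client.custID)>
</cfif>
<cfif NOT request.ok OR NOT REFind("^[^@ ]+@[^@ ]+\.[^@ ]+$", form.email)>
    <cfabort showerror="Invalid request.">
</cfif>
```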
Slide 25: Encrypt URLs
- One way to protect URLs is to encrypt them on all links, form submits and JavaScript submits.
- Use the URLEncrypt() and URLDecrypt() functions from the CFLib project
  - http://www.cflib.org/
- Can decrypt in Application.cfm
Slide 26: SQL hacking
- URL and Form parameters used in SQL
  - SELECT * FROM EMP WHERE ID = #USERID#
  - Extra SQL commands on SQL Server: http://myserver/page.cfm?ID_VAR=7%3BDELETE%20FROM%20MyCustomerTable
  - | VBA functions - shell() on Access
  - xp_cmdshell in SQL Server
Slide 27: SQL hacking prevention
- Use on all SQL parameters
- Check for ' and | etc. in form and url variables in Application.cfm
- Encrypt URL variables
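The slide 26 query in its vulnerable form beside the parameterised form, plus the Application.cfm character check from slide 27, as an example added here (not the deck's code). The tag name missing from the first bullet of slide 27 is taken to be CFQUERYPARAM; request.dsn, the EMP table and the field names are assumed.

```cfml
<!--- Example added here, not the deck's code; request.dsn, the EMP table and the
      field names are assumed. --->

<!--- Vulnerable form from slide 26: the URL value becomes part of the SQL text,
      so the "7;DELETE FROM ..." value on that slide runs two statements on SQL Server --->
<cfquery name="qEmp" datasource="#request.dsn#">
    SELECT * FROM EMP WHERE ID = #url.userid#
</cfquery>

<!--- Hardened: the value is bound as a typed parameter and never parsed as SQL;
      anything that is not an integer is rejected before the query runs --->
<cfquery name="qEmp" datasource="#request.dsn#">
    SELECT * FROM EMP
     WHERE ID = <cfqueryparam value="#url.userid#" cfsqltype="CF_SQL_INTEGER">
</cfquery>

<!--- Application.cfm: the deck's extra check, refusing request values that carry
      characters which only matter to SQL. It is a blunt filter (it rejects O'Brien
      too); cfqueryparam on every query is the real fix, this is belt and braces. --->
<cfloop collection="#url#" item="key">
    <cfif REFind("['|;]", url[key])>
        <cfabort showerror="Invalid characters in request.">
    </cfif>
</cfloop>
<cfloop collection="#form#" item="key">
    <cfif REFind("['|;]", form[key])>
        <cfabort showerror="Invalid characters in request.">
    </cfif>
</cfloop>
```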
Slide 28: Protect CFINCLUDE and CFMODULE files
- Don't let CFINCLUDE and CFMODULE files be run standalone; they may do bad things or generate error messages
- Protect them using a naming convention or subdirectory, and test CGI.script_name in application.cfm
- Especially important for Fusebox applications with many include files
Slide 29: Code to protect CFINCLUDE files
- For Fusebox, in Application.cfm:
- Non-Fusebox: check the filename/directory
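Both checks from slide 29 as an example added here (not the deck's code): for Fusebox, only index.cfm may be requested directly; for other applications, an /includes/ directory and an inc_ file-name prefix are the assumed conventions. A short message is shown instead of letting the include fail with a revealing CF error.

```cfml
<!--- Application.cfm (example added here, not the deck's code; the file and
      directory naming conventions are assumed). Application.cfm runs once per
      request, and CGI.SCRIPT_NAME is the file the browser asked for, so an
      include pulled in by index.cfm via CFINCLUDE is never seen here. --->
<cfset request.fileName = ListLast(CGI.SCRIPT_NAME, "/")>

<!--- Fusebox: every request goes through index.cfm; any other .cfm under the
      application is a fuse or include that must not run on its own --->
<cfif request.fileName NEQ "index.cfm">
    <cfoutput><p>This file cannot be called directly.</p></cfoutput>
    <cfabort>
</cfif>

<!--- Non-Fusebox: includes live in /includes/ or are named inc_*.cfm --->
<cfif FindNoCase("/includes/", CGI.SCRIPT_NAME)
      OR Left(request.fileName, 4) EQ "inc_">
    <cfoutput><p>This file cannot be called directly.</p></cfoutput>
    <cfabort>
</cfif>
```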
Slide 30: Subnet Auto-Authentication
In your application.cfm, or in a header.cfm included in every page.
(Your protected links here)
Warning - spoofed IP numbers will get around this code
Slide 31: Custom Debug info
- Variable and structure dump in OnRequestEnd.cfm
  - Use the CF_Dump custom tag or the CF5 CFDUMP tag to output all session variables, all cookies, etc. http://www.smart-objects.com/docs.cfm?f=cf_dump.htm
Slide 32: Session Tracking
- Who is logged on now
  - Keep track of login times to see who's logged in now; record activity and decide based on last activity or a logoff option
  - Add userid and session info to a structure in an application variable.
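The structure-in-an-application-variable approach from slide 32 as an example added here (not the deck's code): each request refreshes the user's entry under a lock, logout removes it, and a report page counts anyone active within an assumed 20-minute limit. client.userid is assumed to be set at logon.

```cfml
<!--- Application.cfm, after the logon check (example added here, not the deck's
      code; client.userid and the 20-minute idle limit are assumed). --->
<cfif IsDefined("client.userid")>
    <cfset request.entry = StructNew()>
    <cfset request.entry.lastActivity = Now()>
    <cfset request.entry.ip = CGI.REMOTE_ADDR>
    <cflock scope="APPLICATION" type="EXCLUSIVE" timeout="10">
        <cfif NOT IsDefined("application.activeUsers")>
            <cfset application.activeUsers = StructNew()>
        </cfif>
        <!--- one entry per user, keyed by userid and refreshed on every request --->
        <cfset application.activeUsers[client.userid] = request.entry>
    </cflock>
</cfif>

<!--- logout.cfm: the explicit logoff option removes the entry at once --->
<cfif IsDefined("client.userid")>
    <cflock scope="APPLICATION" type="EXCLUSIVE" timeout="10">
        <cfset request.removed = StructDelete(application.activeUsers, client.userid)>
    </cflock>
</cfif>

<!--- whosonline.cfm (admin only): anyone active in the last 20 minutes counts as logged on --->
<cflock scope="APPLICATION" type="READONLY" timeout="10">
    <cfset request.active = Duplicate(application.activeUsers)>
</cflock>
<cfoutput>
<cfloop collection="#request.active#" item="uid">
    <cfset request.u = request.active[uid]>
    <cfif DateDiff("n", request.u.lastActivity, Now()) LT 20>
        #uid# last active #TimeFormat(request.u.lastActivity, "HH:mm")# from #request.u.ip#<br>
    </cfif>
</cfloop>
</cfoutput>
```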
Slide 33: Back button hacking
- Hacker uses the back button to view sensitive information from a user's browser
- Consider disabling the back button, especially on logout
Slide 34: Datasource password
- Don't put the datasource userid and password in CF Admin; if any template is compromised, the hacker can destroy data
- Don't hardcode them in every CFQUERY call
- Use request variables in application.cfm and encrypt it
Slide 35: Questions
- Questions? Email me at michael@teratech.com