So I know that I code with some bad habits. Some of the things that I teach people not to do still turn up in my code. So when is the correct time to break these habits? Breaking habits takes time. Time is money so when money is low it leads us to believe this is not the time to break the bad habits. However, if we can strive to break one or two as we go its better than not trying at all.
It is time to review my authentication method for securing my websites as I move into the login process of my overseas project. I anticipate that I will find that my methods are still up-to-date and secure. Macromedia provides a good read on the topic with “Building Secure Applications with ColdFusion MX 6.1”.
Ah! “In ColdFusion 5 and earlier, the application developer would write all of the code necessary to manage whether or not a user is logged in, validate a userâ€™s identity and credentials against an authorization store, and so forth. In ColdFusion MX, a framework of tags and functions are provided to handle much of the authentication tasks” Sure enough… My techniques are out of date.
This is key! With web server authentication if not using SSL then the username and password are sent as a “base64-encoded string with each request” so without SSL the web server authentication is very weak.
Hmm. That article turned out to be a bit of a let down. In summary, it was a configuration document for configuring RDS on a CFMX box. The only other insigth was that MM has provided builtin tags to replace all the hard work I did on my authentication scripts and roles based security custom tags. So much for all my cool points. See: cflogin, cfloginuser, cflogout, GetAuthUser, IsUserInRole, and the docs on Securing Applications.