Archive for the ‘Security’ Category

Using Coldfusion to specify which pages to run under an SSL

Sunday, April 25th, 2010

I recently had a site that ran under an SSL certificate. As this was the case each page of the site ran under the ‘https://’ protocol. A few weeks ago the client noticed that when run in Internet Explorer they were receiving a message stating that not all of the data was being passed via the SSL. It would ask if the user wished to load in the insecure data as well as the secure. If the user chose yes everything loaded as normal. If they chose no everything except AJAX data would load onto the page.

While this makes sense I’m not sure why it just started happening. Nonetheless, I noted that it was not necessary to run the entire site under the SSL. Since I, of course, do not use AJAX anywhere in the checkout process, I decided that the simple solution was to run the SSL only under the checkout. This would allow the rest of the site to run under the ‘http://’ protocol without any security prompts concerning AJAX from Internet Explorer. So let’s take a look at how to run the SSL under only select pages in your site.

<!--- ***************  MAKE SURE THE SSL IS IN PLACE  *************** --->
<cfset var storepath = "http://www.yourdomain.com/checkout/">
<cfset var url = "http://" & CGI.HTTP_HOST & CGI.SCRIPT_NAME>
<cfset var isinstore = findNoCase(storepath, url)>

<!--- IF FOUND CHANGE TO SECURE PROTOCOL --->
<cfif isinstore neq 0 AND CGI.SERVER_PORT neq "443">
	<!--- SET TO SECURE PROTOCOL --->
	<cfset url = "https://" & CGI.HTTP_HOST & CGI.SCRIPT_NAME>

	<!--- SET QUERY STRING IF NECESSARY --->
	<cfif CGI.QUERY_STRING neq "">
		<cfset url = url & "?" & CGI.QUERY_STRING>
	</cfif>

	<!--- REDIRECT USER --->
	<cflocation url="#url#" addtoken="false">
</cfif>

This snippet of code is run under the onRequestStart() method in the Application.cfc. This allows the program to check the url with each request that is made. Some pre-planning is required to choose where the SSL is run without just doing a page by page check. In this case we have made sure that we have placed all of our secure pages under a single directory. In this case we are wanting to secure our ‘checkout’ directory. If we are under this directory we also want to make sure that we are not running on the secure port 443. If not we can take the current url, run the secure protocol at the beginning, attach the query string if necessary, and then redirect the user to the secure page.

With each request Coldfusion checks if the page falls under the ‘checkout’ directory and if so it redirects to itself using the ‘https://’ protocol. For this protocol to work, it of course assumes that you have set up the SSL in IIS or whatever you use. I also recommend going into the site and changing any absolute paths linking to any of the pages running under your secure directory to use the secure protocol by default.

Tags: , ,
Posted in Coldfusion 8, Coldfusion 9, Security | No Comments »

Access denied for user ’someone’@'localhost’ (using password: YES)

Thursday, February 25th, 2010

If I had a nickel for every time I’ve gotten this error I’d be somewhere around 35 cents richer.  Point being this error really isn’t that big of a deal, but can certainly be somewhat annoying.  If you’re using shared web hosting and are receiving this error on your production site just call your host because there is probably nothing you can do on your end.

However, if you’re working on a VPS, dedicated server, the cloud, or any environment in which you have access to both the server and the Coldfusion Administrator then you’re in luck.  This error is usually thrown as a result of trying to access the database with a datasource set up for a user that doesn’t exist.  So if you’re using MySql on your server and you try to access it with an account that maybe exists on the local drive, but not on the server you’ll receive this error.  To test if this is the case go to the Coldfusion Administrator and verify the data source connection in question under the datasources menu.  It probably won’t verify.  At this point you will want to connect the datasource using a legitimate account or just use the ‘root’ username and no password.  This should verify the datasource and eliminate the error.

Tags: , , , ,
Posted in Coldfusion 8, Database, Debugging, SQL, Security | No Comments »

Simple URL parameter encryption

Sunday, November 22nd, 2009

If you ever find yourself needing to pass data through the url, but prefer the data to be encrypted when the data is transferred to the receiving page, and you are using Coldfusion – then you’re in luck. Let’s first look at how we would pass data through the URL using Coldfusion without any encryption. We have two pages: 1. initiateTransfer.cfm and 2. receiveTransfer.cfm. In initiate transfer we would have this code:

initiateTransfer.cfm (No Encryption)

<!— set a value to pass through the url —>
<cfset VARIABLES.name = “matthew”>

<!— create our url —>
<cfset VARIABLES.url = “receiveTransfer.cfm?name=” & VARIABLES.name>

<!— direct the user to the new page —>
<cflocation url=”#VARIABLES.url#” addtoken=”false”>

(more…)

Tags: , ,
Posted in Coldfusion 8, Security | No Comments »