Application.cfm tips and Tricks
Michael Smith
President
TeraTech, Inc
ColdFusion, database & VB custom development and training.
http://www.teratech.com
800-447-9120
Presentation copyright TeraTech 2002
TeraTech http://www.teratech.com
Speaker Information
Who am I? Michael Smith, President of TeraTech, Inc, Rockville MD
http://www.teratech.com/
ttWebReportServer, CFXGraphicserver
MDCFUG, CFUN-02, Fusebox Conf
Articles in CFDJ, Fusion Authority
CF_Underground IV, Oct 27th
http://www.cfconf.org/cf_underground4/
Overview
What is Application.cfm
Directory rules
Error handler
Application, Session and Client variables
Logon and Members only
Application Setup
Security
What is Application.cfm
A regular CFM file that is included ONCE at the beginning of every request.
Spelled Application.cfm (the capital A matters on Unix, where file names are case-sensitive).
You could just do a CFINCLUDE at the beginning of every template; Application.cfm saves that coding time.
Directory Rules
CF searches for Application.cfm starting in the current directory of the requested template.
It moves up the directory tree to the system root (e.g. C:/) until it finds one.
Even if you don't want to use the Application.cfm feature, have a blank one to save that search time on every request.
OnRequestEnd.cfm
OnRequestEnd.cfm is run at the end of the page request, the opposite of Application.cfm.
Must be in the same directory as Application.cfm.
Not run after CFABORT.
Traps
Cannot span a tag pair between Application.cfm and OnRequestEnd.cfm: a tag opened in one cannot be closed in the other.
Error handling
Always have an error handler in Application.cfm (the CFERROR tag).
Never display default CF errors: they give out SQL text and template paths.
Instead, email the error to the admin.
Don't explain to the user why the attempt failed.
Can be turned off for development IPs.
Error handling code
In Application.cfm:
<cferror type="EXCEPTION" template="error_exception.cfm" mailto="michael@teratech.com">
In error_exception.cfm:
<CFMAIL to="#error.MailTo#" from="[email protected]" subject="ColdFusion Error">
#error.RemoteAddress#
#error.Template#
#error.DateTime#
#error.Diagnostics#
</CFMAIL>
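An added example (not from the slides) of an error_exception.cfm that mails the full details to the admin but shows visitors only a generic message, with the development-IP switch the previous slide mentions. The mail addresses and the list of developer IPs are constructed placeholders.

```cfml
<!--- Application.cfm: route every unhandled exception to our own template --->
<cferror type="EXCEPTION" template="error_exception.cfm" mailto="admin@example.com">

<!--- error_exception.cfm --->
<!--- Constructed list of developer workstations that may see full diagnostics --->
<cfset devIPs = "127.0.0.1,192.168.1.10">

<cfif ListFind(devIPs, CGI.REMOTE_ADDR)>
  <!--- Developer: show the real diagnostics on screen --->
  <cfoutput>
    <h2>Error in #error.Template#</h2>
    <pre>#HTMLEditFormat(error.Diagnostics)#</pre>
  </cfoutput>
<cfelse>
  <!--- Everyone else: the SQL text, template path and stack go to the admin by mail ... --->
  <cfmail to="#error.MailTo#" from="errors@example.com"
          subject="ColdFusion error on #CGI.SERVER_NAME#: #error.Template#">
Time:        #error.DateTime#
Template:    #error.Template#
Client IP:   #error.RemoteAddress#
Referer:     #error.HTTPReferer#
Query:       #error.QueryString#
Browser:     #error.Browser#

#error.Diagnostics#
  </cfmail>
  <!--- ... and the visitor is told nothing about why the request failed --->
  <p>Sorry, this page is temporarily unavailable. The administrator has been notified.</p>
</cfif>
```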
Application variables
Global across pages. Set up using the CFAPPLICATION tag:
<CFAPPLICATION name="cfclass" applicationtimeout="#createtimespan(1,0,0,0)#">
Use as application.variablename. Lock your usage:
<CFLOCK scope="Application">
Beware the maximum timeout set in CF Admin.
Session variables
Persistent between pages for ONE user. Use the CFAPPLICATION tag:
<CFAPPLICATION name="cfclass" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,10,0)#">
Use as session.variablename. Lock your usage:
<CFLOCK scope="Session">
Beware the maximum timeout set in CF Admin.
Client variables
Persistent between pages for ONE user. In Application.cfm:
<CFAPPLICATION name="cfclass" clientmanagement="yes">
Use as client.variablename.
Use client variables in place of session variables to avoid locking in CF 5.
Store them in a DB, NOT the registry.
Use WDDX for complex variables.
The timeout is set in CF Admin; for a timeout of less than 2 hours, test it manually in code (next slide).
Timeouts
<!--- Roll your own timeout code. This example times out session after 5 minutes --->
<CFPARAM name="client.last_access" default="#now()#">
<CFIF DateDiff("n", client.last_access, now()) gt 5>
<CFLOCATION url="/logon.cfm">
</CFIF>
<CFSET client.last_access = now()>
Members only
Want to protect subdirectories for members only.
Check CGI.script_name for the directory.
Check whether the user is logged on using a client variable.
Might also check roles in a more complex system.
Members Only Code
<CFPARAM name="client.username" default="">
<CFIF CGI.script_name contains "/private/">
  <CFIF client.username is "">
    <CFLOCATION url="/logon.cfm">
  </CFIF>
</CFIF>
Application Setup
Set request variables for the dsn, webroot and other constants.
Request variables don't need locking.
Have different versions for the development, staging and production servers.
Application Setup code
<CFSET request.InstallationLocation = CGI.SERVER_NAME>
<CFIF request.InstallationLocation EQ "www.myserver.com">
<CFSET request.dsn = "Mysite">
<CFSET request.urlhome = "http://#request.InstallationLocation#/admin">
<CFSET request.Rootpath ="/admin">
… More Setup code
<CFELSEIF request.installationlocation EQ "www.teratech.com">
<CFSET request.dsn = "Dev_Mysite">
<CFSET request.urlhome = "http://#request.InstallationLocation#/projects/mysite/admin">
<CFSET request.Rootpath ="/projects/mysite/admin/admin">
</CFIF>
Caching Data
Store application-wide data in memory in application variables.
Must lock both writes and reads.
Check whether the variable exists before creating it.
Query caching is easier to code.
Caching Data code
<CFLOCK …>
<CFIF not isdefined("application.myquery")>
  <CFQUERY datasource="#request.dsn#" name="application.myquery">
    SQL…
  </CFQUERY>
</CFIF>
</CFLOCK>
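The locking pattern behind that slide, written out as an added example (not the slides' code): a cheap existence check under a read lock, then a second check under the exclusive lock before loading, because two requests can both see the variable missing at the same moment. The table name is constructed.

```cfml
<!--- Application.cfm: load the lookup query once per application, safely under concurrency --->
<cfset needLoad = false>

<!--- Cheap check under a shared (read) lock; most requests stop here --->
<cflock scope="APPLICATION" type="READONLY" timeout="10">
  <cfif NOT IsDefined("application.myquery")>
    <cfset needLoad = true>
  </cfif>
</cflock>

<cfif needLoad>
  <!--- Re-check under the exclusive lock: another request may have loaded it meanwhile --->
  <cflock scope="APPLICATION" type="EXCLUSIVE" timeout="10">
    <cfif NOT IsDefined("application.myquery")>
      <cfquery datasource="#request.dsn#" name="application.myquery">
        SELECT DeptID, DeptName FROM Department ORDER BY DeptName
      </cfquery>
    </cfif>
  </cflock>
</cfif>

<!--- Readers take a copy under a read lock, so no unlocked reference to the
      application scope escapes into page code --->
<cflock scope="APPLICATION" type="READONLY" timeout="10">
  <cfset request.depts = Duplicate(application.myquery)>
</cflock>
```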
Copy Session to Request
Session variables require locking; request variables do not.
Copy the session structure to a structure in the request scope in Application.cfm.
Use the request variables in your code.
Update any that are changed.
See the article "How to sidestep locking" on MDCFUG: http://www.cfug-md.org/Articles/RequestVariables.cfm
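An added example of the session-to-request copy the slide describes (not the MDCFUG article's code): Application.cfm takes one locked snapshot, page code uses request.sess without locks, and OnRequestEnd.cfm writes the values back under a single exclusive lock. Because OnRequestEnd.cfm is skipped after CFABORT, changes made on an aborted request are lost.

```cfml
<!--- Application.cfm --->
<cfapplication name="cfclass" sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0,0,10,0)#">

<!--- One read lock per request: deep-copy the whole session into the request scope --->
<cflock scope="SESSION" type="READONLY" timeout="10">
  <cfset request.sess = Duplicate(session)>
</cflock>

<!--- Any page: read and write request.sess.* freely, no CFLOCK needed --->
<cfparam name="request.sess.pageViews" default="0">
<cfset request.sess.pageViews = request.sess.pageViews + 1>
<cfset request.sess.lastPage = CGI.SCRIPT_NAME>

<!--- OnRequestEnd.cfm (same directory as Application.cfm) --->
<!--- Write the possibly changed values back under one exclusive lock.
      The CFID/CFTOKEN bookkeeping keys belong to ColdFusion and are skipped. --->
<cflock scope="SESSION" type="EXCLUSIVE" timeout="10">
  <cfloop collection="#request.sess#" item="key">
    <cfif NOT ListFindNoCase("cfid,cftoken,urltoken,sessionid", key)>
      <cfset session[key] = request.sess[key]>
    </cfif>
  </cfloop>
</cflock>
```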
Authentication
Stateless web: any page can call another. This is good for open sites.
Hacker pages call your page with false data.
Use CGI.HTTP_REFERER to control who calls you.
Use CGI.CF_TEMPLATE_PATH in Application.cfm to control what is run.
Warning: can be spoofed by the browser.
Fake form submits
Hacker uses View Source in browser to save your HTML source to their machine
Edits form fields and form action URL and submits to your action page.
Can now change what record is edited or remove fields to generate errors
Can also remove any client side validation including _required fields and JavaScript from CFFORM.
Preventing Fake form submits
To prevent fake form submits, check that HTTP_REFERER is in your domain:
<CFIF CGI.HTTP_REFERER contains "http://www.mysite.com">
  <!--- referer is ours, carry on --->
<CFELSE>
  <CFABORT>
</CFIF>
Encrypt URLs
One way to protect URLs is to encrypt them on all links, form submits and JavaScript submits.
Use URLEncrypt() and URLDecrypt() functions from CFLib project http://www.cflib.org/
Can decrypt in Application.cfm
SQL hacking
URL and Form parameters used in SQL:
SELECT * FROM EMP WHERE ID = #USERID#
Extra SQL commands on SQL Server:
http://myserver/page.cfm?ID_VAR=7%3BDELETE%20FROM%20MyCustomerTable
VBA functions: shell() on Access; xp_cmdshell in SQL Server.
SQL hacking prevention
Use <CFQUERYPARAM> on all SQL parameters.
Check for ' and | etc. in form and URL variables in Application.cfm.
Encrypt URL variables.
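An added example (not the slides' code) that puts the vulnerable query beside its CFQUERYPARAM form, followed by the Application.cfm sweep of URL and FORM variables the slide recommends. Table and column names are constructed; note that blocking the apostrophe also rejects legitimate input such as O'Brien, so the bind parameter, not the sweep, is the real defence.

```cfml
<!--- VULNERABLE: the URL value is spliced into the SQL text, so a value like
      the 7;DELETE... one on the previous slide runs two statements on SQL Server --->
<cfquery datasource="#request.dsn#" name="getEmp">
  SELECT * FROM EMP WHERE ID = #URL.ID#
</cfquery>

<!--- HARDENED: type-check first, then pass ID as a bind parameter.
      The database receives a value, never text that can become SQL --->
<cfparam name="URL.ID" type="numeric">
<cfquery datasource="#request.dsn#" name="getEmp">
  SELECT * FROM EMP
  WHERE ID = <cfqueryparam cfsqltype="CF_SQL_INTEGER" value="#URL.ID#">
</cfquery>

<!--- Application.cfm: defence in depth. Refuse any request carrying SQL
      metacharacters in a URL or FORM variable before the page runs --->
<cfset sqlMeta = "['|;]">   <!--- apostrophe, pipe, statement separator --->
<cfloop collection="#URL#" item="key">
  <cfif REFind(sqlMeta, URL[key])>
    <cfabort showerror="Invalid request">
  </cfif>
</cfloop>
<cfloop collection="#FORM#" item="key">
  <cfif IsSimpleValue(FORM[key]) AND REFind(sqlMeta, FORM[key])>
    <cfabort showerror="Invalid request">
  </cfif>
</cfloop>
```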
Protect CFINCLUDE and CFMODULE files
Don't let CFINCLUDE and CFMODULE files be run standalone: they may do bad things or generate error messages.
Protect them using a naming convention or subdirectory, and test CGI.script_name in Application.cfm.
Especially important for Fusebox applications with many include files.
Code to protect CFINCLUDE files
For Fusebox, in Application.cfm:
<CFIF CGI.script_name contains "index.cfm">
  <!--- ok to run --->
<CFELSE>
  <CFABORT SHOWERROR="Protected page">
</CFIF>
Non-Fusebox: check the filename/directory.
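The non-Fusebox variant as an added example (not the slides' code), assuming a site convention that include-only files live under /includes/ or are named *_inc.cfm:

```cfml
<!--- Application.cfm: refuse a direct browser request for an include-only file.
      The /includes/ directory and the _inc.cfm suffix are an assumed site convention --->
<cfset requested = LCase(CGI.SCRIPT_NAME)>
<cfif requested contains "/includes/" OR Right(requested, 8) is "_inc.cfm">
  <cfabort showerror="Protected page">
</cfif>
<!--- CGI.SCRIPT_NAME is the template the browser asked for and does not change
      inside a CFINCLUDE, so includes pulled in by a normal page still run --->
```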
Subnet Auto-Authentication
In your Application.cfm, or in a header.cfm that is included in every page:
<CFIF cgi.script_name contains "/intranet/">
  <cfif left(CGI.REMOTE_ADDR,11) is not "123.456.789">
    <cfif not isdefined("session.authorized")>
      <CFLOCATION URL="http://www.mycompany.com/logon.cfm">
      <cfabort>
    <cfelse>
      <cfset session.authorized = TRUE>
    </cfif>
  </cfif>
  Your protected links here
</CFIF>
Warning: spoofed IP numbers will get around this code.
Custom Debug info
Variable and structure dump in OnRequestEnd.cfm.
Use the CF_Dump or CF5 CFDUMP tags to output all session variables, all cookies, etc.
http://www.smart-objects.com/docs.cfm?f=cf_dump.htm
Session Tracking
Who is logged on now?
Keep track of login times to see who's logged in now; you can record activity and decide based on last activity or a logoff option.
Add the userid and session info to a structure in an application variable.
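An added example (not the slides' code) of that structure: the logon page records the user, Application.cfm touches the entry on every request, logoff removes it, and a "who's on" page lists anyone active in the last 10 minutes. It assumes client.username is set by the logon page, as on the Members Only slide.

```cfml
<!--- logon.cfm action code, after the credentials have been verified: record who came in --->
<cflock scope="APPLICATION" type="EXCLUSIVE" timeout="10">
  <cfif NOT IsDefined("application.loggedOn")>
    <cfset application.loggedOn = StructNew()>
  </cfif>
  <cfset application.loggedOn[client.username] = StructNew()>
  <cfset application.loggedOn[client.username].loginTime    = Now()>
  <cfset application.loggedOn[client.username].lastActivity = Now()>
  <cfset application.loggedOn[client.username].ip           = CGI.REMOTE_ADDR>
</cflock>

<!--- Application.cfm: touch the entry on every request from a logged-on user --->
<cfparam name="client.username" default="">
<cfif client.username is not "">
  <cflock scope="APPLICATION" type="EXCLUSIVE" timeout="10">
    <cfif IsDefined("application.loggedOn")
          AND StructKeyExists(application.loggedOn, client.username)>
      <cfset application.loggedOn[client.username].lastActivity = Now()>
    </cfif>
  </cflock>
</cfif>

<!--- logoff.cfm: an explicit logoff removes the entry and clears the client login --->
<cflock scope="APPLICATION" type="EXCLUSIVE" timeout="10">
  <cfset StructDelete(application.loggedOn, client.username)>
</cflock>
<cfset client.username = "">

<!--- whoson.cfm: users active in the last 10 minutes; anything older counts as gone --->
<cflock scope="APPLICATION" type="READONLY" timeout="10">
  <cfset whoOn = Duplicate(application.loggedOn)>
</cflock>
<cfoutput>
<cfloop collection="#whoOn#" item="user">
  <cfif DateDiff("n", whoOn[user].lastActivity, Now()) lte 10>
    #user# from #whoOn[user].ip#, logged on #TimeFormat(whoOn[user].loginTime, "HH:mm")#<br>
  </cfif>
</cfloop>
</cfoutput>
```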
Back button hacking
Hacker uses the back button to view sensitive information left in a user's browser.
Consider disabling back button, especially on logout
<CFHEADER NAME="Expires" VALUE="06 Nov 1994 08:49:37 GMT">
<CFHEADER NAME="Pragma" VALUE="no-cache">
<CFHEADER NAME="cache-control" VALUE="no-cache, no-store, must-revalidate">
Datasource password
Don't put the datasource userid and password in CF Admin: if any template is compromised, the hacker can destroy data.
Don't hardcode them in every CFQUERY call.
Use request variables in Application.cfm and encrypt them.