Application.cfm Tips and Tricks
Michael Smith

Slides: 35

Application.cfm Tips and Tricks
Michael Smith, President, TeraTech, Inc
ColdFusion, database & VB custom development and training.
http://www.teratech.com
800-447-9120
Presentation copyright TeraTech 2002

Speaker Information
Who am I?
• Michael Smith
• President of TeraTech, Inc, Rockville MD, http://www.teratech.com/
  • ttWebReportServer, CFXGraphicserver
• MDCFUG, CFUN-02, Fusebox Conf
• Articles in CFDJ, Fusion Authority
• CF_Underground IV Oct 27th
  • http://www.cfconf.org/cf_underground4/
TeraTech http://www.teratech.com

Overview
• What is Application.cfm
• Directory rules
• Error handler
• Application, Session and Client variables
• Logon and Members only
• Application Setup
• Security

What is Application.cfm
• Regular CFM file that is included ONCE at the beginning of every request.
• Spelt Application.cfm (capital A for Unix)
• You could just do a CFINCLUDE at the beginning of every template.
  • Saves coding time

Directory Rules
• CF will search for Application.cfm starting in the current directory of the requested template.
• It moves up the directory tree to the system root (eg C:/) until it finds one.
• Even if you don't want to use the Application.cfm feature, have a blank one to save processing time.

OnRequestEnd.cfm
• OnRequestEnd.cfm is run at the end of the page request. Opposite of Application.cfm
• Must be in the same directory as Application.cfm
• Not run after CFABORT

Traps
• Cannot span tags between Application.cfm and OnRequestEnd.cfm

Error handling
• Always have an error handler in Application.cfm – CFERROR tag
• Never display default CF errors: they give out SQL information and template paths
• Instead email the error to the admin
• Don't explain why the attempt failed
• Can turn off for development IPs

Error handling code
In Application.cfm:
  <cferror type="EXCEPTION" template="error_exception.cfm" mailto="michael@teratech.com">
In error_exception.cfm:
  <!--- the error.* variables are filled in by CFERROR; error.MailTo is the mailto attribute above --->
  <CFMAIL to="#error.MailTo#" from="info@teratech.com" subject="ColdFusion Error">
  #error.RemoteAddress#
  #error.Template#
  #error.DateTime#
  #error.Diagnostics#
  </CFMAIL>

Application variables
Global across pages
• Setup using CFAPPLICATION tag
  <CFAPPLICATION name="cfclass" applicationtimeout="#createtimespan(1,0,0,0)#">
• Use as application.variablename
• Lock your usage: <CFLOCK scope="Application">
  • Beware max timeout in CF Admin

Session variables
Persistent between pages for ONE user. Use CFAPPLICATION tag:
  <CFAPPLICATION name="cfclass" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,10,0)#">
• Use as session.variablename
• Lock your usage: <CFLOCK scope="Session">
  • Beware max timeout in CF Admin

Client variables
Persistent between pages for ONE user. In Application.cfm:
  <CFAPPLICATION name="cfclass" clientmanagement="yes">
• Use as client.variablename
• Use client variables in place of session variables to avoid locking in CF 5.
• Store in a DB, NOT the registry
• Use WDDX for complex variables
• Timeout set in CF Admin - manually test for less than 2 hours

Timeouts
  <!--- Roll your own timeout code. This example times out the session after 5 minutes --->
  <CFPARAM name="client.last_access" default="#now()#">
  <!--- skip the check on the logon page itself, otherwise the redirect loops:
        CFLOCATION ends the request before last_access is updated below --->
  <CFIF CGI.script_name does not contain "/logon.cfm"
        and DateDiff("n", client.last_access, now()) gt 5>
    <CFLOCATION url="/logon.cfm">
  </CFIF>
  <CFSET client.last_access = now()>

Members only
• Want to protect subdirectories for members only
• Check CGI.script_name for the directory
• Check if the user is logged on using a client variable
• Might also check roles in a more complex system.

Members Only Code
  <CFPARAM name="client.username" default="">
  <CFIF CGI.script_name contains "/private/">
    <!--- empty username means nobody has logged on in this client session --->
    <CFIF client.username is "">
      <CFLOCATION url="/logon.cfm">
    </CFIF>
  </CFIF>

Application Setup
• Set request variables for dsn, webroot constants.
• Request scope doesn't need locking.
• Have different versions for development, staging and production servers

Application Setup code
  <CFSET request.InstallationLocation = CGI.SERVER_NAME>
  <CFIF request.InstallationLocation EQ "www.myserver.com">
    <CFSET request.dsn = "Mysite">
    <CFSET request.urlhome = "http://#request.InstallationLocation#/admin">
    <CFSET request.Rootpath = "/admin">

… More Setup code
  <CFELSEIF request.InstallationLocation EQ "www.teratech.com">
    <CFSET request.dsn = "Dev_Mysite">
    <CFSET request.urlhome = "http://#request.InstallationLocation#/projects/mysite/admin">
    <CFSET request.Rootpath = "/projects/mysite/admin">
  </CFIF>

Caching Data
• Store application-wide data in memory in application variables
• Must lock writes and reads
• Check to see if it exists before creating
• Query caching is easier to code

Caching Data code
  <!--- exclusive lock covers both the existence check and the write --->
  <CFLOCK scope="Application" type="EXCLUSIVE" timeout="10">
    <CFIF not isdefined("application.myquery")>
      <CFQUERY datasource="#request.dsn#" name="application.myquery">
        SQL…
      </CFQUERY>
    </CFIF>
  </CFLOCK>

Copy Session to Request
Session variables require locking, request variables do not
• Copy the session structure to a structure in request scope in Application.cfm
• Use request variables in code
• Update any that are changed
• See article "How to sidestep locking" on MDCFUG: www.cfug-md.org/Articles/RequestVariables.cfm
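An added example (not code from the slides or the MDCFUG article) of the copy-session-to-request pattern spread over Application.cfm, one page template and OnRequestEnd.cfm; the session keys username and cartCount are assumed for illustration.

```cfml
<!--- Application.cfm: one locked read copies the whole Session scope into
      a request-scope structure; templates then read it without locking --->
<cflock scope="Session" type="READONLY" timeout="10">
  <cfset request.sess = Duplicate(Session)>
</cflock>
<!--- list of keys the current request changes, written back at the end --->
<cfset request.sessChanged = "">

<!--- in a page template: read and write request.sess, never Session directly,
      and record each key you change (username and cartCount are assumed) --->
<cfparam name="request.sess.username" default="guest">
<cfparam name="request.sess.cartCount" default="0">
<cfoutput>Hello #request.sess.username#</cfoutput>
<cfset request.sess.cartCount = request.sess.cartCount + 1>
<cfset request.sessChanged = ListAppend(request.sessChanged, "cartCount")>

<!--- OnRequestEnd.cfm: one locked write copies only the changed keys back.
      OnRequestEnd.cfm is not run after CFABORT (OnRequestEnd slide), so
      changes made by a template that aborts are lost --->
<cfif ListLen(request.sessChanged)>
  <cflock scope="Session" type="EXCLUSIVE" timeout="10">
    <cfloop list="#request.sessChanged#" index="key">
      <cfset Session[key] = request.sess[key]>
    </cfloop>
  </cflock>
</cfif>
```

Every template must follow the same rule (write request.sess, record the key); one template writing Session directly makes the request copy stale for the rest of that request.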

Authentication
Warning: can be spoofed by the browser
• Stateless web - any page can call another - this is good for open sites
• Hacker pages call your page with false data
• Use CGI.HTTP_REFERER to control who calls you
• Use CGI.CF_TEMPLATE_PATH in Application.cfm to control what is run.

Fake form submits
• Hacker uses View Source in the browser to save your HTML source to their machine
• Edits form fields and the form action URL and submits to your action page.
• Can now change what record is edited or remove fields to generate errors
• Can also remove any client side validation, including _required fields and JavaScript from CFFORM.

Preventing Fake form submits
To prevent fake form submits
• Check HTTP_REFERER is in your domain
  <!--- HTTP_REFERER is sent by the client and can be spoofed or omitted (see Authentication slide) --->
  <CFIF CGI.HTTP_REFERER contains "http://www.mysite.com">
  <CFELSE>
    <CFABORT>
  </CFIF>

Encrypt URLs
• One way to protect URLs is to encrypt them on all links, form submits and JavaScript submits.
• Use URLEncrypt() and URLDecrypt() functions from the CFLib project
  • http://www.cflib.org/
• Can decrypt in Application.cfm

SQL hacking
• URL and Form parameters used in SQL
  • SELECT * FROM EMP WHERE ID = #USERID#
  • Extra SQL commands on SQL Server:
    http://myserver/page.cfm?ID_VAR=7%3BDELETE%20FROM%20MyCustomerTable
  • VBA functions - shell() on Access
  • xp_cmdshell in SQL Server

SQL hacking prevention
• Use <CFQUERYPARAM> on all SQL parameters
• Check for ' and | etc in form and url variables in Application.cfm
• Encrypt URL variables
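As an added example (not code from the slides), the Application.cfm character check from the bullets above, followed by the vulnerable query from the SQL hacking slide beside its CFQUERYPARAM form. request.dsn is assumed to come from the Application Setup code, and ; is added to the checked characters because the slide's own attack URL depends on it.

```cfml
<!--- Application.cfm: reject any URL or Form field containing ' or |
      (the slide's list) or ; (added here) before the template runs --->
<cfset badChars = "',|,;">
<cfloop collection="#URL#" item="key">
  <cfloop list="#badChars#" index="ch">
    <cfif Find(ch, URL[key])>
      <!--- generic message: do not explain why (Error handling slide) --->
      <cfabort showerror="Invalid request">
    </cfif>
  </cfloop>
</cfloop>
<cfloop collection="#Form#" item="key">
  <cfloop list="#badChars#" index="ch">
    <cfif Find(ch, Form[key])>
      <cfabort showerror="Invalid request">
    </cfif>
  </cfloop>
</cfloop>

<!--- page.cfm, the vulnerable form from the SQL hacking slide: ID_VAR is
      pasted straight into the statement, so ?ID_VAR=7;DELETE FROM ...
      runs a second statement on SQL Server --->
<cfquery datasource="#request.dsn#" name="getEmp">
  SELECT * FROM EMP WHERE ID = #URL.ID_VAR#
</cfquery>

<!--- hardened version: the value travels as a typed bind parameter and is
      never parsed as SQL; a non-integer value raises an error instead --->
<cfquery datasource="#request.dsn#" name="getEmp">
  SELECT * FROM EMP
  WHERE ID = <cfqueryparam value="#URL.ID_VAR#" cfsqltype="CF_SQL_INTEGER">
</cfquery>
```

CFQUERYPARAM is the fix; the character check is only defence in depth and will also reject legitimate apostrophes (O'Brien), so limit it to fields that never carry free text.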

Protect CFINCLUDE and CFMODULE files
• Don't let CFINCLUDE and CFMODULE files be run standalone – they may do bad things or generate error messages
• Protect using a naming convention / subdirectory and test CGI.script_name in Application.cfm
• Especially important for Fusebox applications with many include files

Code to protect CFINCLUDE files
For Fusebox, in Application.cfm:
  <CFIF CGI.script_name contains "index.cfm">
    <!--- ok to run --->
  <CFELSE>
    <CFABORT SHOWERROR="Protected page">
  </CFIF>
• Non-Fusebox – check filename/directory
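As an added example (not the slide's code), a stricter form of the check above for both cases: contains "index.cfm" also lets a file such as dsp_index.cfm through, so the requested file name is compared directly, and the non-Fusebox branch assumes an /includes/ directory and an inc_ prefix as the naming convention.

```cfml
<!--- Application.cfm: only templates meant to be requested directly may run --->
<cfset requestedFile = ListLast(CGI.script_name, "/")>
<!--- set per application; true for a Fusebox site (assumed switch) --->
<cfset isFusebox = true>

<cfif isFusebox>
  <!--- Fusebox: only the fuseaction dispatcher may be requested; "is" is
        case-insensitive, which matters on Windows file systems --->
  <cfif requestedFile is not "index.cfm">
    <cfabort showerror="Protected page">
  </cfif>
<cfelse>
  <!--- non-Fusebox: block files that exist only to be included or called
        as modules (assumed convention: /includes/ directory or inc_ prefix) --->
  <cfif CGI.script_name contains "/includes/" or left(requestedFile, 4) is "inc_">
    <cfabort showerror="Protected page">
  </cfif>
</cfif>
```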

Subnet AutoAuthentication
Warning - spoofed IP numbers will get around this code
In your Application.cfm or a header.cfm to be included in every page:
  <CFIF cgi.script_name contains "/intranet/">
    <!--- "123.456.789" is the slide's placeholder for the first three octets of the intranet subnet --->
    <cfif left(CGI.REMOTE_ADDR, 11) is not "123.456.789">
      <!--- outside the subnet: must have logged on --->
      <cfif not isdefined("session.authorized")>
        <CFLOCATION URL="http://www.mycompany.com/logon.cfm">
        <cfabort>
      </cfif>
    <cfelse>
      <!--- inside the subnet: auto-authenticate this session (locked, see Session variables slide) --->
      <cflock scope="Session" type="EXCLUSIVE" timeout="10">
        <cfset session.authorized = TRUE>
      </cflock>
    </cfif>
    Your protected links here
  </cfif>

Custom Debug info
• Variable and structure dump in OnRequestEnd.cfm
  • Use CF_Dump or the CF 5 CFDUMP tag to output all session variables or all cookies, etc.
  • http://www.smartobjects.com/docs.cfm?f=cf_dump.htm

Session Tracking
• Who is logged on now
  • Keep track of login times to see who's logged in now; can record activity and decide based on last activity or a logoff option
  • Add userid and session info to a structure in an application variable.
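An added example (not code from the slides) of the tracking structure described above, spread over logon.cfm, Application.cfm, logoff.cfm and a whoson.cfm listing page; session.userid is assumed to be set by the logon code and user ids are assumed not to contain commas.

```cfml
<!--- logon.cfm, after a successful logon: record login time, last activity
      and address under the user's id in an application-scope structure --->
<cflock scope="Application" type="EXCLUSIVE" timeout="10">
  <cfif not IsDefined("application.loggedOn")>
    <cfset application.loggedOn = StructNew()>
  </cfif>
  <cfset application.loggedOn[session.userid] = StructNew()>
  <cfset application.loggedOn[session.userid].loginTime = Now()>
  <cfset application.loggedOn[session.userid].lastActivity = Now()>
  <cfset application.loggedOn[session.userid].ip = CGI.REMOTE_ADDR>
</cflock>

<!--- Application.cfm: stamp activity on every request from a logged-on user --->
<cfif IsDefined("session.userid") and IsDefined("application.loggedOn")>
  <cflock scope="Application" type="EXCLUSIVE" timeout="10">
    <cfif StructKeyExists(application.loggedOn, session.userid)>
      <cfset application.loggedOn[session.userid].lastActivity = Now()>
    </cfif>
  </cflock>
</cfif>

<!--- logoff.cfm: an explicit logoff removes the entry at once --->
<cflock scope="Application" type="EXCLUSIVE" timeout="10">
  <cfset StructDelete(application.loggedOn, session.userid)>
</cflock>

<!--- whoson.cfm: list users active in the last 10 minutes (the sessiontimeout
      from the Session variables slide); idle entries are expired here, with
      their keys collected first so the structure is not changed mid-loop --->
<cfset stale = "">
<cflock scope="Application" type="EXCLUSIVE" timeout="10">
  <cfoutput>
  <cfloop collection="#application.loggedOn#" item="uid">
    <cfif DateDiff("n", application.loggedOn[uid].lastActivity, Now()) gt 10>
      <cfset stale = ListAppend(stale, uid)>
    <cfelse>
      #uid# from #application.loggedOn[uid].ip#,
      logged in at #TimeFormat(application.loggedOn[uid].loginTime, "HH:mm")#<br>
    </cfif>
  </cfloop>
  </cfoutput>
  <cfloop list="#stale#" index="uid">
    <cfset StructDelete(application.loggedOn, uid)>
  </cfloop>
</cflock>
```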

Back button hacking
• Hacker uses the back button to view sensitive information from a user's browser
• Consider disabling the back button, especially on logout
  <CFHEADER NAME="Expires" VALUE="06 Nov 1994 08:49:37 GMT">
  <CFHEADER NAME="Pragma" VALUE="no-cache">
  <CFHEADER NAME="Cache-Control" VALUE="no-cache, no-store, must-revalidate">

Datasource password
• Don't put the datasource userid and password in CF Admin – if any template is compromised a hacker can destroy data
• Don't hardcode them in every CFQUERY call
• Use request variables in Application.cfm and encrypt them

Questions
• Questions? Email me at michael@teratech.com