A reader asks:
Ray, what's a good way to exclude pages from having Application.cfm/.cfc applied to them? Say, for a form that asks the user for an e-mail address if they forgot their password, or a form to register for a site?
So you can't tell ColdFusion to ignore an Application.cfm/cfc file. You could put your file in a subfolder and then use an empty Application.cfc/cfm. However, I'm guessing you probably don't want to do that. For example - the forgot password functionality will probably require things from your Application.cfc/cfm file. I'm also guessing that you are applying security to your site that works something like this pseudo-code:
boolean function onRequestStart(required string targetPage) {
    if (not structKeyExists(session, "user")) {
        tryLogin(); // assumed helper: sets session.user if valid credentials were posted
        if (not structKeyExists(session, "user")) {
            include "login.cfm"; // show the login form
            return false;        // and abort the requested page
        }
    }
    return true;
}
This code basically says, if you aren't logged in, force login.cfm to load and stop everything else. This works fine - but if you want a register or "Forgot Password" type page, how do you handle it?
One way around it is to do it all in one file. That's what I do for Galleon. Galleon doesn't force you to login to browse, but you will notice on the login page that we support logging in, registering, and retrieving a lost password. This works for Galleon since the registration is somewhat simple.
Another possibility is to modify your security a bit. Instead of - "Always go to login.cfm if not logged in", your logic could be "Always go to login.cfm if not logged in unless you are at register.cfm". This is a bit of a hack I suppose, but is safe since you are still blocking access to everything except one page.
To make that a bit more general - let's say you didn't want onRequestStart to do anything for a set of files. You could simply put them in a subfolder, add an Application.cfc that extends the parent, and write a blank onRequestStart.
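Here is what both of those options look like in Application.cfc, as an added example (not code from the post or from Galleon). It assumes the application is called mySite, that a logged-in user is marked by session.user, that the pages to exclude are register.cfm and forgotpassword.cfm, and that a "/root" mapping to the site root exists so the subfolder's Application.cfc can extend the parent. The list is an allow-list of exact file names, so a page you forget to add stays protected:

```cfml
// /Application.cfc  (site root)
component {
    this.name = "mySite";              // assumed application name
    this.sessionManagement = true;

    // Exact file names that may be viewed without a login. Everything not listed is
    // protected, so forgetting to list a page fails closed rather than open.
    variables.publicPages = ["login.cfm", "register.cfm", "forgotpassword.cfm"];

    boolean function onRequestStart(required string targetPage) {
        // targetPage is the web-root-relative path (e.g. "/register.cfm"). Compare the
        // file name only, case-insensitively, and never with a substring test such as
        // "contains register", which would also unlock a hypothetical /admin/registerUser.cfm.
        var pageName = listLast(arguments.targetPage, "/");
        var isPublic = arrayFindNoCase(variables.publicPages, pageName) gt 0;

        if (not isPublic and not structKeyExists(session, "user")) {
            include "/login.cfm";   // show the login form instead of the requested page
            return false;           // and stop processing the request
        }
        return true;
    }
}

// /public/Application.cfc  (every page under /public/ skips the login check)
// Assumes a "/root" mapping to the site root (set in the ColdFusion Administrator),
// which lets a child Application.cfc name its parent without resolving to itself.
component extends="root.Application" {
    boolean function onRequestStart(required string targetPage) {
        return true;   // blank override: no login enforced for this folder
    }
}
```

The subfolder version inherits onApplicationStart, onSessionStart and the this.* settings from the parent and only replaces onRequestStart, which is the one method doing the login check.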
As always - I open it up for alternatives. (Although I wish smart people would stop adding comments that are ten times better than mine. What's wrong with you people?? :)
Archived Comments
I handle this situation by checking for the existence of a variable called Request.RequireLogin. If this value is TRUE and the user is not already logged in, then the redirect to the login page is triggered.
I usually use CFPARAM to provide a default value for this variable. This way, I only need to give a specific value for those pages that have non-default behaviour.
IMHO this is better than maintaining a centralized list of pages that do (or do not) require the login. As long as the variable is well documented, or even better is part of a common framework used by all pages of the site, there are few maintenance headaches with this approach.
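One way to implement the Request.RequireLogin flag described in that comment, as an added example (not the commenter's own code): because onRequestStart runs before the page has a chance to set anything, the check lives in a shared include that each page calls after setting the flag, and the CFPARAM default is TRUE so a page that forgets to set it is protected rather than exposed. File names, the /includes/ path and session.user as the login marker are assumptions:

```cfml
<!--- /includes/checkLogin.cfm: shared include, run by every page --->
<!--- Default is TRUE: a page that never sets the flag is protected, not exposed. --->
<cfparam name="request.requireLogin" type="boolean" default="true">

<cfif request.requireLogin and not structKeyExists(session, "user")>
    <!--- remember where the visitor was going so login.cfm can send them back --->
    <cfset session.returnTo = cgi.script_name>
    <cflocation url="/login.cfm" addtoken="false">
</cfif>

<!--- /forgotpassword.cfm: opts out explicitly, then runs the shared check --->
<cfset request.requireLogin = false>
<cfinclude template="/includes/checkLogin.cfm">
<!--- ... form asking for the e-mail address goes here ... --->

<!--- /account.cfm: sets nothing, so the default of TRUE applies and a login is required --->
<cfinclude template="/includes/checkLogin.cfm">
```

Note the opt-out has to be a literal FALSE on the page itself; with the default set to TRUE there is no way to accidentally expose a page by omitting a line.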
I have never really used the built-in cflogin/cflogout structure on my ColdFusion applications. Instead I have a custom security/login system that relies on Session scope variables to hold the login status, user role(s) and other information. I then simply have a function on my utility component or a template I can call/include at the top of any page that needs to be secured; it checks the user's login status and roles and (if necessary) redirects them to the login page. This call/include is never placed on public information pages or utility pages such as register, request new password, etc.
I tend to use a list, because I end up having many lists for things like exclusion from verity indexing, etc. Another technique I've used that's more portable is using a naming convention, i.e. if the left character is '_' then don't do something.
So I too like the idea of checking the file name - one thing though. You always want to err on the side of securing instead of not securing. I.e., don't say, if file name has foo in it, be secure, but rather say, if file name has foo, don't be secure. Basically, make it so if you screw up, it will tend to err towards being secure.