Chris asks:
I am running CFM 7. I noticed that in the CFAdmin, under Schedule Task, there is a username and password. How do you use this? I don't want anyone to run my task, only the person that knows the username and password. Thanks.
I bet you didn't realize (it's not very obvious) but there is a Help link in the upper right hand corner of the ColdFusion Administrator. It is context sensitive and provides help for the page you are currently using.
The username/password settings are only used if you are using your web server to secure the URL being used in the scheduled task. So if you don't want anyone else to run the task, this is what you want to do.
By the way, I will admit to not securing my Scheduled Tasks URLs all the time, especially if the running of the event is harmless.
Archived Comments
To be specific, the user name and password are intended to be used for webserver BASIC Authentication. If the URL is protected by DIGEST or NTLM Authentication then you cannot schedule a task to call that URL (nor can you run a CFHTTP or CFINVOKE/webservice call against it if not using BASIC Auth).
Thanks for the clarification. This should probably be in the help doc, don't you think?
I'll share a practice that I've developed with my custom tasks to make sure that they're only run by authorized personnel. I insert a condition where the script only runs if requesting user-agent (UA) is 'CFSCHEDULE'. If the UA is any other value, the script runs in "test" mode, where no permanent database actions are performed and any generated emails are sent to internal staff.
You can also require that any request include a URL variable containing a specific string, such as "task.cfm?token=eG!UdswF36$". If the correct token isn't included, stop processing with cfabort.
Neither of these methods is completely failsafe (for reasons many of us know), but they're reasonably safe for my purposes -- plus, it's convenient having a test mode for the script. Ray and Steven are correct that the best method for controlling access to a task would be basic authentication.
In addition to checking the user agent as Tom does, I also only allow my sensitive scheduled tasks to be accessed from specified client IP addresses. I do this with the web server (Apache HTTPD in my case) configuration rather than CF -- multiple layers of protection - like an onion, or an ogre.
If you are really concerned about the security, I think you can call your scheduled task via https so that anyone listening doesn't sniff out your username and password.
Yes, the clarification of which types of authentication can be handled by the username and password for scheduled tasks is poorly documented, not just in the CFAdmin, but in the CF Docs as well.
It is generally assumed that developers know that Scheduled Tasks are implemented by the same code that implements CFHTTP, and that CFHTTP documentation does have this detailed info on types of authentication.
A documentation bug for the omission already exists.
I recommend using the automation tool VisualCron instead of the built-in task scheduler.
Olav
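
The layered setup described in the post and comments above (web server Basic authentication, a client IP restriction, and HTTPS), sketched as an Apache HTTPD 2.4 configuration. This is an added example, not configuration from the original post or its commenters; the `/tasks/` path, realm name, password file location and IP address are assumptions to adapt.

```apache
# Added example: all paths, names and addresses below are placeholders.
# Protects every scheduled-task template under /tasks/ at the web server,
# before the request ever reaches ColdFusion.
<Location "/tasks/">
    # Refuse plain HTTP. Basic auth sends the username and password
    # base64-encoded (not encrypted) on every request, so it must only
    # travel over TLS.
    SSLRequireSSL

    # Basic is the scheme the Scheduled Task username/password fields
    # can answer; Digest or NTLM here would lock the scheduler out too.
    AuthType Basic
    AuthName "Scheduled tasks"
    AuthBasicProvider file
    # Create with: htpasswd -c /etc/apache2/tasks.htpasswd taskrunner
    # ("taskrunner" is a hypothetical account name; enter the same
    # username and password in the CF Administrator task definition.)
    AuthUserFile "/etc/apache2/tasks.htpasswd"

    # Both conditions must hold: valid credentials AND an allowed source
    # address. 127.0.0.1 assumes ColdFusion requests the URL from the
    # same host; replace it with the CF server's address otherwise.
    <RequireAll>
        Require valid-user
        Require ip 127.0.0.1
    </RequireAll>
</Location>
```

With this in place the task URL in the ColdFusion Administrator has to use `https://`, and a request that lacks either the credentials or an allowed source address is rejected by Apache with a 401 or 403 before any task code runs.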