More on VerifyClient - ColdFusion 8 Ajax Security Feature

A couple of days ago I wrote a blog entry on ColdFusion 8's Ajax security features:

ColdFusion 8 Ajax Security Features

I did some more playing around with verifyClient and wanted to share a few interesting tidbits.

First - verifyClient runs where you put it in your file. Ok, that sounds obvious, but you want to remember to put it on top of your file. If you have...

<cfset doSomethingSecure()> <cfset verifyClient()>

Then your doSomethingSecure() will run before the security check is made. Again - this is probably obvious, but you want to keep it in mind. As an interesting example, you can try/catch the check and log non-Ajax requests:

<cfoutput>hi, #cgi.query_string#</cfoutput>

<cftry> <cfset verifyClient()> <cfcatch> <cflog file="ajaxsec" text="Requested ajax page in non ajax fashion"> <cfrethrow> </cfcatch> </cftry>

<p> got past the VC </p>

Notice the use of cfrethrow. This ensures the error gets fired again after I've done my log.

Now for the second item to note. I wanted to investigate a bit how secure the test is. The first thing I did was build a page using the code above as test.cfm. I then built test2.cfm as:

<cfdiv bind="url:test.cfm" />

I ran the code in Firefox and noted that it ran as expected. I then used Firebug to check out the HTTP request. It looked like so (I'm adding a space between the url params to help it wrap better):

http://localhost/test.cfm?_cf_containerId=cf_div1186500510058 &_cf_nodebug=true&_cf_nocache=true &_cf_clientid=143760EA10A0D8188ACF5DB88765663E &_cf_rc=0

So on a whim, I copied the URL and pasted it into a new tab. And it worked! That was surprising. I pasted the same URL into Safari and got the error I got before. I then pointed Safari at test2.cfm. I noticed that test.cfm was loaded with the same URL, but a different _cf_clientid. (There is no Firebug for Safari, so I just modified test.cfm to output the cgi.query_string.) I pasted this URL into Safari and it worked fine as well.

So the take away from this is - verifyClient will only be secure if a user does a "proper" Ajax request first. After that they can request the URL directly as long as their session is active. Considering the nature of HTTP in general I think this is fine, but wanted to be sure people were aware.

Raymond Camden's Picture

About Raymond Camden

Raymond is a developer advocate. He focuses on JavaScript, serverless and enterprise cat demos. If you like this article, please consider visiting my Amazon Wishlist or donating via PayPal to show your support. You can even buy me a coffee!

Lafayette, LA