A couple of days ago I wrote a blog entry on ColdFusion 8's Ajax security features:
ColdFusion 8 Ajax Security Features
I did some more playing around with verifyClient and wanted to share a few interesting tidbits.
First - verifyClient runs where you put it in your file. Ok, that sounds obvious, but you want to remember to put it on top of your file. If you have...
<cfset doSomethingSecure()> <cfset verifyClient()>
Then your doSomethingSecure() will run before the security check is made. Again - this is probably obvious, but you want to keep it in mind. As an interesting example, you can try/catch the check and log non-Ajax requests:
<cftry> <cfset verifyClient()> <cfcatch> <cflog file="ajaxsec" text="Requested ajax page in non ajax fashion"> <cfrethrow> </cfcatch> </cftry>
<p> got past the VC </p>
Notice the use of cfrethrow. This ensures the error gets fired again after I've done my log.
Now for the second item to note. I wanted to investigate a bit how secure the test is. The first thing I did was build a page using the code above as test.cfm. I then built test2.cfm as:
<cfdiv bind="url:test.cfm" />
I ran the code in Firefox and noted that it ran as expected. I then used Firebug to check out the HTTP request. It looked like so (I'm adding a space between the url params to help it wrap better):
http://localhost/test.cfm?_cf_containerId=cf_div1186500510058 &_cf_nodebug=true&_cf_nocache=true &_cf_clientid=143760EA10A0D8188ACF5DB88765663E &_cf_rc=0
So on a whim, I copied the URL and pasted it into a new tab. And it worked! That was surprising. I pasted the same URL into Safari and got the error I got before. I then pointed Safari at test2.cfm. I noticed that test.cfm was loaded with the same URL, but a different _cf_clientid. (There is no Firebug for Safari, so I just modified test.cfm to output the cgi.query_string.) I pasted this URL into Safari and it worked fine as well.
So the take away from this is - verifyClient will only be secure if a user does a "proper" Ajax request first. After that they can request the URL directly as long as their session is active. Considering the nature of HTTP in general I think this is fine, but wanted to be sure people were aware.