
I'm developing a site that will have an admin section. I've Googled this and have found conflicting information (on blogs) regarding the best way to implement this. I'm hoping that some of you SO developers will have first-hand experience on this.

Is it better to have the login.cfm and login_process.cfm files within the Admin area or after authentication has been completed then route the user to the admin area? OR does it really matter? I'm leaning more towards the side of routing the user to the admin area AFTER authentication mainly just to hide the location of the admin area to people who don't have accounts to help ward off hacks.

Links supporting your answer are appreciated but not required unless I get conflicting answers. :)

James A Mohler
HPWD
  • I always put my login files before my secured area. It's easier to manage. Then in application.cfc I can check if cgi.script_name contains '/secured/' and session.adminid is "" to make sure that a cfm file within that whole structure is not being accessed. I've done it this way for over 10 years, no problems. – steve Mar 08 '13 at 16:20

2 Answers

It doesn't matter at all security-wise where your login scripts reside.

What does matter is that you actually check to make sure the user is authenticated and authorized before granting them access to the secure scripts, and not just relying on the fact that they won't know where the admin URLs are until they've signed in. I can't tell you how many broken sites I've seen where the admin URLs have been indexed by Google, allowing anyone to get in who stumbles upon it.

So your authentication process should have two steps.

  1. Authentication (your login.cfm and login_process.cfm scripts). This should check a user's credentials and then generally set something in the user's session scope.

  2. Authorization (in your admin area). This should check to see if the user is logged in (looking at the session variable you set in step 1), and (if you're implementing role or permissions based authorization) whether the user has access to the requested resource, displaying an error or giving a redirect if they aren't.

If you're trying to protect a whole directory, it's usually easiest to implement this in an application.cfm|cfc in the admin directory (so it automatically gets invoked on all pages in that directory). If you go that route, it becomes easiest to put the login scripts outside of the protected directory so you don't end up requiring users to be logged in to get to the login script.

Michael C. O'Connor
  • I hadn't thought about protecting an entire directory - I really like that approach. Can you provide a link or explain how to do that? My assumption is you'd set the session variables at the application.cfm|cfc root level (via the login.cfm and login_process.cfm) and then just perform the check in the admin/Application.cfm|cfc level, right? – HPWD Mar 08 '13 at 17:23
  • Also, would I need to include the root application.cfm|cfc file in the admin\application.cfm|cfc file, too? – HPWD Mar 08 '13 at 17:28
  • I don't have a link off hand, but it should be pretty easy. In your login process, just set something persistent once the user has authenticated, for example `session.username = #username#`, and then in admin/application.cfm, add a clause like ``. You may need to include the parent if you're doing other interesting stuff there. If you're using an application.cfc, that would go in the `onRequestStart` method. – Michael C. O'Connor Mar 08 '13 at 18:30
  • Alternatively, you could put that access block in the root `application` file and wrap it in a conditional like `...` – Michael C. O'Connor Mar 08 '13 at 18:30
  • It was pretty easy, I just needed to think it through a bit to protect the directory. thanks @michael-c-oconnor – HPWD Mar 08 '13 at 20:03
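As an added example (not code from the answer or its author), here is how the two steps above map onto ColdFusion files: a login script outside the protected directory that sets the session, and an Application.cfc inside /admin/ whose onRequestStart runs before every page there. The names session.username, session.roles and checkCredentials() are assumptions, not anything the answer prescribes; and note that an Application.cfc placed in /admin/ replaces the root one rather than inheriting from it unless you explicitly extend it.

```cfml
<!--- /admin/Application.cfc (added example): every request under /admin/
      passes through onRequestStart, so nothing in the directory is served
      before the checks below have run. --->
<cfcomponent output="false">
    <cfset this.name = "adminSite">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <cffunction name="onRequestStart" returnType="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Step 1 (authentication): /login_process.cfm, which lives
              OUTSIDE /admin/, is assumed to set session.username only after
              verifying credentials. Missing or empty means not logged in. --->
        <cfif NOT structKeyExists(session, "username")
              OR NOT len(trim(session.username))>
            <!--- cflocation redirects and ends the request here. --->
            <cflocation url="/login.cfm" addToken="false">
        </cfif>

        <!--- Step 2 (authorization): session.roles is assumed to be a
              comma-separated list set at login; only "admin" may continue. --->
        <cfif NOT structKeyExists(session, "roles")
              OR NOT listFindNoCase(session.roles, "admin")>
            <cfheader statusCode="403" statusText="Forbidden">
            <cfabort showError="Access denied.">
        </cfif>

        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- /login_process.cfm (added example, outside /admin/). checkCredentials()
      is a hypothetical function you supply; it returns a struct with
      username and roles on success and false otherwise. --->
<cfset user = checkCredentials(form.username, form.password)>
<cfif isStruct(user)>
    <!--- New session id on privilege change (sessionRotate is CF10+). --->
    <cfset sessionRotate()>
    <cfset session.username = user.username>
    <cfset session.roles = user.roles>   <!--- e.g. "admin,editor" --->
    <cflocation url="/admin/index.cfm" addToken="false">
<cfelse>
    <cflocation url="/login.cfm?failed=1" addToken="false">
</cfif>
```

Because login.cfm and login_process.cfm sit outside /admin/, the Application.cfc above never blocks the login itself, which is the point made at the end of the answer.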

Remember that cf can only protect cfm files; it will not stop anyone accessing images, .html, .pdf docs etc. if they know the url. So it depends what you want to protect. If it is a simple admin area then this will likely suffice. For best security, if you need to secure non-cf files and resources you should use htaccess or similar to protect entire folders and everything in them. There are ways to do it using cfcontent on a small scale.

snake