I have several methods in CFCs that are accessed remotely via JavaScript. Some of these methods use SESSION variables to determine what logic to run, and thereby, what data to return.

For instance, let's say I set a SESSION variable upon login called SESSION.IsMale.

In my remote CFC method, I run the following code:

<cffunction name="getFavoriteColor" access="remote" returntype="String">
    <cfif SESSION.IsMale>
        <cfreturn "blue" />
    </cfif>

    <cfreturn "pink" />
</cffunction>

Now, I don't want to directly access the SESSION scope in my CFC. So, how can I "access" the SESSION scope when calling this method using AJAX?

I don't want to store the values in the page as Global JavaScript variables, since that defeats the purpose of keeping them secure.

Eric Belair
  • I'd just like to state that the example above is EXTREMELY simplified pseudo-code. It's possible my methods access several SESSION variables at different points. – Eric Belair Oct 24 '11 at 20:42
  • 3
    "I don't want to directly access the SESSION scope in my CFC" why? and where's the question? – Henry Oct 24 '11 at 22:38
  • 1
    @Henry because it breaks encapsulation. – Shawn Holmes Oct 25 '11 at 18:10
  • I don't think it has to do with encapsulation. I think the KISS rule overrides that in this case. And if I care about testability, I can simply use `cfargument` sess default to `#Session#` – Henry Oct 25 '11 at 18:20
  • 1
    I disagree with Henry. Breaking encapsulation is still a bad thing that makes your app less maintainable. Making the session scope a default argument may solve that problem (barely), but you then still have a separation of concerns issue. Your component should not care about securing itself; it should care about being whatever it is. That is where ColdSpring, Remote Proxies, and AOP can really help you. You can secure your components and methods without putting any security code in those methods at all. It's separated. – Jason Dean Oct 25 '11 at 20:25
  • Am I missing the obvious? If you don't want to break encapsulation, why not just pass the session variable into your function when it's called? – Limey Oct 25 '11 at 21:23
  • Because he is calling it remotely, like from an Ajax request. – Jason Dean Oct 25 '11 at 22:12

2 Answers

The best answer I can offer is to look at using ColdSpring to create Remote Proxies and to create AOP interceptors to handle the validation.

It is a lot less complicated than it sounds.

I cover it in my Securing Ajax presentation here: http://www.12robots.com/index.cfm/2010/8/19/My-Presentations-slides-from-cfObjective-NCDevCon-and-CFUnited

And there is more on it in the ColdSpring documentation here: http://www.coldspringframework.org/index.cfm/go/documentation

Jason Dean

Jason's advice is always worth listening to, but if ColdSpring seems too much, you might consider just creating your own simple remote proxy: a CFC below your webroot dedicated to responding to remote ajax calls. You write remote methods here which will then interact with other CFCs in your model/service (or however you organise them), using their existing APIs and passing/returning values from the session scope as necessary.

The effect is the same: encapsulation is preserved and access controlled.

CfSimplicity
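As an added illustration of the hand-rolled remote proxy described in the answer above (this is example code, not CfSimplicity's or the ColdSpring project's), here are two CFCs: a model component that takes everything as arguments and never sees SESSION, and a thin remote proxy that performs the session check and passes only the needed value through. File paths, component names and the `IsMale` session key are assumed from the question.

```cfml
<!--- File 1 (assumed path): model/ColorService.cfc --->
<!--- Holds the business logic only. It never reads SESSION; every input arrives
      as an argument, so it can be unit-tested and reused outside a request. --->
<cfcomponent output="false">
    <cffunction name="getFavoriteColor" access="public" returntype="string" output="false">
        <cfargument name="isMale" type="boolean" required="true" />
        <cfif arguments.isMale>
            <cfreturn "blue" />
        </cfif>
        <cfreturn "pink" />
    </cffunction>
</cfcomponent>

<!--- File 2 (assumed path): remote/ColorProxy.cfc --->
<!--- The only CFC exposed to the browser, reached with the usual ColdFusion URL
      form /remote/ColorProxy.cfc?method=getFavoriteColor. It owns the session
      check and translates SESSION into plain arguments for the model. --->
<cfcomponent output="false">
    <cffunction name="getFavoriteColor" access="remote" returntype="string"
                returnformat="plain" output="false">
        <cfset var svc = "" />

        <!--- A remote method is a public URL: the proxy, not the client,
              decides whether an authenticated session exists before any
              logic runs. Anonymous callers get a 401 and an empty body. --->
        <cfif NOT structKeyExists(SESSION, "IsMale")>
            <cfheader statuscode="401" statustext="Unauthorized" />
            <cfreturn "" />
        </cfif>

        <!--- Hand the model only the value it needs, never the scope itself,
              so SESSION access lives in exactly one place. --->
        <cfset svc = createObject("component", "model.ColorService") />
        <cfreturn svc.getFavoriteColor(isMale = SESSION.IsMale) />
    </cffunction>
</cfcomponent>
```

The JavaScript side is unchanged: it calls the proxy URL exactly as it called the original remote method, and no session value is ever sent to or stored in the browser.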