Windows User Directory Security bypassed? - Coldfusion Security

  1. #1

    Windows User Directory Security bypassed?

    Using IIS6 under Windows 2003 with CFMX 6.1. When a cfm script file is
    located in a windows security restricted directory, the user is prompted for a
    login (user/password) prior to access. However, any user/password combination
    for that computer is accepted even when the directory is restricted to a
    specific user or usergroup. A html file in the same restricted directory works
    correctly, only allowing the specific user or group access and denying all
    others. If the url is just a directory reference (i.e. relies on the IIS
    default filename to resolve to a cfm script file), then user security works
    correctly. This seems like a rather large hole in CF security. Is there a way
    to implement user based security so different users have access to specific
    directories?

    rrzzy Guest

  2. #2

    Re: Windows User Directory Security bypassed?

    But it's IIS handling the security (ie: the user login screen). What SHOULDN'T
    be happening is that IIS shouldn't be handing the request off to CF if the
    authentication isn't validated.

    It's not CF's job to handle website security: if it receives a request from
    the webserver, it'll fulfil the request.

    Adam

    Adam Cameron Guest

  3. #3

    Re: Windows User Directory Security bypassed?

    I have the same problem with Windows authentication not securing ColdFusion docs. It appears to work on all other objects in a directory but not on the cfm pages. Has anyone come up with a solution?
    Unregistered Guest

  4. #4

    Re: Windows User Directory Security bypassed?

    If you have a dir that you want only certain users to access, use Application.cfm to control access. CF 7 introduced Application.cfc.

    Search the documentation on user authentication with Application.cfm.

    Basically, the Application.cfm can be put in any dir that needs to be secured. In order to get access to that dir, users will need to have a user session. It is in the Application.cfm that you define your session, e.g. how long it should exist before it expires if there is no activity, which page to take people to if they need to log in, which page to go to if the password is wrong, and logging them in if the username and password are correct.

    Also note that you may need to encrypt and decrypt the password; it is not advised to use plain text to store emails and passwords on DBs.

    You might also consider upgrading CF.
    n_kips, Junior Member (joined May 2012, 3 posts)
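
Added example, not part of any post in this thread: an Application.cfm for the restricted directory that re-checks authorization inside ColdFusion, so a .cfm request is refused unless the account IIS authenticated is on the directory's allow-list. It assumes IIS passes the authenticated account name in CGI.AUTH_USER; the application name, the account names and the log file name are constructed placeholders.

```cfml
<!--- Application.cfm: ColdFusion runs this before every .cfm page in this
      directory, and in subdirectories that have no Application.cfm of their own.
      Added example; names below are placeholders, not values from the thread. --->
<cfapplication name="restrictedDirExample"
               sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#">

<!--- Assumption: constructed allow-list of DOMAIN\user accounts for this directory.
      Keep it in line with the NTFS/IIS permissions set on the folder. --->
<cfset allowedUsers = "EXAMPLE\alice,EXAMPLE\bob">

<!--- Assumption: IIS fills CGI.AUTH_USER once Windows or Basic authentication succeeds.
      An empty value means the request reached ColdFusion without an authenticated user. --->
<cfset authUser = Trim(CGI.AUTH_USER)>

<!--- Fail closed: deny when there is no authenticated user or the user is not listed. --->
<cfif Len(authUser) EQ 0 OR ListFindNoCase(allowedUsers, authUser) EQ 0>
    <!--- Record the denial so repeated attempts are visible in the ColdFusion logs. --->
    <cflog file="restricted_dir_denied"
           type="warning"
           text="Denied user=[#authUser#] page=[#CGI.SCRIPT_NAME#] ip=[#CGI.REMOTE_ADDR#]">
    <cfheader statuscode="403" statustext="Forbidden">
    <cfoutput>Access denied.</cfoutput>
    <cfabort>
</cfif>

<!--- Execution reaches this point only for allow-listed accounts;
      the requested .cfm page runs after this file finishes. --->
```

This check is a second layer behind the IIS directory permissions, not a substitute for fixing them: it covers only requests that ColdFusion processes, so static files in the directory still depend on IIS.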
