Ben Nadel at CF Summit West 2024 (Las Vegas) with: Rex Aglibot

XStandard Web Services And ColdFusion Security

By Ben Nadel

I was having a bit of trouble with security at one point while implementing the ColdFusion web services of XStandard. XStandard calls ColdFusion (.cfm) pages for my version of the web services. Below are two examples of the web service URLs, as passed to the XStandard editor through its param tags:

<!--- Attachment library. --->
<param
	name="AttachmentLibraryURL"
	value="#strXSDirectory#xs_attachment_library.cfm"
	/>

<!--- Image library. --->
<param
	name="ImageLibraryURL"
	value="#strXSDirectory#xs_image_library.cfm"
	/>

Since these go through .cfm pages, they are subject to the same security as any other page of my content management system (CMS). This is good for me, bad for XStandard. See, when XStandard calls the web service, it doesn't use the browser's current session (at least not in Firefox... I think it might in IE), so the request arrives without the session cookies and fails the permission check. To get around this, I updated my security settings to allow anonymous access to files starting with "xs_", which stands for XStandard (i.e. I am not checking permissions on file access when the file name begins with "xs_").

This never made me feel good, as it opened up holes in my security: anyone who could reach the server could call any "xs_" page without logging in. I didn't think much harm could come of it, but still, not a good practice. Then the other day, it hit me like a lightning bolt!! Why not force XStandard to send the session information with the web service calls?

Think about the CFLocation tag. One of its attributes is "AddToken". It exists because if you send the CFID and CFTOKEN in the URL, the ColdFusion server will look up that session and use it for the resulting page request, even when no session cookies accompany the request. Moving this idea over to the XStandard web service calls, we get:

<!--- Attachment library. --->
<param
	name="AttachmentLibraryURL"
	value="#strXSDirectory#xs_attachment_library.cfm?cfid=#SESSION.CFID#&cftoken=#SESSION.CFTOKEN#"
	/>

<!--- Image library. --->
<param
	name="ImageLibraryURL"
	value="#strXSDirectory#xs_image_library.cfm?cfid=#SESSION.CFID#&cftoken=#SESSION.CFTOKEN#"
	/>

I am now forcing XStandard to send the current user's session information with the web service calls. Not only does this allow me to remove my security hole (because the web service pages now go through the same permission checks as every other page, so the "xs_" exemption can be deleted), it also lets the web services read from the user's session (if they need to), thereby integrating more fully with the ColdFusion application. One caveat: session identifiers on the query string are recorded wherever URLs are recorded (web server logs, browser history, Referer headers), so the tokens are more exposed this way than in a cookie; keep session timeouts short and treat those logs as sensitive.
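As an added example (not code from the post or from XStandard), here is how the two approaches above look side by side in an Application.cfc onRequestStart handler: the original "xs_" file-name exemption, left in as a commented-out block, beside the check that now applies to every page once XStandard carries cfid/cftoken on its URLs. The application name, the session key session.userID, and the 401 response are assumptions for the illustration; the post does not show how its CMS records a login.

```cfml
<!---
	Application.cfc (added example, not the post's own code).
	Assumes the CMS sets session.userID when a user logs in.
--->
<cfcomponent output="false">

	<cfset this.name = "XStandardDemo" />
	<cfset this.sessionManagement = true />
	<cfset this.sessionTimeout = createTimeSpan( 0, 0, 30, 0 ) />

	<cffunction name="onRequestStart" returntype="boolean" output="false">
		<cfargument name="targetPage" type="string" required="true" />

		<!--- File name portion of the requested script, e.g. "xs_image_library.cfm". --->
		<cfset var fileName = listLast( arguments.targetPage, "/" ) />

		<!---
			BEFORE (the original work-around): any request whose file name begins
			with "xs_" skipped the permission check entirely. Nothing tied the
			request to a logged-in user, so anyone who could reach the server
			could call these pages. Kept here only to show the weak setting.
		--->
		<!---
		<cfif left( fileName, 3 ) eq "xs_">
			<cfreturn true />
		</cfif>
		--->

		<!---
			AFTER: every page, the XStandard web-service pages included, needs an
			authenticated session. ColdFusion reads cfid/cftoken from the URL scope
			before this method runs, so an XStandard call built with
			"?cfid=#session.cfid#&cftoken=#session.cftoken#" resolves the same
			SESSION scope the editing user already has. Legitimate editor calls
			pass; anonymous calls to xs_* pages get a 401 like any other page.
		--->
		<cfif not structKeyExists( session, "userID" )>
			<cfheader statuscode="401" statustext="Unauthorized" />
			<cfabort />
		</cfif>

		<cfreturn true />
	</cffunction>

</cfcomponent>
```

No extra code is needed to bind the XStandard request to the session: ColdFusion honours URL cfid/cftoken on its own. The change is only that the check stops trusting the file name, so a request to xs_image_library.cfm without a valid session is refused exactly like a request to any other CMS page.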
