2

I have an authenticated website that has a subdirectory with stronger access requirements. Anyone can register for the main website, but only site administrators can log into the subdirectory. Currently, both the main site and subdirectory each have their own application.cfm files and login pages.

I've recently updated from ColdFusion 8 to CF 10 and have had to do a lot of reconfiguring of my session handling. I am now using session-only cookies to help maintain the user's session as they move around the site.

With this change in behavior in CF 10, I'm concerned that site administrators who are also registered to the main website will get their sessions scrambled if they go back and forth between the two applications (for example, to see if they can replicate a user's problems or look up database details while they're logged into the main site).

The credentials for both the main site and the subdirectory come from the same user database, with site administrators having a flag that permits them extra access. I can easily write a script that checks to see if a user logged in on either the main site or the subdirectory and direct them appropriately if they change places.

Bottom line, in the CF 10 world, do I need a second application.cfm, and, subsequently, a second set of session variables, for that subdirectory?

(Note: I've looked at both Coldfusion Cross site authentication and Can you have multiple cfapplications in an application.cfm? entries, and, while they have a lot of goodies here, don't quite answer my query.)

Community
  • 1
  • 1
Mike Zavarello
  • 3,514
  • 4
  • 29
  • 43
  • required, no, but you could consider it to be beneficial to separate them. I usually don't separate them and do the authentication in the onrequest or onrequeststart. If they aren't allowed to view the page they are requesting, give them a 401 page. – Kevin B Jul 30 '14 at 14:49
  • I usually separate them so that i don't have to deal with managing two separate sessions. If you don't separate them, you have to either detect if they are already logged in (is that even possible without making your own cookie?) or have them login again. – Kevin B Jul 30 '14 at 14:51
  • @KevinB Thanks for the elaboration; I had removed my comment b/c I realized I didn't see the entirety of your first one. I'm checking a session variable to see whether they've logged in, with the session-only cookies remembering CFID and CFTOKEN details as they move around the site. I use a lot of cflocation, which now tends to wreak havoc with non-cookie sessions, much to my recent dismay. – Mike Zavarello Jul 30 '14 at 14:55

2 Answers2

2

No, it is not necessary to have multiple application.cfm/cfc files. It isn't even necessary to have the first one. However, it isn't necessarily a bad thing to have multiple either. If you have multiple, you can have different onerror and onrequest handling for the subdirectory, if that's beneficial to your goals.

I prefer to only use one application.cfc so that all of my application routing/authentication/error handling is done up front rather than being split between main application and admin area, and I don't have to deal with multiple sessions per user.

Kevin B
  • 94,570
  • 16
  • 163
  • 180
0

if you have session variables in application.cfm in the parent directory, you can just <cfinclude> it in the application.cfm file in subdirectory. So that you can have the same session values to the files in subdirectory too.

Example application.cfm in subdirectory:

<cfinclude template="/home_directory/application.cfm" />

Note: here no need to use <cfapplication> tag.

Pradeep Kumar
  • 4,065
  • 2
  • 33
  • 40