3

If I have a site where there is a protected back end and I'm looking to use an application.cfm file, how can I tell which pages use the application files and which ones do not?

index.cfm
update/application.cfm
update/loginexpired.cfm
update/login.cfm
update/somesecurepage.cfm
update/someothersecurepage.cfm

I want updates/login.cfm to create the session if the login is correct. If the secure pages update/somesecurepage.cfm and update/someothersecurepage.cfm are accessed without correct login the application should forward to update/loginexpired.cfm but I don't want any of the other pages to use application.cfm.

Is this plausible or should I use cfinclude instead?

James A Mohler
Daniel

4 Answers

4
  1. Always make sure you name your Application.cfm and Application.cfc files with a capital "A". This way, if you move from Windows to a case-sensitive file system, you won't have an issue where ColdFusion cannot find your Application.cfm/cfc files.

  2. As far as your question goes, with your current structure, all files in the "update" folder will use the Application.cfm file. It will be executed before any other code in those files. If you only want certain pages to redirect to a loginexpired page, then I would typically create a subfolder, put an Application.cfm file in that folder that includes the Application.cfm file from the parent folder: <cfinclude template="../Application.cfm" />. Then in this file, you would add your security check. In the parent Application.cfm file you would include the <cfapplication /> tag. If you are using sessions, be sure to enable session management in your cfapplication tag. (<cfapplication name="myappname" sessionmanagement="true" />)

  3. You really should have an Application.cfm or Application.cfc file in the root of your site. If you do not, the application will run without an application scope. ColdFusion has a kind of "unnamed" application where this would run without a defined application name. You will most likely encounter undesired effects. All CF apps should have a named application, using the cfapplication tag or an Application.cfc file with this.name set.

  4. If you are writing this as a new application, I would suggest you use Application.cfc instead of Application.cfm. You will have access to the application, session and request life cycles (onApplicationStart/End, onSessionStart/End, onRequestStart/End) as well as the onError and onMissingTemplate event handlers, giving you more control over the flow of your application.

Sean Coyne
  • How can I prevent static html pages with a .cfm extension from redirecting? Or should the application not have the redirect functionality? – Daniel Apr 21 '11 at 22:03
  • Any cfm page in a folder with an Application.cfm file will use that code. If you don't want it to run, you can use a decision to look at the requested page and see if it's in your "do not run" list and conditionally execute the redirect code. I would suggest you spend more time organizing your pages though into better directory structures and then use Application.cfm files (using cfinclude to pull in parent Application.cfm files) so that you are executing the proper code for the proper pages. You can do the same with Application.cfc, however instead of cfinclude, you would extend the parent. – Sean Coyne Apr 21 '11 at 22:08
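
The approach from the answer and comments above, as an added example that is not part of the original posts: an update/Application.cfm that includes the root Application.cfm, exempts login.cfm and loginexpired.cfm through a "do not run" list, and redirects every other request that lacks a logged-in session. The flag session.loggedIn and the variable names are assumptions, and the root Application.cfm is assumed to hold the cfapplication tag quoted in the answer.

```cfml
<!--- update/Application.cfm (added example). ColdFusion runs this file
      before every .cfm page requested from the update/ folder. --->

<!--- Pull in the root Application.cfm, assumed to contain:
      <cfapplication name="myappname" sessionmanagement="true" /> --->
<cfinclude template="../Application.cfm" />

<!--- Pages that must stay reachable without a login. If loginexpired.cfm
      were not listed here, it would redirect to itself in a loop. --->
<cfset publicPages = "login.cfm,loginexpired.cfm" />

<!--- getBaseTemplatePath() is the page the browser asked for;
      getCurrentTemplatePath() is this Application.cfm. Both are file system
      paths, so query strings and extra URL path info cannot affect the match. --->
<cfset requestedPage = getFileFromPath(getBaseTemplatePath()) />
<cfset requestedDir  = getDirectoryFromPath(getBaseTemplatePath()) />
<cfset thisDir       = getDirectoryFromPath(getCurrentTemplatePath()) />

<!--- A page is public only if it sits directly in update/ AND its exact
      file name is on the list. A login.cfm in a subfolder is not exempt. --->
<cfset isPublic = (requestedDir EQ thisDir)
                  AND (listFindNoCase(publicPages, requestedPage) GT 0) />

<!--- Default deny: anything not explicitly public needs a logged-in session.
      session.loggedIn is a hypothetical flag that login.cfm sets to true
      only after the credentials have been verified. --->
<cfif NOT isPublic>
    <cfif NOT (structKeyExists(session, "loggedIn") AND session.loggedIn IS true)>
        <!--- addtoken="false" keeps CFID/CFTOKEN out of the redirect URL.
              cflocation also stops processing of the requested page, so
              nothing from the secure page is rendered. --->
        <cflocation url="loginexpired.cfm" addtoken="false" />
    </cfif>
</cfif>
```

The relative redirect assumes the protected pages sit directly in update/; index.cfm in the site root is unaffected because this file is only found for requests inside update/.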
1

When a .cfm page is loaded, it will first look for an Application.cfc (The modern, recommended Application object) in the same folder and run it. If that file is not present, it will look for an Application.cfm (the old way of instantiating an Application.)

If neither exists in that folder, it will look up the tree to the next folder and check there for Application.cfc, then Application.cfm. It will repeat this until it finds one or gets to the root of the server.

Therefore, ALL of the files you listed in your 'update' folder will automatically use the application.cfm. Only the index.cfm listed in the root will not. (because neither Application.cfc nor Application.cfm are located in that folder.)

So it would be best to use an Application.cfc in the root of your site for everyone, and then put the locked down pages in a subfolder with a more restrictive Application.cfc.

I hope that answers your question directly. Otherwise, I agree with what Sean stated.

More info about Application.cfc and Application.cfm is available on Adobe's ColdFusion site.

Dan Sorensen
0

I suggest that you make a different Application.cfm (pref. Application.cfc) for the public area and secure area. Also define a different name for each of those applications.

JoeriBijl
-1

Oops, spelling error

I suggest that you make a different Application.cfm (pref. Application.cfc) for the public area and secure area. Also define a different name for each of those applications.

  • If you have different application names, you will have separate session scopes. It will be more difficult to determine logged in/out status from the public area. I would suggest you use the same application name for both areas and secure the proper area. – Sean Coyne Apr 22 '11 at 12:55