CFDIRECTORY blocked by hosting provider. Any alternatives? - coldfusion

I am working on an intranet enhancement that will allow the user to open the latest instance (most recently modified or created) of a file within a given directory.
Unfortunately, the cfdirectory tag (and a few others) are blocked by the hosting provider. I essentially need to mimic the functionality of this piece of code without using cfdirectory:
<cfdirectory action="list" directory="\\SERVERABC\FILEDIR" name="myDirectory">
<cfloop query="mydirectory">
<cfoutput>
<cfif mydirectory.dateLastModified EQ DateFormat(Now(),'mm/dd/yy')>
<!--- ..display link to file for user to download --->
</cfif>
</cfoutput>
</cfloop>
The FileExists() function is available. But the default ColdFusion user would not have access to all the network locations that might be available to the actual user within the application itself.

You need to ask your host to give you a security sandbox so you can use those tags. The only reason they couldn't do this is if they are running the CF Standard Edition, and not Enterprise. If that is the case, you are out of luck as all file I/O tags will be unavailable. No professional CF host runs the Standard Edition.

Related

How to use CFLDAP without a hard-coded password

I am using CFLDAP in a ColdFusion application.
Currently, the SERVER, USERNAME, and PASSWORD are hard-coded in the application.cfc as application scope variables.
<cfscript>
application.ldapserver = "servername";
application.ldapuser = "username";
application.ldappwd = "password";
</cfscript>
Later in my code, I am using CFLDAP:
<CFLDAP name="GetLDAPinfo" action="query"
server = "#application.ldapserver#"
username = "#application.ldapuser#"
password = "#application.ldappwd#"
....
</CFLDAP>
How can I get around using a hard-coded username and password?
I was hoping to find something to configure in the ColdFusion Administrator similar to how e-mail is set up, but I didn't find anything.
Thanks.
Environment variables are commonly used for storing credentials on a server. Maybe this article will help: Reading Environment Variables In ColdFusion
Using the environment variables approach with plain text files is an accepted practice. You don't store that file in source control, but manage the per-environment settings in a secure location.
Local devs get local credentials (ideally unique per developer), but they don't see credentials for higher environments. Those should only be accessible by the appropriate users.
Here's an example of using .env files with NodeJS.
Alternatively, you could store the credentials in the database and retrieve them on application start. But even then, do the local developers have access to that environment's database? And you can always dump the application scope to view the values. Or you could use something like AWS Secrets Manager, but I don't know how well that works with non-AWS systems.
Since the current credentials are hardcoded, they'll always be in source control history. Make sure
- you're rotating those credentials as part of this effort
- creating credentials per environment
- rotating them all on a regular basis
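One way to apply the environment-variable approach suggested above to the CFLDAP settings, as an added example that is not from the original posts. The variable names LDAP_SERVER, LDAP_USER and LDAP_PASSWORD and the application name are assumptions, and a script-based Application.cfc (ColdFusion 9 or later) is assumed; the existing CFLDAP call keeps reading application.ldapserver, application.ldapuser and application.ldappwd.

```cfml
// Application.cfc (added example, not the poster's code)
component {
    this.name = "ldapEnvExample"; // hypothetical application name

    // Application-scope key -> environment variable name.
    // The variable names are assumptions; set them per environment,
    // outside source control.
    variables.requiredEnv = {
        ldapserver = "LDAP_SERVER",
        ldapuser   = "LDAP_USER",
        ldappwd    = "LDAP_PASSWORD"
    };

    public boolean function onApplicationStart() {
        var system   = createObject("java", "java.lang.System");
        var missing  = [];
        var settings = {};

        for (var key in variables.requiredEnv) {
            var value = system.getenv(variables.requiredEnv[key]);
            // getenv() returns a Java null for an unset variable, which
            // CFML treats as undefined, so test with isNull() first.
            if (isNull(value) || !len(trim(value))) {
                arrayAppend(missing, variables.requiredEnv[key]);
            } else {
                settings[key] = value;
            }
        }

        // Fail closed: refuse to start rather than bind with partial or
        // empty credentials. Only variable names are reported, never values.
        if (arrayLen(missing)) {
            throw(type = "Config.MissingEnv",
                  message = "Missing environment variables: " & arrayToList(missing));
        }

        structAppend(application, settings, true);
        return true;
    }
}
```

The values still live in the application scope after startup, so anyone who can dump that scope can read them; the gain is that they no longer sit in the code base or its history.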

coldfusion <cfdirectory> windows domain controller network drive permission

I have an issue accessing a directory using <cfdirectory> in ColdFusion. I'm a bit new in ColdFusion, if I issue:
<cfset mPath = "\\192.168.0.18\share\Pol\">
<cfdirectory directory="#mPath#" action="list" name="dir" sort="#url.sort#">
This code can list the directory and all of its folders.
But when I chose a password protected drive over the network it can't display anything. The results are empty, but I actually have folders inside in this drive.
We are running under Windows Domain Controller. My account is allowed full access control and also the ColdFusion server IP or account as well.
<cfset mPath = "\\192.168.0.21\hse_scan">
<cfdirectory directory="#mPath#" action="list" name="dir" sort="#url.sort#">
No folders and subfolders detected in ColdFusion.
Is there anything I could set in the ColdFusion Server settings?
You said your account has full access, but ColdFusion - by default - will not be starting up using your account, it'll be using the local system account (check this in the Services control panel). To access network resources, ColdFusion will also need to run using a domain account. I suspect this is your problem.

coldfusion queries

Anytime I'm using a query I need to log into the database (as I don't have ODBC setup to do it)
<cfquery name="rsUser" datasource="dbname" username="admin" password="adminpass">
SELECT *
FROM dbo.UsersView
WHERE UserID = #session.userid#
</cfquery>
The part I don't like is having the username and password visible every time I make a query. I could use a #parameter# but that is only a small improvement. Any other ideas short of setting up the ODBC on the server?
If you are using a datasource, you don't need to supply the username and password, they are provided when you set up the datasource. If you don't set up a datasource in the CF Administrator, then you have to use username and password attributes but you'd also have to supply the db server information as well.
So, in short, just pull out your username and password and you should be fine.
Also, it is best practice to use cfqueryparam for values passed into your query (in this case, session.userid). cfqueryparam not only helps protect you against security issues like SQL injection attacks, it also tells the db server to create a prepared statement which will be reused in subsequent calls of the query and thus will increase performance of your queries.
Sometimes people don't like to put their username and password into the CF Admin and there is a simple way around that, which would be to put your datasource information in the Application.cf(c|m).
If using Application.cfm just do the following somewhere in the Application.cfm
<cfscript>
Application.dsn = {
datasource = 'mydatasource',
username = 'myusername',
password = 'mypassword'
};
</cfscript>
If using Application.cfc place the same code into your onApplicationStart method. Then in your query just use the following
<cfquery name="myquery" attributeCollection="#Application.dsn#">
SELECT * FROM mytable
</cfquery>
As you can see this makes your code nice and easy to manage and if your DSN changes you only have to change it in one place.
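The query from the question with the advice above about dropping the credentials from the tag and using cfqueryparam applied, as an added example that is not from the original posts. It assumes dbname is a datasource defined in the ColdFusion Administrator with its own credentials and that UserID is an integer column.

```cfml
<!--- Added example. No username/password attributes: the datasource
      definition in the ColdFusion Administrator supplies them. --->
<cfquery name="rsUser" datasource="dbname">
    SELECT *
    FROM dbo.UsersView
    WHERE UserID = <cfqueryparam value="#session.userid#" cfsqltype="cf_sql_integer">
</cfquery>
<!--- With cf_sql_integer (an assumption about the column type) ColdFusion
      rejects a non-numeric value before the statement is sent, and the value
      travels as a bind parameter instead of being concatenated into the SQL. --->
```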

Coldfusion 8 Cookies disappearing mid-session with IE8

I am dealing with a ticketing system that was written about 10 years ago using ColdFusion 8. When a user is authenticated and logs in, the user's information about his ID is saved in CF cookies, and the site uses those cookies to fill in the user's ID, name, etc. when the user is filling out tickets.
This application works fine in Internet Explorer 6.0. However, we are slowly migrating to Internet Explorer 8, so there are some users here that already started using IE8 full-time. We've been getting complaints from some of these IE8 users, in which mid-session, the cookies are lost/become null, and the user can't complete the tickets. Users are able to login just fine, but sometimes in mid-session, errors like "NAME UNDEFINED" appear. They don't seem to be isolated to particular tickets because I've looked at all the complaints we have, and they're discovered in all sorts of tickets. I check the logs/screenshots and sure enough, the cookie for the employee ID is null. I've searched all over the web and I can't find good fixes for this.
I thought about converting cookies to session variables, but that would be a massive undertaking and require a lot of testing.
Any thoughts? Thanks in advance.
Any chance the domain is changing? You could be switching between www.servername.com and servername.com? Unless you were writing domain cookies, a change in the domain would cause the cookies written for one domain to be inaccessible from another. You can enable domain cookies in your Application.cfm or Application.cfc file. Either set <cfset this.setDomainCookies = true /> in Application.cfc or set the setDomainCookies="true" attribute on your <cfapplication /> tag. This will write cookies accessible from any subdomain.
Have the cookies expired? You can set an expiration date for the cookie. Perhaps it is expiring before the user's session expires?
Have you tried using the IE development toolbar to track the cookies? You can use it to view cookies set for your site.
In one of my applications, our users are facing the same issue. It started all of a sudden without any change in code. We suggest that they clear the cache and retry, and it works. But I need to know the root cause and its fix.
Thank you

Show / Hide page data depending if users are logged in or not. Coldfusion / Dreamweaver

I am trying to create a way to show and hide a number of different elements on my page, depending if the user is logged in or not.
For example I want to hide 'Logout' if users are not logged in, and 'login' when they are.
I'm using Coldfusion and Dreamweaver - is there any quick easy code I am able to use to wrap around the page elements I want to hide?
Thanks for any help.
Georgia.
Generically, if you have a session variable called "loggedIn" and (assuming it's boolean) it's as simple as:
<cfif session.loggedIn>
<!--- display logged in code --->
</cfif>
OR
<cfif NOT session.loggedIn>
<!--- display not logged in code --->
</cfif>
But, I mean, it really depends on how you're tracking whether a user is logged in or not.
If you are using the standard CFLOGIN built into Coldfusion you can show/hide elements by checking for a logged in user:
<cfif GetAuthUser() neq "">
Show Logout button
</cfif>
http://livedocs.adobe.com/coldfusion/8/Tags_j-l_07.html
If you are using Dreamweaver's Log In User server behavior, then it creates a session variable named MM_Username (Session.MM_Username) that contains the user name from the log in form. When that variable exists and is not an empty string, then the user is considered logged in. All you should need to do is to check for the existence of that variable and it not being an empty string.
My CF is rusty, and I don't have a system with ColdFusion installed to be able to give you tested code, but it should be something along the lines of the following:
<cfif IsDefined("Session.MM_Username") And Session.MM_Username NEQ "">
Logout link here
<cfelse>
Log in link here
</cfif>
FYI: The Log Out User server behavior sets that session variable to an empty string rather than destroying the variable, that's why you need to check for it not being an empty string using the Dreamweaver Log in/out server behaviors.