I am a big fan of fusebox, I like the way it handles inheritance, and I love the fact that it instinctively lends itself to a modular approach.

Part of the strength in using fusebox is in knowing exactly when each of the framework fuse actions run, and just what sort of functionality you can embed in them. In this case I'm using the "Pre fuse Action" to perform a basic security validation on any fuseactions in that circuit.

Above is a blank prefuseaction, insert any code you want to perform on any of the other fuseactions in that circuit here. Note that it runs before the circuit action.

A basic session validation script could be something like:

In the code above I am checking for a valid session variables, and if it is not there sets an error message and redirects to the homepage.

This is a pretty basic "catch all - are you logged in?" type query, but if you have an administration circuit then it provides good basic fuseaction protection. I've extended it out one step further by creating a cfc call to this code which just returns true/false. Something like this:

I am currently extending this further with more robust security, and user roles and groups.

Whilst looking at creating dynamic Sitemaps for Google bot spidering I found that I needed to populate an XML node with the last modified date of the templates. I figured there must be a programmatic way of doing this, so after some searching around this is what I ended out with:

This creates a java object, using the date and file utilities we can use 'getcurrenttemplatepath()' to provide the path data, finally referencing the lastModified property.

A handy and relatively quick way of getting the last modified date.

It is a bit of a mouthful though, so might be easier to create it as a handy referencable object:

Then you can just do:

I recently rolled out beta version of a new application I've been writing, only to discover that there was a bizarre session problem that didn't exist in dev, but does in live.

I've worked it out, but I thought I'd explore it some more. It is a fusebox 5.5 non xml application. The error I had was that as soon as I made a call through a "new" circuit, IE one I hadn't called before ColdFusion would generate a new session ID, and thus invalidate my current active session.

Looking through my application CFC I had this line of code present.

Setting this to true fixed the issue. This is because ColdFusion relies on the CFID and CFTOKEN to maintain the session state. You can either pass these two variables through the URL on every page request, which is a bit messy, or you can use a cookie. It is the variable above that lets the application use cookies on the user's session.

The problem with setClientCookies is that it is persistent, IE it is built for that session, and left on the user's pc, even after the session has expired, or they have left the application. Also some users will accept per-session cookies, but not persistent session cookies.

They are a lot more secure as per-session cookies, as they cannot be duplicated and hacked to spoof a previous user's session, and if you pass the token through the URL it is easy changed.

You could put something like this in your onRequestend function in application.cfc

This will make them per-session. I originally thought that it was something to do with the Fusebox framework, but I had overlooked the simple fact that it was still a new page request, so would be lost. Although this doesn't explain why I wasn't getting this error in my development environment but did in live.