|
Basic fusebox fuseaction to handle security references |
||||||||
I am a big fan of fusebox, I like the way it handles inheritance, and I love the fact that it instinctively lends itself to a modular approach.
Part of the strength in using fusebox is in knowing exactly when each of the framework fuse actions run, and just what sort of functionality you can embed in them. In this case I'm using the "Pre fuse Action" to perform a basic security validation on any fuseactions in that circuit.
2 <cfargument name="myFusebox" />
3 <cfargument name="event" />
4
5
6 </cffunction>
Above is a blank prefuseaction, insert any code you want to perform on any of the other fuseactions in that circuit here. Note that it runs before the circuit action.
A basic session validation script could be something like:
2 <cfif NOT isdefined('session.loggedIn')>
3 <cfset session.logoutMsg = "Your session has timed out, please login again">
4 <cflocation url="index.cfm">
5
6 <cfif NOT isdefined('session.superadmin')>
7 <cfset session.logoutMsg = "You do not have sufficient rights to view Super admin functions">
8 <cflocation url="index.cfm">
9 </cfif>
10
11 </cfif>
In the code above I am checking for a valid session variables, and if it is not there sets an error message and redirects to the homepage.
This is a pretty basic "catch all - are you logged in?" type query, but if you have an administration circuit then it provides good basic fuseaction protection. I've extended it out one step further by creating a cfc call to this code which just returns true/false. Something like this:
I am currently extending this further with more robust security, and user roles and groups.
|
Coldfusion dropping session ID in fusebox application |
||||||||
I recently rolled out beta version of a new application I've been writing, only to discover that there was a bizarre session problem that didn't exist in dev, but does in live.
I've worked it out, but I thought I'd explore it some more. It is a fusebox 5.5 non xml application. The error I had was that as soon as I made a call through a "new" circuit, IE one I hadn't called before ColdFusion would generate a new session ID, and thus invalidate my current active session.
Looking through my application CFC I had this line of code present.
Setting this to true fixed the issue. This is because ColdFusion relies on the CFID and CFTOKEN to maintain the session state. You can either pass these two variables through the URL on every page request, which is a bit messy, or you can use a cookie. It is the variable above that lets the application use cookies on the user's session.
The problem with setClientCookies is that it is persistent, IE it is built for that session, and left on the user's pc, even after the session has expired, or they have left the application. Also some users will accept per-session cookies, but not persistent session cookies.
They are a lot more secure as per-session cookies, as they cannot be duplicated and hacked to spoof a previous user's session, and if you pass the token through the URL it is easy changed.
You could put something like this in your onRequestend function in application.cfc
2IsDefined("Cookie.CFTOKEN")>
3<cfset cfid_local = Cookie.CFID>
4<cfset cftoken_local = Cookie.CFTOKEN>
5<cfcookie name="CFID" value="#cfid_local#">
6<cfcookie name="CFTOKEN" value="#cftoken_local#">
7</cfif>
This will make them per-session. I originally thought that it was something to do with the Fusebox framework, but I had overlooked the simple fact that it was still a new page request, so would be lost. Although this doesn't explain why I wasn't getting this error in my development environment but did in live.
|
Gmail Stripping styles out of html elements in emails |
||||||||
A recently 'feature' that has been added to Google is the way they are handling un styled elements.
In the last few weeks Gmail has started stripping the paragraph margins from its HTML emails. Basically is destroys the spacing from P tags, so that instead of being new lines, they are more like line breaks.
Checking the element in firebug shows that:
If you disable the style, then the html reverts to back to what you probably thought it should look like.
I'm guessing that as Gmail hasn't found an associated style with the element (P) it is applying its own.
You could change all the inline P's:
But that's hassle and not best practice really. I'll apply a CSS fix to it, and see if Gmail accepts that.
|
Geo coding Latitude and Longitude address in coldfusion using CFhttp |
||||||||
One piece of recently functionality to a site I'm writing is the ability to look up places on a Google powered map.
There are a variety of ways to insert a Google map into your site, but the first real hurdle is the lookup code.
Google does not use an address to position its map, it uses the Latitude and Longitude co-ordinates to place the map area around the desired location.
Google has pretty extensive documentation around this here:
http://code.google.com/apis/maps/documentation/geocoding/index.html
Rather than translate the locations on the fly on a per-hit basis I thought I would perform the lookup when the record is submitted to the database, that way I can cut down the number of google hits, and just reference the local data. Google also prefers this method, as it is less process intensive on their end of things.
First you need an API key:
http://code.google.com/apis/maps/signup.html
This application already has methods for setting the data in a table, so I am simply going to call another packaged method to calculate the latitude and longitude, and store them in the table with the other data.
2 <cfargument name="address" displayName="Address to Geo" type="string" hint="String of the address to Geo code" required="true" />
3 <cfset var geoDetails = structNew()>
4
5 <cfset var apiKey = "Your API key here">
6
7 <!--- initial string --->
8 <cfset var requestString = "http://maps.google.com/maps/geo?">
9
10 <!--- q= address to geo code --->
11 <cfset requestString = requestString & "q=28+Morley+Street,Swindon,SN1+1SG" & "&">
12
13 <!--- key = API key --->
14 <cfset requestString = requestString & "key=" & apiKey & "&">
15
16 <!--- sensor = does the requestor have a location sensor? --->
17 <cfset requestString = requestString & "sensor=false" & "&">
18
19 <!--- output = output format --->
20 <cfset requestString = requestString & "output=csv" & "&">
21
22 <!--- oe = output encoding format --->
23 <cfset requestString = requestString & "oe=utf8" & "&">
24
25 <!--- gl= Country code pointer --->
26 <cfset requestString = requestString & "gl=uk">
27
28 <cfhttp url="#requestString#" method="get" result="response"></cfhttp>
29
30 <!--- returns 4 elements statuscode/accuracy/lat/long
31 Higher accuracy is better --->
32 <cfset geoDetails.status = listGetAt(response.filecontent,'1',',')>
33 <cfset geoDetails.accuracy = listGetAt(response.filecontent,'2',',')>
34 <cfset geoDetails.lat = listGetAt(response.filecontent,'3',',')>
35 <cfset geoDetails.long = listGetAt(response.filecontent,'4',',')>
36
37 <cfreturn geoDetails />
38 </cffunction>
As you can see from above, I am simply creating a text string URL, and using cfhttp to GET the result from http://maps.google.com/maps/geo?
The screenshot below show the returned responses, and the http status code.
The result is parsed into a struct and returned to the parent function to be stored. Far less overhead than doing this for every map call.
Please note that this is far more heavily commented for Blog purposes. Now to actually call the service using the lat and long variables stored, but thats another article.
