
@learncfinaweek
learncfinaweek / gist:4121210
Created November 20, 2012 21:19
Code Reuse - Functions

One acronym that is thrown around in programming circles is DRY: Don't Repeat Yourself. Does anyone enjoy reading a repetitive book? Listening to the same five songs on the radio station? How about writing the same piece of code, over and over again? Performing the same task over and over again is mind-numbing and soul-crushing work. When working in a large system, it's much more fun to write a piece of code in such a way that it can be used multiple times.

Now that some of the basics of programming with ColdFusion have been covered, we can take a moment to discuss code reuse. Writing code that can be used again is an important skill for developers to master; not only does it save time, but it forces the developer to structure their code such that individual routines are isolated and labelled properly. Doing this makes the code easier to read and interpret. In this chapter, simple examples will be used; you can extrapolate from these examples and imagine the effects on a larger scale.

learncfinaweek / gist:4121378
Created November 20, 2012 21:42
Security - Session Identifier Protection

Session identifiers (CFID, CFTOKEN, and JSESSIONID) need to be protected since they provide an attacker with an easy way to impersonate a user if they are acquired.

One of the biggest leakages of session identifiers occurs with cflocation, because its ADDTOKEN attribute defaults to true, appending the session identifiers to the URL, where they can easily be captured. The ADDTOKEN attribute should be set to false in almost all cases.

An additional measure to protect the session identifiers is to set the cookie in which they are delivered to be HTTPOnly. When a cookie is flagged HTTPOnly, it is not possible for the cookie to be accessed in the browser via JavaScript. ColdFusion 9 added the ability to set HTTPOnly cookies with cfcookie, and ColdFusion 9.0.1 added a JVM flag to enable HTTPOnly c

learncfinaweek / gist:4121143
Created November 20, 2012 21:09
Data Handling - Hands On 9

In this hands on, we will do a simple database call and output the data.

Tags Used: <cfset>, <cfquery>, <cfloop>

  1. Open up the /www/resume.cfm file in your code editor.
learncfinaweek / gist:4121420
Created November 20, 2012 21:47
Error Handling and Debugging - Hands On 31

In this hands on, you are going to add an Error Handling solution to the web site.

Tags Used: <cfdump>

Functions Used: include, mail

learncfinaweek / gist:4121404
Created November 20, 2012 21:46
Error Handling and Debugging - Error Handling

While the best efforts are made to stop errors from happening, they do happen. Sometimes the errors might be due to some bad code; other times it may be due to external resources that are out of one's control. During the development process, these errors hold valuable information that allows us to improve and fix our code, but in production environments, these errors hold information that can make our servers vulnerable to attack. It is important that as a developer you anticipate errors and gracefully handle them. Thankfully, ColdFusion offers a number of ways to trap those errors and even allow developers to react to those errors and call alternative functionality.

Understanding Errors

Error Types

learncfinaweek / gist:4121372
Created November 20, 2012 21:41
Security - Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. This occurs because web browsers automatically include most credentials with each request, such as session cookies, basic authentication headers, IP address, and client-side SSL certificates.

One of the many examples occurred with Netflix in 2006; if you used the "Remember Me" functionality and came across any web page that had <img src="http://www.netflix.com/AddToQueue?movieid=70011204" />, embedded in it, a copy of “SpongeBob Squarepants” would be added to your Netflix queue.

ColdFusion 10 introduced two new functions to deal with CSRF; CSRFGenerateToken() and CSRFVerifyToken(). To use the functions, the web application needs to have Session Management enabled, which works by creating a random token that can be checked when the submission o

learncfinaweek / gist:4121334
Created November 20, 2012 21:35
Document Handling - Image Manipulation

A great feature set of ColdFusion is its image functionality. ColdFusion has the ability to easily manipulate images, create new images, draw images, and write them back to the file system. All this functionality comes right out of the box with ColdFusion, without the need for any extra plugins or installs.

There are so many pieces of image related functionality that it is not feasible to explain all of them in this section. For the purpose of this section, we will review a few of the more common functions used. To see a full list of image functionality available, go to: http://help.adobe.com/en_US/ColdFusion/10.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec1a60c-7ffc.html#WSc3ff6d0ea77859461172e0811cbec22c24-66e4.

Reading in an Image

learncfinaweek / gist:4121233
Created November 20, 2012 21:21
Code Reuse - Components

A more modern alternative to cfinclude is to create components. Components in ColdFusion behave similarly to objects in many other programming languages. First, start by creating a new file, called Greeting.cfc. ColdFusion uses .cfc to denote files that are components.

Inside of Greeting.cfc, add a cfcomponent tag:

<cfcomponent>
learncfinaweek / gist:4121399
Created November 20, 2012 21:45
Security - Hands On 29
learncfinaweek / gist:4121394
Created November 20, 2012 21:45
Security - Hands On 28

In this hands on, we are going to add security to the blog comments. As this section allows users to supply data that will be stored in a database and will also be output to other users, it is one of the weakest points of the application.

Tags Used: <cfif>, <cfset>, <cfthrow>

Functions Used: isSimpleValue, canonicalize,