Entries Tagged as 'Technical'

ColdFusion Application Security, AJAX, and You

Technical, AJAX | 67 Comments

A couple of months ago at work we had our first shot at writing some cool and "modern" AJAX-powered features on an administrative tool. Not being a newbie to website security, I had some pretty high demands about keeping it safe. It's a given that when you're building Internet applications at a school that teaches Web Design and Development, you need to build stuff right.

The challenge was that I wanted to make sure only folks who were authenticated as administrator-role users had access to the remote-accessible methods in the service CFC. My first thought was, of course, to try to identify the authenticated session. For some reason, however, the CFID and CFTOKEN were completely unavailable in the XmlHttpRequest call (AJAX). This confused me, but I had my hands full with other things and didn't dive in too much. Instead, a separate system involving an AccessEvent object and some uuid() keys was invented, and it works quite well. Probably even overkill, if there is such a thing regarding security.

Well, tonight I started working on something that would work in a similar way, unrelated to the aforementioned effort. This was my chance to dig in a little bit and find out why the CFC being hit via AJAX wasn't seeing the session. Now, we know that it's the browser's two cookie values that identify the session to ColdFusion. And I knew that the XmlHttpRequest was sending those in the HTTP headers. So why no session?

Virtual Directory / Alias

Yep, should have known. ColdFusion is sometimes a little smarter than we give it credit for. In the project at work, we were hitting a CFC that has an alias (NOT a ColdFusion mapping!) at the web server level to make the file accessible via an HTTP call. However, ColdFusion knows that its physical location on the local drive is not in or under the same directory that the Application.cfc file is in. Therefore, this service CFC cannot read the session or application scopes at all, because it is in fact not a part of the application. Case closed.

The solution here is to create a service layer local to the application that acts as a wrapper for the other CFC file(s). In fact, as I think it through some more, the service CFC we've got outside the application root doesn't even belong out there. It's specifically a service for the application, and were its job to include access from other applications, the parameters and other security concerns would probably change. This in effect renders it "non-reusable" in my book. I now believe the answer here is to move that service layer into a local CFC / service folder, inside the confines of its owning application.

Or... I'm wondering now... would making an application mapping to that outside folder bring it into the fold and allow it to see sessions? Now that's something I'll have to try.
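As an added illustration (not code from this post), here is the in-root wrapper pattern described above in ColdFusion 8 tag syntax: an Application.cfc at the web root and a remote-accessible wrapper CFC placed under that root, so the session cookies the XmlHttpRequest already sends actually resolve to a session. The component names, the session.role key and the internal UserService are assumptions.

```cfml
<!--- Application.cfc in the web root (assumed name "AdminTool"). Any CFC whose
      physical path is under this directory runs inside this application and can
      read SESSION; a CFC reached through a web-server alias from outside this
      tree is not part of the application and sees no session at all. --->
<cfcomponent output="false">
    <cfset this.name = "AdminTool">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
</cfcomponent>

<!--- /services/AdminService.cfc, inside the application root. This is the only
      component exposed with access="remote"; the AJAX call targets this file. --->
<cfcomponent output="false">

    <!--- Gate: refuse unless the caller's session carries the administrator role.
          session.role is an assumed key that the application sets at login. --->
    <cffunction name="requireAdmin" access="private" returntype="void" output="false">
        <cfif NOT (structKeyExists(session, "role") AND session.role EQ "admin")>
            <cfthrow type="Security.NotAuthorized" message="Administrator session required.">
        </cfif>
    </cffunction>

    <!--- Remote wrapper: check first, then delegate to the real service, which keeps
          its methods access="public" and is never reachable directly by URL. --->
    <cffunction name="getUsers" access="remote" returntype="array" returnformat="json" output="false">
        <cfset var svc = "">
        <cfset requireAdmin()>
        <cfset svc = createObject("component", "services.internal.UserService")>
        <cfreturn svc.getUsers()>
    </cffunction>

</cfcomponent>
```

Had the same requireAdmin() check been placed in the aliased CFC outside the Application.cfc tree, the session scope it reads would never be populated, so the check could not succeed for anyone.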

New Obsession = ExtJS

Technical, JavaScript, Framework | 71 Comments

This week I found myself taking another look at ExtJS. It's a JavaScript framework; I suppose one could say it's something along the lines of Prototype or MooTools. But as far as I've seen, the good folks at Ext have really taken this whole framework thing a few steps farther down the road than the rest of the competition.

I'm working on a freelance project and we've really extended the amount of time and effort invested into the front end of the web site. Now it's time for me to pull the back end together and I'm trying to expedite my journey to the finish line without compromising quality. This is when I remembered the ExtJS library that's built into ColdFusion 8. I also remembered that the version that's coupled with Adobe's product isn't the most recent.

I hit up the Ext website and downloaded version 2.0. With the help of one of the sample scripts, I quickly had a JavaScript-powered grid pulling data in from a web service I had already written. The best part is how easy it was to adapt the sample. It was using a static XML file, which was loaded into a data store. Just a slight change in the code allowed me to use a URL call to my service as a JSON store.

The next step will be making it editable. I haven't built the service layers for that, but it shouldn't take long. And I suspect that, given the incredibly rich set of features a JSON store object has in ExtJS, it won't be difficult to have it talking back and making changes, and thereby a fully editable JS grid interface to my data.

InnoDB vs. MyISAM in MySQL

Technical, Database | 70 Comments

Here's just another example of why I personally choose to use a blog - look how someone else's blog helped me! My database and MySQL knowledge just took a jump.


SVN Space, Caching Efficiency

Technical, Upgrades | 84 Comments

Do you ever feel like you're spending all of your time organizing your projects and not enough time developing them? Yeah, that's me these days. I was just thinking that I really wish I had this SQL script I was working on last week in SVN somewhere, but I don't. And now I have to remember how that syntax went. Or rather, since my memory is as reliable as a three-legged cat trying to bury its business on a frozen pond, I'll be researching it all over again.

I suppose the bright side of the apple is that having researched the same thing twice should mean I'll have a better chance at remembering it. Right?

Oh, and before I forget to mention it, we have a semi-reliable comparison between CF7's uncached implementation of the CMS at work and the CF8 cached version. The number of DB calls for a content-by-node-path call went from (brace yourself) 22,000+ down to 900 and change. :) Something tells me we're going to get more life out of that piece of hardware now.

Late night upgrades

Technical, Upgrades | 55 Comments

Thoughts while performing an upgrade while at the office in the late hours.


Powered by Mango Blog. Design and Icons by N.Design Studio