ColdFusion application.cfm and affected files


If I have a site where there is a protected back end and I'm looking to use an application.cfm file, how can I tell which pages use the application file and which ones do not?

index.cfm
update/application.cfm
update/loginexpired.cfm
update/login.cfm
update/somesecurepage.cfm
update/someothersecurepage.cfm

I want updates/login.cfm to create the session if the login is correct. If the secure pages update/somesecurepage.cfm and update/someothersecurepage.cfm are accessed without correct login, the application should forward to update/loginexpired.cfm, but I don't want any of the other pages to use application.cfm.

Is this plausible or should I use cfinclude instead?

4

There are 4 best solutions below

2
On BEST ANSWER
  1. Always make sure you name your Application.cfm and Application.cfc files with a capital "A". This way, if you move from Windows to a case-sensitive file system, you won't have an issue where ColdFusion cannot find your Application.cfm/cfc files.

  2. As far as your question goes, with your current structure, all files in the "update" folder will use the Application.cfm file. It will be executed before any other code in those files. If you only want certain pages to redirect to a loginexpired page, then I would typically create a subfolder, put an Application.cfm file in that folder that includes the Application.cfm file from the parent folder: <cfinclude template="../Application.cfm" />. Then in this file, you would add your security check. In the parent Application.cfm file you would include the <cfapplication /> tag. If you are using sessions, be sure to enable session management in your cfapplication tag. (<cfapplication name="myappname" sessionmanagement="true" />)

  3. You really should have an Application.cfm or Application.cfc file in the root of your site. If you do not, the application will run without an application scope. ColdFusion has a kind of "unnamed" application where this would run without a defined application name. You will most likely encounter undesired effects. All CF apps should have a named application, using the cfapplication tag or an Application.cfc file with this.name set.

  4. If you are writing this as a new application, I would suggest you use Application.cfc instead of Application.cfm. You will have access to the application, session and request life cycles (onApplicationStart/End, onSessionStart/End, onRequestStart/End) as well as the onError and onMissingTemplate event handlers, giving you more control over the flow of your application.

0
On

I suggest to you to make a different Appliction.cfm (pref Application.cfc) for the public area and secure area. Also define a differnt name for those Application.

1
On

Oops, spelling error

I suggest you make a different Application.cfm (pref Application.cfc) for the public area and secure area. Also define a different name for those applications.

0
On

When a .cfm page is loaded, it will first look for an Application.cfc (The modern, recommended Application object) in the same folder and run it. If that file is not present, it will look for an Application.cfm (the old way of instantiating an Application.)

If neither exists in that folder, it will look up the tree to the next folder and check there for Application.cfc, then Application.cfm. It will repeat this until it finds one or gets to the root of the server.

Therefore, ALL of the files you listed in your 'update' folder will automatically use the application.cfm. Only the index.cfm listed in the root will not (because neither Application.cfc nor Application.cfm is located in that folder).

So it would be best to use an Application.cfc in the root of your site for everyone, and then put the locked down pages in a subfolder with a more restrictive Application.cfc.

I hope that answers your question directly. Otherwise, I agree with what Sean stated.

More info about Application.cfc and Application.cfm is available on Adobe's ColdFusion site.
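
An added example, not part of any answer above: a Python audit script that reports which Application file governs each .cfm page, using the lookup order described in the last answer and flagging the lower-case file name the first answer warns about. It assumes the search stops at the web root; build_sample is a hypothetical helper that recreates the question's layout with empty files.

```python
import os
import tempfile

APP_FILES = ("Application.cfc", "Application.cfm")  # checked in this order

def governing_file(page, webroot):
    """Return (path, exact_case) for the Application file governing `page`,
    or (None, False) when no folder from the page up to `webroot` has one."""
    webroot = os.path.abspath(webroot)
    folder = os.path.dirname(os.path.abspath(page))
    while True:
        names = os.listdir(folder)
        for wanted in APP_FILES:
            matches = [n for n in names if n.lower() == wanted.lower()]
            if matches:
                # A wrong-case name only resolves on a case-insensitive file system.
                name = wanted if wanted in matches else matches[0]
                return os.path.join(folder, name), name == wanted
        parent = os.path.dirname(folder)
        if folder == webroot or parent == folder:
            return None, False
        folder = parent

def audit(webroot):
    """Map every .cfm page under `webroot` to (governing file, exact_case)."""
    report = {}
    for folder, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith(".cfm") and name.lower() != "application.cfm":
                page = os.path.join(folder, name)
                found, exact = governing_file(page, webroot)
                if found:
                    found = os.path.relpath(found, webroot).replace(os.sep, "/")
                report[os.path.relpath(page, webroot).replace(os.sep, "/")] = (found, exact)
    return report

def build_sample(root):
    """Constructed copy of the file layout from the question (empty files)."""
    for rel in ("index.cfm", "update/application.cfm", "update/loginexpired.cfm",
                "update/login.cfm", "update/somesecurepage.cfm",
                "update/someothersecurepage.cfm"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for page, (app, exact) in sorted(audit(root).items()):
            flag = "" if exact or app is None else "  <- rename with a capital A"
            print(f"{page:32} -> {app or 'no Application file'}{flag}")
```

Run against a real site, any page that maps to "no Application file", or to a file other than the one holding the login check, is a page that check does not cover.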