ColdFusion: is a second application.cfm necessary for a secured subdirectory within an authenticated site?
https://stackoverflow.com//questions/25039889
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I have an authenticated website that has a subdirectory with stronger access requirements. Anyone can register for the main website, but only site administrators can log into the subdirectory. Currently, both the main site and subdirectory each have their own application.cfm files and login pages.
I've recently updated from ColdFusion 8 to CF 10 and have had to do a lot of reconfiguring of my session handling. I am now using session-only cookies to help maintain the user's session as they move around the site.
With this change in behavior in CF 10, I'm concerned that site administrators who are also registered to the main website will get their sessions scrambled if they go back and forth between the two applications (for example, to see if they can replicate a user's problems or look up database details while they're logged into the main site).
The credentials for both the main site and the subdirectory come from the same user database, with site administrators having a flag that permits them extra access. I can easily write a script that checks to see if a user logged in on either the main site or the subdirectory and direct them appropriately if they change places.
Bottom line, in the CF 10 world, do I need a second application.cfm, and, subsequently, a second set of session variables, for that subdirectory?
(Note: I've looked at both Coldfusion Cross site authentication and Can you have multiple cfapplications in an application.cfm? entries, and, while they have a lot of goodies here, don't quite answer my query.)
Solution
No, it is not necessary to have multiple application.cfm/cfc files. It isn't even necessary to have the first one. However, it isn't necessarily a bad thing to have multiple either. If you have multiple, you can have different onerror and onrequest handling for the subdirectory, if that's beneficial to your goals.
I prefer to only use one application.cfc so that all of my application routing/authentication/error handling is done up front rather than being split between main application and admin area, and I don't have to deal with multiple sessions per user.
OTHER TIPS
if you have session variables in application.cfm in the parent directory, you can just <cfinclude> it in the application.cfm file in subdirectory. So that you can have the same session values to the files in subdirectory too.
Example application.cfm in subdirectory:
<cfinclude template="/home_directory/application.cfm" />
Note: here no need to use <cfapplication> tag.
