You will be redirected in 30 seconds or close now.

ColdFusion Authors: Yakov Fain, Jeremy Geelan, Maureen O'Gara, Nancy Y. Nee, Tad Anderson

Related Topics: ColdFusion

ColdFusion: Article

Implementing HTTP Basic Authentication

Route around many of the common limitations of traditional forms-based authentication

Most ColdFusion applications that require users to be authenticated follow the pattern laid out in the official ColdFusion documentation and in the ColdFusion MX Developer's Guide.

This HTML forms-based method is perfectly serviceable, but as applications become more complicated it's not uncommon to run across issues with session expiration and deep linking/bookmarking. This article describes an alternative method of implementing user authentication that's based on the mature and time-tested authentication scheme laid out in the original HTTP specification. Without making the application significantly more complex, it can route around many of the most common limitations of traditional forms-based authentication.

An Overview of Forms-Based Authentication
To start off, let's take a look at some typical ColdFusion code that uses forms-based authentication from the point-of-view of a Web browser. A typical application might have code in the Application.cfm file that looks something like this:

<cfif NOT IsDefined("SESSION.login")>
    <cfif NOT IsDefined("FORM.login")>
      <cfinclude template="loginForm.cfm">
      <!--- Process login information --->

Let's look at the series of requests and responses that occur between a Web browser (WB) and a server (S) when the user requests a page that's protected by this kind of authentication code:

WB: Please send me the page called /index.cfm.
S: OK, here's the page called /index.cfm. (The server sends a page containing a form with text fields for user name and password and a submit button.)
WB: (After the user fills in the form and clicks the submit button) Here's a POST to the page called /index.cfm.
S: OK, I processed the submission and here's the page called /index.cfm.

Notice how the server claimed the two pages it sent were both /index.cfm? That's an example of one problem with forms-based authentication: it misrepresents the resources identified by URLs. To illustrate another problem, take a look at what happens later, after the user takes a break from using the application and the session expires:

WB: Please send me the page called /administrator/addUser.cfm.
S: OK, here's the page called /administrator/addUser.cfm. (The server sends a page containing a form with text fields for user name and password and a submit button.)

Since the session expired, the server responded to the request by providing the login form again. Even if the form provides some information about why the user needs to log in again, the user may become confused, and at the very least is inconvenienced.

There are other ways to implement forms-based authentication (such as using <cflocation> to redirect the browser to the login form instead of using <cfinclude> to send it in place of the requested page), but the basic issues are the same:

  1. Forms-based authentication misrepresents the resource requested by the browser. Depending on the implementation, it claims the login form is the resource that was requested, or it sometimes claims that the resource requested is located somewhere else (that "somewhere else" being the location of the login form).
  2. It forces the user to understand technical issues like session expiration.
  3. Since it's dependent on session cookies, it's not easily scalable to cluster environments and doesn't work if the browser has cookies disabled.
  4. Since it's dependent on the end user to read the login form and understand that it's not the resource the user requested, it's not compatible with alternative user agents
More Detail: URLs and HTTP Status Codes
What's all this talk about "misrepresenting the resource," you say? It boils down to URLs and status codes.

Each time the browser requests a page, it specifies the exact resource (page) it's requesting. This resource is identified by the URL and a basic tenet of HTTP is that two requests for the same resource (assuming there's no form submission happening) should return exactly the same result (this is closely related to the property of HTTP requests called "idempotency," the principle that GET requests shouldn't change the state of the resource being requested). When the server sometimes sends a login form and sometimes sends the actual page, it's breaking this one-to-one correspondence between the URL and the resource.

Each time the server responds to a request, it sends a status code that very succinctly tells the Web browser the "gist" of its response. Most of the time (when it's serving ColdFusion pages at least), the server sends the status code 200 ("OK"), which means "this page I'm sending you is exactly what you asked for." If instead of executing the page the user requested, the server is sends a login form, it's lying to the browser when it says it found what the user asked for.

When the ColdFusion server processes a <cflocation> tag, it sends the status code 302 ("Found"), which means "the page you're looking for is temporarily located somewhere else and I'm sending you its location." If the address the server sends isn't actually the page the user requested, but a login form, it's lying again.

These distinctions may seem pedantic. But every Web browser since NCSA Mosaic has been raised speaking HTTP as its native language and there's a surprising amount of potential to be leveraged in modern browsers when you respect the true meaning of the terms in that language. And sometimes when you ignore the rules of HTTP you get burned - a notable example of this was when Google released a beta of its Web Accelerator and lots of developers who had ignored the principle of idempotency found that their Web sites were breaking.

Basic Authentication to the Rescue
All the way back at the dawn of the Web (May 1996, to be specific), when Tim Berners-Lee codified the rules of the Hypertext Transfer Protocol (HTTP/1.0), he and his co-authors considered the problem of how to secure resources on the Web and their answer to the problem has come to be known as HTTP Basic Authentication. With Basic authentication, the initial dialogue between Web browser and server looks more like this:

WB: Please send me the page called /index.cfm.
S: Sorry, that page is part of an application called "MyApplication." You can't see that page without providing a user name and password. Here's a page to tell the user why he can't see the page he asked for.
WB: (Prompts the user for a user name and password.) Please send me the page called /index.cfm - and here are the user's credentials to access that page.
S: OK, I processed the credentials and here's the page called /index.cfm.

Doesn't that look like a much more productive exchange than when the server was telling all sorts of lies about the resources it was sending to the browser? In fact it is more productive and here are a few reasons why:

  1. HTTP status codes and URLs are used exactly as they were intended.
  2. Once the browser knows the user's credentials for the application, it can continue to provide them when needed without prompting the user again (more on this below). Depending on your application, this might mean the end of session expiration!
  3. It's not dependent on keeping login credentials in the session scope, so it even works when browsers have cookies disabled. (Your application may still need to use session-scope variables for other purposes.)
  4. It allows alternative clients (such as command-line and automated user agents) to access your application, unlocking the potential for new and exciting uses of the data in your application.
Web Server-Integrated Basic Authentication
Basic authentication doesn't have to be implemented in application code. All the most common Web servers (including Apache and Microsoft's Internet Information Server) allow the administrator to protect resources with Basic authentication by setting some configuration parameters. In some cases, this may be sufficient, but if you want to validate the user login information against an existing user database (the one built into your application, for example), you'll almost certainly find it easier to keep the authentication code integrated with the rest of your application.

More Stories By Patrick Correia

Patrick Correia is a Web developer for Clough Harbour & Associates LLP, an east coast multi-disciplined engineering firm. A Certified Advanced ColdFusion MX Developer based in Albany, New York, he has spent the last five years developing ColdFusion-based business process improvement solutions for the firm's numerous municipal and private clients.

Comments (1) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

Most Recent Comments
MikeR 06/08/06 11:43:56 PM EDT

Interesting article but it failed to mention the huge flaw with basic auth.

Basic authentication can't be used for most real-world sites because:
(1) There is now way for the user to log out short of closing all browser windows.
and (2) There is no practical way for the site to logout or timeout a user.

@ThingsExpo Stories
BnkToTheFuture.com is the largest online investment platform for investing in FinTech, Bitcoin and Blockchain companies. We believe the future of finance looks very different from the past and we aim to invest and provide trading opportunities for qualifying investors that want to build a portfolio in the sector in compliance with international financial regulations.
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, whic...
Imagine if you will, a retail floor so densely packed with sensors that they can pick up the movements of insects scurrying across a store aisle. Or a component of a piece of factory equipment so well-instrumented that its digital twin provides resolution down to the micrometer.
In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, provided an overview of the evolution of the Internet and the Database and the future of their combination – the Blockchain. Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settle...
Product connectivity goes hand and hand these days with increased use of personal data. New IoT devices are becoming more personalized than ever before. In his session at 22nd Cloud Expo | DXWorld Expo, Nicolas Fierro, CEO of MIMIR Blockchain Solutions, will discuss how in order to protect your data and privacy, IoT applications need to embrace Blockchain technology for a new level of product security never before seen - or needed.
Leading companies, from the Global Fortune 500 to the smallest companies, are adopting hybrid cloud as the path to business advantage. Hybrid cloud depends on cloud services and on-premises infrastructure working in unison. Successful implementations require new levels of data mobility, enabled by an automated and seamless flow across on-premises and cloud resources. In his general session at 21st Cloud Expo, Greg Tevis, an IBM Storage Software Technical Strategist and Customer Solution Architec...
Nordstrom is transforming the way that they do business and the cloud is the key to enabling speed and hyper personalized customer experiences. In his session at 21st Cloud Expo, Ken Schow, VP of Engineering at Nordstrom, discussed some of the key learnings and common pitfalls of large enterprises moving to the cloud. This includes strategies around choosing a cloud provider(s), architecture, and lessons learned. In addition, he covered some of the best practices for structured team migration an...
No hype cycles or predictions of a gazillion things here. IoT is here. You get it. You know your business and have great ideas for a business transformation strategy. What comes next? Time to make it happen. In his session at @ThingsExpo, Jay Mason, an Associate Partner of Analytics, IoT & Cybersecurity at M&S Consulting, presented a step-by-step plan to develop your technology implementation strategy. He also discussed the evaluation of communication standards and IoT messaging protocols, data...
Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection between Coke and its customers. Digital signs pair software with high-resolution displays so that a message can be changed instantly based on what the operator wants to communicate or sell. In their Day 3 Keynote at 21st Cloud Expo, Greg Chambers, Global Group Director, Digital Innovation, Coca-Cola, and Vidya Nagarajan, a Senior Product Manager at Google, discussed how from store operations and ...
In his session at 21st Cloud Expo, Raju Shreewastava, founder of Big Data Trunk, provided a fun and simple way to introduce Machine Leaning to anyone and everyone. He solved a machine learning problem and demonstrated an easy way to be able to do machine learning without even coding. Raju Shreewastava is the founder of Big Data Trunk (www.BigDataTrunk.com), a Big Data Training and consulting firm with offices in the United States. He previously led the data warehouse/business intelligence and B...
"IBM is really all in on blockchain. We take a look at sort of the history of blockchain ledger technologies. It started out with bitcoin, Ethereum, and IBM evaluated these particular blockchain technologies and found they were anonymous and permissionless and that many companies were looking for permissioned blockchain," stated René Bostic, Technical VP of the IBM Cloud Unit in North America, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Conventi...
When shopping for a new data processing platform for IoT solutions, many development teams want to be able to test-drive options before making a choice. Yet when evaluating an IoT solution, it’s simply not feasible to do so at scale with physical devices. Building a sensor simulator is the next best choice; however, generating a realistic simulation at very high TPS with ease of configurability is a formidable challenge. When dealing with multiple application or transport protocols, you would be...
Smart cities have the potential to change our lives at so many levels for citizens: less pollution, reduced parking obstacles, better health, education and more energy savings. Real-time data streaming and the Internet of Things (IoT) possess the power to turn this vision into a reality. However, most organizations today are building their data infrastructure to focus solely on addressing immediate business needs vs. a platform capable of quickly adapting emerging technologies to address future ...
We are given a desktop platform with Java 8 or Java 9 installed and seek to find a way to deploy high-performance Java applications that use Java 3D and/or Jogl without having to run an installer. We are subject to the constraint that the applications be signed and deployed so that they can be run in a trusted environment (i.e., outside of the sandbox). Further, we seek to do this in a way that does not depend on bundling a JRE with our applications, as this makes downloads and installations rat...
Widespread fragmentation is stalling the growth of the IIoT and making it difficult for partners to work together. The number of software platforms, apps, hardware and connectivity standards is creating paralysis among businesses that are afraid of being locked into a solution. EdgeX Foundry is unifying the community around a common IoT edge framework and an ecosystem of interoperable components.
DX World EXPO, LLC, a Lighthouse Point, Florida-based startup trade show producer and the creator of "DXWorldEXPO® - Digital Transformation Conference & Expo" has announced its executive management team. The team is headed by Levent Selamoglu, who has been named CEO. "Now is the time for a truly global DX event, to bring together the leading minds from the technology world in a conversation about Digital Transformation," he said in making the announcement.
In this strange new world where more and more power is drawn from business technology, companies are effectively straddling two paths on the road to innovation and transformation into digital enterprises. The first path is the heritage trail – with “legacy” technology forming the background. Here, extant technologies are transformed by core IT teams to provide more API-driven approaches. Legacy systems can restrict companies that are transitioning into digital enterprises. To truly become a lead...
Digital Transformation (DX) is not a "one-size-fits all" strategy. Each organization needs to develop its own unique, long-term DX plan. It must do so by realizing that we now live in a data-driven age, and that technologies such as Cloud Computing, Big Data, the IoT, Cognitive Computing, and Blockchain are only tools. In her general session at 21st Cloud Expo, Rebecca Wanta explained how the strategy must focus on DX and include a commitment from top management to create great IT jobs, monitor ...
"Cloud Academy is an enterprise training platform for the cloud, specifically public clouds. We offer guided learning experiences on AWS, Azure, Google Cloud and all the surrounding methodologies and technologies that you need to know and your teams need to know in order to leverage the full benefits of the cloud," explained Alex Brower, VP of Marketing at Cloud Academy, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clar...
The IoT Will Grow: In what might be the most obvious prediction of the decade, the IoT will continue to expand next year, with more and more devices coming online every single day. What isn’t so obvious about this prediction: where that growth will occur. The retail, healthcare, and industrial/supply chain industries will likely see the greatest growth. Forrester Research has predicted the IoT will become “the backbone” of customer value as it continues to grow. It is no surprise that retail is ...