Security is a key part of any web application. As more and more aspects of daily life get conducted online, users want to be sure that the information they provide to web applications is taken care of properly. On the flip side, businesses want to make sure that the people who use their web applications are who they say they are. In this chapter, we’ll cover two keys aspects of security: authentication and authorization. Authentication is the process of verifying the identity of a user, while authorization is the process of limiting access to resources to particular users.

In this chapter, we’ll look at two approaches to application security. The first approach uses a combination of database tables and application code to manage authentication and user entitlements, in effect implementing security from scratch. Because the Application.cfm template is automatically invoked with each page request, it is the ideal place to handle security tasks in your ColdFusion applications. The second approach uses ColdFusion’s new Advanced Security services for authenticating users and authorizing access to resources. Each method has its pros and cons, which will be discussed.

Note that there is Basic Security within ColdFusion, but it has a different purpose than the Advanced Security services. Basic Security is configurable only from within the ColdFusion Administrator and is used to specify usernames and passwords for the ColdFusion Administrator and ColdFusion Studio. ...