Tuesday, August 23, 2005

Make cflogin work with the cfschedule service

This one is really pretty easy, but it baffled me for a few minutes until it clicked. It was one of those brain spasms I get every once in a while where something incredibly simple is difficult to grasp, like trying to describe the process that goes on in your head when you try to add 2+2 to get 4.

I like to use cflogin to secure sites (with j2ee session on). It just seems to work so well and you don't have to think about it once you build it. Sometimes I like to create a directory under the application to hold scheduled task templates that get fired off by the clock. In order to do this, the setup needs to have login credentials. If you don't think about it, you can test directly in the browser like crazy and everything works because before you try to launch the temlpate, you are forced to log in. You don't tend to think about it too much. When you then try to get the scheduler to launch the templates, they can fail because you don't have an opportunity to log in.

There won't be any messages in the logs, because technically, nothing failed. What happens is that your login template gets returned to the cf service waiting for a login. If you don't store the results anywhere (which you normally wouldn't), there really isn't anything to tell you why your template didn't run.

In order to make them work, all you have to do is append the username and password to the end of the url like this:


Simple as that, but one that can have you hunting for a few minutes until you think of the solution.


  1. Hi Mike,

    There are some security issues with this approach.

    1) You are sending the username/password as clear text. This can be sniffed out by others on the network/internet

    2) The querystring with the username and password will show up in the server logs.

    Depending on your particular situation, this may or may not matter, but I just wanted to make sure your readers were aware of the security risks with putting unencrypted username/passwords in a query string.

  2. You're right, it is totally insecure with respect to the account you use to run the service. In my case, the service only has rights for the pages in the scheduledTasks directory.

    There are several other ways to go about getting this to work. One of the simplest is to put a second Application.cfm page in the directory without the cflogin protection. That lets anybody hit the directory without issue.

    Another way to do it is to put an exception in your cflogin code for the cgi.http_useragent being equal to "CFSCHEDULE" and the cgi.servername = to the cfserver. You can then just assign a username and password that doesn't get used in any authentication tests. It still opens your templates to potential hacking by a determined individual (spoof the ip and user agent), but it won't provide access to anything you lock down by role.