Security is a key part of any web application. As more and more aspects of daily life are conducted online, users want to be sure that the information they provide to web applications is handled securely. On the flip side, businesses want to make sure that the people who use their web applications are who they say they are. In this chapter, we’ll cover two keys aspects of security: authentication and authorization. Authentication is the process of verifying the identity of a user, while authorization is the process of limiting access to resources to particular users.

In this chapter, we’ll look at two approaches to application security. The first approach uses a combination of database tables and application code to manage authentication and user entitlements, in effect implementing security from scratch. Because the Application.cfm template is automatically invoked with each page request, it is the ideal place to handle security tasks in your ColdFusion applications. The second approach uses ColdFusion MX’s new security tags and functions for authenticating users and authorizing access to resources. Each method has its pros and cons, which will be discussed.

Note that there is Sandbox Security within ColdFusion, but it has a different purpose than the application-level security we’ll be discussing in this chapter. Sandbox Security is configurable only from within the ColdFusion Administrator and is used to control access to various ColdFusion resources ...