Comments on: CFML 101 – Protecting Railo admin folder http://www.placona.co.uk/145/railo/cfml-101-protecting-railo-admin-folder/ ColdFusion, Ruby and General Technology Thu, 26 Jan 2012 20:51:00 +0000 hourly 1 http://wordpress.org/?v= By: Kenhttp://www.placona.co.uk/145/railo/cfml-101-protecting-railo-admin-folder/comment-page-1/#comment-2254 Ken Wed, 02 Feb 2011 15:45:16 +0000 #comment-2254 I'd like to point out that by wrapping the require valid-user directive within the LIMIT GET tag, you are allowing POST and other request types to ignore the directive. See http://httpd.apache.org/docs/2.2/mod/core.html#limit This is a common mistake I see. I think people incorrectly (though intuitively, I'll grant) interpret the LIMIT directive as restricting access to only the listed HTTP methods, when in fact it does the reverse; it restricts the directives it contains to the listed methods. Don't believe me? Make sure you're logged out then make a POST request and you'll see that you get right in without being asked for a password. Easy enough to do in a simple html file I’d like to point out that by wrapping the require valid-user directive within the LIMIT GET tag, you are allowing POST and other request types to ignore the directive. See http://httpd.apache.org/docs/2.....html#limit

This is a common mistake I see. I think people incorrectly (though intuitively, I’ll grant) interpret the LIMIT directive as restricting access to only the listed HTTP methods, when in fact it does the reverse; it restricts the directives it contains to the listed methods.

Don’t believe me? Make sure you’re logged out then make a POST request and you’ll see that you get right in without being asked for a password. Easy enough to do in a simple html file

]]> By: Tom Khttp://www.placona.co.uk/145/railo/cfml-101-protecting-railo-admin-folder/comment-page-1/#comment-766 Tom K Thu, 27 May 2010 06:38:03 +0000 #comment-766 Thanks Marcos - works a treat :) Thanks Marcos – works a treat :)

]]>