Preventing FW/1 From Reinitialising an App via the URL
One of the things that FW/1 allows you to do is configure a reload “key” and “password” which you can use to reinit your application via URL.
So inside your Application.cfc you might have:
1 2 3 4 5 | |
So you can reinit your application (flush the application scope by re-running onApplicationStart()) by calling something like:
1
| |
The “reload” and “password” properties can be changed to whatever you want for securities sake.
We wanted a little extra security, that being the option to never allow an application to be reinitialised via a URL. Typically we want this in a production environment only. What you lose in flexibility, being able to reinit the application quickly and easily after a release/deployment, you (arguably) gain in security. Perhaps this is being a little over-cautious, but we like to be better safe than sorry, especially when reducing possible DOS vectors. Also it makes life easier when dealing with system administrators and/or security audits :)
To achieve this we simply added a new property to the variables.framework structure inside Application.cfc, called “disableReloadApplication”, which accepts true|false. If true, then even if you know the “reload” and “password” values…the application cannot be reinitialised via the URL. So the following would NOT reinit the app:
1
| |
A few extra lines were needed inside framework.cfc to make this happen:
setupFrameworkDefaults()
1 2 3 4 5 | |
and isFrameworkReloadRequest()
1 2 3 4 5 | |
Although we could have extended framework.cfc with our own file (and just defined these 2 methods), we just altered the original framework.cfc as we store a local copy in source control that all our projects can draw from.
Here is the fork of FW/1 (really just a change to framework.cfc), version 2.0.1.