Question
Overview
I'm looking to start developing iOS apps using HTML5, jQuery, and ColdFusion. My understanding of this is to have jQuery call the ColdFusion APIs for all of the back-end functions. Great! My question is mostly about the page structure and API security.
Application Structure
In my head I suggested that the actual structure of the app should be similar to this:
<html>
<head>
<script src="http://foo.bar/path/to/jquery.js"></script>
<script src="http://foo.bar/path/to/api.js"></script>
<script src="http://foo.bar/path/to/anyother.js"></script>
</head>
<body>
...
</body>
</html>
The idea of this is for organizational purposes. I don't want to include any API calls inside the actual app. I would like it to be located on a remote machine. This will allow me to make edits without resubmitting the app to the app store.
Security
Will this structure be a security risk? Is there anything I can do to enhance the security of this? Perhaps only allow API calls coming from a mobile device? Or perhaps require some sort of key?
Also, when it comes to the actual API itself, how would the function's security work?
<cffunction name="newRemoteResponse" access="remote" output="false" returntype="struct">
....
</cffunction>
What parameters would you recommend to make this the most secure?
Answer 1:
When you make XHR calls to CF from your mobile app, sessions will be respected. That means you can use XHR to call a login method, set a session var on login, and then in other CFC methods, ensure that session value exists before you return any data.
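The session check the answer describes, written out as an added example (not code from the original post): a CFC in CFScript whose remote login method sets session.userId and whose remote data method refuses to return anything while that key is absent. It assumes Application.cfc has sessionManagement enabled and that a UserService component (hypothetical) validates credentials.

```cfml
// Added example, not from the original post.
// Assumes Application.cfc sets `this.sessionManagement = true`
// and that UserService (hypothetical) exists to check credentials.
component output="false" {

    // Called first via XHR; on success the session is marked as logged in.
    remote struct function login(required string username, required string password) returnformat="json" {
        var result = { "ok": false };
        // hypothetical credential check; replace with your own user store
        var user = new UserService().authenticate(arguments.username, arguments.password);
        if ( isStruct(user) ) {
            sessionRotate();           // fresh session id on login (mitigates session fixation)
            session.userId = user.id;  // the value every other remote method will look for
            result.ok = true;
        }
        return result;
    }

    // Same method name as in the question; the guard runs before any data is touched.
    remote struct function newRemoteResponse() returnformat="json" {
        if ( !structKeyExists(session, "userId") ) {
            // 401 lets the jQuery client detect that it must call login() again
            cfheader(statuscode=401, statustext="Unauthorized");
            return { "ok": false, "error": "login required" };
        }
        return { "ok": true, "data": loadDataFor(session.userId) };
    }

    // Drops the session server-side so a stale cookie can no longer pass the guard.
    remote struct function logout() returnformat="json" {
        sessionInvalidate();
        return { "ok": true };
    }

    private array function loadDataFor(required numeric userId) {
        // constructed sample data; a real method would query the database for this user
        return [ { "id": 1, "owner": arguments.userId, "title": "first item" } ];
    }
}
```

If the app's HTML is loaded from the device rather than from foo.bar, the XHR is cross-origin and the session cookie is only sent when the jQuery call sets `xhrFields: { withCredentials: true }` and the server answers with matching CORS headers.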
Source: https://stackoverflow.com/questions/22539834/coldfusion-and-mobile-application-structure-and-security