What is a good foolproof way to protect an admin section of a site? So that if someone is logged in with a standard user role they would be redirected back to the root. Would it be better to do that in Application.cfc or handle it on the individual pages?
The quick and dirty answer is that you should be using role-based permissions. If you load the user's roles on login, you should be able to check if the user has a specific role before accessing various functionality throughout the application.
Let's say you have a basic app like this:
In the Application.cfc in the admin app folder, you can use onRequestStart to check for the admin role in the user's session object, then kick out (redirect) users that don't have that role. This would give you a single place to control access to all the code under the /admin/ folder.

The problem with this question is that there are so many ways to address this issue, and without knowing how your application is set up, there's no way to know if this can be addressed in such a simple manner with your current implementation.
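The onRequestStart check described in the answer, written out as an added example (this is not the answerer's code, and the application name "mySite", the session.user structure, and the "admin" role name are assumptions for illustration; your login code would need to populate session.user.roles the same way):

```cfml
// /admin/Application.cfc  (added example, not from the original answer)
component {
    // Assumption: same application name as the root Application.cfc, so the
    // session created by the login page is visible to the /admin/ folder.
    this.name = "mySite";
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);

    // Runs before every .cfm/.cfc request under /admin/, so there is one
    // place to enforce the rule instead of a check on each page.
    public boolean function onRequestStart(required string targetPage) {
        // Assumption: the login code stores the user's roles server-side as
        // session.user = { id = 42, roles = ["user", "admin"] }.
        // Every piece of the structure is checked so a missing or malformed
        // session (not logged in, expired) is treated as "not admin".
        var isAdmin = structKeyExists(session, "user")
            && isStruct(session.user)
            && structKeyExists(session.user, "roles")
            && isArray(session.user.roles)
            && arrayFindNoCase(session.user.roles, "admin") > 0;

        if (!isAdmin) {
            // Deny by default: anyone without the admin role, including
            // visitors who are not logged in at all, goes back to the root.
            // location() stops processing the request after the redirect.
            location(url = "/", addToken = false);
            return false;
        }

        return true;
    }
}
```

Two caveats worth keeping in mind: the decision is made from the server-side session, never from a cookie, form field or URL parameter the client can edit; and onRequestStart only runs for requests the ColdFusion engine handles (.cfm and .cfc files), so static files under /admin/ such as images or JavaScript are not covered by this check and should be kept out of the folder or protected at the web-server level. If the root Application.cfc already holds shared settings or an onSessionStart handler, the admin Application.cfc can extend it through a mapping rather than duplicating those settings.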