CFAjax

techscreencast.com

CFAjax Authentication

Implementing authentication in CFAjax. If you are concerned about exposing your CFAjax logic and functions to the outside world and want to prevent other websites from stealing or using your content, there are three authentication mechanisms you can implement in CFAjax to prevent unauthorized access.

The three methods are:
  • Restricting the HTTP request method, i.e. POST, GET or both
  • Client Authentication
  • CF Session to authenticate the client/user

Restricting the HTTP request method, i.e. POST, GET or both

This is one of the most basic authentication mechanisms that can be implemented. With an HTTP Request Method (HRM) constraint, a CFAjax function can restrict which request methods are allowed, in other words whether the client must communicate with the server using POST, GET, or either of them. By default a CFAjax function allows both POST and GET requests.

How can this be helpful?

One nice feature of the XMLHTTP object (the technology used to make CFAjax calls from the client browser) is that cross-domain method calls fail with "Permission Denied" if the HTTP POST method is used. So if the HTML page was loaded from the http://myserver URL but CFAjax calls are being made to http://yourserver, the browser will throw a "Permission Denied" error when POST is used from the client side.

But somebody can still call the function on the http://yourserver URL if they change the client-side HTTP request to use GET, because the browser performs the cross-domain check only for HTTP POST. To avert this, you can also enforce HRM authentication on the CFAjax function side: tell the CFAjax function to return data only for requests made with HTTP POST and to deny HTTP GET requests.


Client Authentication

This is another authentication mechanism to protect your content and deny unauthorized requests. It relies on the client identifying itself when CFAjax calls are made; functions are executed only if the identity of the client has been successfully verified.

How does it work?

When the client requests the page for the very first time, an authentication key is generated from the client IP address and the current server date/time and encrypted using a private key defined by the CFAjax developer. This key becomes part of the HTML loaded in the client browser, and every time the browser makes a CFAjax request the key is passed to the server. If the function being called has Client Authentication enabled, the key is verified by checking that the IP address of the request matches the one recorded in the key and that the key has not expired (the CFAjax developer sets how long the key stays valid). If the key is not valid, an error is returned to the client.

How can this be helpful?

When a client accesses the page from your site, the key will always match, because it was generated from the client IP and the requests are made from that same IP address. But if somebody else (i.e. another website) tries to call the CFAjax function from their page, the key will not exist, and there is very little chance of recreating it, since it is encrypted with the private key. Even if they copy a static key that was generated, it will fail the IP check for all of their clients, and the key timeout will invalidate it quickly (depending on what the timeout is set to).


CF Session to authenticate the client/user

Using CF Session authentication, you can accept or reject client requests depending on whether a CF session exists. This relies on the user having been authenticated by some means (normally a CFM login page) before any CFAjax calls are made, so that the session already exists on the CF server; once the session has been established, calls to CFAjax functions are first validated against the existence of that session.

How does it work?

Your website has a login page where members log in to access the site; once a member logs in, the web app redirects them to a page that provides useful functionality through CFAjax. At this point the CF session has been established and exists for this particular user on the CF server. To safeguard your business logic and prevent other sites and non-members from calling CFAjax functions, you implement a session check. This way only members who have logged in can access the content, and if somebody tries to hack into your data they are denied access because their session does not exist; to create a session they would have to be an authenticated member.

How can this be helpful?

You can simply deny requests and clients in your CFAjax function that don't originate from your app, i.e. unless you authenticate the request you don't let them use your content.
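The following is an added example, written for this page in Python rather than CFML, and it is not CFAjax's own code or API. It puts the three gates described above (HTTP-method restriction, the IP- and time-bound client key, and the server-session check) into one request guard so the order of checks and the failure cases can be seen on constructed inputs. The key is protected with an HMAC-SHA256 under the private key instead of the encryption the page mentions; the verification logic (IP match and expiry) is the same. The names `make_client_key`, `verify_client_key`, `guard`, the `Request` stand-in, the five-minute `KEY_TTL_SECONDS`, the `userId` session field and the sample addresses are all assumptions made for this example.

```python
import hmac
import hashlib
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Assumption: a developer-defined private secret, as the page describes.
# A real deployment loads this from configuration, never from source.
PRIVATE_KEY = b"example-private-key-replace-me"
# Assumption: keys stay valid for five minutes (the page leaves the timeout to the developer).
KEY_TTL_SECONDS = 300


def make_client_key(client_ip: str, issued_at: Optional[int] = None) -> str:
    """Build the key that is embedded in the page on first load.

    Layout: "<client ip>|<issue time, unix seconds>|<hmac-sha256 hex>".
    The HMAC under the private key stands in for the encryption the page
    mentions; it lets the server detect any change to the ip or time fields.
    """
    if issued_at is None:
        issued_at = int(time.time())
    payload = f"{client_ip}|{issued_at}".encode()
    mac = hmac.new(PRIVATE_KEY, payload, hashlib.sha256).hexdigest()
    return f"{client_ip}|{issued_at}|{mac}"


def verify_client_key(key: str, request_ip: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Apply the checks the page lists: integrity, IP match, then expiry."""
    if now is None:
        now = int(time.time())
    parts = key.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return False, "malformed key"
    ip, issued_str, mac = parts
    expected = hmac.new(PRIVATE_KEY, f"{ip}|{issued_str}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"   # altered, or forged without the private key
    if ip != request_ip:
        return False, "ip mismatch"     # key copied into another site's page
    if now - int(issued_str) > KEY_TTL_SECONDS:
        return False, "key expired"
    return True, "ok"


@dataclass
class Request:
    """Minimal stand-in for an incoming CFAjax call (constructed for this example)."""
    method: str
    remote_addr: str
    params: dict = field(default_factory=dict)
    session: Optional[dict] = None   # None means no server session exists for this client


def guard(req: Request, allowed_methods=("POST",), require_key: bool = False,
          require_session: bool = False) -> Tuple[bool, str]:
    """Run the three gates in order; the first failure rejects the call."""
    if req.method.upper() not in allowed_methods:
        return False, f"method {req.method} not allowed"
    if require_key:
        ok, why = verify_client_key(req.params.get("key", ""), req.remote_addr)
        if not ok:
            return False, why
    if require_session and not (req.session and "userId" in req.session):
        return False, "no authenticated session"
    return True, "ok"


if __name__ == "__main__":
    key = make_client_key("203.0.113.5")   # constructed sample client address
    print(guard(Request("GET", "203.0.113.5", {"key": key}), require_key=True))
    print(guard(Request("POST", "198.51.100.9", {"key": key}), require_key=True))
    print(guard(Request("POST", "203.0.113.5", {"key": key}, session={"userId": 7}),
                require_key=True, require_session=True))
```

Two points of design worth noting. The method restriction only adds value together with the browser's cross-domain behaviour the page describes; the server cannot tell from the method alone which page issued the call, so the key or the session check is what actually authenticates. The IP binding also treats every client behind one NAT or proxy address as the same client, so the key timeout does most of the work for those users, and a short timeout is preferable.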