Your opinion about (safe) scheduled tasks


#1

Hello,

I would like to hear your opinion. I have an application where everything is behind a login. Now we need some scheduled tasks, for which we want / need the scheduled task manager from Lucee Administrator. However, the CFML pages that have the code for the scheduled task then need to be placed outside of the login (because the scheduled task manager can’t log in, right?). Is this a safety issue, and if so, do you have any thoughts on how to make this safe®?

Thanks in advance for your insight!

Marcel


#2

Tasks support HTTP Basic authentication (username and password), so in each task (or in a general task manager endpoint CFC that then calls the tasks) you could get the HTTP headers (https://cfdocs.org/gethttprequestdata), look for the HTTP Basic Authorization header, check that it’s accurate (correct username and password) and then process the task if it is.

You can also check the referrer to ensure the request is coming from your own server (127.0.0.1 or the domain, depending on how your server is configured).

Combining both techniques would offer some measure of protection for your tasks, but neither is bulletproof (since HTTP headers can be sent from anywhere and the referrer header can be purposefully overwritten), but still better than letting them hang out in the wild where anyone could, theoretically, stumble upon them and execute them without any protections.

HTH

– Denny


#3

Thanks Denny. Very late to reply, but we’ve used your suggestions. Furthermore, we’ve added a UUID that the task requires, that’s only set in the scheduled task itself. Only if that specific UUID is given, the task will execute. Safety upon safety!


#4

Thanks for sharing Marcel and happy I was able to help. The UUID is a nice addition and adds another layer of protection. Good thinking!