LogIn - set cookie - Autologin in ColdFusion

Panos (asker):

Hello experts.
I have built a login page with a hash check, a session user_id and cookies.
I would like help with how the Autologin function works (please write the code for this), and please check whether the code has mistakes or could be better.

<h3>LogInExample with Hash</h3>
<cfparam name="cookie.email" default="">
<cfparam name="cookie.password" default="">
<cfparam name="cookie.rememberme" default="">
<cfparam name="cookie.AutoLogIn" default="">
<!--- An unchecked checkbox is not submitted at all, so default both form fields
      or the cfcookie lines below fail on an undefined variable. --->
<cfparam name="form.rememberme" default="">
<cfparam name="form.AutoLogIn" default="">
<!--- Do the following if the form is submitted. --->
<cfif IsDefined("Form.Email")>
   <!--- query the data base. ---> 
   <cfquery name = "CheckPerson" datasource = "#request.dsn#">
      SELECT Password ,email,user_ID
      FROM users
      WHERE email = <cfqueryparam value = "#Form.email#"
         cfsqltype = "CF_SQL_VARCHAR"> 
   </cfquery>
         
   <!--- Compare query PasswordHash field and the hashed form password
         and display the results. --->
   <cfoutput>
      <cfif Hash(Form.password, "SHA") is not checkperson.password>
         <cflocation url = "loginfailed.cfm">
      <cfelse>
         <cfset session.allowin = "True">
         <cfset session.user_id = CheckPerson.user_id>
         <cfif isdefined("Form.rememberme") AND Form.rememberme EQ 1>
         <cfcookie name="email" value="#form.email#" expires="never">
         <cfcookie name="password" value="#form.password#" expires="never">
         <cfcookie name="rememberme" value="#form.rememberme#" expires="never">
         <cfcookie name="AutoLogIn" value="#form.AutoLogIn#" expires="never">
         <cfelse>
         <cfcookie name="email" value='NULL' expires="now">
         <cfcookie name="password" value='NULL' expires="now">
         <cfcookie name="rememberme" value='NULL' expires="now">
         <cfcookie name="AutoLogIn" value='NULL' expires="now">
         </cfif>
         <cflocation url = "welcome.cfm">
      </cfif>
   </cfoutput>
</cfif>
 
<!--- Form for entering ID and password. --->
<!--- Pound signs are only evaluated inside cfoutput; cookie values are HTML-encoded
      before being echoed into the page. --->
<form name="LogIn" action="<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>" method="post">
   <b>Email: </b>
   <input type="text" name="email" value="<cfoutput>#HTMLEditFormat(cookie.email)#</cfoutput>"><br/><br/>
   <b>Password: </b>
   <input type="password" name="password" value="<cfoutput>#HTMLEditFormat(cookie.password)#</cfoutput>"><br/><br/>
   <b>Remember me:</b>
   <input name="rememberme" type="checkbox" value="1"
    <cfif cookie.rememberme EQ 1> checked="checked" </cfif> /><br /><br />
   <b>AutoLogIn:</b>
   <input name="AutoLogIn" type="checkbox" value="1"
    <cfif cookie.AutoLogIn EQ 1> checked="checked" </cfif> /><br /><br />
   <input type="Submit" value="LogIn" id="LogIn">
</form>


js_vaughan:

First off, you don't need to save the password. You correctly set your cookies only after the password has been confirmed, so you know the cookies will only come from someone who already knows it. For security purposes, do not save the password as a cookie; you don't need to, the email is enough.

My second suggestion is to add an additional cookie AND database field to hold a date-time value. Assign now() to a variable, then distribute it something like this:
<cfset myTimeVar = now()>
<cfcookie name="cookieTime" value="#myTimeVar#" expires="never">
<!--- insert myTimeVar into the database as well --->

This cookieTime will prevent the "remember me" from allowing unlimited access from multiple computers. This, I believe, is extremely important in case a user accidentally clicks remember me on a public computer. Example: the user logs in at home when they wake up. COOKIE.cookieTime and the DB timestamp are both set to Jan 1st 10am. The next day the user goes to a public computer and clicks remember me, so now the public COOKIE.cookieTime is set and the DB timestamp is overwritten with Jan 2nd 1pm. When the user returns home and tries to log in later that day, their COOKIE.cookieTime still says Jan 1st 10am, but the database holds Jan 2nd 1pm (created from their time out in public). Access is denied. But no worry, the user logs in again, clicks remember me... and now their local cookie will say Jan 2nd 7pm and the DB timestamp is overwritten to hold the new Jan 2nd 7pm as well. That potential security threat is gone, because the public computer's cookie will say Jan 2nd 1pm but the database will say Jan 2nd 7pm. The public computer is no longer in sync and will not be able to reconnect. Meanwhile, the user goes to sleep, wakes up, goes to their computer on Jan 3rd... and both their cookie and the DB timestamp will still be set to Jan 2nd 7pm... access is granted.

The final piece of the puzzle: how to handle the login. I would recommend your Application.cfc/cfm hold code similar to this:
<!--- check if user is already logged in --->
<cfif NOT isDefined("session.allowin") OR session.allowin NEQ TRUE>
   <!--- if not, let's check for a cookie (all three are needed for the lookup below) --->
   <cfif isDefined("COOKIE.AutoLogIn") AND isDefined("COOKIE.email") AND isDefined("COOKIE.cookieTime")>
      <!--- check cookie against database --->
      <cfquery name="CheckPerson" datasource="#APPLICATION.datasource#">
         SELECT user_id
         FROM users
         WHERE Email = <cfqueryparam cfsqltype="cf_sql_varchar" value="#COOKIE.email#">
         AND CookieTime = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#COOKIE.cookieTime#">
      </cfquery>
      <!--- if 1 record is found, we have a valid login --->
      <cfif CheckPerson.recordCount EQ 1>
         <cfset session.allowin = "True">
         <cfset session.user_id = CheckPerson.user_id>
         <cflocation url="welcome.cfm" addtoken="no">
      <cfelse>
         <!--- if we didn't find 1 record, something is wrong... remove the autologin --->
         <cfcookie name="AutoLogIn" expires="now">
         <cfinclude template="/login.cfm">
         <cfabort>
      </cfif>
   <cfelse>
      <!--- we didn't find a SESSION or COOKIE value that allows for login; force login --->
      <cfinclude template="/login.cfm">
      <cfabort>
   </cfif>
</cfif>

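The scheme above keys the remembered login to the email address plus the login time. Neither is a secret (the time is granular to the second, and later in this thread it gets rounded to the minute), a single CookieTime column allows only one remembered device per account, expires="never" never bounds the exposure of a stolen cookie, and comparing a timestamp that has round-tripped through the database is what causes the format trouble further down the thread. The following is an added Python model of the usual alternative: a random selector plus a random validator, only the validator's hash stored, one row per device, an expiry, a constant-time comparison, and explicit cookie attributes. It is not ColdFusion and not code from anyone in this thread; the in-memory USERS and REMEMBER_TOKENS dictionaries and the fixed DEMO_NOW clock are constructed stand-ins for the users table, a new remember_tokens table, and now(). The same steps map onto cfquery, Hash() and cfcookie (which has a secure attribute, and httponly in later versions).

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Constructed stand-ins for the thread's "users" table and for a new
# "remember_tokens" table (one row per remembered device, instead of one
# CookieTime column per user).
USERS = {"alice@example.com": {"user_id": 1}}
REMEMBER_TOKENS = {}  # selector -> {"user_id", "validator_hash", "expires"}
TOKEN_LIFETIME = timedelta(days=30)

# Fixed clock for the demo, taken from the timestamp shown in the thread.
DEMO_NOW = datetime(2009, 2, 14, 18, 11, 43)


def at(days=0, seconds=0):
    """DEMO_NOW shifted forward; stands in for now() in the examples below."""
    return DEMO_NOW + timedelta(days=days, seconds=seconds)


def _hash_validator(validator):
    # Only the hash is stored: a dump of the table yields no usable cookies.
    return hashlib.sha256(validator.encode("utf-8")).hexdigest()


def issue_remember_token(email, now):
    """Call this only after the password has been verified.
    Returns the cookie value 'selector:validator'."""
    user_id = USERS[email]["user_id"]
    selector = secrets.token_urlsafe(12)   # lookup key, may leak harmlessly
    validator = secrets.token_urlsafe(32)  # the secret; exists only in the cookie
    REMEMBER_TOKENS[selector] = {
        "user_id": user_id,
        "validator_hash": _hash_validator(validator),
        "expires": now + TOKEN_LIFETIME,
    }
    return selector + ":" + validator


def check_remember_cookie(cookie_value, now):
    """Return the user_id for a valid cookie, else None.
    Replaces the email + CookieTime lookup in the thread."""
    selector, sep, validator = cookie_value.partition(":")
    if not sep:
        return None
    row = REMEMBER_TOKENS.get(selector)
    if row is None:
        return None
    if now >= row["expires"]:
        del REMEMBER_TOKENS[selector]
        return None
    # Constant-time comparison so response timing does not leak the hash.
    if not hmac.compare_digest(row["validator_hash"], _hash_validator(validator)):
        # Right selector, wrong secret: treat as theft/tampering and kill the row.
        del REMEMBER_TOKENS[selector]
        return None
    return row["user_id"]


def revoke_remember_token(cookie_value):
    """Logout on one device. Other devices keep their own rows."""
    selector = cookie_value.partition(":")[0]
    REMEMBER_TOKENS.pop(selector, None)


def revoke_all_for_user(user_id):
    """Password change or 'log out everywhere'. Returns the number of rows removed."""
    dead = [s for s, r in REMEMBER_TOKENS.items() if r["user_id"] == user_id]
    for s in dead:
        del REMEMBER_TOKENS[s]
    return len(dead)


def set_cookie_header(cookie_value):
    """The Set-Cookie line for the login response. Secure and HttpOnly keep the
    validator off plain HTTP and away from page scripts; Max-Age instead of
    expires="never" bounds how long a stolen cookie stays useful."""
    return ("Set-Cookie: remember=%s; Max-Age=%d; Path=/; Secure; HttpOnly; SameSite=Lax"
            % (cookie_value, int(TOKEN_LIFETIME.total_seconds())))
```

With this layout the public-computer scenario from the reply above needs no timestamp juggling: the home and public machines hold different rows, logging out on the public machine revokes only that row, and a password change calls revoke_all_for_user.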

Panos (asker):

Hi js_vaughan,
Thank you for your help.
Because I have an area for non-registered users and an area for registered users, I think I cannot use the code in Application.cfm.
With your corrections, can you please write the new login page? (I'm not sure I can do it myself.)
js_vaughan:
How do you currently handle redirecting users to the login page when non-registered users try to access those restricted pages?
Panos (asker):

For example:
I have insert pages, and when session.user_ID is 0 (the default value) I use cflocation to send the user to login.cfm; if not, I allow the page to open.
(Until now I used the extension from WebAssist to handle all the security things, but now I want to do this with hand coding.)
duncancumming:
(This solution is available only to Experts Exchange members and is not reproduced here.)
Panos (asker):

Thank you duncancumming, I have corrected this now.
Panos (asker):

Hi js_vaughan again.
You say "...you don't need to save your password...".
I understand that it is not good for security reasons, but does it work when I don't have a cookie for the password?
The page will load and the email field will have the cookie value, and the password field nothing.
So I will not be able to log in, or will I?
Am I missing something?
And is it wrong to check whether session.user_id is not 0?
In Application.cfm I have: <CFPARAM NAME="session.user_id" type="numeric" DEFAULT="0">
SOLUTION (available only to Experts Exchange members; not reproduced here)
Panos (asker):

Hi js_vaughan again.
While waiting for your login page I have made some corrections to mine.
I understand the autologin function now. I can have this code at the top of my insert pages to allow or deny the user the use of the page (or not???).
I don't know how to use the remember-me cookie.
Look at the register page, the Application.cfm and the new login page. I have cfif tags there that handle which cookie will be created.
register.cfm
<cfif IsDefined("Form.Register")>
   <!--- Does this email already exist? User input always goes through cfqueryparam,
         never straight into the SQL string. --->
   <cfquery name="usersemail" datasource="#request.dsn#">
      SELECT Email
      FROM dbo.users
      WHERE Email = <cfqueryparam value="#FORM.rEmail#" cfsqltype="cf_sql_varchar" maxlength="255">
   </cfquery>
   <cfif usersemail.RecordCount GTE 1>
      <cflocation url="userexists.cfm?requsername=#URLEncodedFormat(FORM.rEmail)#" addtoken="no">
   <cfelse>
      <cfquery datasource="#request.dsn#">
         INSERT INTO users (email, password, Firstname, Lastname)
         VALUES (
            <cfqueryparam value="#FORM.rEmail#" cfsqltype="cf_sql_varchar" maxlength="255">,
            <cfqueryparam value="#Hash(Form.rPassword, "SHA")#" cfsqltype="cf_sql_varchar" maxlength="255">,
            <cfqueryparam value="#FORM.rFirstname#" cfsqltype="cf_sql_varchar" maxlength="255">,
            <cfqueryparam value="#FORM.rLastname#" cfsqltype="cf_sql_varchar" maxlength="255">)
      </cfquery>
      <cflocation url="newuser.cfm" addtoken="no">
   </cfif>
</cfif>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>
 
<body>
<form action="<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>" method="post">
<b>Email:</b>
<input name="rEmail" type="text" size="30" maxlength="150" /><br /><br />
<b>Firstname:</b>
<input name="rFirstname" type="text" size="30" maxlength="150" /><br /><br />
<b>Lastname:</b>
<input name="rLastname" type="text" size="30" maxlength="150" /><br /><br />
<b>Password:</b>
<input name="rPassword" type="Password" size="30" maxlength="150" /><br /><br />
<input name="Register" type="submit" /></form>
</body>
</html>
 
login.cfm
<h3>LogInExample with Hash</h3>
<cfset myTimeVar = now()>
<cfparam name="cookie.lemail" default="">
<cfparam name="cookie.rememberme" default="">
<cfparam name="cookie.AutoLogIn" default="">
<cfparam name="cookie.cookietime" default="">
<cfparam name="form.rememberme" default="">
<cfparam name="form.AutoLogIn" default="">
<!--- Do the following if the form is submitted. --->
<cfif IsDefined("Form.lEmail")>
   <!--- query the data base. ---> 
   <cfquery name="CheckPerson" datasource="#request.dsn#">
      SELECT Password, email, user_ID
      FROM users
      WHERE email = <cfqueryparam value="#Form.lemail#" cfsqltype="CF_SQL_VARCHAR">
   </cfquery>
   <!--- Do not filter this query on cookie.cookietime: after a login on another
         machine the cookie here is stale, and a correct password would be rejected. --->
         
   <!--- Compare query PasswordHash field and the hashed form password
         and display the results. --->
   
      <cfif Hash(Form.lpassword, "SHA") is not checkperson.password>
         <cflocation url = "loginfailed.cfm">
      <cfelse>
         <cfset session.allowin = "True">
         <cfset session.user_id = CheckPerson.user_id>
         
         <cfquery name="LastLogIn" datasource="#request.dsn#">
            UPDATE users
            SET LastLogIn = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#myTimeVar#">
            WHERE user_Id = <cfqueryparam cfsqltype="cf_sql_integer" value="#session.user_Id#">
         </cfquery>

         <!--- Unchecked boxes arrive as "" (see the cfparam defaults above).
               Either box set: remember the email and the login time, and each box
               sets its own cookie or clears it. Neither set: clear everything. --->
         <cfif Form.rememberme EQ 1 OR Form.AutoLogIn EQ 1>
            <cfcookie name="lemail" value="#form.lemail#" expires="never">
            <cfcookie name="cookieTime" value="#myTimeVar#" expires="never">
            <cfif Form.rememberme EQ 1>
               <cfcookie name="rememberme" value="1" expires="never">
            <cfelse>
               <cfcookie name="rememberme" expires="now">
            </cfif>
            <cfif Form.AutoLogIn EQ 1>
               <cfcookie name="AutoLogIn" value="1" expires="never">
            <cfelse>
               <cfcookie name="AutoLogIn" expires="now">
            </cfif>
            <cfquery name="q_cookietime" datasource="#request.dsn#">
               UPDATE users
               SET CookieTime = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#myTimeVar#">
               WHERE user_Id = <cfqueryparam cfsqltype="cf_sql_integer" value="#session.user_Id#">
            </cfquery>
         <cfelse>
            <cfcookie name="rememberme" expires="now">
            <cfcookie name="lemail" expires="now">
            <cfcookie name="AutoLogIn" expires="now">
            <cfcookie name="cookieTime" expires="now">
         </cfif>
     
         <cflocation url = "welcome.cfm">
      </cfif>
   
</cfif>
 
<!--- Form for entering ID and password. --->
<form name="LogIn" action="<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>" method="post">
   <b>Email: </b>
   <input type="text" name="lemail" value="<cfoutput>#HTMLEditFormat(cookie.lemail)#</cfoutput>"><br/><br/>
   <b>Password: </b>
   <input type = "password" name="lpassword" value=""><br/><br/>
   <b>Remember me:</b>
   <input name="rememberme" type="checkbox" value="1"
    <cfif cookie.rememberme EQ 1> checked="checked" </cfif> /><br /><br />
    <b>AutoLogIn:</b>
    <input name="AutoLogIn" type="checkbox" value="1"
    <cfif cookie.AutoLogIn EQ 1> checked="checked" </cfif> /><br /><br />
   <input type = "Submit" value = "LogIn"  id="LogIn">
</form>
 
Application.cfm
<cfapplication name="market"  clientmanagement="Yes"
                    sessionmanagement="Yes"
                    sessiontimeout="#CreateTimeSpan(0,0,15,0)#"
                    applicationtimeout="#CreateTimeSpan(0,2,0,0)#">
<CFSET request.dsn = "myDB"> 
<CFPARAM NAME="session.allowin" DEFAULT="false">
<CFPARAM NAME="session.user_id"  type="numeric" DEFAULT="0">

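register.cfm above stores Hash(Form.rPassword, "SHA"), which is unsalted SHA-1 (ColdFusion's Hash() returns uppercase hex). Every user with the same password then has the same stored value, and a single precomputed table cracks the whole users table at once. The added example below, written in Python rather than ColdFusion and not code from anyone in this thread, shows the salted, iterated alternative and the one change it forces on the login query: with a per-user salt the server cannot compute the stored value until it has read that user's row, so the check is "select by email, then verify in code" (the shape of the first login page in this thread) and cannot be "WHERE email = ? AND Password = ?". USERS is a constructed in-memory stand-in for the users table, and the iteration count is kept low so the demo runs quickly.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Work factor. Tune so one verify costs roughly 100 ms on the login server;
# deliberately modest here so the demo runs quickly.
ITERATIONS = 100_000


def legacy_sha1(password):
    """What Hash(password, "SHA") in the thread's register.cfm stores:
    unsalted SHA-1 as uppercase hex. Same password, same value, every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt per user.
    Stored form: pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>, so the
    parameters travel with the value and can be raised later per user."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the salt and iteration count taken from the stored value;
    any malformed stored value simply fails verification."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    except (ValueError, binascii.Error):
        return False
    return hmac.compare_digest(actual, expected)


# Constructed stand-in for the "users" table: email -> {user_id, password}.
USERS = {}

# Verified against when the email is unknown, so a failed login costs the same
# time whether or not the account exists.
DUMMY_HASH = hash_password("not-a-real-password")


def register(email, password, user_id):
    USERS[email] = {"user_id": user_id, "password": hash_password(password)}


def login(email, password):
    """Look the row up by email only, then verify in code. The thread's final
    query 'WHERE email = ? AND Password = ?' cannot work with per-user salts:
    the server cannot compute the stored value before it has read the salt."""
    row = USERS.get(email)
    stored = row["password"] if row is not None else DUMMY_HASH
    ok = verify_password(password, stored)
    if row is None or not ok:
        return None
    return row["user_id"]
```

In CFML terms the equivalent is a cfquery selecting the stored value by email followed by the verification in code; the exact equality comparison in the original page then becomes a call to the verify routine, and the stored column needs to be wide enough for the salt and parameters as well as the hash.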

ASKER CERTIFIED SOLUTION (available only to Experts Exchange members; not reproduced here)
Panos (asker):

Hi js_vaughan.
The only problem I have is that the query LastLogIn does not work. I can't get the cookietime and LastLogIn into the DB, and so I have all the problems that come with this. The rest of the code is very good and is better than what I posted.
Because I had the error "...cannot convert the value '' to a boolean..." I changed your code:
<cfif Form.rememberme OR Form.AutoLogIn> to <cfif Form.rememberme EQ 1 OR Form.AutoLogIn EQ 1>
<cfif Form.AutoLogIn> to <cfif Form.AutoLogIn EQ 1>
js_vaughan:
Is it throwing an error?
Panos (asker):

No, I have no error message now, but the values don't get into the DB.
js_vaughan:
My mistake, try fixing this line:

WHERE user_Id = <cfqueryparam cfsqltype="cf_sql_integer" value="#session.user_Id#">

#session.user_Id# should be CheckPerson.user_Id.

If the cookie value is still not being set, check whether LastLogIn is being set at least...
Panos (asker):

Now it is passing the cookietime, but as the two datetime formats are different, the autologin cookie will be deleted.
The cookie datetime format is: 2009-02-14 18:11:43
and the DB value is: Feb 14 2009 6:11PM
SOLUTION (available only to Experts Exchange members; not reproduced here)
Panos (asker):

Now I changed <cfqueryparam cfsqltype="cf_sql_timestamp" value="#myTimeVar#"> to:
'#DateFormat(myTimeVar, "yyyy-mm-dd")# #TimeFormat(myTimeVar, "HH:mm:ss")#'
and have the same output, but the autologin does not work.
js_vaughan:
OK, let's do this... leave myTimeVar = now() like it was...

We will move the check elsewhere to take the database format completely out of the picture.

change these lines :

    <!--- check cookie against database --->
    <cfquery name="CheckPerson" datasource="#APPLICATION.datasource#">
        SELECT user_id
        FROM users
        WHERE Email = <cfqueryparam cfsqltype="cf_sql_varchar" value="#COOKIE.email#">
        AND CookieTime = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#COOKIE.cookieTime#">
    </cfquery>
   
    <!--- if 1 record is found, we have a valid login --->
    <cfif CheckPerson.recordCount EQ 1>

to the lines below :
    <!--- check cookie against database --->
    <cfquery name="CheckPerson" datasource="#APPLICATION.datasource#">
        SELECT CookieTime, user_id
        FROM users
        WHERE Email = <cfqueryparam cfsqltype="cf_sql_varchar" value="#COOKIE.email#">
        AND CookieTime = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#COOKIE.cookieTime#">
    </cfquery>
	
	<!--- Make sure cookieTime's are in the same format --->
	<cfset VARIABLES.DBCookieTime = DateFormat(CheckPerson.CookieTime,"yyyy mm dd") & TimeFormat(CheckPerson.CookieTime,"hh:mm:ss")>
	<cfset VARIABLES.ClientCookieTime = DateFormat(COOKIE.COOKIETIME,"yyyy mm dd") & TimeFormat(COOKIE.COOKIETIME,"hh:mm:ss")>
    
    <!--- if 1 record is found, we have a valid login --->
    <cfif CheckPerson.recordCount EQ 1 AND VARIABLES.DBCookieTime EQ VARIABLES.ClientCookieTime>


Sorry, remove the "AND CookieTime = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#COOKIE.cookieTime#">" line as well:
    <!--- check cookie against database --->
    <cfquery name="CheckPerson" datasource="#APPLICATION.datasource#">
        SELECT CookieTime, user_id
        FROM users
        WHERE Email = <cfqueryparam cfsqltype="cf_sql_varchar" value="#COOKIE.email#">
    </cfquery>
	
	<!--- Make sure cookieTime's are in the same format --->
	<cfset VARIABLES.DBCookieTime = DateFormat(CheckPerson.CookieTime,"yyyy mm dd") & TimeFormat(CheckPerson.CookieTime,"hh:mm:ss")>
	<cfset VARIABLES.ClientCookieTime = DateFormat(COOKIE.COOKIETIME,"yyyy mm dd") & TimeFormat(COOKIE.COOKIETIME,"hh:mm:ss")>
    
    <!--- if 1 record is found, we have a valid login --->
    <cfif CheckPerson.recordCount EQ 1 AND VARIABLES.DBCookieTime EQ VARIABLES.ClientCookieTime>


Sorry, I'm getting ahead of myself... give me a moment to test the code...
Panos (asker):

Thank you very much for your help.
It is a very good tutorial!!!!
regards
Panos
Panos (asker):

The <cfset VARIABLES.myTimeVar="#dateformat(now(),'mmm dd yyyy') & '  ' & timeformat(now(),'h:mmtt')#"> was OK.
I did not see this post, that's why I posted my dateformat.
js_vaughan:
Yes, that last correction did test out for me:
<!--- check cookie against database --->
<cfquery name="CheckPerson" datasource="#APPLICATION.datasource#">
	SELECT CookieTime, user_id
	FROM users
	WHERE Email = <cfqueryparam cfsqltype="cf_sql_varchar" value="#COOKIE.email#">
</cfquery>
 
<!--- Make sure cookieTime's are in the same format --->
<cfset VARIABLES.DBCookieTime = DateFormat(CheckPerson.CookieTime,"yyyy mm dd") & TimeFormat(CheckPerson.CookieTime,"hh:mm:ss")>
<cfset VARIABLES.ClientCookieTime = DateFormat(COOKIE.COOKIETIME,"yyyy mm dd") & TimeFormat(COOKIE.COOKIETIME,"hh:mm:ss")>
 
<!--- if 1 record is found, we have a valid login --->
<cfif CheckPerson.recordCount EQ 1 AND VARIABLES.DBCookieTime EQ VARIABLES.ClientCookieTime>


js_vaughan:
Gotcha,

Either way you should probably follow this last routine, of leaving myTimeVar just equal to now(). The reason is that by making myTimeVar "mimic" the database, we are linking the two together more closely than they should be. If, for example, you switched to a different database, your cookie code would break.

Both solutions get the job done, but I think this last way does it better =)

Anyway, thanks for the points =)
Panos (asker):

Hi js_vaughan,
I had to come back because of this.
I checked your last code and it is not working. The reason is that after debugging I found that the clientcookietime and the dbcookietime are not the same. They have a 2-3 second difference.
For this output:
<cfif isdefined("CheckPerson.CookieTime")>
<cfoutput>#DateFormat(CheckPerson.CookieTime,"yyyy mm dd") & TimeFormat(CheckPerson.CookieTime,"HH:mm:ss")#</cfoutput></cfif><br />
<cfif isdefined("COOKIE.COOKIETIME")>
<cfoutput>#DateFormat(COOKIE.COOKIETIME,"yyyy mm dd") & TimeFormat(COOKIE.COOKIETIME,"HH:mm:ss")#</cfoutput></cfif><br />

I get this output, for example:
2009 02 1512:02:00
2009 02 1512:02:47

So I had to set myTimeVar again to:
<cfset VARIABLES.myTimeVar="#dateformat(now(),'mmm dd yyyy') & '  ' & timeformat(now(),'h:mmtt')#">

This way I get output like:
2009 02 1512:46:00
2009 02 1512:46:00

(What happens when I log in at, for example, 12:46:59? Will the dbcookietime be 12:47:01?)

I had to do something else too.
After autologin I did not get the new LastLogIn time!!
So I had to add a new query for this.

The final code is here.
Can you please check it?


<cfparam name="VARIABLES.loginPassed" type="boolean" default="FALSE">
<cfset VARIABLES.myTimeVar="#dateformat(now(),'mmm dd yyyy') & '  ' & timeformat(now(),'h:mmtt')#">
<cfif session.allowin EQ TRUE>
 
    <!--- Fake a new login --->
    <cfset CheckPerson = StructNew()>
    <cfset CheckPerson.user_id = session.user_id>    
    <cfset VARIABLES.loginPassed = TRUE>
    
<!--- IF not, lets check for a cookie --->
<cfelseif isDefined("COOKIE.AutoLogIn") AND isDefined("COOKIE.lemail") AND isDefined("COOKIE.COOKIETIME")>
 
    <!--- check cookie against database --->
    <cfquery name="CheckPerson" datasource="carfree24">
        SELECT user_id,Cookietime
        FROM users
        WHERE Email = <cfqueryparam cfsqltype="cf_sql_varchar" value="#COOKIE.lemail#">
    </cfquery>
    <!--- Make sure cookieTime's are in the same format --->
<cfset VARIABLES.DBCookieTime = DateFormat(CheckPerson.CookieTime,"yyyy mm dd") & TimeFormat(CheckPerson.CookieTime,"HH:mm:ss")>
<cfset VARIABLES.ClientCookieTime = DateFormat(COOKIE.COOKIETIME,"yyyy mm dd") & TimeFormat(COOKIE.COOKIETIME,"HH:mm:ss")>
 
    
    <!--- if 1 record is found, we have a valid login --->
<cfif CheckPerson.recordCount EQ 1 AND VARIABLES.DBCookieTime EQ VARIABLES.ClientCookieTime>
 
        <cfset VARIABLES.loginPassed = TRUE>
        
    <!--- if we didnt find 1 record, our cookie is out of sync... remove the autologin, and proceed to login --->
    <cfelse>
        <cfcookie name="AutoLogIn" expires="now">
    </cfif>
        
<!--- Do the following if the form is submitted. --->
<cfelseif IsDefined("Form.lEmail")>
    <cfset VARIABLES.hashedPass = Hash(Form.luserpassword, "SHA")>
    
    <!--- Create our checkboxs if they do not exist --->
    <cfparam name="form.rememberme" default="">
    <cfparam name="form.AutoLogIn" default="">
    
    <!--- query the data base. ---> 
    <cfquery name="CheckPerson" datasource="#request.dsn#">
        SELECT Password, email, user_ID
        FROM users
        WHERE email = <cfqueryparam value="#Form.lemail#" cfsqltype="CF_SQL_VARCHAR">
        AND Password = <cfqueryparam value="#VARIABLES.hashedPass#" cfsqltype="cf_sql_varchar">
    </cfquery>
    
    <!--- User is authorized from the form --->
    <cfif CheckPerson.recordCount EQ 1>
        <cfset VARIABLES.loginPassed = TRUE>
       <!---  <cfset myTimeVar="#now()#"> --->
        
        <!--- Handle cookies in all uppercase --->
        
        <!--- Check if rememberme or AutoLogIn hold positive values --->
        <cfif Form.rememberme EQ 1  OR Form.AutoLogIn EQ 1>
            <CFCOOKIE name="LEMAIL" value="#Form.lemail#" expires="never">
            <CFCOOKIE name="REMEMBERME" value="1" expires="never">
            
            <!--- if AutoLogIn, add login cookies --->
            <cfif Form.AutoLogIn EQ 1>
                <CFCOOKIE name="AUTOLOGIN" value="1" expires="never">
                <CFCOOKIE name="COOKIETIME" value="#myTimeVar#" expires="never">
            <cfelse>
                <CFCOOKIE name="AUTOLOGIN" expires="now">
                <CFCOOKIE name="COOKIETIME" expires="now">
            </cfif>
            
        <!--- Otherwise if user wishes to remain anonymous, remove these client cookies --->
        <cfelse>
            <CFCOOKIE name="LEMAIL" expires="now">
            <CFCOOKIE name="REMEMBERME" expires="now">
            <CFCOOKIE name="AUTOLOGIN" expires="now">
            <CFCOOKIE name="COOKIETIME" expires="now">
        </cfif>
        
        <!--- Handle database updates --->
        
        <cfquery name="setCookietime" datasource="#request.dsn#">
            Update users
            SET <cfif Form.AutoLogIn EQ 1>
            CookieTime = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#myTimeVar#">,</cfif>
			LastLogIn = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#myTimeVar#">
			WHERE user_Id = <cfqueryparam cfsqltype="cf_sql_integer" value="#CheckPerson.user_Id#">
        </cfquery>
    
    <!--- User failed authorization from the form --->
    <cfelse>
        <cflocation url = "Login.cfm?Error=30" addtoken="no">
    </cfif>
</cfif>
 
<!--- If the user was authorized from any of the above steps, proceed with login --->
<cfif VARIABLES.loginPassed>
    <cfset session.allowin = "True">
    <cfset session.user_id = CheckPerson.user_id>
    <cfquery name="LastLogIn" datasource="#request.dsn#">
            Update users
            SET 
			LastLogIn = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#myTimeVar#">
			WHERE user_Id = <cfqueryparam cfsqltype="cf_sql_integer" value="#CheckPerson.user_Id#">
        </cfquery>
    <cflocation url="welcome.cfm" addtoken="no">
</cfif>
 
 
<form name="LogIn" action="<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>" method="post">
<input type="text" name="lemail" value="<cfif isdefined("cookie.lemail")><cfoutput>#HTMLEditFormat(cookie.lemail)#</cfoutput></cfif>"/><br>
<input name="luserpassword" type="password"  value=""/><br>
<input name="rememberme" type="checkbox" value="1"
    <cfif isdefined("cookie.rememberme") AND cookie.rememberme EQ 1> checked="checked" </cfif>/><br>
<input name="AutoLogIn" type="checkbox" value="1"
    <cfif isdefined("cookie.AutoLogIn") AND cookie.AutoLogIn EQ 1> checked="checked" </cfif> /><br>
<input type = "Submit" value = "LogIn"  id="LogIn">
</form>
