Panos
asked on
LogIn-set cookie-Autologin in coldfusion
Hello experts.
I have built a login page with a hash check, session user_id set and cookies set.
I want help with how the Autologin function works (please write the code for this), and please check whether the code has mistakes or can be improved.
<h3>LogInExample with Hash</h3>
<cfparam name="cookie.email" default="">
<cfparam name="cookie.password" default="">
<cfparam name="cookie.rememberme" default="">
<cfparam name="cookie.AutoLogIn" default="">
<!--- Do the following if the form is submitted. --->
<cfif IsDefined("Form.Email")>
    <!--- An unchecked checkbox is not submitted at all, so give it a default. --->
    <cfparam name="form.AutoLogIn" default="">
    <!--- query the data base. --->
    <cfquery name="CheckPerson" datasource="#request.dsn#">
        SELECT Password, email, user_ID
        FROM users
        WHERE email = <cfqueryparam value="#Form.email#" cfsqltype="CF_SQL_VARCHAR">
    </cfquery>
    <!--- Compare query PasswordHash field and the hashed form password
          and display the results. --->
    <cfoutput>
        <cfif Hash(Form.password, "SHA") is not checkperson.password>
            <cflocation url="loginfailed.cfm">
        <cfelse>
            <cfset session.allowin = "True">
            <cfset session.user_id = CheckPerson.user_id>
            <cfif isdefined("Form.rememberme") AND Form.rememberme EQ 1>
                <cfcookie name="email" value="#form.email#" expires="never">
                <cfcookie name="password" value="#form.password#" expires="never">
                <cfcookie name="rememberme" value="#form.rememberme#" expires="never">
                <cfcookie name="AutoLogIn" value="#form.AutoLogIn#" expires="never">
            <cfelse>
                <cfcookie name="email" value='NULL' expires="now">
                <cfcookie name="password" value='NULL' expires="now">
                <cfcookie name="rememberme" value='NULL' expires="now">
                <cfcookie name="AutoLogIn" value='NULL' expires="now">
            </cfif>
            <cflocation url="welcome.cfm">
        </cfif>
    </cfoutput>
</cfif>
<!--- Form for entering ID and password. --->
<form name="LogIn" action="<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>" method="post">
    <b>Email: </b>
    <input type="text" name="email" value="<cfoutput>#cookie.email#</cfoutput>"><br/><br/>
    <b>Password: </b>
    <input type="text" name="password" value="<cfoutput>#cookie.password#</cfoutput>"><br/><br/>
    <b>Remember me:</b>
    <input name="rememberme" type="checkbox" value="1"
        <cfif cookie.rememberme EQ 1> checked="checked" </cfif> /><br /><br />
    <b>AutoLogIn:</b>
    <input name="AutoLogIn" type="checkbox" value="1"
        <cfif cookie.AutoLogIn EQ 1> checked="checked" </cfif> /><br /><br />
    <input type="Submit" value="LogIn" id="LogIn">
</form>
ASKER
Hi js_vaughan:
Thank you for your help.
Because I have an area for non-registered users and an area for registered users, I think I cannot use the code in the Application.cfm.
With your corrections, can you please write the new login page? (I'm not sure I can do it myself.)
How do you currently handle redirecting users to the login page when non-registered users try to access those restricted pages?
ASKER
For example:
I have insert pages, and when session.user_ID is 0 (the default value) I use cflocation to send the user to login.cfm; if not, I allow the page to open.
(Until now I used the extension from WebAssist to handle all the security things, but now I want to do this with hand coding.)
SOLUTION
ASKER
Thank you duncancumming.
I have corrected this now.
ASKER
Hi js_vaughan again.
You say "...you don't need to save your password...".
I understand that it is not good for security reasons, but does it work when I don't have a cookie for the password?
The page will load and the email field will have the cookie value, and the password nothing.
So I will not be able to log in. Or not?
Am I missing something?
And is it wrong to check whether session.user_id is not 0?
In the Application.cfm I have: <CFPARAM NAME="session.user_id" type="numeric" DEFAULT="0">
SOLUTION
ASKER
Hi js_vaughan again.
While waiting for your login page I have made some corrections to mine.
I understand the autologin function now. I can put this code at the top of my insert pages to allow or deny the user the use of the page (or not???).
I don't know how to use the remember cookie.
Look at the register page, Application.cfm and the new login. I have cfif tags there that handle which cookie will be created.
register.cfm
<cfif IsDefined("Form.Register")>
    <!--- Bind the submitted e-mail as a parameter instead of pasting it into the SQL. --->
    <cfquery name="usersemail" datasource="#request.dsn#">
        SELECT Email
        FROM dbo.users
        WHERE Email = <cfqueryparam value="#FORM.rEmail#" cfsqltype="cf_sql_varchar">
    </cfquery>
    <cfif usersemail.RecordCount GTE 1>
        <cflocation url="userexists.cfm?requsername=#URLEncodedFormat(FORM.rEmail)#" addtoken="no">
    <cfelse>
        <cfquery datasource="#request.dsn#">
            INSERT INTO users (email, password, Firstname, Lastname)
            VALUES (
                <cfqueryparam value="#FORM.rEmail#" cfsqltype="cf_sql_clob" maxlength="255">,
                <cfqueryparam value="#Hash(Form.rPassword, "SHA")#" cfsqltype="cf_sql_clob" maxlength="255">,
                <cfqueryparam value="#FORM.rFirstname#" cfsqltype="cf_sql_clob" maxlength="255">,
                <cfqueryparam value="#FORM.rLastname#" cfsqltype="cf_sql_clob" maxlength="255">)
        </cfquery>
        <cflocation url="newuser.cfm">
    </cfif>
</cfif>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Untitled Document</title>
</head>
<body>
    <form action="<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>" method="post">
        <b>Email:</b>
        <input name="rEmail" type="text" size="30" maxlength="150" /><br /><br />
        <b>Firstname:</b>
        <input name="rFirstname" type="text" size="30" maxlength="150" /><br /><br />
        <b>Lastname:</b>
        <input name="rLastname" type="text" size="30" maxlength="150" /><br /><br />
        <b>Password:</b>
        <input name="rPassword" type="Password" size="30" maxlength="150" /><br /><br />
        <input name="Register" type="submit" />
    </form>
</body>
</html>
login.cfm
<h3>LogInExample with Hash</h3>
<cfset myTimeVar="#now()#">
<cfparam name="cookie.lemail" default="">
<cfparam name="cookie.rememberme" default="">
<cfparam name="cookie.AutoLogIn" default="">
<cfparam name="cookie.cookietime" default="">
<cfparam name="form.rememberme" default="">
<cfparam name="form.AutoLogIn" default="">
<!--- Do the following if the form is submitted. --->
<cfif IsDefined("Form.lEmail")>
    <!--- query the data base. --->
    <cfquery name="CheckPerson" datasource="#request.dsn#">
        SELECT Password, email, user_ID
        FROM users
        WHERE email = <cfqueryparam value="#Form.lemail#" cfsqltype="CF_SQL_VARCHAR">
        <cfif cookie.cookietime NEQ "">
            AND CookieTime = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#COOKIE.cookieTime#">
        </cfif>
    </cfquery>
    <!--- Compare query PasswordHash field and the hashed form password
          and display the results. --->
    <cfif Hash(Form.lpassword, "SHA") is not checkperson.password>
        <cflocation url="loginfailed.cfm">
    <cfelse>
        <cfset session.allowin = "True">
        <cfset session.user_id = CheckPerson.user_id>
        <cfquery name="LastLogIn" datasource="#request.dsn#">
            UPDATE users
            SET LastLogIn = '#DateFormat(myTimeVar, "yyyy-mm-dd")# #TimeFormat(myTimeVar, "hh:mm:ss")#'
            WHERE user_Id = <cfqueryparam cfsqltype="cf_sql_integer" value="#session.user_Id#">
        </cfquery>
        <cfif Form.rememberme EQ "" AND Form.AutoLogIn EQ 1>
            <cfcookie name="lemail" value="#form.lemail#" expires="never">
            <cfcookie name="AutoLogIn" value="#form.AutoLogIn#" expires="never">
            <cfcookie name="rememberme" value='NULL' expires="now">
            <cfcookie name="cookieTime" value="#myTimeVar#" expires="never">
            <cfquery name="q_cookietime" datasource="#request.dsn#">
                UPDATE users
                SET Cookietime = '#DateFormat(myTimeVar, "yyyy-mm-dd")# #TimeFormat(myTimeVar, "hh:mm:ss")#'
                WHERE user_Id = <cfqueryparam cfsqltype="cf_sql_integer" value="#session.user_Id#">
            </cfquery>
        <cfelseif Form.rememberme EQ 1 AND Form.AutoLogIn EQ "">
            <cfcookie name="lemail" value="#form.lemail#" expires="never">
            <cfcookie name="rememberme" value="#form.rememberme#" expires="never">
            <cfcookie name="AutoLogin" value='NULL' expires="now">
            <cfcookie name="cookieTime" value="#myTimeVar#" expires="never">
            <cfquery name="q_cookietime" datasource="#request.dsn#">
                UPDATE users
                SET Cookietime = '#DateFormat(myTimeVar, "yyyy-mm-dd")# #TimeFormat(myTimeVar, "hh:mm:ss")#'
                WHERE user_Id = <cfqueryparam cfsqltype="cf_sql_integer" value="#session.user_Id#">
            </cfquery>
        <cfelseif Form.rememberme EQ 1 AND Form.AutoLogIn EQ 1>
            <cfcookie name="lemail" value="#form.lemail#" expires="never">
            <cfcookie name="rememberme" value="#form.rememberme#" expires="never">
            <cfcookie name="AutoLogin" value="#form.AutoLogIn#" expires="never">
            <cfcookie name="cookieTime" value="#myTimeVar#" expires="never">
            <cfquery name="q_cookietime" datasource="#request.dsn#">
                UPDATE users
                SET Cookietime = '#DateFormat(myTimeVar, "yyyy-mm-dd")# #TimeFormat(myTimeVar, "hh:mm:ss")#'
                WHERE user_Id = <cfqueryparam cfsqltype="cf_sql_integer" value="#session.user_Id#">
            </cfquery>
        <cfelse>
            <cfcookie name="rememberme" value='NULL' expires="now">
            <cfcookie name="lemail" value='NULL' expires="now">
            <cfcookie name="AutoLogin" value='NULL' expires="now">
            <cfcookie name="cookietime" value='NULL' expires="now">
        </cfif>
        <cflocation url="welcome.cfm">
    </cfif>
</cfif>
<!--- Form for entering ID and password. --->
<form name="LogIn" action="<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>" method="post">
    <b>Email: </b>
    <input type="text" name="lemail" value="<cfoutput>#cookie.lemail#</cfoutput>"><br/><br/>
    <b>Password: </b>
    <input type="password" name="lpassword" value=""><br/><br/>
    <b>Remember me:</b>
    <input name="rememberme" type="checkbox" value="1"
        <cfif cookie.rememberme EQ 1> checked="checked" </cfif> /><br /><br />
    <b>AutoLogIn:</b>
    <input name="AutoLogIn" type="checkbox" value="1"
        <cfif cookie.AutoLogIn EQ 1> checked="checked" </cfif> /><br /><br />
    <input type="Submit" value="LogIn" id="LogIn">
</form>
Application.cfm
<cfapplication name="market"
    clientmanagement="Yes"
    sessionmanagement="Yes"
    sessiontimeout="#CreateTimeSpan(0,0,15,0)#"
    applicationtimeout="#CreateTimeSpan(0,2,0,0)#">
<CFSET request.dsn = "myDB">
<CFPARAM NAME="session.allowin" DEFAULT="false">
<CFPARAM NAME="session.user_id" type="numeric" DEFAULT="0">
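An added example, not code from the thread or from js_vaughan, of the request guard the asker is asking about: placed at the end of the Application.cfm above, after the two <CFPARAM> lines, it answers the public-area/private-area concern by listing the pages that need no login and redirecting every other request while session.user_id is still its default of 0. The page list, the session.returnTo variable, the ?logout=1 parameter and the login.cfm file name are assumptions.

```cfml
<!--- Added example (not the thread's code): request guard for Application.cfm.
      Goes right after the <CFPARAM> lines for session.allowin and session.user_id.
      Assumed: the page list below, the login.cfm file name, session.returnTo,
      and a ?logout=1 URL parameter. --->

<!--- Logout first, so it works from any page: clear the session flags and drop the
      remember-me cookies the login page sets (cookie names as in the thread) --->
<cfif IsDefined("URL.logout")>
    <cfset session.allowin = "false">
    <cfset session.user_id = 0>
    <cfcookie name="AUTOLOGIN" expires="now">
    <cfcookie name="COOKIETIME" expires="now">
    <cflocation url="login.cfm" addtoken="no">
</cfif>

<!--- Pages anyone may open without logging in (assumed list; extend as needed) --->
<cfset VARIABLES.publicPages = "index.cfm,login.cfm,loginfailed.cfm,register.cfm,userexists.cfm,newuser.cfm">

<!--- The file being requested, e.g. "insert.cfm" from "/market/insert.cfm" --->
<cfset VARIABLES.currentPage = ListLast(CGI.SCRIPT_NAME, "/")>

<!--- session.user_id keeps its default of 0 until login.cfm sets it, so a zero
      (or allowin still false) on a non-public page means "not logged in" --->
<cfif NOT ListFindNoCase(VARIABLES.publicPages, VARIABLES.currentPage)
      AND (NOT session.allowin OR session.user_id EQ 0)>
    <!--- remember the requested page so login.cfm can send the user back to it
          (server-side path only, never a value taken from the request) --->
    <cfset session.returnTo = CGI.SCRIPT_NAME>
    <!--- addtoken="no" keeps CFID/CFTOKEN out of the redirect URL --->
    <cflocation url="login.cfm" addtoken="no">
</cfif>
```

With this in place the insert pages need no check of their own; the relative "login.cfm" in the redirect assumes all pages sit in one directory, so use an absolute path if the restricted pages live in sub-folders.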
ASKER CERTIFIED SOLUTION
ASKER
Hi js_vaughan.
The only problem I have is that the LastLogIn query does not work. I can't get the cookietime and LastLogIn into the DB, and so I have all the problems that have to do with this. The rest of the code is very good and better than what I had posted.
Because I had the error "...cannot convert the value "''" to a boolean..." I changed your code:
<cfif Form.rememberme OR Form.AutoLogIn> to <cfif Form.rememberme EQ 1 OR Form.AutoLogIn EQ 1>
<cfif Form.AutoLogIn> to <cfif Form.AutoLogIn EQ 1>
Is it throwing an error?
ASKER
No.
I have no error message now, but the values still don't get into the DB.
My mistake, try fixing this line:
WHERE user_Id = <cfqueryparam cfsqltype="cf_sql_integer" value="#session.user_Id#">
#session.user_Id# should be "CheckPerson.user_Id"
If the cookie value is still not being set, check if the lastlogin is being set at least...
ASKER
Now it is passing the cookietime, but as the two datetime formats are different the autologin cookie will be deleted.
The cookie datetime format is: 2009-02-14 18:11:43
and the DB value is: Feb 14 2009 6:11PM
SOLUTION
ASKER
Now I changed the <cfqueryparam cfsqltype="cf_sql_timestamp" value="#myTimeVar#"> to:
'#DateFormat(myTimeVar, "yyyy-mm-dd")# #TimeFormat(myTimeVar, "HH:mm:ss")#'
and have the same output, but the autologin does not work.
ok, let's do this... leave myTimeVar = now() like it was...
we will move the check elsewhere to take the database format completely out of the picture.
change these lines:
    <!--- check cookie against database --->
    <cfquery name="CheckPerson" datasource="#APPLICATION.datasource#">
        SELECT user_id
        FROM users
        WHERE Email = <cfqueryparam cfsqltype="cf_sql_varchar" value="#COOKIE.email#">
        AND CookieTime = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#COOKIE.cookieTime#">
    </cfquery>
    <!--- if 1 record is found, we have a valid login --->
    <cfif CheckPerson.recordCount EQ 1>
to the lines below:
    <!--- check cookie against database --->
    <cfquery name="CheckPerson" datasource="#APPLICATION.datasource#">
        SELECT CookieTime, user_id
        FROM users
        WHERE Email = <cfqueryparam cfsqltype="cf_sql_varchar" value="#COOKIE.email#">
        AND CookieTime = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#COOKIE.cookieTime#">
    </cfquery>
    <!--- Make sure cookieTime's are in the same format --->
    <cfset VARIABLES.DBCookieTime = DateFormat(CheckPerson.CookieTime,"yyyy mm dd") & TimeFormat(CheckPerson.CookieTime,"hh:mm:ss")>
    <cfset VARIABLES.ClientCookieTime = DateFormat(COOKIE.COOKIETIME,"yyyy mm dd") & TimeFormat(COOKIE.COOKIETIME,"hh:mm:ss")>
    <!--- if 1 record is found, we have a valid login --->
    <cfif CheckPerson.recordCount EQ 1 AND VARIABLES.DBCookieTime EQ VARIABLES.ClientCookieTime>
sorry, remove the "AND CookieTime = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#COOKIE.cookieTime#">" also
    <!--- check cookie against database --->
    <cfquery name="CheckPerson" datasource="#APPLICATION.datasource#">
        SELECT CookieTime, user_id
        FROM users
        WHERE Email = <cfqueryparam cfsqltype="cf_sql_varchar" value="#COOKIE.email#">
    </cfquery>
    <!--- Make sure cookieTime's are in the same format --->
    <cfset VARIABLES.DBCookieTime = DateFormat(CheckPerson.CookieTime,"yyyy mm dd") & TimeFormat(CheckPerson.CookieTime,"hh:mm:ss")>
    <cfset VARIABLES.ClientCookieTime = DateFormat(COOKIE.COOKIETIME,"yyyy mm dd") & TimeFormat(COOKIE.COOKIETIME,"hh:mm:ss")>
    <!--- if 1 record is found, we have a valid login --->
    <cfif CheckPerson.recordCount EQ 1 AND VARIABLES.DBCookieTime EQ VARIABLES.ClientCookieTime>
Sorry, I'm getting ahead of myself... give me a moment to test the code...
ASKER
Thank you very much for your help.
It is a very good tutorial!!!!
regards
Panos
ASKER
The <cfset VARIABLES.myTimeVar="#dateformat(now(),'mmm dd yyyy') & ' ' & timeformat(now(),'h:mmtt')#"> was ok.
I did not see this post; that's why I posted my dateformat.
Yes, that last correction did test out for me:
    <!--- check cookie against database --->
    <cfquery name="CheckPerson" datasource="#APPLICATION.datasource#">
        SELECT CookieTime, user_id
        FROM users
        WHERE Email = <cfqueryparam cfsqltype="cf_sql_varchar" value="#COOKIE.email#">
    </cfquery>
    <!--- Make sure cookieTime's are in the same format --->
    <cfset VARIABLES.DBCookieTime = DateFormat(CheckPerson.CookieTime,"yyyy mm dd") & TimeFormat(CheckPerson.CookieTime,"hh:mm:ss")>
    <cfset VARIABLES.ClientCookieTime = DateFormat(COOKIE.COOKIETIME,"yyyy mm dd") & TimeFormat(COOKIE.COOKIETIME,"hh:mm:ss")>
    <!--- if 1 record is found, we have a valid login --->
    <cfif CheckPerson.recordCount EQ 1 AND VARIABLES.DBCookieTime EQ VARIABLES.ClientCookieTime>
Gotcha,
either way you should probably follow this last routine of leaving myTimeVar just equal to now(). The reason is that by making myTimeVar "mimic" the database, we are linking the two together more closely than they should be. If, for example, you switched to a different database, your cookie code would break.
Both solutions get the job done, but I think this last way does it better =)
Anyways, thanks for the points =)
ASKER
Hi js_vaughan
I had to come back because of this.
I checked your last code and it is not working. The reason is that after debugging I found that the clientcookietime and the dbcookietime are not the same. They have a 2-3 second difference.
For this output:
    <cfif isdefined("CheckPerson.CookieTime")>
        <cfoutput>#DateFormat(CheckPerson.CookieTime,"yyyy mm dd") & TimeFormat(CheckPerson.CookieTime,"HH:mm:ss")#</cfoutput>
    </cfif><br />
    <cfif isdefined("COOKIE.COOKIETIME")>
        <cfoutput>#DateFormat(COOKIE.COOKIETIME,"yyyy mm dd") & TimeFormat(COOKIE.COOKIETIME,"HH:mm:ss")#</cfoutput>
    </cfif><br />
I get this output, for example:
    2009 02 1512:02:00
    2009 02 1512:02:47
so I had to set the myTimeVar again to:
    <cfset VARIABLES.myTimeVar="#dateformat(now(),'mmm dd yyyy') & ' ' & timeformat(now(),'h:mmtt')#">
This way I get output like:
    2009 02 1512:46:00
    2009 02 1512:46:00
(What happens when I log in at, for example, 12:46:59? Will the dbcookietime be 12:47:01?)
I had to do something else too.
After autologin I did not get the new lastlogintime!!
So I had to add one new query for this.
The final code is here.
Please can you check it?:
<cfparam name="VARIABLES.loginPassed" type="boolean" default="FALSE">
<cfset VARIABLES.myTimeVar="#dateformat(now(),'mmm dd yyyy') & ' ' & timeformat(now(),'h:mmtt')#">
<cfif session.allowin EQ TRUE>
    <!--- Fake a new login --->
    <cfset CheckPerson = StructNew()>
    <cfset CheckPerson.user_id = session.user_id>
    <cfset VARIABLES.loginPassed = TRUE>
<!--- IF not, lets check for a cookie (all three cookies must exist before they are read) --->
<cfelseif isDefined("COOKIE.AutoLogIn") AND isDefined("COOKIE.lemail") AND isDefined("COOKIE.COOKIETIME")>
    <!--- check cookie against database --->
    <cfquery name="CheckPerson" datasource="carfree24">
        SELECT user_id, Cookietime
        FROM users
        WHERE Email = <cfqueryparam cfsqltype="cf_sql_varchar" value="#COOKIE.lemail#">
    </cfquery>
    <!--- Make sure cookieTime's are in the same format --->
    <cfset VARIABLES.DBCookieTime = DateFormat(CheckPerson.CookieTime,"yyyy mm dd") & TimeFormat(CheckPerson.CookieTime,"HH:mm:ss")>
    <cfset VARIABLES.ClientCookieTime = DateFormat(COOKIE.COOKIETIME,"yyyy mm dd") & TimeFormat(COOKIE.COOKIETIME,"HH:mm:ss")>
    <!--- if 1 record is found, we have a valid login --->
    <cfif CheckPerson.recordCount EQ 1 AND VARIABLES.DBCookieTime EQ VARIABLES.ClientCookieTime>
        <cfset VARIABLES.loginPassed = TRUE>
    <!--- if we didnt find 1 record, our cookie is out of sync... remove the autologin, and proceed to login --->
    <cfelse>
        <cfcookie name="AutoLogIn" expires="now">
    </cfif>
<!--- Do the following if the form is submitted. --->
<cfelseif IsDefined("Form.lEmail")>
    <cfset VARIABLES.hashedPass = Hash(Form.luserpassword, "SHA")>
    <!--- Create our checkboxs if they do not exist --->
    <cfparam name="form.rememberme" default="">
    <cfparam name="form.AutoLogIn" default="">
    <!--- query the data base. --->
    <cfquery name="CheckPerson" datasource="#request.dsn#">
        SELECT Password, email, user_ID
        FROM users
        WHERE email = <cfqueryparam value="#Form.lemail#" cfsqltype="CF_SQL_VARCHAR">
        AND Password = <cfqueryparam value="#VARIABLES.hashedPass#" cfsqltype="cf_sql_varchar">
    </cfquery>
    <!--- User is authorized from the form --->
    <cfif CheckPerson.recordCount EQ 1>
        <cfset VARIABLES.loginPassed = TRUE>
        <!--- <cfset myTimeVar="#now()#"> --->
        <!--- Handle cookies in all uppercase --->
        <!--- Check if rememberme or AutoLogIn hold positive values --->
        <cfif Form.rememberme EQ 1 OR Form.AutoLogIn EQ 1>
            <CFCOOKIE name="LEMAIL" value="#Form.lemail#" expires="never">
            <CFCOOKIE name="REMEMBERME" value="1" expires="never">
            <!--- if AutoLogIn, add login cookies --->
            <cfif Form.AutoLogIn EQ 1>
                <CFCOOKIE name="AUTOLOGIN" value="1" expires="never">
                <CFCOOKIE name="COOKIETIME" value="#myTimeVar#" expires="never">
            <cfelse>
                <CFCOOKIE name="AUTOLOGIN" expires="now">
                <CFCOOKIE name="COOKIETIME" expires="now">
            </cfif>
        <!--- Otherwise if user wishes to remain anonymous, remove these client cookies --->
        <cfelse>
            <CFCOOKIE name="LEMAIL" expires="now">
            <CFCOOKIE name="REMEMBERME" expires="now">
            <CFCOOKIE name="AUTOLOGIN" expires="now">
            <CFCOOKIE name="COOKIETIME" expires="now">
        </cfif>
        <!--- Handle database updates --->
        <cfquery name="setCookietime" datasource="#request.dsn#">
            UPDATE users
            SET <cfif Form.AutoLogIn EQ 1>
                CookieTime = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#myTimeVar#">,</cfif>
                LastLogIn = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#myTimeVar#">
            WHERE user_Id = <cfqueryparam cfsqltype="cf_sql_integer" value="#CheckPerson.user_Id#">
        </cfquery>
    <!--- User failed authorization from the form --->
    <cfelse>
        <cflocation url="Login.cfm?Error=30" addtoken="no">
    </cfif>
</cfif>
<!--- If the user was authorized from any of the above steps, proceed with login --->
<cfif VARIABLES.loginPassed>
    <cfset session.allowin = "True">
    <cfset session.user_id = CheckPerson.user_id>
    <cfquery name="LastLogIn" datasource="#request.dsn#">
        UPDATE users
        SET LastLogIn = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#myTimeVar#">
        WHERE user_Id = <cfqueryparam cfsqltype="cf_sql_integer" value="#CheckPerson.user_Id#">
    </cfquery>
    <cflocation url="welcome.cfm" addtoken="no">
</cfif>
<form name="LogIn" action="<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>" method="post">
    <input type="text" name="lemail" value="<cfif isdefined("cookie.lemail")><cfoutput>#cookie.lemail#</cfoutput></cfif>"/><br>
    <input name="luserpassword" type="password" value=""/><br>
    <input name="rememberme" type="checkbox" value="1"
        <cfif isdefined("cookie.rememberme") AND cookie.rememberme EQ 1> checked="checked" </cfif>/><br>
    <input name="AutoLogIn" type="checkbox" value="1"
        <cfif isdefined("cookie.AutoLogIn") AND cookie.AutoLogIn EQ 1> checked="checked" </cfif> /><br>
    <input type="Submit" value="LogIn" id="LogIn">
</form>
My second suggestion is to add an additional cookie AND database field to hold a date-time value. Assign now() to a variable, then distribute it something like this:
    <cfset myTimeVar="#now()#">
    <cfcookie name="cookieTime" value="#myTimeVar#" expires="never">
    <!--- insert myTimeVar to the database as well --->
This cookieTime will prevent the "remember me" from allowing unlimited access from multiple computers. This, I believe, is extremely important in case a user accidentally clicks remember me from a public computer. Example: User logs in at home when they wake up. COOKIE.cookieTime and the DB timestamp are both set at Jan 1st 10am. The next day User goes to a public computer, clicks remember me, so now the public COOKIE.cookieTime is set and the DB timestamp is overwritten to Jan 2nd 1pm. When user returns home and tries to login later that day, their COOKIE.cookietime still says Jan 1st 10am, but the database holds Jan 2nd 1pm (created from their time out in public). Access is denied. But no worry, user logs in again, clicks the remember me... and now his local cookie will say Jan 2nd 7pm and the DB timestamp is overwritten to hold the new Jan 2nd 7pm as well. That potential security threat is gone because the public computer's cookie will say Jan 2nd 1pm, but the database will say Jan 2nd 7pm. The public computer is no longer in sync and will not be able to reconnect. Meanwhile, the user goes to sleep, wakes up, goes to their computer on Jan 3rd... and both their cookie and DB timestamp will still be set to Jan 2nd 7pm... access is granted.
The final piece of the puzzle: how to handle the login. I would recommend your application.cfc/cfm hold code similar to this ....
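An added example, not code from the thread, that keeps the shape of the final login.cfm above and js_vaughan's cookieTime idea (the cookie must match a value stored in the database, and the stored value is replaced at every login so a copied cookie goes out of sync) but replaces the timestamp with random values. That removes the seconds-rounding mismatch the asker hit (a value generated once and stored verbatim in both places cannot drift) and makes the database's datetime format irrelevant. It assumes CF9 or newer for the httponly attribute, the thread's request.dsn, and two extra VARCHAR columns on users, RememberSelector and RememberValidatorHash (assumed names); the password check is the thread's own unsalted SHA hash, left unchanged.

```cfml
<!--- Added example (not the thread's code): remember-me token in place of cookieTime.
      The cookie holds "selector:validator", both random; the database stores the
      selector in clear and only a SHA-256 hash of the validator, so a copy of the
      users table does not yield usable cookies. Assumed: CF9+ (httponly), request.dsn,
      columns users.RememberSelector and users.RememberValidatorHash. --->

<!--- Compare two strings without leaking where they first differ (added helper). --->
<cffunction name="constantTimeEquals" returntype="boolean" output="false">
    <cfargument name="a" type="string" required="true">
    <cfargument name="b" type="string" required="true">
    <cfset var diff = BitXor(Len(arguments.a), Len(arguments.b))>
    <cfset var i = 0>
    <cfloop from="1" to="#Min(Len(arguments.a), Len(arguments.b))#" index="i">
        <cfset diff = BitOr(diff, BitXor(Asc(Mid(arguments.a, i, 1)), Asc(Mid(arguments.b, i, 1))))>
    </cfloop>
    <cfreturn diff EQ 0>
</cffunction>

<!--- Issue (or rotate) the token for one user. Called after every successful login, so
      a cookie copied to another machine stops working as soon as the real browser is
      used again: the same effect as the thread's cookieTime, with no clocks involved. --->
<cffunction name="issueRememberToken" returntype="void" output="false">
    <cfargument name="userId" type="numeric" required="true">
    <!--- GenerateSecretKey draws from the JVM's secure random source; hashing it to hex
          only gives cookie-safe characters, it does not add or remove randomness --->
    <cfset var selector  = Hash(GenerateSecretKey("AES"), "SHA-256")>
    <cfset var validator = Hash(GenerateSecretKey("AES"), "SHA-256")>
    <cfset var q = "">
    <cfquery name="q" datasource="#request.dsn#">
        UPDATE users
        SET RememberSelector      = <cfqueryparam cfsqltype="cf_sql_varchar" value="#selector#">,
            RememberValidatorHash = <cfqueryparam cfsqltype="cf_sql_varchar" value="#Hash(validator, 'SHA-256')#">,
            LastLogIn             = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#Now()#">
        WHERE user_Id = <cfqueryparam cfsqltype="cf_sql_integer" value="#arguments.userId#">
    </cfquery>
    <!--- 30-day expiry instead of "never"; httponly keeps script away from the cookie,
          secure keeps it off plain HTTP --->
    <cfcookie name="AUTOLOGIN" value="#selector#:#validator#" expires="30" httponly="true" secure="true">
</cffunction>

<cfparam name="VARIABLES.loginPassed" type="boolean" default="FALSE">
<cfparam name="VARIABLES.userId" default="0">

<cfif session.allowin EQ TRUE>
    <cfset VARIABLES.userId = session.user_id>
    <cfset VARIABLES.loginPassed = TRUE>

<!--- Cookie branch: the selector finds the row, the validator's hash must match it --->
<cfelseif isDefined("COOKIE.AUTOLOGIN") AND ListLen(COOKIE.AUTOLOGIN, ":") EQ 2>
    <cfquery name="CheckPerson" datasource="#request.dsn#">
        SELECT user_id, RememberValidatorHash
        FROM users
        WHERE RememberSelector = <cfqueryparam cfsqltype="cf_sql_varchar" value="#ListFirst(COOKIE.AUTOLOGIN, ':')#">
    </cfquery>
    <cfif CheckPerson.recordCount EQ 1
          AND constantTimeEquals(Hash(ListLast(COOKIE.AUTOLOGIN, ":"), "SHA-256"), CheckPerson.RememberValidatorHash)>
        <cfset VARIABLES.userId = CheckPerson.user_id>
        <cfset VARIABLES.loginPassed = TRUE>
        <!--- rotate on every use, so the old cookie value is dead from here on --->
        <cfset issueRememberToken(VARIABLES.userId)>
    <cfelse>
        <!--- unknown selector or wrong validator: drop the cookie and fall through to the form --->
        <cfcookie name="AUTOLOGIN" expires="now">
    </cfif>

<!--- Form branch: e-mail and password as in the thread, then opt-in to the token --->
<cfelseif isDefined("Form.lEmail") AND isDefined("Form.luserpassword")>
    <cfparam name="Form.AutoLogIn" default="">
    <cfquery name="CheckPerson" datasource="#request.dsn#">
        SELECT user_id, Password
        FROM users
        WHERE email = <cfqueryparam cfsqltype="cf_sql_varchar" value="#Form.lEmail#">
    </cfquery>
    <cfif CheckPerson.recordCount EQ 1
          AND constantTimeEquals(Hash(Form.luserpassword, "SHA"), CheckPerson.Password)>
        <cfset VARIABLES.userId = CheckPerson.user_id>
        <cfset VARIABLES.loginPassed = TRUE>
        <cfif Form.AutoLogIn EQ 1>
            <cfset issueRememberToken(VARIABLES.userId)>
        <cfelse>
            <cfcookie name="AUTOLOGIN" expires="now">
        </cfif>
    <cfelse>
        <cflocation url="login.cfm?Error=30" addtoken="no">
    </cfif>
</cfif>

<cfif VARIABLES.loginPassed>
    <cfset session.allowin = TRUE>
    <cfset session.user_id = VARIABLES.userId>
    <cflocation url="welcome.cfm" addtoken="no">
</cfif>
```

Because the token is looked up by selector rather than by e-mail, the LEMAIL cookie is only needed to pre-fill the form, and the CookieTime column and the DateFormat/TimeFormat comparison disappear entirely. Clearing RememberSelector and RememberValidatorHash on logout or password change invalidates every outstanding cookie for that user at once.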