Solved

security

Posted on 2000-03-22
Last Modified: 2013-12-24
What is the best way to make a simple login form that verifies username, password and access level against an existing database? There are 5 levels of users. Each level of user gets sent to a different CF page within the site.
Question by:cfcode
4 Comments
LVL 5

Expert Comment

by:nathans
ID: 2646264

Are you asking for the CODE to do this, or for the way to do this?



Author Comment

by:cfcode
ID: 2646336
I am looking for the code to do this and/or some already existing custom tags that address this.
LVL 37

Expert Comment

by:meverest
ID: 2647549
make a table called users with:

username, password, securitylevel, startpage, (etc)

make auth.cfm like:

=======================================

<!--- session variables need session management switched on, normally in
      Application.cfm: <cfapplication name="site" sessionmanagement="yes"> --->

<cfif isDefined("form.username") and isDefined("form.password")>

  <!--- YOUR_DSN is a placeholder for the site's datasource name --->
  <cfquery name="auth" datasource="YOUR_DSN">
    select username, securitylevel, startpage
    from users
    where username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
      and password = <cfqueryparam value="#form.password#" cfsqltype="cf_sql_varchar">
  </cfquery>

  <cfif auth.recordcount>
    <cfset session.securitylevel = auth.securitylevel>
    <cfset session.username = auth.username>
    <!--- server-side redirect to the start page for this user's level --->
    <cflocation url="#auth.startpage#" addtoken="no">
  <cfelse>
    Bad Password or unknown user
  </cfif>

</cfif>

<cfif not isDefined("session.securitylevel")>

  Please log in:<br>

  <form action="auth.cfm" method="post">
    Username: <input name="username"><br>
    Password: <input type="password" name="password">
    <input type="submit" value="LOG IN">
  </form>

</cfif>

=======================================

cheers.


LVL 6

Accepted Solution

by:acampoma (earned 100 total points)
ID: 2649979
Here's what I did in my application.
I did not use any custom tags.

The best thing to do is draw this on paper as I describe it.

In my database, I set up 5 tables for this purpose.

Table 1, called users, contains userid, userdesc, password.
Table 2, called groups, contains groupid, groupdesc.
Table 3, called accessareas, contains accessareacode, accessareadesc.
Table 4, called groupusers, contains userid, which is a foreign key into table users, and groupid, which is a foreign key into table groups. This will contain info on who is in what group.
Table 5, called groupaccess, contains groupid, which is a foreign key into groups, accessareacode, which is a foreign key into accessareas, and privilege.
This table holds all of the access areas and privileges to each security area for the groups.


Here's how I implement my security.
The logon screen prompts for userid and password.
When they are entered I do two things.
1. I check directly in the users table to see if he is allowed into the system. If they are, step 2;
otherwise prompt again.
2. Once the user has been authenticated, I send a session cookie to the browser called userid which stores the client's userid.

Then I created a Cold Fusion template that checks to see if this cookie exists.
If it doesn't I post a message and a link to the logon screen and then use a cfabort to stop the operation.

I call this template using cfinclude in all of my other templates so that if a person would just type in the url without being logged on, he would not be allowed to proceed.

Now here comes the tricky part.
This takes some planning and will determine how you set up your application.
Usually I'll designate an access area to one form with several levels of access
(actually, each form has to correspond with an accessarea!!).
At the beginning of each template,
after checking if the userid cookie exists,
I take the value of cookie.userid and do a query on the other tables.
ex.
select accessareacode, privilege from groupaccess where groupid in (select groupid from groupusers where userid='#cookie.userid#')

Then I run through the recordset to find the accessarea and privilege for the corresponding template.
If the accessarea is found, the user can proceed and the privilege is used throughout the template to show or hide different areas.
If the accessarea is not there I use a cfabort to prevent the rest of the template from loading and give the user the option to go back.

I hope this helps you out.
Alex
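The two lookups the thread describes, the username/password check from auth.cfm and acampoma's group-to-access-area query, run together against an in-memory SQLite database. This is an added example, not code from the thread or from either poster; the table and column names follow the thread (users, groups, accessareas, groupusers, groupaccess, plus securitylevel and startpage from auth.cfm), while the sample rows, the "write"/"read" privilege values and the file names are constructed. Both queries use bound parameters instead of the `'#form.username#'` string interpolation shown in auth.cfm, so a quote in the input is treated as data rather than SQL. Passwords are kept in clear only to mirror the thread; a real users table would store a salted hash.

```python
import sqlite3
from typing import Optional

# Schema built from the thread's five tables; securitylevel (the question's
# 5 user levels) and startpage come from meverest's auth.cfm.
SCHEMA = """
CREATE TABLE users (
    userid TEXT PRIMARY KEY, userdesc TEXT, password TEXT,
    securitylevel INTEGER, startpage TEXT);
CREATE TABLE groups (groupid TEXT PRIMARY KEY, groupdesc TEXT);
CREATE TABLE accessareas (accessareacode TEXT PRIMARY KEY, accessareadesc TEXT);
CREATE TABLE groupusers (
    userid TEXT REFERENCES users(userid), groupid TEXT REFERENCES groups(groupid));
CREATE TABLE groupaccess (
    groupid TEXT REFERENCES groups(groupid),
    accessareacode TEXT REFERENCES accessareas(accessareacode),
    privilege TEXT);
"""

# Constructed sample rows (not from the thread). Clear-text passwords only
# mirror the thread; store a salted hash in a real table.
SAMPLE_ROWS = {
    "users": [("alice", "Alice", "alicepw", 1, "admin.cfm"),
              ("bob", "Bob", "bobpw", 3, "staff.cfm")],
    "groups": [("admins", "Administrators"), ("staff", "Staff")],
    "accessareas": [("ORDERS", "Order entry form"), ("REPORTS", "Reporting form")],
    "groupusers": [("alice", "admins"), ("bob", "staff")],
    "groupaccess": [("admins", "ORDERS", "write"), ("admins", "REPORTS", "write"),
                    ("staff", "ORDERS", "read")],
}


def build_db() -> sqlite3.Connection:
    """Create the five tables in memory and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():          # table names are our own constants
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def authenticate(conn: sqlite3.Connection, username: str, password: str) -> Optional[dict]:
    """Step 1 of the logon: look the pair up in users.
    Bound parameters replace auth.cfm's '#form.username#' interpolation."""
    row = conn.execute(
        "SELECT userid, securitylevel, startpage FROM users "
        "WHERE userid = ? AND password = ?", (username, password)).fetchone()
    if row is None:
        return None                       # the "Bad Password or unknown user" branch
    return {"userid": row[0], "securitylevel": row[1], "startpage": row[2]}


def privileges_for(conn: sqlite3.Connection, userid: str) -> dict:
    """acampoma's per-template query: every access area the user's groups grant.
    If two groups grant the same area, the last row read wins."""
    rows = conn.execute(
        "SELECT accessareacode, privilege FROM groupaccess WHERE groupid IN "
        "(SELECT groupid FROM groupusers WHERE userid = ?)", (userid,)).fetchall()
    return {code: priv for code, priv in rows}


def check_area(conn: sqlite3.Connection, userid: str, accessareacode: str) -> Optional[str]:
    """Privilege for the access area this template corresponds to, or None,
    which is the point at which the thread's template would cfabort."""
    return privileges_for(conn, userid).get(accessareacode)


if __name__ == "__main__":
    db = build_db()
    for user, pw in [("alice", "alicepw"), ("bob", "wrong"), ("alice'", "alicepw")]:
        print(repr(user), "->", authenticate(db, user, pw))
    print("bob areas:", privileges_for(db, "bob"))
    print("bob on REPORTS:", check_area(db, "bob", "REPORTS"))
```

Running the script shows alice logging in with level 1 and start page admin.cfm, bob rejected on a wrong password, and the username `alice'` rejected as an unknown user rather than breaking the query; bob's group gives him read on ORDERS and nothing on REPORTS, which is the case where the thread's template aborts.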
