Solved

security

Posted on 2000-03-22
Last Modified: 2013-12-24
What is the best way to make a simple login form that verifies username, password and access level against an existing database? There are 5 levels of users. Each level of user gets sent to a different CF page within the site.
Question by:cfcode
4 Comments
 
LVL 5

Expert Comment

by:nathans
ID: 2646264

What are you wanting: the CODE to do this, or the way to do this???


0
 

Author Comment

by:cfcode
ID: 2646336
I am looking for the code to do this and/or some already existing custom tags that address this.
0
 
LVL 37

Expert Comment

by:meverest
ID: 2647549
make a table called users with:

username, password, securitylevel, startpage, (etc)

make auth.cfm like:

=======================================

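<!--- run the lookup only when the login form has been submitted --->
<cfif isdefined('form.username') and isdefined('form.password')>

<!--- cfqueryparam binds the form values instead of splicing them into the SQL text --->
<cfquery name=auth .. .. ..>
  select * from users
  where username=<cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
  and password=<cfqueryparam value="#form.password#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfif auth.recordcount>
<!--- remember who logged in and at what level --->
<cfset session.securitylevel=auth.securitylevel>
<cfset session.username=auth.username>

<!--- send the user to the start page stored for their level --->
<cflocation url="#auth.startpage#" addtoken="no">

<cfelse>

Bad Password or unknown user

</cfif>

</cfif>

<!--- show the login form to anyone who is not logged in yet --->
<cfif not isdefined('session.securitylevel')>

Please log in:<br>

<form action="auth.cfm" method="post">
Username: <input name=username><br>
Password: <input type=password name=password>
<input type=submit value="LOG IN">
</form>

</cfif>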

=======================================

cheers.


0
 
LVL 6

Accepted Solution

by:
acampoma earned 50 total points
ID: 2649979
Here's what I did in my application.
I did not use any custom tags.

The best thing to do is draw this on paper as I describe it.

In my database, I set up 5 tables for this purpose. Table 1, called users, contains userid, userdesc, password. Table 2, called groups, contains groupid, groupdesc. Table 3, called accessareas, contains accessareacode, accessareadesc. Table 4, called groupusers, contains userid, which is a foreign key into table users, and groupid, which is a foreign key into table groups. This will contain info on who is in what group. Table 5, called groupaccess, contains groupid, which is a foreign key into groups, accessareacode, which is a foreign key into accessareas, and privilege.
This table holds all of the access areas and privileges to each security area for the groups.


Here's how I implement my security.
The logon screen prompts for userid and password.
When they are entered I do two things.
1. I check directly into the users table to see if he is allowed into the system. If they are, step 2;
otherwise prompt again.
2. Once the user has been authenticated, I send a session cookie to the browser called userid which stores the client's userid.

Then I created a ColdFusion template that checks to see if this cookie exists.
If it doesn't, I post a message and a link to the logon screen and then use a cfabort to stop the operation.

I call this template using cfinclude in all of my other templates so that if a person would just type in the url without being logged on, he would not be allowed to proceed.

Now here comes the tricky part.
This takes some planning and will determine how you set up your application.
Usually I'll designate an access area to one form with several levels of access
(actually, each form has to correspond with an accessarea!!)
At the beginning of each template,
after checking if the userid cookie exists,
I take the value of cookie.userid and do a query on the other tables.
ex.
select accessareacode,privilege from groupaccess where groupid in (select groupid from groupusers where userid='#cookie.userid#')

Then I run through the recordset to find the accessarea and privilege for the corresponding template.
If the accessarea is found, the user can proceed and the privilege is used throughout the template to show or hide different areas.
If the accessarea is not there I use a cfabort to prevent the rest of the template from loading and give the user the option to go back.

I hope this helps you out.
Alex

0
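The per-template access check described in the accepted answer, written out as a single include. This is an added example, not code from the thread: it keeps the user id in server-side session scope rather than in a browser-supplied cookie, and binds every value with cfqueryparam. Assumed names, none of which are given on the page: the datasource appDSN, the file names checkaccess.cfm and login.cfm, session management enabled in Application.cfm, a login step that sets session.userid, and a request.accessarea value set by each calling template.

```cfml
<!--- checkaccess.cfm (hypothetical file name): added example, not code from the thread.
      Include it at the top of every protected template:
        <cfset request.accessarea = "ORDERS">   (constructed sample area code)
        <cfinclude template="checkaccess.cfm">
      Assumes: datasource "appDSN", session management enabled in Application.cfm,
      and a login page (login.cfm, hypothetical) that sets session.userid
      only after the password has been verified. --->

<!--- 1. Not logged on: show a link to the logon screen and stop. --->
<cfif not isDefined("session.userid")>
  <p>You are not logged on. <a href="login.cfm">Log on</a></p>
  <cfabort>
</cfif>

<!--- 2. The calling template must name its access area; fail closed if it did not. --->
<cfif not isDefined("request.accessarea") or not len(trim(request.accessarea))>
  <p>No access area is defined for this page.</p>
  <cfabort>
</cfif>

<!--- 3. Look up the privileges the user's groups hold for this area.
      Both values are bound parameters, so neither can change the SQL text. --->
<cfquery name="access" datasource="appDSN">
  select privilege
  from groupaccess
  where accessareacode = <cfqueryparam value="#request.accessarea#" cfsqltype="cf_sql_varchar">
    and groupid in (
      select groupid
      from groupusers
      where userid = <cfqueryparam value="#session.userid#" cfsqltype="cf_sql_varchar">
    )
</cfquery>

<!--- 4. No matching row means no group grants this area: stop loading the template. --->
<cfif access.recordcount eq 0>
  <p>You do not have access to this area. <a href="javascript:history.back()">Go back</a></p>
  <cfabort>
</cfif>

<!--- 5. A user may belong to several groups, so keep every privilege returned.
      The rest of the template can test this list to show or hide sections. --->
<cfset request.privileges = valueList(access.privilege)>
```

Filtering on accessareacode in the query replaces the loop over the full recordset, and a template that forgets to set request.accessarea is refused rather than allowed through.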
