Solved

security

Posted on 2000-03-22
4
141 Views
Last Modified: 2013-12-24
What is the best way to make a simple login form that verifies username, password and access level against an existing database? There are 5 levels of users. Each level of user gets sent to a different CF page within the site.
0
Comment
Question by:cfcode
4 Comments
 
LVL 5

Expert Comment

by:nathans
ID: 2646264

What are you wanting the CODE to do this or the way to do this???


0
 

Author Comment

by:cfcode
ID: 2646336
I am looking for the code to do this and/or some already existing custom tags that address this.
0
 
LVL 37

Expert Comment

by:meverest
ID: 2647549
make a table called users with:

username, password, securitylevel, startpage, (etc)

make auth.cfm like:

=======================================

<cfquery name=auth .. .. ..>
  select * from users where username='#form.username#' and password='#form.password#'
</cfquery>

<cfif auth.recordcount>
<cfset session.securitylevel=auth.securitylevel>

<cfset session.username=auth.username>

location.href="#auth.startpage#"

<cfelse>

Bad Password or unknown user

</cfif>

<cfif not isdefined('session.securitylevel')>

Please log in:<br>

<form action="auth.cfm" method="post">
Username: <input name=username><br>
Password: <input type=password name=password>
<input type=submit value="LOG IN">
</form>

</cfif>

=======================================

cheers.


0
 
LVL 6

Accepted Solution

by:
acampoma earned 50 total points
ID: 2649979
Here's what I did in my application.
I did not use any custom tags.

The best thing to do is draw this on paper as I describe it.

In my database, I set up 5 tables for this purpose. Table 1 called users  which contains userid, userdesc,password. Table 2 called groups contains groupid,groupdesc. Table 3 called accessareas contains accessareacode,accessareadesc.Table 4 called group users contains  userid which is a foreign key into table users and groupid which is a foregn key into table groups.This will contain info on who is in what group. Table 5 called groupacces contains groupid which is a foreign key into groups,accessareacode which is a forign key into accessareas ,and privilege.
This table holds all of the access areas and priviliges to each secirity area for the groups.


Heres how I implement my security.
The logon screen prompts for userid and password.
when they are entered I do two things.
1. I check directly into the users table to see if he is allowed into the system. if they are,step 2
otherwise prompt again.
2. once the user has been authenticated, I send a session cookie to the browser called userid which stores the clients userid .

Then I created a cold fusion template that checks to see if this cookie exists.
if it doessn't i post a message and a link to the logon screen and then use a cfabort top stop the operation.

I call this template using cfinclude in all of my other templates so that if a person would just type in the url without being logged on, he would not be allowed to proceed.

Now here come the tricky part.
This takes some planning and will determine how you set up your application.
Usually I'll designate an access area to one form with seveal levels of access
(actually, each form has to correspond with an accessarea!!)
at the begining of each template,
after checking if the userid cookie exists,
I take the value of cookie.userid and do a query on the other tables.
ex.
select accessarecode,privilige from groupaccess where groupid in (select groupid from groupusers where userid='#cookie.userid'#)

then I run through the recordset to find the accessarea and privilige for the corresponding template.
if the accessarea is found, he the user can proceed and the privilige is used throughout the template to show or hide different areas.
If the accessare is not there I use a cfabort to pevent the rest of the template from loading and give the user the option to go back.

I hope this helps you out.
Alex

0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: kevp75
Hey folks, 'bout time for me to come around with a little tip. Thanks to IIS 7.5 Extensions and Microsoft (well... really Windows 8, and IIS 8 I guess...), we can now prime our Application Pools, when IIS starts. Now, though it would be nice t…
Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question