Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

security

Posted on 2000-03-22
4
139 Views
Last Modified: 2013-12-24
What is the best way to make a simple login form that verifies username, password and access level against an existing database? There are 5 levels of users. Each level of user gets sent to a different CF page within the site.
0
Comment
Question by:cfcode
4 Comments
 
LVL 5

Expert Comment

by:nathans
ID: 2646264

What are you wanting the CODE to do this or the way to do this???


0
 

Author Comment

by:cfcode
ID: 2646336
I am looking for the code to do this and/or some already existing custom tags that address this.
0
 
LVL 37

Expert Comment

by:meverest
ID: 2647549
make a table called users with:

username, password, securitylevel, startpage, (etc)

make auth.cfm like:

=======================================

<cfquery name=auth .. .. ..>
  select * from users where username='#form.username#' and password='#form.password#'
</cfquery>

<cfif auth.recordcount>
<cfset session.securitylevel=auth.securitylevel>

<cfset session.username=auth.username>

location.href="#auth.startpage#"

<cfelse>

Bad Password or unknown user

</cfif>

<cfif not isdefined('session.securitylevel')>

Please log in:<br>

<form action="auth.cfm" method="post">
Username: <input name=username><br>
Password: <input type=password name=password>
<input type=submit value="LOG IN">
</form>

</cfif>

=======================================

cheers.


0
 
LVL 6

Accepted Solution

by:
acampoma earned 50 total points
ID: 2649979
Here's what I did in my application.
I did not use any custom tags.

The best thing to do is draw this on paper as I describe it.

In my database, I set up 5 tables for this purpose. Table 1 called users  which contains userid, userdesc,password. Table 2 called groups contains groupid,groupdesc. Table 3 called accessareas contains accessareacode,accessareadesc.Table 4 called group users contains  userid which is a foreign key into table users and groupid which is a foregn key into table groups.This will contain info on who is in what group. Table 5 called groupacces contains groupid which is a foreign key into groups,accessareacode which is a forign key into accessareas ,and privilege.
This table holds all of the access areas and priviliges to each secirity area for the groups.


Heres how I implement my security.
The logon screen prompts for userid and password.
when they are entered I do two things.
1. I check directly into the users table to see if he is allowed into the system. if they are,step 2
otherwise prompt again.
2. once the user has been authenticated, I send a session cookie to the browser called userid which stores the clients userid .

Then I created a cold fusion template that checks to see if this cookie exists.
if it doessn't i post a message and a link to the logon screen and then use a cfabort top stop the operation.

I call this template using cfinclude in all of my other templates so that if a person would just type in the url without being logged on, he would not be allowed to proceed.

Now here come the tricky part.
This takes some planning and will determine how you set up your application.
Usually I'll designate an access area to one form with seveal levels of access
(actually, each form has to correspond with an accessarea!!)
at the begining of each template,
after checking if the userid cookie exists,
I take the value of cookie.userid and do a query on the other tables.
ex.
select accessarecode,privilige from groupaccess where groupid in (select groupid from groupusers where userid='#cookie.userid'#)

then I run through the recordset to find the accessarea and privilige for the corresponding template.
if the accessarea is found, he the user can proceed and the privilige is used throughout the template to show or hide different areas.
If the accessare is not there I use a cfabort to pevent the rest of the template from loading and give the user the option to go back.

I hope this helps you out.
Alex

0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Redirect website ! 4 54
retrieving files from old server once DNS has changed 10 72
Question to locate the problem 18 127
Company website 6 29
In our day to day coding, how many times have we come across a necessity to check whether a URL is a broken link or not? For those of you that answered countless and are using ColdFusion like myself, then this article is for you.  It will show yo…
When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…

792 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question