security

What is the best way to make a simple login form that verifies username, password and access level against an existing database? There are 5 levels of users. Each level of user gets sent to a different CF page within the site.
cfcodeAsked:
Who is Participating?
 
acampomaConnect With a Mentor Commented:
Here's what I did in my application.
I did not use any custom tags.

The best thing to do is draw this on paper as I describe it.

In my database, I set up 5 tables for this purpose. Table 1 called users  which contains userid, userdesc,password. Table 2 called groups contains groupid,groupdesc. Table 3 called accessareas contains accessareacode,accessareadesc.Table 4 called group users contains  userid which is a foreign key into table users and groupid which is a foregn key into table groups.This will contain info on who is in what group. Table 5 called groupacces contains groupid which is a foreign key into groups,accessareacode which is a forign key into accessareas ,and privilege.
This table holds all of the access areas and priviliges to each secirity area for the groups.


Heres how I implement my security.
The logon screen prompts for userid and password.
when they are entered I do two things.
1. I check directly into the users table to see if he is allowed into the system. if they are,step 2
otherwise prompt again.
2. once the user has been authenticated, I send a session cookie to the browser called userid which stores the clients userid .

Then I created a cold fusion template that checks to see if this cookie exists.
if it doessn't i post a message and a link to the logon screen and then use a cfabort top stop the operation.

I call this template using cfinclude in all of my other templates so that if a person would just type in the url without being logged on, he would not be allowed to proceed.

Now here come the tricky part.
This takes some planning and will determine how you set up your application.
Usually I'll designate an access area to one form with seveal levels of access
(actually, each form has to correspond with an accessarea!!)
at the begining of each template,
after checking if the userid cookie exists,
I take the value of cookie.userid and do a query on the other tables.
ex.
select accessarecode,privilige from groupaccess where groupid in (select groupid from groupusers where userid='#cookie.userid'#)

then I run through the recordset to find the accessarea and privilige for the corresponding template.
if the accessarea is found, he the user can proceed and the privilige is used throughout the template to show or hide different areas.
If the accessare is not there I use a cfabort to pevent the rest of the template from loading and give the user the option to go back.

I hope this helps you out.
Alex

0
 
Nathan Stanford SrSenior ProgrammerCommented:

What are you wanting the CODE to do this or the way to do this???


0
 
cfcodeAuthor Commented:
I am looking for the code to do this and/or some already existing custom tags that address this.
0
 
meverestCommented:
make a table called users with:

username, password, securitylevel, startpage, (etc)

make auth.cfm like:

=======================================

<cfquery name=auth .. .. ..>
  select * from users where username='#form.username#' and password='#form.password#'
</cfquery>

<cfif auth.recordcount>
<cfset session.securitylevel=auth.securitylevel>

<cfset session.username=auth.username>

location.href="#auth.startpage#"

<cfelse>

Bad Password or unknown user

</cfif>

<cfif not isdefined('session.securitylevel')>

Please log in:<br>

<form action="auth.cfm" method="post">
Username: <input name=username><br>
Password: <input type=password name=password>
<input type=submit value="LOG IN">
</form>

</cfif>

=======================================

cheers.


0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.