Help with creating Application.cfm and how to implement session variables to authenticate users

tristanr used Ask the Experts™
I am creating an online Alumni Tracking System for my college.  There will be three types of users: Alumni, Faculty and Administrators.  Alumni can do restricted/limited queries and can update their own record.  Faculty can create and update all alumni records and use many queries.  Administrators can create and delete faculty users.

User information is stored in two tables, Student and Faculty.  In Student, there is an ID field used for the login username, and a Password field.  The Faculty table includes an ID and Password field as well, but it also includes a boolean flag to signify if the Faculty user has Administrator permissions.

I want to have three levels of access corresponding to the three user types.  How can I authenticate the user and save their user-type for use in deciding what pages (or sections of pages) they will have access to?  I especially need to know what will go in Application.cfm.  Is it better to use sessions or cookies or both?  Also, how do I lock the sessions? (I have heard this is important)

I also need to know what is the best way to test if the user is allowed access to the page.  Should I create an #include page for each access level that redirects them to the login if failed, and displays the page if true?  Then I could just add the right #include page on each content page depending on the access level needed.  Is this a good way to implement that or not?


Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

I think you are on the right track.

IMHO, you should session.

What you could do is set a session var called UserLevel.

When a user logs in set their UserLevel.

Create an include file- that does the UserLevel check.  This file will redirect the user out if they don't have the right level.

Now each page will have to specify what UserLevel is allowed to use it.  And then after the UserLevel for that page is set.. then each page will include the UserLevel check file.

Your navigation and all links can be dictated by the UserLevel Session var.  Keep track of the user being logged in via a session var.


<cfquery Name="qrytest" datasource="#dsn#">

<cfif qrytest.recordcount IS 0>
     <cflock timeout="30" throwontimeout="Yes"
          Name="#session.sessionId#" type="EXCLUSIVE">
               <cfset access_level = -1>
     <cflock timeout="30" throwontimeout="Yes"
          Name="#session.sessionId#" type="EXCLUSIVE">
          <cfoutput query="qrytest" maxrows="1">
               <cfset access_level = #access_level_id#>
<cfcatch type="database">

Hi there,

I am not in much favor of using sessions ... so i'd say use cookies.

for login - u check the user type & have #inculde file for that user type - this will take care of the remaining flow automatically.

infact u cld initialise the access levels in cookies & carry on from there on - just read the cookies in the pages desired & perform the particular action based on teh right available.

have a page that checks for cookies & call it as checkcookie.cfm & iclude this file where ever u wanna chk cookies. if the cookie read value fails at ne-point of time - just redirect the  user to login page & let him carry from there on.

but make sure when u write values in cookies - gget them in some encrypted format - for safety & security reasons.

rest a major part depends on how u have ur code for moving abt in the site.
so this is a overview of what cld be done.


Starting with Angular 5

Learn the essential features and functions of the popular JavaScript framework for building mobile, desktop and web applications.

cookies vs session is always been a good argument.

there are pros and cons to both.

My top reason for using Session:
You can hide your sensitive data like User ID, User Level, etc. b/c cookies can be intercepted.

btw: to answer your locking question.

locking is an absolute must!




I am leaning towards using sessions.  In reading those articles, it was mentioned that in CF Administrator, there is a setting to auto-lock sessions.  Would any of you recommend this (if it really is a true solution)?  

Performance is not going to be a problem, we will be lucky if one user a day shows up at our website! (Of course in that case, locking wouldn't matter much either, but I want to create a stable system).



Thanks Cheeky and Anand,

I have implemented session variables to record the userid and usertype.  I have also enabled the "Single Threaded Sessions" option in Coldfusion Administrator so that I do not have to manually lock session scope variables. (Please let me know if this assumption is wrong!)

I didn't want to use cookies because of the security problem (even encrypted cookies can be hacked) and some users don't have cookies enabled.

I have created an include file that checks the required security for the page and compares it with the user's type to decide if access should be granted or denied.  Then each content page is dynamically built depending on the usertype.

This ColdFusion stuff is so much fun, I am considering changing my career path.  I am a college student majoring in Computer Information Systems and was interested in Network Administration, but this looks so much more fun!  

By the way, what would the job title be for someone who creates Coldfusion applications (or using PHP, ASP, JSP)?

Thanks for all your help,

The title would be Web Application Developer.

I wouldn't use the auto-lock in Admin Center.. Just manually lock code.  Its much better that way.


Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial