• Status: Solved

Application.cfm Security

I am trying to create an application file in a separate folder that checks for a session variable and, if it exists, lets you view the page. I am able to set the session variable by checking some info against a database and then setting the variable if the info is correct. However, when I check for the variable I want it to redirect you to the "logon" page if the session variable does not exist. When I perform the cfif statement though, it redirects you to the logon page no matter whether the variable exists or not. Does anyone have any ideas why it ignores the cfif statement? The code is below.

<cfif Isdefined('session.loginid')>
<cfelse>
<cflocation url="../member check.cfm">
</cfif>

 
Asked:
deltatuk
 
HamdyHassan Commented:
Try double quotes

<cfif NOT Isdefined("SESSION.LOGINID")>
  <cflocation url="../member check.cfm">
</cfif>

If you are using CFMX, you need to CFLOCK
<CFLOCK timeout="30" scope="session" type="readonly" >
<cfif NOT Isdefined("SESSION.LOGINID")>
  <cflocation url="../member check.cfm">
</cfif>
</CFLOCK>            

0
 
anandkp Commented:
Where is the redirection for logon.cfm?

Are you sure it bypasses this? Maybe it goes through a different route.

Please use the cfoutput tags to find out where exactly it's getting stuck, and then decide on correcting the error there!

K'Rgds
Anand
0
 
TallerMike Commented:
Are you sure it's ignoring the statement? Try doing the following:

<cfoutput>#IsDefined("Session.loginID")#</cfoutput>

<cfif IsDefined("Session.loginID")>
  <cfoutput>#Session.loginID#</cfoutput>
</cfif>

*********************************************************

<cfif Not Isdefined('session.loginid')>
  <cflocation url="../member check.cfm">
</cfif>
0
 
TallerMike Commented:
I think we all had the same ideas all about the same time =)
0
 
Renante Entera (Senior PHP Developer) Commented:
I think there's a problem with your application.cfm because, as you have said, you created it in a separate folder.

Since your session variable existence check is in the application.cfm, you should see to it that this file [application.cfm] is within your root directory.

That's why it ignores the code below:

<cfif Isdefined('session.loginid')>
<cfelse>
<cflocation url="../member check.cfm">
</cfif>

The session.loginid variable is always undefined because your application.cfm file will not be loaded.
0
 
Renante Entera (Senior PHP Developer) Commented:
I have an example for you below. It does not involve a database, but our concern is checking whether the session variable exists.

In your first file, type this code:

<CFAPPLICATION NAME="FORUM" SESSIONTIMEOUT="#CreateTimeSpan(0,0,60,0)#" SESSIONMANAGEMENT="Yes" CLIENTMANAGEMENT="Yes" >
Then save it as application.cfm.
The CreateTimeSpan function sets when to destroy your session.

For your login form file, use this code:

<form name="form1" method="post" action="validate.cfm">
 <p>username :
   <input type="text" name="username">
 </p>
 <p>password :
   <input type="password" name="password">
 </p>
 <p>
   <input type="submit" name="Submit" value="  OK  ">
 </p>
</form>
Then save as login.cfm.

For your action file validate.cfm:

<!--- Hard-coded credentials stand in for the database check in this example --->
<cfif form.username eq "administrator" and form.password eq "administrator">
 <cfset session.valid_account = form.username>
 <cflocation url="index.cfm">
<cfelse>
 <cflocation url="login.cfm">
</cfif>

For your main page index.cfm, you should have this code.
This one will check if the session variable already exists.
<cfif not isDefined('session.valid_account')>
 <cflocation url="login.cfm">
<cfelse>
 <!--- Go to main page --->
</cfif>

GOOD LUCK!
0
 
substand Commented:
entrance2002 is right.  the application.cfm only applies to files located in the directory in which it exists (and all subdirectories of that dir if there are no other application.cfm files).

You might want to have an application.cfm file in your root, and then on the files you want to protect, use your code, and if the session.loginid is not defined, you can use <cfabort> to stop the loading of the file.  on the files you don't want to protect, don't put that code.

for best practice, you should use a different directory for protected files.  this will cut down on the code you need to write.

another option is to forget using the application.cfm file, and just check on each protected file in the dir.

application.cfm is loaded for each file in the directory, so if you don't want to use it and want all files in the same dir (protected and not) you could do something like the following:

for unprotected files, do nothing.

for protected files, do something like making the first line:

<cfif not isdefined("session.loginid")>
    <cflocation url="login.cfm">
</cfif>

then in login.cfm you can use the <cfapplication> tag as you normally would.  make sure to define session.loginid if their login info is correct.

the only problem with doing it that way is that sessions will timeout "quicker" than normal.  

actually, the session will timeout at the same time as if you put your <cfapplication> tag in the application.cfm file.

however, since the session is not refreshed with the loading of each file, it will appear to timeout quicker if the user accesses different files from where the <cfapplication> tag is located.




0
 
deltatuk (Author) Commented:
I am still being redirected to the logon page no matter how I defined the session variable and even if I can pull the value from it on.  However, I do also get a message that logonid is not defined in session sometimes, after I have logged on and set the variable. Not sure what is causing this. It is really frustrating me. Thanks for all the help, and any other recommendations are welcomed.

"Default Web Folder"
(Application.cfm)-Sets up the session management
(Logon.cfm-defines session.logonid)
     *
     *
     *
"Private Folder -located under web root"
(Application.cfm)-Checks if session.logonid is defined,
(Protected Files-located in private folder)
If session.logonid is not defined it redirects you to logon.cfm
0
 
TallerMike Commented:
From your Application.cfm within the Private Folder, you should include your Application.cfm from the root folder like so:

<cfinclude template="../Application.cfm">

Do this at the top of the Application.cfm within the Private Folders. Make sure not to duplicate anything between these 2 Application.cfm files, as they will work as one now.
0
 
substand Commented:
if you have <cfapplication> tags in both files, make sure the "name" attribute is the same in both.
0
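
The layout the last replies converge on, written out as an added example (not code from any poster in the thread): the root Application.cfm enables sessions, and the private folder's Application.cfm includes it before checking the login flag. The application name memberApp, the folder name private, the 60-minute timeout and the spelling Logon.cfm are assumptions taken from or modelled on the asker's diagram.

```cfml
<!--- ===== File 1: /Application.cfm (web root) =====
      Added example. "memberApp" and the timeout are assumed values.
      This is the only place <cfapplication> appears, so the
      application name cannot differ between the two folders. --->
<cfapplication name="memberApp"
               sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0,0,60,0)#">


<!--- ===== File 2: /private/Application.cfm =====
      ColdFusion runs only the nearest Application.cfm it finds, so for
      pages in this folder the root file is skipped unless it is included
      here. Without it, session management is never enabled for the
      request and the login flag always looks undefined. --->
<cfinclude template="../Application.cfm">

<!--- Read the flag under a read-only session lock, as advised for CFMX.
      The thread writes both session.loginid and session.logonid; the key
      checked here must be the exact one Logon.cfm sets. --->
<cflock scope="session" type="readonly" timeout="30">
  <cfset isLoggedIn = StructKeyExists(session, "loginid")>
</cflock>

<cfif NOT isLoggedIn>
  <!--- addtoken="no" keeps CFID/CFTOKEN out of the redirect URL, so the
        session identifiers do not end up in logs or Referer headers.
        Logon.cfm sits in the web root, outside this guard, so the
        redirect cannot loop back into this check. --->
  <cflocation url="../Logon.cfm" addtoken="no">
</cfif>
```

Every template under the private folder is covered by File 2, so the individual protected pages need no check of their own.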
