Solved

Application.cfm Security

Posted on 2003-03-26
Last Modified: 2013-12-24
I am trying to create an Application file in a separate folder that checks for a session variable and, if it exists, lets you view the page. I am able to set the session variable by checking some info against a database and then setting the variable if the info is correct. However, when I check for the variable I want it to redirect you to the "logon" page if the session variable does not exist. When I perform the cfif statement, though, it redirects you to the logon page no matter whether the variable exists or not. Does anyone have any ideas why it ignores the cfif statement? The code is below.

<cfif Isdefined('session.loginid')>
<cfelse>
<cflocation url="../member check.cfm">
</cfif>

 
Question by:deltatuk
10 Comments
 
LVL 9

Expert Comment

by:HamdyHassan
ID: 8211986
Try double quotes:

<cfif NOT Isdefined("SESSION.LOGINID")>
  <cflocation url="../member check.cfm">
</cfif>

If you are using CFMX, you need to CFLOCK:

<CFLOCK timeout="30" scope="session" type="readonly">
<cfif NOT Isdefined("SESSION.LOGINID")>
  <cflocation url="../member check.cfm">
</cfif>
</CFLOCK>

 
LVL 17

Expert Comment

by:anandkp
ID: 8211990
Where is the redirection to logon.cfm?

Are you sure it bypasses this? Maybe it goes through a different route.

Please use cfoutput tags to find out where exactly it is getting stuck, and then decide on correcting the error there.

K'Rgds
Anand
 
LVL 8

Expert Comment

by:TallerMike
ID: 8211999
Are you sure it's ignoring the statement? Try doing the following:

<cfoutput>#IsDefined("Session.loginID")#</cfoutput>

<cfif IsDefined("Session.loginID")>
  <cfoutput>#Session.loginID#</cfoutput>
</cfif>

*********************************************************

<cfif Not Isdefined('session.loginid')>
  <cflocation url="../member check.cfm">
</cfif>
 
LVL 8

Expert Comment

by:TallerMike
ID: 8212885
I think we all had the same ideas all about the same time  =)
 
LVL 14

Expert Comment

by:Renante Entera
ID: 8214756
I think there's a problem with your application.cfm because, as you said, you created it in a separate folder.

Since your session-variable existence check is in the application.cfm, you have to see to it that this file [application.cfm] is within your root directory.

That's why it ignores the code below:

<cfif Isdefined('session.loginid')>
<cfelse>
<cflocation url="../member check.cfm">
</cfif>

The session.loginid variable is always not defined/does not exist because your application.cfm file will not be loaded.
 
LVL 14

Expert Comment

by:Renante Entera
ID: 8214776
I have an example for you below. It does not involve a database, but our concern is the session variable existence check.

In your first file type this code:

<CFAPPLICATION NAME="FORUM" SESSIONTIMEOUT="#CreateTimeSpan(0,0,60,0)#" SESSIONMANAGEMENT="Yes" CLIENTMANAGEMENT="Yes" >
Then save it as application.cfm.
Regarding the CreateTimeSpan function: it sets when your session is destroyed.

For your login form file, have this code:

<form name="form1" method="post" action="validate.cfm">
 <p>username :
   <input type="text" name="username">
 </p>
 <p>password :
   <input type="password" name="password">
 </p>
 <p>
   <input type="submit" name="Submit" value="  OK  ">
 </p>
</form>
Then save as login.cfm.

For your action file, validate.cfm:

<!--- Hard-coded credentials stand in for the database lookup in this example.
      Compare() is used for the password because the eq operator is case-insensitive. --->
<cfif form.username eq 'administrator' and Compare(form.password, 'administrator') eq 0>
 <cfset session.valid_account = form.username>
 <cflocation url="index.cfm">
<cfelse>
 <cflocation url="login.cfm">
</cfif>

For your main page, index.cfm, you should have this code. It checks whether the session variable already exists:
<cfif not isDefined('session.valid_account')>
 <cflocation url="login.cfm">
<cfelse>
 <!--- Go to main page --->
</cfif>

GOODLUCK!
 
LVL 10

Accepted Solution

by:substand (earned 150 total points)
ID: 8215290
entrance2002 is right. The application.cfm only applies to files located in the directory in which it exists (and all subdirectories of that directory, if there are no other application.cfm files).

You might want to have an application.cfm file in your root, and then, on the files you want to protect, use your code; if session.loginid is not defined, you can use <cfabort> to stop the loading of the file. On the files you don't want to protect, don't put that code.

For best practice, you should use a different directory for protected files. This will cut down on the code you need to write.

Another option is to forget about using the application.cfm file, and just check on each protected file in the directory.

application.cfm is loaded for each file in the directory, so if you don't want to use it and want all files in the same directory (protected and not), you could do something like the following:

For unprotected files, do nothing.

For protected files, do something like making the first line:

<cfif not isdefined("session.loginid")>
    <cflocation url="login.cfm">
</cfif>

Then in login.cfm you can use the <cfapplication> tag as you normally would. Make sure to define session.loginid if their login info is correct.

The only problem with doing it that way is that sessions will time out "quicker" than normal.

Actually, the session will time out at the same time as if you put your <cfapplication> tag in the application.cfm file.

However, since the session is not refreshed with the loading of each file, it will appear to time out quicker if the user accesses files other than the one where the <cfapplication> tag is located.
 

Author Comment

by:deltatuk
ID: 8219288
I am still being redirected to the logon page no matter how I define the session variable, even if I can pull the value from it. However, I also sometimes get a message that logonid is not defined in session, after I have logged on and set the variable. I am not sure what is causing this. It is really frustrating me. Thanks for all the help; any other recommendations are welcome.

"Default Web Folder"
  (Application.cfm) - sets up the session management
  (Logon.cfm) - defines session.logonid
      |
      |
"Private Folder" - located under web root
  (Application.cfm) - checks if session.logonid is defined
  (Protected Files) - located in private folder
  If session.logonid is not defined it redirects you to logon.cfm
 
LVL 8

Expert Comment

by:TallerMike
ID: 8219374
From your Application.cfm within the Private Folder, you should include your Application.cfm from the root folder like so:

<cfinclude template="../Application.cfm">

Do this at the top of the Application.cfm within the Private Folder. Make sure not to duplicate anything between these two Application.cfm files, as they will now work as one.
 
LVL 10

Expert Comment

by:substand
ID: 8220310
If you have <cfapplication> tags in both files, make sure the "name" attribute is the same in both.
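The layout the accepted solution and the two follow-up comments converge on (one Application.cfm at the web root that owns <cfapplication>, and an Application.cfm in the private folder that includes it and then gates on the session variable), written out in full. This is an added example, not code posted in the thread. The application name "MemberSite", the 30-minute timeout, the variable name session.loginid and the location of logon.cfm at the web root are assumptions for the illustration; adjust them to match what your logon page actually sets.

```cfml
<!--- File 1: /Application.cfm (web root).
      Owns the application definition; nothing else in the site defines
      <cfapplication>. The name "MemberSite" and the timeout are assumed. --->
<cfapplication name="MemberSite"
               sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">

<!--- File 2: /private/Application.cfm.
      ColdFusion runs the nearest Application.cfm found walking up from the
      requested page's directory, and only that one. Including the root copy
      first keeps the same application NAME, and therefore the same session
      scope, in force for /private and its subfolders. A second <cfapplication>
      here with a different name would give this folder its own, empty session,
      so every request would look logged out. --->
<cfinclude template="../Application.cfm">

<!--- Gate: runs before every page in /private and below, so no protected page
      needs its own check. logon.cfm lives at the web root, outside this folder,
      which is what keeps the redirect from looping back into this gate. --->
<cfif NOT StructKeyExists(session, "loginid")>
    <!--- addtoken="no" keeps CFID/CFTOKEN out of the redirect URL, so the
          session identifier does not end up in Referer headers or proxy logs.
          cflocation ends the current request; nothing after it executes. --->
    <cflocation url="/logon.cfm" addtoken="no">
</cfif>
```

The variable tested must be exactly the one the logon page sets; the thread uses both session.loginid and session.logonid, and a mismatch there redirects every request regardless of whether the user logged in. addtoken="no" assumes clients accept the CFID/CFTOKEN session cookies, which is the ColdFusion default; it only changes behaviour for clients that cannot store them.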
