Solved

Cookie Help

Posted on 2003-10-23
Last Modified: 2013-12-24
Hi

I want to create an administrative area for an Intranet for my Human Resources Department.

I have a table in a database which consists of ACCESS_LEVEL, USERNAME and PASSWORD.

I have a log in page where an HR user enters their Username and Password.  If they enter these correctly they go to loginOK.cfm, and if they don't they go to loginFail.cfm.

Here's the question...

When they first enter their password and username, how can I then set a cookie to store them on their computer, so that when they go to log in again they bypass the login page and go straight to loginOK.cfm? I also need to ensure that if a user puts in the loginOK.cfm straight into the address bar, that they get redirected to loginFail.cfm.

I know this doesn't sound too security conscious, but there are reasons for doing it this way.

Also, as an aside - is setting a cookie the best way to do this?  Or is there a better method?

Thanks in advance.
Question by:nelliott
17 Comments
 
LVL 2

Expert Comment

by:jonnygo55
ID: 9610478
On your login page simply set 2 cookies after a successful login and before redirection:
<!--- store the submitted credentials in two cookies --->
<cfcookie name="username" value="#form.username#">
<cfcookie name="password" value="#form.password#" secure="Yes">

Then at the beginning of the file check for the existence of those cookies..
<cfif isDefined('cookie.username') and isDefined('cookie.password')>
   <!--- reuse the cookie values as if the form had just been submitted --->
   <cfset form.username = cookie.username>
   <cfset form.password = cookie.password>
</cfif>

As for the loginOk.cfm file, put a check to see if they are coming from the login page...
<!--- the CGI variable is spelled http_referer (one r) --->
<cfif isDefined('cgi.http_referer') and getFileFromPath(cgi.http_referer) eq 'login.cfm'>
...
<cfelse>
<cflocation url="login.cfm">
</cfif>

something like that...
LVL 14

Expert Comment

by:Renante Entera
ID: 9611336
You must have a security check like this :
  <!--- send the user to the login page unless both cookies are present --->
  <cfif not IsDefined('cookie.username') or not IsDefined('cookie.password')>
    <cflocation url="login.cfm">
  </cfif>
You have to put this at the top of every page.

I am assuming that you have a login page maybe something like this :

<form name="form1" method="post" action="action.cfm">
  <input type="text" name="username"><br>
  <input type="password" name="password"><br>
  <input type="submit" name="submit" value="Login">
</form>

Then on your action page :

<cfquery name="GetUser" datasource="dsn">
  SELECT * FROM Table
  WHERE username = '#form.username#'
  AND password = '#form.password#'
</cfquery>

<cfif GetUser.recordcount>
  <cfcookie name="username" value="#GetUser.username#">
  <cfcookie name="password" value="#GetUser.password#">
  <cflocation url="loginOk.cfm">
<cfelse>
  <cflocation url="loginFail.cfm">
</cfif>

Remember that the security check must always be at the top of every page, so that if a user types the page he wants to browse straight into the address bar, he will be redirected to the login page if the cookie does not exist...

Good luck!
eNTRANCE2002 :-)
LVL 19

Expert Comment

by:cheekycj
ID: 9611682
One hint: don't put these checks in your loginFail.cfm, login.cfm or action.cfm.

CJ
LVL 11

Expert Comment

by:hart
ID: 9612136
I would use just a single cookie to do this:

<cfcookie name="logincookie" value="#form.username#~#form.password#" expires="never">

This will set a permanent cookie on the client machine.

Then all you have to do is check whether this cookie exists in the home page.

<cfif isdefined("cookie.logincookie")>
  <cflocation url="home.cfm" addtoken="no">
</cfif>

Regards
Hart

Author Comment

by:nelliott
ID: 9613225
Hi

I’ve tried to combine your above thoughts, and this is what I’ve come up with…

I have two pages with the following script:

The Log-In Page…

<cfif isdefined("cookie.logincookie")>
  <cflocation url="hrHome.cfm" addtoken="no">
</cfif>
<cfif IsDefined("FORM.username")>
  <cfquery name="MM_rsUser" datasource="intranet">
    SELECT *
    FROM PASSWORDS
    WHERE USERNAME='#FORM.username#'
    AND PASSWORD='#FORM.password#'
  </cfquery>
  <cfif MM_rsUser.RecordCount NEQ 0>
    <!--- secure="yes" means the browser only returns this cookie over HTTPS --->
    <cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
    <cflocation url="hrHome.cfm">
  <cfelse>
    <cflocation url="hrLoginFail.cfm">
  </cfif>
<cfelse>
  <cfset MM_LoginAction=CGI.SCRIPT_NAME>
  <cfif CGI.QUERY_STRING NEQ "">
    <cfset MM_LoginAction=MM_LoginAction & "?" & XMLFormat(CGI.QUERY_STRING)>
  </cfif>
</cfif>

<form name="login" method="POST" action="<cfoutput>#MM_loginAction#</cfoutput>">
  <input name="username" type="text" class="forms" id="username">
  <input name="password" type="password" class="forms" id="password">
  <input name="submit" type="submit" class="forms" value="Submit Password">
</form>

The HR Home Page…

<cfif isdefined("cookie.logincookie")>
<!--- Home Page Text--->
<cfelse>
  <cflocation url="hrLoginFail.cfm">
</cfif>

For some reason this just goes to hrLoginFail.cfm every time.  Any ideas?
LVL 19

Expert Comment

by:cheekycj
ID: 9613599
<cfif MM_rsUser.RecordCount NEQ 0>
  <cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
  <cflocation url="hrHome.cfm">
<cfelse>
  <cflocation url="hrLoginFail.cfm">
</cfif>

You cannot set a cookie and then use cflocation.  The cookie will not get set.

Try this:

<cfif MM_rsUser.RecordCount NEQ 0>
  <cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
  Your login was successful.  Click <a href="hrHome.cfm">here</a> to continue.
<cfelse>
  <cflocation url="hrLoginFail.cfm">
</cfif>

or use a javascript redirect:

<cfif MM_rsUser.RecordCount NEQ 0>
  <cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
  <script>window.location.href="hrHome.cfm";</script>
  <noscript>If the redirect does not work, click <a href="hrHome.cfm">here</a> to continue.</noscript>
<cfelse>
  <cflocation url="hrLoginFail.cfm">
</cfif>

HTH,
CJ

Author Comment

by:nelliott
ID: 9615190
The cookie is being set because I can find it within the Cookies folder on my C-drive.

I think it's a problem with this line, as it doesn't seem to be detecting it in either the hrLogin.cfm page (if the cookie exists then it is still making me log in rather than redirecting to the hrHome.cfm) or the hrHome.cfm page (if the cookie exists then it is sending me to hrLoginFail.cfm).

<cfif isdefined("cookie.logincookie")>

Am I setting the cookie correctly?  

<cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">

Thanks again.
LVL 14

Expert Comment

by:Renante Entera
ID: 9618707
Try checking your application.cfm file.  

Be sure that you have this line :

<cfapplication name="YourAppName" sessionmanagement="yes" sessiontimeout="#CreateTimeSpan(0,0,30,0)#" clientmanagement="yes">

Regards!
eNTRANCE2002 :-)
LVL 19

Expert Comment

by:cheekycj
ID: 9619314
Do you still have the cflocation?  The URL that cflocation sends the user to will not see the cookies because it is a server side redirect.  You need a client side redirect for that page to see the cookie immediately, because it has just been set in the same request.

Try adding some debug code: instead of redirecting, put a cfabort and output your cookie value.

CJ
LVL 11

Expert Comment

by:hart
ID: 9624984
CJ is right, you cannot use cflocation with cfcookie.

<cfif MM_rsUser.RecordCount NEQ 0>
  <cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never">
  <!--- instead of this: <cflocation url="hrHome.cfm"> --->
  <CFHEADER NAME="Refresh" VALUE="0; URL=hrHome.cfm">
<cfelse>
  <cflocation url="hrLoginFail.cfm">
</cfif>


Regards
Hart

Author Comment

by:nelliott
ID: 9627733
Hi

I've tried all of your comments and I still can't seem to get this working. The cookie is being set, but it doesn't seem to be being found/read.

I've increased the points.  Can somebody please, please come up with a foolproof fully tested solution from start to finish for me?

I need script for two pages:

Log In Page:

User enters username and password into a form.  This is checked against the database.  If OK, set a cookie (which includes password and username) and then go to 'HR.cfm'.  If incorrect, go to 'Fail.cfm'.  If the user has previously logged in successfully, check for the cookie (and ensure the cookie contains the correct username and password).  If this is OK then they get redirected straight to 'HR.cfm' without needing to log in.

HR Page:

Check to see if cookie is on computer (and ensure the cookie contains the correct username and password).  If so, load rest of page.  If not, redirect to 'Fail.cfm'.

This sounds easy, but I seem to be making a right pig's ear of it, and this site is supposed to be going live next week.

Many thanks in advance.

Expert Comment

by:awanferra
ID: 9630543
Application.cfm
------------------------------
<cfapplication sessiontimeout="30" sessionmanagement="yes" clientmanagement="yes" setclientcookies="yes" setdomaincookies="yes" name="yourapname">
<cfparam name="session.loggedIn" default="false">

login.cfm
------------------------

<cfif IsDefined("form.login")>
   <cfquery datasource="yourdsn" name="qrGetPass">
          SELECT PASSWORD FROM PASSWORDS
          WHERE USERNAME=<cfqueryparam cfsqltype="cf_sql_varchar" value="#form.username#">
   </cfquery>
   <cfif qrGetPass.Password eq form.password>
         <cfcookie name="username" value="#form.username#">
         <cfcookie name="password" value="#form.password#">
         <!--- Don't use cflocation, use either cfheader or javascript --->
         <script language="javascript">
             window.open("HR.cfm","_self");
         </script>
   </cfif>
<cfelse>
   <cfparam name="cookie.username" default="">
   <cfparam name="cookie.password" default="">
   <cfform method="post" action="#cgi.script_name#">
      username: <cfinput type="text" name="username" required="true" message="Please enter username" value="#cookie.username#"><br>
      password: <cfinput type="password" name="password" required="true" message="Please enter password" value="#cookie.password#"><br>
      <!--- the submit button must be named "login" so that form.login is defined above --->
      <input type="submit" name="login" value="login">
   </cfform>
</cfif>

HR.cfm
---------------------------------
<cfif session.loggedIn eq false>
       <cflocation url="Fail.cfm">
</cfif>

I hope it works.. let me know

Expert Comment

by:awanferra
ID: 9630553
Oops.. I forgot to put one line..
   <cfif qrGetPass.Password eq form.password>
         <cfcookie name="username" value="#form.username#">
         <cfcookie name="password" value="#form.password#">
         <!--- put this line --->
         <cfset session.loggedIn=true>
         <!--- Don't use cflocation, use either cfheader or javascript --->
         <script language="javascript">
             window.open("HR.cfm","_self");
         </script>
   </cfif>
LVL 19

Expert Comment

by:cheekycj
ID: 9630563
If you post your code in its entirety we can fix it for you.

CJ
LVL 11

Accepted Solution

by:
hart earned 500 total points
ID: 9631742
Try this out

<!--- =================================== login.cfm =================================== --->
In my login page, at the top, I will have this code

<CFIF IsDefined("cookie.logincookie")>
      <cfquery name="MM_rsUser" datasource="intranet">
        SELECT *
        FROM PASSWORDS
        WHERE USERNAME='#ListFirst(cookie.logincookie,"~")#'
        AND PASSWORD='#ListLast(cookie.logincookie,"~")#'
        </cfquery>
      
      <CFIF MM_rsUser.RecordCount neq 0>
            <CFLOCATION URL="Hr.cfm" ADDTOKEN="No">
            <CFABORT>
      <CFELSE>
            <CFCOOKIE NAME="logincookie" VALUE="" EXPIRES="NOW"><!--- kill it --->
      </CFIF>      
</CFIF>

<FORM NAME="frm" ACTION="CheckUser.cfm" METHOD="post">
      <input TYPE="Text" NAME="username" VALUE="">
      <input TYPE="password" NAME="pwd" VALUE="">
      ...
</FORM>
...
<!--- =================================== end of login page =================================== --->

<!--- =================================== CheckUser.cfm =================================== --->
<CFIF IsDefined("Form.Username") And IsDefined("Form.Pwd")>
      <cfquery name="MM_rsUser" datasource="intranet">
        SELECT *
        FROM PASSWORDS
        WHERE USERNAME='#Form.Username#'
        AND PASSWORD='#Form.Pwd#'
        </cfquery>
      
      <CFIF MM_rsUser.RecordCount neq 0>
            <cfcookie NAME="logincookie" VALUE="#Form.username#~#Form.pwd#" EXPIRES="NEVER">
            <CFHEADER NAME="Refresh" VALUE="0; URL=Hr.cfm">
      <CFELSE>
            <CFLOCATION URL="Fail.cfm" ADDTOKEN="No">      
      </CFIF>      
<CFELSE>
      <CFLOCATION URL="Login.cfm" ADDTOKEN="No">
</CFIF>
<!--- =================================== end of CheckUser.cfm =================================== --->


<!--- =================================== Hr.cfm =================================== --->
At the top just write this
<CFIF Not IsDefined("cookie.logincookie")>
      <CFLOCATION URL="Login.cfm" ADDTOKEN="No">
</CFIF>
<!--- =================================== end of Hr.cfm =================================== --->


Let me know [I have given code for 3 pages, just do the same and it will work like a charm]

Regards
Hart
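The accepted answer keeps `username~password` in a permanent cookie and re-runs the PASSWORDS query with the cookie's two halves interpolated into the SQL. The block below is an added example in Python, not code from this thread or from ColdFusion, that walks the same three checks (Login.cfm, CheckUser.cfm, Hr.cfm) with a signed remember-me token carrying only the username and an expiry, so the password never leaves the server, and with a parameterised lookup in the style of awanferra's cfqueryparam; it also shows how the `~`-delimited cookie parses when a password itself contains `~`. `SECRET`, `TTL`, the helper names and the in-memory PASSWORDS row are assumptions constructed for the example.

```python
import hashlib, hmac, sqlite3

# Assumption: a per-server secret that lives only on the server, never in a cookie.
SECRET = b"constructed-demo-secret-change-me"
TTL = 30 * 24 * 3600  # remember-me lifetime in seconds (assumed value)

def parse_legacy_cookie(value):
    """Split the thread's 'username~password' cookie the way ListFirst/ListLast do."""
    parts = [p for p in value.split("~") if p]   # CF list functions skip empty elements
    return (parts[0], parts[-1]) if len(parts) >= 2 else None

def issue_token(username, now):
    """CheckUser.cfm step: once the database check passes, sign username|expiry."""
    exp = int(now) + TTL
    msg = f"{username}|{exp}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{username}|{exp}|{mac}"

def verify_token(token, now):
    """Login.cfm / Hr.cfm step: accept the cookie only if the MAC and expiry hold."""
    try:
        username, exp, mac = token.rsplit("|", 2)
    except ValueError:
        return None                                  # not three fields: malformed
    if not exp.isdigit():
        return None
    expected = hmac.new(SECRET, f"{username}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None                                  # tampered or forged
    if int(exp) < int(now):
        return None                                  # expired: same effect as EXPIRES="NOW"
    return username

def user_exists(conn, username):
    """Parameterised lookup (the cfqueryparam form), not string interpolation."""
    row = conn.execute("SELECT 1 FROM PASSWORDS WHERE USERNAME = ?", (username,)).fetchone()
    return row is not None

def hr_page_allowed(conn, cookie_value, now):
    """Hr.cfm gate: valid token and the user is still present in PASSWORDS."""
    username = verify_token(cookie_value, now)
    return username is not None and user_exists(conn, username)

def build_demo_db():
    """Constructed in-memory copy of the asker's PASSWORDS table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PASSWORDS (ACCESS_LEVEL INT, USERNAME TEXT, PASSWORD TEXT)")
    conn.execute("INSERT INTO PASSWORDS VALUES (1, 'hr_admin', 'constructed-only')")
    return conn
```

Because the token is checked by MAC before any database access, a cookie edited on the client is rejected without touching the table, and deleting a user from PASSWORDS still locks them out of Hr.cfm even while their cookie is unexpired.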

Author Comment

by:nelliott
ID: 9633051
You beauty! Worked like a treat.

Many thanks to Hart and all else who contributed.

I've learnt a lot from this.
LVL 11

Expert Comment

by:hart
ID: 9633103
:-)

Regards
Hart
