Solved

Cookie Help

Posted on 2003-10-23
Last Modified: 2013-12-24
Hi

I want to create an administrative area for an Intranet for my Human Resources Department.

I have a table in a database which consists of ACCESS_LEVEL, USERNAME and PASSWORD.

I have a log in page where a HR user enters their Username and Password. If they enter these correctly they go to loginOK.cfm, and if they don't they go to loginFail.cfm.

Here's the question...

When they first enter their password and username, how can I then set a cookie to store them on their computer, so that when they go to log in again they bypass the login page and go straight to loginOK.cfm? I also need to ensure that if a user puts in the loginOK.cfm straight into the address bar, that they get redirected to loginFail.cfm.

I know this doesn't sound too security conscious, but there are reasons for doing it this way.

Also, as an aside - is setting a cookie the best way to do this?  Or is there a better method?

Thanks in advance.
Question by:nelliott

LVL 2

Expert Comment

by:jonnygo55
ID: 9610478
on your login page simply set 2 cookies after a successful login and before redirection
<cfcookie name="username" value="#form.username#">
<cfcookie name="password" value="#form.password#" secure="Yes">

then in the beginning of the file check for the existence of those cookies..
<cfif isDefined('cookie.username') and isDefined('cookie.password')>
   <cfset form.username = cookie.username><cfset form.password = cookie.password>
</cfif>

As for the loginOk.cfm file put a check to see if they are coming from login page...
<cfif isDefined('cgi.http_referer') and getFileFromPath(cgi.http_referer) eq 'login.cfm'>
...
<cfelse>
<cflocation url="login.cfm">
</cfif>

something like that...
0
 
LVL 14

Expert Comment

by:Renante Entera
ID: 9611336
You must have a security check like this:
  <!--- redirect when either cookie is missing --->
  <cfif not IsDefined('cookie.username') or not IsDefined('cookie.password')>
    <cflocation url="login.cfm">
  </cfif>
You have to put this at the top of every page.

I am assuming that you have a login page maybe something like this :

<form name="form1" method="post" action="action.cfm">
  <input type="text" name="username"><br>
  <input type="password" name="password"><br>
  <input type="submit" name="submit" value="Login">
</form>

Then on your action page :

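<!--- bind the form values as parameters instead of splicing them into the SQL --->
<cfquery name="GetUser" datasource="dsn">
  SELECT * FROM Table
  WHERE username = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.username#">
  AND password = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.password#">
</cfquery>

<cfif GetUser.recordcount>
  <cfcookie name="username" value="#GetUser.username#">
  <cfcookie name="password" value="#GetUser.password#">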
  <cflocation url="loginOk.cfm">
<cfelse>
  <cflocation url="loginFail.cfm">
</cfif>

Remember that the security checking must always be on top of every page so that once a user types in to the address bar the page he wants to browse then he will be redirected to the login page if cookie does not exist...

Goodluck!
eNTRANCE2002 :-)
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 9611682
one hint.  Don't put these checks in your loginFail.cfm or login.cfm or action.cfm

CJ
0
 
LVL 11

Expert Comment

by:hart
ID: 9612136
i would use just a single cookie to do this

<cfcookie name="logincookie" value="#form.username#~#form.password#" expires="never">

this will set a permanent cookie on the client machine.

then all u have to do is check whether this cookie exists in the home page.

<cfif isdefined("cookie.logincookie")>
  <cflocation url="home.cfm" addtoken="no">
</cfif>

Regards
Hart
0
 

Author Comment

by:nelliott
ID: 9613225
Hi

I’ve tried to combine your above thoughts, and this is what I’ve come up with…

I have two pages with the following script:

The Log-In Page…

<cfif isdefined("cookie.logincookie")>
  <cflocation url="hrHome.cfm" addtoken="no">
</cfif>
<cfif IsDefined("FORM.username")>
<cfquery name="MM_rsUser" datasource="intranet">
  SELECT *
  FROM PASSWORDS
  WHERE USERNAME='#FORM.username#'
  AND PASSWORD='#FORM.password#'
  </cfquery>
  <cfif MM_rsUser.RecordCount NEQ 0>
  <cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
  <cflocation url="hrHome.cfm
  <cfelse>
  <cflocation url="hrLoginFail.cfm ">
  </cfif>  
  <cfelse>
  <cfset MM_LoginAction=CGI.SCRIPT_NAME>
  <cfif CGI.QUERY_STRING NEQ "">
    <cfset MM_LoginAction=MM_LoginAction & "?" & XMLFormat(CGI.QUERY_STRING)>
  </cfif>
</cfif>

<form name="login" method="POST" action="<cfoutput>#MM_loginAction#</cfoutput>">
                        <input name="username" type="text" class="forms" id="username">
                        <input name="password" type="password" class="forms" id="password">
                        <input name="submit" type="submit" class="forms" value="Submit Password">
 </form>

The HR Home Page…

<cfif isdefined("cookie.logincookie")>
<!--- Home Page Text--->
<cfelse>
  <cflocation url="hrLoginFail.cfm">
</cfif>

For some reason this just goes to hrLoginFail.cfm every time.  Any ideas?
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 9613599
<cfif MM_rsUser.RecordCount NEQ 0>
  <cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
  <cflocation url="hrHome.cfm
  <cfelse>
  <cflocation url="hrLoginFail.cfm ">
  </cfif>  

You cannot set a cookie and then use cflocation.  The cookie will not get set.

Try this:

 <cfif MM_rsUser.RecordCount NEQ 0>
  <cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
  Your login was successful.  Click <a href="hrHome.cfm">here</a> to continue.
  <cfelse>
  <cflocation url="hrLoginFail.cfm ">
  </cfif>  

or use a javascript redirect:

 <cfif MM_rsUser.RecordCount NEQ 0>
  <cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
  <script>window.location.href="hrHome.cfm";</script>
  <noscript>If redirect does not work, Click <a href="hrHome.cfm">here</a> to continue.</noscript>
  <cfelse>
  <cflocation url="hrLoginFail.cfm ">
  </cfif>  

HTH,
CJ
0
 

Author Comment

by:nelliott
ID: 9615190
The cookie is being set because I can find it within the Cookies folder on my C-drive.

I think it's a problem with this line, as it doesn't seem to be detecting it in either the hrLogin.cfm page (if the cookie exists then it is still making me log in rather than redirecting to the hrHome.cfm) or the hrHome.cfm page (if the cookie exists then it is sending me to hrLoginFail.cfm).

<cfif isdefined("cookie.logincookie")>

Am I setting the cookie correctly?  

<cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">

Thanks again.
0
 
LVL 14

Expert Comment

by:Renante Entera
ID: 9618707
Try checking your application.cfm file.  

Be sure that you have this line :

<cfapplication name="YourAppName" sessionmanagement="yes" sessiontimeout="#CreateTimeSpan(0,0,30,0)#" clientmanagement="yes">

Regards!
eNTRANCE2002 :-)
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 9619314
do u still have the cflocation?  The URL that cflocation sends the user to will not see the cookies b/c it is a server side redirect.  You need a client side redirect for that page to see the cookie immediately b/c it has just recently been set in the same request.

Try putting some debug code.  instead of redirecting put a cfabort and output your cookie value.

CJ
0
 
LVL 11

Expert Comment

by:hart
ID: 9624984
cj is right u cannot use cflocation with cfcookie

<cfif MM_rsUser.RecordCount NEQ 0>
  <cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never">
  <!--- instead of this<cflocation url="hrHome.cfm"> --->
<CFHEADER NAME="Refresh" VALUE="0; URL=hrHome.cfm">
  <cfelse>
  <cflocation url="hrLoginFail.cfm ">
  </cfif>  


Regards
Hart
0
 

Author Comment

by:nelliott
ID: 9627733
Hi

I've tried all of your comments and I still can't seem to get this working. The cookie is being set, but it doesn't seem to be being found/read.

I've increased the points.  Can somebody please, please come up with a foolproof fully tested solution from start to finish for me?

I need script for two pages:

Log In Page:

User enters username and password into a form.  This is checked against database.  If OK, set a cookie (which includes password and username) and then go to 'HR.cfm'.  If incorrect go to 'Fail.cfm'.  If the user has previously logged in successfully, check for the cookie (and ensure the cookie contains the correct username and password) If this is OK then they get redirected straight to 'HR.cfm' without needing to log in.

HR Page:

Check to see if cookie is on computer (and ensure the cookie contains the correct username and password).  If so, load rest of page.  If not, redirect to 'Fail.cfm'.

This sounds easy, but I seem to be making a right pig's ear of it, and this site is supposed to be going live next week.

Many thanks in advance.
0
 

Expert Comment

by:awanferra
ID: 9630543
Application.cfm
------------------------------
<cfapplication sessiontimeout="30" sessionmanagement="yes" clientmanagement="yes" setclientcookies="yes" setdomaincookies="yes" name="yourapname">
<cfparam name="session.loggedIn" default="false">

login.cfm
------------------------

<cfif IsDefined("form.login")>
   <cfquery datasource="yourdsn" name="qrGetPass">
          SELECT PASSWORD FROM PASSWORD
          WHERE USERNAME=<cfqueryparam cfsqltype="cf_sql_varchar" value="#form.username#">
   </cfquery>
   <cfif qrGetPass.Password eq form.password>
         <cfcookie  name = "username"  value = "#form.username#">
         <cfcookie  name = "password"  value = "#form.password#">
         <!---Dont use cflocation, use either cfheader or javascript--->
         <script language="javascript">
             window.open("HR.cfm","_self");
         </script>
   </cfif>
<cfelse>
   <cfparam name="cookie.username" default="">
   <cfparam name="cookie.password" default="">
   <cfform method="post" action="#cgi.script_name#">
      username: <cfinput type="text" name="username" required="true" message="Please enter username" value="#cookie.username#"><br>
      password: <cfinput type="password" name="password" required="true" message="Please enter password" value="#cookie.password#"><br>
      <!--- the submit button is named "login" so that form.login exists on post --->
      <input type="submit" name="login" value="login">
   </cfform>
</cfif>

HR.cfm
---------------------------------
<cfif session.loggedIn eq false>
       <cflocation url="Fail.cfm">
</cfif>

i hope it works.. let me know
0
 

Expert Comment

by:awanferra
ID: 9630553
Oops.. I forgot to put one line..
   <cfif qrGetPass.Password eq form.password>
         <cfcookie  name = "username"  value = "#form.username#">
         <cfcookie  name = "password"  value = "#form.password#">
         <!---put this line---->
         <cfset session.loggedIn=true>
         <!---Dont use cflocation, use either cfheader or javascript--->
         <script language="javascript">
             window.open("HR.cfm","_self");
         </script>
   </cfif>
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 9630563
if you post your code in its entirety we can fix it for you.

CJ
0
 
LVL 11

Accepted Solution

by:
hart earned 500 total points
ID: 9631742
try this out

<!--- =================================== login.cfm =================================== --->
in my login page on the top i will have this code

<CFIF IsDefined("cookie.logincookie")>
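      <!--- bind the cookie parts as parameters; the cookie is client-controlled input --->
      <cfquery name="MM_rsUser" datasource="intranet">
        SELECT *
        FROM PASSWORDS
        WHERE USERNAME=<cfqueryparam cfsqltype="cf_sql_varchar" value="#ListFirst(cookie.logincookie,'~')#">
        AND PASSWORD=<cfqueryparam cfsqltype="cf_sql_varchar" value="#ListLast(cookie.logincookie,'~')#">
        </cfquery>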
      
      <CFIF MM_rsUser.RecordCount neq 0>
            <CFLOCATION URL="Hr.cfm" ADDTOKEN="No">
            <CFABORT>
      <CFELSE>
            <CFCOOKIE NAME="logincookie" VALUE="" EXPIRES="NOW"><!--- kill it --->
      </CFIF>      
</CFIF>

<FORM NAME="frm" ACTION="CheckUser.cfm" METHOD="post">
      <input TYPE="Text" NAME="username" VALUE="">
      <input TYPE="password" NAME="pwd" VALUE="">
      ...
</FORM>
...
<!--- =================================== end of login page =================================== --->

<!--- =================================== CheckUser.cfm =================================== --->
<CFIF IsDefined("Form.Username") And IsDefined("Form.Pwd")>
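      <!--- bind the form values as parameters instead of splicing them into the SQL --->
      <cfquery name="MM_rsUser" datasource="intranet">
        SELECT *
        FROM PASSWORDS
        WHERE USERNAME=<cfqueryparam cfsqltype="cf_sql_varchar" value="#Form.Username#">
        AND PASSWORD=<cfqueryparam cfsqltype="cf_sql_varchar" value="#Form.Pwd#">
        </cfquery>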
      
      <CFIF MM_rsUser.RecordCount neq 0>
            <cfcookie NAME="logincookie" VALUE="#Form.username#~#Form.pwd#" EXPIRES="NEVER">
            <CFHEADER NAME="Refresh" VALUE="0; URL=Hr.cfm">
      <CFELSE>
            <CFLOCATION URL="Fail.cfm" ADDTOKEN="No">      
      </CFIF>      
<CFELSE>
      <CFLOCATION URL="Login.cfm" ADDTOKEN="No">
</CFIF>
<!--- =================================== end of CheckUser.cfm =================================== --->


<!--- =================================== Hr.cfm =================================== --->
in the top just write this
<CFIF Not IsDefined("cookie.logincookie")>
      <CFLOCATION URL="Login.cfm" ADDTOKEN="No">
</CFIF>
<!--- =================================== end of Hr.cfm =================================== --->


let me know [i have given code for 3 pages just do the same and it will work like a charm]

Regards
Hart
0
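
Added example, not part of hart's answer or the original thread: a variant of the same three-page flow in which the cookie carries a random token instead of the username and password, and Hr.cfm validates the cookie against the database rather than only checking that it exists. The `LOGIN_TOKENS` table and its columns are assumptions, as are a ColdFusion version that supports `httponly` on `cfcookie` and an intranet served over HTTPS.

```cfml
<!--- Added example. Assumed table: LOGIN_TOKENS(USERNAME, TOKEN_HASH, EXPIRES_AT). --->

<!--- ===== CheckUser.cfm: replaces the block that runs after the login query ===== --->
<cfif MM_rsUser.RecordCount neq 0>
    <!--- Random 64-character hex token; the password never goes into the cookie --->
    <cfset token = Hash(GenerateSecretKey("AES"), "SHA-256")>
    <!--- Store only a hash of the token, so a leaked table cannot be replayed as cookies --->
    <cfquery datasource="intranet">
        INSERT INTO LOGIN_TOKENS (USERNAME, TOKEN_HASH, EXPIRES_AT)
        VALUES (
            <cfqueryparam cfsqltype="cf_sql_varchar" value="#Form.Username#">,
            <cfqueryparam cfsqltype="cf_sql_varchar" value="#Hash(token, 'SHA-256')#">,
            <cfqueryparam cfsqltype="cf_sql_timestamp" value="#DateAdd('d', 30, Now())#">
        )
    </cfquery>
    <!--- 30-day cookie, not readable from script, sent over HTTPS only --->
    <cfcookie name="logincookie" value="#token#" expires="30" secure="true" httponly="true">
    <cfheader name="Refresh" value="0; URL=Hr.cfm">
<cfelse>
    <cflocation url="Fail.cfm" addtoken="no">
</cfif>

<!--- ===== Top of Hr.cfm and of every other protected page ===== --->
<cfset validLogin = false>
<cfif IsDefined("cookie.logincookie") and Len(cookie.logincookie) eq 64>
    <cfquery name="qToken" datasource="intranet">
        SELECT USERNAME
        FROM LOGIN_TOKENS
        WHERE TOKEN_HASH = <cfqueryparam cfsqltype="cf_sql_varchar" value="#Hash(cookie.logincookie, 'SHA-256')#">
        AND EXPIRES_AT > <cfqueryparam cfsqltype="cf_sql_timestamp" value="#Now()#">
    </cfquery>
    <cfset validLogin = (qToken.RecordCount eq 1)>
</cfif>
<cfif not validLogin>
    <!--- Missing, forged or expired cookie: back to the login form --->
    <cflocation url="Login.cfm" addtoken="no">
</cfif>
```

A cookie marked `secure` is only returned by the browser over HTTPS, so this check will never see it on a page requested over plain HTTP. Deleting a user's rows from `LOGIN_TOKENS` revokes their remembered logins without changing their password.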
 

Author Comment

by:nelliott
ID: 9633051
You beauty! Worked like a treat.

Many thanks to Hart and all else who contributed.

I've learnt a lot from this.
0
 
LVL 11

Expert Comment

by:hart
ID: 9633103
:-)

Regards
Hart
0
