Solved

Cookie Help

Posted on 2003-10-23
Last Modified: 2013-12-24
Hi

I want to create an administrative area for an Intranet for my Human Resources Department.

I have a table in a database which consists of ACCESS_LEVEL, USERNAME and PASSWORD.

I have a log in page where a HR user enters their Username and Password.  If they enter these correctly they go to loginOK.cfm, and if they don't they go to loginFail.cfm.

Here's the question...

When they first enter their password and username, how can I then set a cookie to store them on their computer, so that when they go to log in again they bypass the login page and go straight to loginOK.cfm? I also need to ensure that if a user puts in the loginOK.cfm straight into the address bar, that they get redirected to loginFail.cfm.

I know this doesn't sound too security conscious, but there are reasons for doing it this way.

Also, as an aside - is setting a cookie the best way to do this?  Or is there a better method?

Thanks in advance.
0
Question by:nelliott
17 Comments
 
LVL 2

Expert Comment

by:jonnygo55
ID: 9610478
on your login page simply set 2 cookies after a successful login and before redirection
<cfcookie name="username" value="#form.username#">
<cfcookie name="password" value="#form.password#" secure="Yes">

then in the beginning of the file check for the existence of those cookies..
<cfif isDefined('cookie.username') and isDefined('cookie.password')>
   <cfset form.username = cookie.username><cfset form.password = cookie.password>
</cfif>

As for the loginOk.cfm file put a check to see if they are coming from login page...
<cfif isDefined('cgi.http_referer') and getFileFromPath(cgi.http_referer) eq 'login.cfm'>
...
<cfelse>
<cflocation url="login.cfm">
</cfif>

something like that...
0
 
LVL 14

Expert Comment

by:Renante Entera
ID: 9611336
You must have a security check like this:
  <cfif not IsDefined('cookie.username') and not IsDefined('cookie.password')>
    <cflocation url="login.cfm">
  </cfif>
You have to put this at the top of every page.

I am assuming that you have a login page maybe something like this :

<form name="form1" method="post" action="action.cfm">
  <input type="text" name="username"><br>
  <input type="password" name="password"><br>
  <input type="submit" name="submit" value="Login">
</form>

Then on your action page :

<cfquery name="GetUser" datasource="dsn">
  SELECT * FROM Table
  WHERE username = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.username#">
  AND password = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.password#">
</cfquery>

<cfif GetUser.recordcount>
  <cfcookie name="username" value='#GetUser.username#'>
  <cfcookie name="password" value="#GetUser.password#">
  <cflocation url="loginOk.cfm">
<cfelse>
  <cflocation url="loginFail.cfm">
</cfif>

Remember that the security checking must always be on top of every page so that once a user types in to the address bar the page he wants to browse then he will be redirected to the login page if cookie does not exist...

Good luck!
eNTRANCE2002 :-)
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 9611682
one hint.  Don't put these checks in your loginFail.cfm or login.cfm or action.cfm

CJ
0
 
LVL 11

Expert Comment

by:hart
ID: 9612136
i would use just a single cookie to do this

<cfcookie name="logincookie" value="#form.username#~#form.password#" expires="never">

this will set a permanent cookie on the client machine.

then all you have to do is check whether this cookie exists in the home page.

<cfif isdefined("cookie.logincookie")>
  <cflocation url="home.cfm" addtoken="no">
</cfif>

Regards
Hart
0
 

Author Comment

by:nelliott
ID: 9613225
Hi

I've tried to combine your above thoughts, and this is what I've come up with...

I have two pages with the following script:

The Log-In Page...

<cfif isdefined("cookie.logincookie")>
  <cflocation url="hrHome.cfm" addtoken="no">
</cfif>
<cfif IsDefined("FORM.username")>
<cfquery name="MM_rsUser" datasource="intranet">
  SELECT *
  FROM PASSWORDS
  WHERE USERNAME='#FORM.username#'
  AND PASSWORD='#FORM.password#'
  </cfquery>
  <cfif MM_rsUser.RecordCount NEQ 0>
  <cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
  <cflocation url="hrHome.cfm
  <cfelse>
  <cflocation url="hrLoginFail.cfm ">
  </cfif>  
  <cfelse>
  <cfset MM_LoginAction=CGI.SCRIPT_NAME>
  <cfif CGI.QUERY_STRING NEQ "">
    <cfset MM_LoginAction=MM_LoginAction & "?" & XMLFormat(CGI.QUERY_STRING)>
  </cfif>
</cfif>

<form name="login" method="POST" action="<cfoutput>#MM_loginAction#</cfoutput>">
                        <input name="username" type="text" class="forms" id="username">
                        <input name="password" type="password" class="forms" id="password">
                        <input name="submit" type="submit" class="forms" value="Submit Password">
 </form>

The HR Home Page...

<cfif isdefined("cookie.logincookie")>
<!--- Home Page Text--->
<cfelse>
  <cflocation url="hrLoginFail.cfm">
</cfif>

For some reason this just goes to hrLoginFail.cfm every time.  Any ideas?
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 9613599
<cfif MM_rsUser.RecordCount NEQ 0>
  <cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
  <cflocation url="hrHome.cfm
  <cfelse>
  <cflocation url="hrLoginFail.cfm ">
  </cfif>  

You cannot set a cookie and then use cflocation.  The cookie will not get set.

Try this:

 <cfif MM_rsUser.RecordCount NEQ 0>
  <cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
  Your login was successful.  Click <a href="hrHome.cfm">here</a> to continue.
  <cfelse>
  <cflocation url="hrLoginFail.cfm ">
  </cfif>  

or use a javascript redirect:

 <cfif MM_rsUser.RecordCount NEQ 0>
  <cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
  <script>window.location.href="hrHome.cfm";</script>
  <noscript>If redirect does not work, Click <a href="hrHome.cfm">here</a> to continue.</noscript>
  <cfelse>
  <cflocation url="hrLoginFail.cfm ">
  </cfif>  

HTH,
CJ
0
 

Author Comment

by:nelliott
ID: 9615190
The cookie is being set because I can find it within the Cookies folder on my C-drive.

I think it's a problem with this line, as it doesn't seem to be detecting it in either the hrLogin.cfm page (if the cookie exists then it is still making me log in rather than redirecting to the hrHome.cfm) or the hrHome.cfm page (if the cookie exists then it is sending me to hrLoginFail.cfm).

<cfif isdefined("cookie.logincookie")>

Am I setting the cookie correctly?  

<cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">

Thanks again.
0
 
LVL 14

Expert Comment

by:Renante Entera
ID: 9618707
Try checking your application.cfm file.  

Be sure that you have this line :

<cfapplication name="YourAppName" sessionmanagement="yes" sessiontimeout="#CreateTimeSpan(0,0,30,0)#" clientmanagement="yes">

Regards!
eNTRANCE2002 :-)
0

 
LVL 19

Expert Comment

by:cheekycj
ID: 9619314
do u still have the cflocation?  The URL that cflocation sends the user to will not see the cookies b/c it is a server side redirect.  You need a client side redirect for that page to see the cookie immediately b/c it has just recently been set in the same request.

Try putting some debug code.  instead of redirecting put a cfabort and output your cookie value.

CJ
0
 
LVL 11

Expert Comment

by:hart
ID: 9624984
cj is right u cannot use cflocation with cfcookie

<cfif MM_rsUser.RecordCount NEQ 0>
  <cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never">
  <!--- instead of this<cflocation url="hrHome.cfm"> --->
<CFHEADER NAME="Refresh" VALUE="0; URL=hrHome.cfm">
  <cfelse>
  <cflocation url="hrLoginFail.cfm ">
  </cfif>  


Regards
Hart
0
 

Author Comment

by:nelliott
ID: 9627733
Hi

I've tried all of your comments and I still can't seem to get this working. The cookie is being set, but it doesn't seem to be being found/read.

I've increased the points.  Can somebody please, please come up with a foolproof fully tested solution from start to finish for me?

I need script for two pages:

Log In Page:

User enters username and password into a form.  This is checked against database.  If OK, set a cookie (which includes password and username) and then go to 'HR.cfm'.  If incorrect go to 'Fail.cfm'.  If the user has previously logged in successfully, check for the cookie (and ensure the cookie contains the correct username and password) If this is OK then they get redirected straight to 'HR.cfm' without needing to log in.

HR Page:

Check to see if cookie is on computer (and ensure the cookie contains the correct username and password).  If so, load rest of page.  If not, redirect to 'Fail.cfm'.

This sounds easy, but I seem to be making a right pig's ear of it, and this site is supposed to be going live next week.

Many thanks in advance.
0
 

Expert Comment

by:awanferra
ID: 9630543
Application.cfm
------------------------------
<cfapplication sessiontimeout="30" sessionmanagement="yes" clientmanagement="yes" setclientcookies="yes" setdomaincookies="yes" name="yourapname">
<cfparam name="session.loggedIn" default="false">

login.cfm
------------------------

<cfif IsDefined("form.login")>
   <cfquery datasource="yourdsn" name="qrGetPass">
          SELECT PASSWORD FROM PASSWORD
          WHERE USERNAME=<cfqueryparam cfsqltype="cf_sql_varchar" value="#form.username#">
   </cfquery>
   <cfif qrGetPass.Password eq form.password>
         <cfcookie  name = "username"  value = "#form.username#">
         <cfcookie  name = "password"  value = "#form.password#">
         <!---Dont use cflocation, use either cfheader or javascript--->
         <script language="javascript">
             window.open("HR.cfm","_self");
         </script>
   </cfif>
<cfelse>
   <cfparam name="cookie.username" default="">
   <cfparam name="cookie.password" default="">
   <cfform method="post" action="#cgi.script_name#">
      username: <cfinput type="text" name="username" required="true" message="Please enter username" value="#cookie.username#"><br>
      password: <cfinput type="password" name="password" required="true" message="Please enter password" value="#cookie.password#"><br>
      <input type="submit" value="login">
   </cfform>
</cfif>

HR.cfm
---------------------------------
<cfif session.loggedIn eq false>
       <cflocation url="Fail.cfm">
</cfif>

i hope it works.. let me know
0
 

Expert Comment

by:awanferra
ID: 9630553
Oops.. I forgot to put one line..
   <cfif qrGetPass.Password eq form.password>
         <cfcookie  name = "username"  value = "#form.username#">
         <cfcookie  name = "password"  value = "#form.password#">
         <!---put this line---->
         <cfset session.loggedIn=true>
         <!---Dont use cflocation, use either cfheader or javascript--->
         <script language="javascript">
             window.open("HR.cfm","_self");
         </script>
   </cfif>
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 9630563
if you post your code in its entirety we can fix it for you.

CJ
0
 
LVL 11

Accepted Solution

by:
hart earned 500 total points
ID: 9631742
try this out

<!--- =================================== login.cfm =================================== --->
in my login page on the top i will have this code

<CFIF IsDefined("cookie.logincookie")>
      <cfquery name="MM_rsUser" datasource="intranet">
        SELECT *
        FROM PASSWORDS
        WHERE USERNAME=<cfqueryparam cfsqltype="cf_sql_varchar" value="#ListFirst(cookie.logincookie, '~')#">
        AND PASSWORD=<cfqueryparam cfsqltype="cf_sql_varchar" value="#ListLast(cookie.logincookie, '~')#">
        </cfquery>
      
      <CFIF MM_rsUser.RecordCount neq 0>
            <CFLOCATION URL="Hr.cfm" ADDTOKEN="No">
            <CFABORT>
      <CFELSE>
            <CFCOOKIE NAME="logincookie" VALUE="" EXPIRES="NOW"><!--- kill it --->
      </CFIF>      
</CFIF>

<FORM NAME="frm" ACTION="CheckUser.cfm" METHOD="post">
      <input TYPE="Text" NAME="username" VALUE="">
      <input TYPE="password" NAME="pwd" VALUE="">
      ...
</FORM>
...
<!--- =================================== end of login page =================================== --->

<!--- =================================== CheckUser.cfm =================================== --->
<CFIF IsDefined("Form.Username") And IsDefined("Form.Pwd")>
      <cfquery name="MM_rsUser" datasource="intranet">
        SELECT *
        FROM PASSWORDS
        WHERE USERNAME=<cfqueryparam cfsqltype="cf_sql_varchar" value="#Form.Username#">
        AND PASSWORD=<cfqueryparam cfsqltype="cf_sql_varchar" value="#Form.Pwd#">
        </cfquery>
      
      <CFIF MM_rsUser.RecordCount neq 0>
            <cfcookie NAME="logincookie" VALUE="#Form.username#~#Form.pwd#" EXPIRES="NEVER">
            <CFHEADER NAME="Refresh" VALUE="0; URL=Hr.cfm">
      <CFELSE>
            <CFLOCATION URL="Fail.cfm" ADDTOKEN="No">      
      </CFIF>      
<CFELSE>
      <CFLOCATION URL="Login.cfm" ADDTOKEN="No">
</CFIF>
<!--- =================================== end of CheckUser.cfm =================================== --->


<!--- =================================== Hr.cfm =================================== --->
in the top just write this
<CFIF Not IsDefined("cookie.logincookie")>
      <CFLOCATION URL="Login.cfm" ADDTOKEN="No">
</CFIF>
<!--- =================================== end of Hr.cfm =================================== --->


let me know [i have given code for 3 pages just do the same and it will work like a charm]

Regards
Hart
0
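
A variant of the three-page approach above, as an added example that is not part of hart's answer or of the original thread: the cookie holds a random token instead of username~password, the queries bind their inputs with cfqueryparam, and Hr.cfm validates the token rather than only checking that a cookie exists. The LOGIN_TOKENS table and the logintoken cookie name are assumptions, and the httponly attribute assumes ColdFusion 9 or later.

```cfml
<!--- ADDED EXAMPLE, not from the thread. Assumed table (hypothetical):
      LOGIN_TOKENS(USERNAME, TOKEN_HASH, EXPIRES_AT) in the "intranet" datasource. --->

<!--- ===== CheckUser.cfm: verify the form, then issue a random token ===== --->
<cfquery name="MM_rsUser" datasource="intranet">
  SELECT USERNAME
  FROM PASSWORDS
  WHERE USERNAME = <cfqueryparam cfsqltype="cf_sql_varchar" value="#Form.Username#">
  AND PASSWORD = <cfqueryparam cfsqltype="cf_sql_varchar" value="#Form.Pwd#">
</cfquery>
<cfif MM_rsUser.RecordCount neq 0>
  <!--- 128 random bits, hex-encoded so the cookie value needs no escaping --->
  <cfset token = BinaryEncode(BinaryDecode(GenerateSecretKey("AES"), "base64"), "hex")>
  <cfquery datasource="intranet">
    INSERT INTO LOGIN_TOKENS (USERNAME, TOKEN_HASH, EXPIRES_AT)
    VALUES (
      <cfqueryparam cfsqltype="cf_sql_varchar" value="#MM_rsUser.USERNAME#">,
      <cfqueryparam cfsqltype="cf_sql_varchar" value="#Hash(token, 'SHA-256')#">,
      <cfqueryparam cfsqltype="cf_sql_timestamp" value="#DateAdd('d', 30, Now())#">
    )
  </cfquery>
  <!--- The cookie carries only the token. secure="yes" means the browser
        returns it over HTTPS only; httponly hides it from page scripts. --->
  <cfcookie name="logintoken" value="#token#" expires="30" secure="yes" httponly="yes">
  <cfheader name="Refresh" value="0; URL=Hr.cfm">
<cfelse>
  <cflocation url="Fail.cfm" addtoken="no">
</cfif>

<!--- ===== Top of Hr.cfm: validate the token, not just its presence ===== --->
<cfset tokenOk = false>
<cfif IsDefined("cookie.logintoken")>
  <cfquery name="rsToken" datasource="intranet">
    SELECT USERNAME
    FROM LOGIN_TOKENS
    WHERE TOKEN_HASH = <cfqueryparam cfsqltype="cf_sql_varchar" value="#Hash(cookie.logintoken, 'SHA-256')#">
    AND EXPIRES_AT > <cfqueryparam cfsqltype="cf_sql_timestamp" value="#Now()#">
  </cfquery>
  <cfset tokenOk = (rsToken.RecordCount neq 0)>
</cfif>
<cfif not tokenOk>
  <cflocation url="Login.cfm" addtoken="no">
</cfif>
```

Deleting a user's rows from LOGIN_TOKENS revokes the remembered login without changing the password, and the stored hash cannot be replayed as a cookie value.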
 

Author Comment

by:nelliott
ID: 9633051
You beauty! Worked like a treat.

Many thanks to Hart and all else who contributed.

I've learnt a lot from this.
0
 
LVL 11

Expert Comment

by:hart
ID: 9633103
:-)

Regards
Hart
0
