nelliott
asked on
Cookie Help
Hi
I want to create an administrative area for an Intranet for my Human Resources Department.
I have a table in a database which consists of ACCESS_LEVEL, USERNAME and PASSWORD.
I have a log in page where a HR user enters their Username and Password. If the enter these correctly they go to loginOK.cfm, and if they don't they go to loginFail.cfm.
Here's the question...
When they first enter their password and username, how can I then set a cookie to store them on their computer, so that when they go to log in again they bypass the login page and go straight to loginOK.cfm? I also need to ensure that if a user puts in the loginOK.cfm straight into the address bar, that they get redirected to loginFail.cfm.
I know this doesn't sound too security concious, but there are reasons for doing it this way.
Also, as an aside - is setting a cookie the best way to do this? Or is there a better method?
Thanks in advance.
I want to create an administrative area for an Intranet for my Human Resources Department.
I have a table in a database which consists of ACCESS_LEVEL, USERNAME and PASSWORD.
I have a log in page where a HR user enters their Username and Password. If the enter these correctly they go to loginOK.cfm, and if they don't they go to loginFail.cfm.
Here's the question...
When they first enter their password and username, how can I then set a cookie to store them on their computer, so that when they go to log in again they bypass the login page and go straight to loginOK.cfm? I also need to ensure that if a user puts in the loginOK.cfm straight into the address bar, that they get redirected to loginFail.cfm.
I know this doesn't sound too security concious, but there are reasons for doing it this way.
Also, as an aside - is setting a cookie the best way to do this? Or is there a better method?
Thanks in advance.
You must have a security checking like this :
<cfif not IsDefined('cookie.username
<cflocation url="login.cfm">
</cfif>
You have to put this on the top of every pages.
I am assuming that you have a login page maybe something like this :
<form name="form1" method="post" action="action.cfm">
<input type="text" name="username"><br>
<input type="password" name="password"><br>
<input type="submit" name="submit" value="Login">
</form>
Then on your action page :
<cfquery name="GetUser" datasource="dsn">
SELECT * FROM Table
WHERE username = '#form.username#'
AND password = '#form.password#'
</cfquery>
<cfif GetUser.recordcount>
<cfcookie name="username" value='#GetUser.username#'
<cfcookie name="password" value="#GetUser.password#'
<cflocation url="loginOk.cfm">
<cfelse>
<cflocation url="loginFail.cfm">
</cfif>
Remember that the security checking must always be on top of every page so that once a user types in to the address bar the page he wants to browse then he will be redirected to the login page if cookie does not exist...
Goodluck!
eNTRANCE2002 :-)
<cfif not IsDefined('cookie.username
<cflocation url="login.cfm">
</cfif>
You have to put this on the top of every pages.
I am assuming that you have a login page maybe something like this :
<form name="form1" method="post" action="action.cfm">
<input type="text" name="username"><br>
<input type="password" name="password"><br>
<input type="submit" name="submit" value="Login">
</form>
Then on your action page :
<cfquery name="GetUser" datasource="dsn">
SELECT * FROM Table
WHERE username = '#form.username#'
AND password = '#form.password#'
</cfquery>
<cfif GetUser.recordcount>
<cfcookie name="username" value='#GetUser.username#'
<cfcookie name="password" value="#GetUser.password#'
<cflocation url="loginOk.cfm">
<cfelse>
<cflocation url="loginFail.cfm">
</cfif>
Remember that the security checking must always be on top of every page so that once a user types in to the address bar the page he wants to browse then he will be redirected to the login page if cookie does not exist...
Goodluck!
eNTRANCE2002 :-)
one hint. Don't put these checks in your loginFail.cfm or login.cfm or action.cfm
CJ
CJ
i would use just a single cookie to do this
<cfcookie name="logincookie" value="#form.username#~#fo
this will set a permanent cookie on the client machine.
then all u have to do is check wether this cookie exsists in the home page.
<cfif isdefined("cookie.logincoo
<cflocation url="home.cfm" addtoken="no">
</cfif>
Regards
Hart
<cfcookie name="logincookie" value="#form.username#~#fo
this will set a permanent cookie on the client machine.
then all u have to do is check wether this cookie exsists in the home page.
<cfif isdefined("cookie.logincoo
<cflocation url="home.cfm" addtoken="no">
</cfif>
Regards
Hart
ASKER
Hi
I’ve tried to combine your above thoughts, and this is what I’ve come up with…
I have two pages with the following script:
The Log-In Page…
<cfif isdefined("cookie.logincoo
<cflocation url="hrHome.cfm" addtoken="no">
</cfif>
<cfif IsDefined("FORM.username")
<cfquery name="MM_rsUser" datasource="intranet">
SELECT *
FROM PASSWORDS
WHERE USERNAME='#FORM.username#'
AND PASSWORD='#FORM.password#'
</cfquery>
<cfif MM_rsUser.RecordCount NEQ 0>
<cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
<cflocation url="hrHome.cfm
<cfelse>
<cflocation url="hrLoginFail.cfm ">
</cfif>
<cfelse>
<cfset MM_LoginAction=CGI.SCRIPT_
<cfif CGI.QUERY_STRING NEQ "">
<cfset MM_LoginAction=MM_LoginAct
</cfif>
</cfif>
<form name="login" method="POST" action="<cfoutput>#MM_logi
<input name="username" type="text" class="forms" id="username">
<input name="password" type="password" class="forms" id="password">
<input name="submit" type="submit" class="forms" value="Submit Password">
</form>
The HR Home Page…
<cfif isdefined("cookie.logincoo
<!--- Home Page Text--->
<cfelse>
<cflocation url="hrLoginFail.cfm">
</cfif>
For some reason this just goes to hrLoginFail.cfm every time. Any ideas?
I’ve tried to combine your above thoughts, and this is what I’ve come up with…
I have two pages with the following script:
The Log-In Page…
<cfif isdefined("cookie.logincoo
<cflocation url="hrHome.cfm" addtoken="no">
</cfif>
<cfif IsDefined("FORM.username")
<cfquery name="MM_rsUser" datasource="intranet">
SELECT *
FROM PASSWORDS
WHERE USERNAME='#FORM.username#'
AND PASSWORD='#FORM.password#'
</cfquery>
<cfif MM_rsUser.RecordCount NEQ 0>
<cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
<cflocation url="hrHome.cfm
<cfelse>
<cflocation url="hrLoginFail.cfm ">
</cfif>
<cfelse>
<cfset MM_LoginAction=CGI.SCRIPT_
<cfif CGI.QUERY_STRING NEQ "">
<cfset MM_LoginAction=MM_LoginAct
</cfif>
</cfif>
<form name="login" method="POST" action="<cfoutput>#MM_logi
<input name="username" type="text" class="forms" id="username">
<input name="password" type="password" class="forms" id="password">
<input name="submit" type="submit" class="forms" value="Submit Password">
</form>
The HR Home Page…
<cfif isdefined("cookie.logincoo
<!--- Home Page Text--->
<cfelse>
<cflocation url="hrLoginFail.cfm">
</cfif>
For some reason this just goes to hrLoginFail.cfm every time. Any ideas?
<cfif MM_rsUser.RecordCount NEQ 0>
<cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
<cflocation url="hrHome.cfm
<cfelse>
<cflocation url="hrLoginFail.cfm ">
</cfif>
You cannot set a cookie and then use cflocation. The cookie will not get set.
Try this:
<cfif MM_rsUser.RecordCount NEQ 0>
<cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
Your login was succussful. Click <a href="hrHome.cfm">here</a>
<cfelse>
<cflocation url="hrLoginFail.cfm ">
</cfif>
or use a javascript redirect:
<cfif MM_rsUser.RecordCount NEQ 0>
<cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
<script>window.location.hr
<noscript>If redirect does not work, Click <a href="hrHome.cfm">here</a>
<cfelse>
<cflocation url="hrLoginFail.cfm ">
</cfif>
HTH,
CJ
<cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
<cflocation url="hrHome.cfm
<cfelse>
<cflocation url="hrLoginFail.cfm ">
</cfif>
You cannot set a cookie and then use cflocation. The cookie will not get set.
Try this:
<cfif MM_rsUser.RecordCount NEQ 0>
<cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
Your login was succussful. Click <a href="hrHome.cfm">here</a>
<cfelse>
<cflocation url="hrLoginFail.cfm ">
</cfif>
or use a javascript redirect:
<cfif MM_rsUser.RecordCount NEQ 0>
<cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
<script>window.location.hr
<noscript>If redirect does not work, Click <a href="hrHome.cfm">here</a>
<cfelse>
<cflocation url="hrLoginFail.cfm ">
</cfif>
HTH,
CJ
ASKER
The cookie is being set because I can find it within the Cookies folder on my C-drive.
I think it's a problem with this line, as it doesn't seem to be detecting it in either the hrLogin.cfm page (if the cookie exists then it is still making me log in rather than redirecting to the hrHome.cfm) or the hrHome.cfm page (if the cookie exists then it is sending me to hrLoginFail.cfm).
<cfif isdefined("cookie.logincoo
Am I setting the cookie correctly?
cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
Thanks again.
I think it's a problem with this line, as it doesn't seem to be detecting it in either the hrLogin.cfm page (if the cookie exists then it is still making me log in rather than redirecting to the hrHome.cfm) or the hrHome.cfm page (if the cookie exists then it is sending me to hrLoginFail.cfm).
<cfif isdefined("cookie.logincoo
Am I setting the cookie correctly?
cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
Thanks again.
Try checking your application.cfm file.
Be sure that you have this line :
<cfapplication name="YourAppName" sessionmanagement="yes" sessiontimeout="#CreateTim
Regards!
eNTRANCE2002 :-)
Be sure that you have this line :
<cfapplication name="YourAppName" sessionmanagement="yes" sessiontimeout="#CreateTim
Regards!
eNTRANCE2002 :-)
do u still have the cflocation? The URL that cflocation sends the user to will not see the cookies b/c it is a server side redirect. You need a client side redirect for that page to see the cookie immediately b/c it has just recently been set in the same request.
Try putting some debug code. instead of redirecting put a cfabort and output your cookie value.
CJ
Try putting some debug code. instead of redirecting put a cfabort and output your cookie value.
CJ
cj is right u cannot use cflocation with cfcookie
<cfif MM_rsUser.RecordCount NEQ 0>
<cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never">
<!--- instead of this<cflocation url="hrHome.cfm"> --->
<CFHEADER NAME="Refresh" VALUE="0; URL=hrHome.cfm">
<cfelse>
<cflocation url="hrLoginFail.cfm ">
</cfif>
Regards
Hart
<cfif MM_rsUser.RecordCount NEQ 0>
<cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never">
<!--- instead of this<cflocation url="hrHome.cfm"> --->
<CFHEADER NAME="Refresh" VALUE="0; URL=hrHome.cfm">
<cfelse>
<cflocation url="hrLoginFail.cfm ">
</cfif>
Regards
Hart
ASKER
Hi
I've tried all of your comments and I still can't seem to get this working. The cookie is being set, but it doesn't seem to be being found/read.
I've increased the points. Can somebody please, please come up with a foolproof fully tested solution from start to finish for me?
I need script for two pages:
Log In Page:
User enters username and password into a form. This is checked against database. If OK, set a cookie (which includes password and username) and then go to 'HR.cfm'. If incorrect go to 'Fail.cfm'. If the user has previously logged in successfully, check for the cookie (and ensure the cookie contains the correct username and password) If this is OK then they get redirected straight to 'HR.cfm' without needing to log in.
HR Page:
Check to see if cookie is on computer (and ensure the cookie contains the correct username and password). If so, load rest of page. If not, redirect to 'Fail.cfm'.
This sounds easy, but I seem to be making a right pig's ear of it, and this site is supposed to be going live next week.
Many thanks in advance.
I've tried all of your comments and I still can't seem to get this working. The cookie is being set, but it doesn't seem to be being found/read.
I've increased the points. Can somebody please, please come up with a foolproof fully tested solution from start to finish for me?
I need script for two pages:
Log In Page:
User enters username and password into a form. This is checked against database. If OK, set a cookie (which includes password and username) and then go to 'HR.cfm'. If incorrect go to 'Fail.cfm'. If the user has previously logged in successfully, check for the cookie (and ensure the cookie contains the correct username and password) If this is OK then they get redirected straight to 'HR.cfm' without needing to log in.
HR Page:
Check to see if cookie is on computer (and ensure the cookie contains the correct username and password). If so, load rest of page. If not, redirect to 'Fail.cfm'.
This sounds easy, but I seem to be making a right pig's ear of it, and this site is supposed to be going live next week.
Many thanks in advance.
Application.cfm
--------------------------
<cfapplication sessiontimeout="30" sessionmanagement="yes" clientmanagement="yes" setclientcookies="yes" setdomaincookies="yes" name="yourapname">
<cfparam name="session.loggedIn" default="false">
login.cfm
------------------------
<cfif IsDefined("form.login")>
<cfquery datasource="yourdsn" name="qrGetPass">
SELECT PASSWORD FROM PASSWORD
WHERE USERNAME=<cfqueryparam cfsqltype="cf_sql_varchar"
</cfquery>
<cfif qrGetPass.Password eq form.password>
<cfcookie name = "username" value = "#form.username#">
<cfcookie name = "password" value = "#form.password#">
<!---Dont use cflocation, use either cfheader or javascript--->
<script language="javascript">
window.open("HR.cfm","_sel
</script>
</cfif>
<cfelse>
<cfparam name="cookie.username" default="">
<cfparam name="cookie.password" default="">
<cform method="post" action="#cgi.script_name#"
username: <cfinput type="text" name="username" required="true" message="Please enter username" value="#cookie.username#">
password: <cfinput type="text" name="password" required="true" message="Please enter username" value="#cookie.password#">
<input type="submit" value="login">
</cfform>
</cfif>
HR.cfm
--------------------------
<cfif session.loggedIn eq false>
<cflocation url="Fail.cfm">
</cfif>
i hope it works.. let me know
--------------------------
<cfapplication sessiontimeout="30" sessionmanagement="yes" clientmanagement="yes" setclientcookies="yes" setdomaincookies="yes" name="yourapname">
<cfparam name="session.loggedIn" default="false">
login.cfm
------------------------
<cfif IsDefined("form.login")>
<cfquery datasource="yourdsn" name="qrGetPass">
SELECT PASSWORD FROM PASSWORD
WHERE USERNAME=<cfqueryparam cfsqltype="cf_sql_varchar"
</cfquery>
<cfif qrGetPass.Password eq form.password>
<cfcookie name = "username" value = "#form.username#">
<cfcookie name = "password" value = "#form.password#">
<!---Dont use cflocation, use either cfheader or javascript--->
<script language="javascript">
window.open("HR.cfm","_sel
</script>
</cfif>
<cfelse>
<cfparam name="cookie.username" default="">
<cfparam name="cookie.password" default="">
<cform method="post" action="#cgi.script_name#"
username: <cfinput type="text" name="username" required="true" message="Please enter username" value="#cookie.username#">
password: <cfinput type="text" name="password" required="true" message="Please enter username" value="#cookie.password#">
<input type="submit" value="login">
</cfform>
</cfif>
HR.cfm
--------------------------
<cfif session.loggedIn eq false>
<cflocation url="Fail.cfm">
</cfif>
i hope it works.. let me know
Opsss.. I forgot to put one line..
<cfif qrGetPass.Password eq form.password>
<cfcookie name = "username" value = "#form.username#">
<cfcookie name = "password" value = "#form.password#">
<!---put this line---->
<cfset session.loggedIn=true>
<!---Dont use cflocation, use either cfheader or javascript--->
<script language="javascript">
window.open("HR.cfm","_sel
</script>
</cfif>
<cfif qrGetPass.Password eq form.password>
<cfcookie name = "username" value = "#form.username#">
<cfcookie name = "password" value = "#form.password#">
<!---put this line---->
<cfset session.loggedIn=true>
<!---Dont use cflocation, use either cfheader or javascript--->
<script language="javascript">
window.open("HR.cfm","_sel
</script>
</cfif>
if you post your code in its entirety we can fix it for you.
CJ
CJ
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
You beauty! Worked like a treat.
Many thanks to Hart and all else who contributed.
I've learnt a lot from this.
Many thanks to Hart and all else who contributed.
I've learnt a lot from this.
:-)
Regards
Hart
Regards
Hart
<cfcookie name="username" value="#form.username#">
<cfcookie name="password" value="#form.password#" secure="Yes">
then in the beginning of the file check for the existance of those cookies..
<cfif isDefined('cookie.username
<cfset form.username = cookie.username><cfset form.password = cookie.password>
</cfif>
As for the loginOk.cfm file put a check to see if they are coming from login page...
<cfif isDefined('cgi.http_referr
...
<cfelse>
<cflocation url="login.cfm">
</cfif>
something like that...