  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2180

Cookie Help

Hi

I want to create an administrative area for an Intranet for my Human Resources Department.

I have a table in a database which consists of ACCESS_LEVEL, USERNAME and PASSWORD.

I have a log-in page where an HR user enters their Username and Password.  If they enter these correctly they go to loginOK.cfm, and if they don't they go to loginFail.cfm.

Here's the question...

When they first enter their password and username, how can I then set a cookie to store them on their computer, so that when they go to log in again they bypass the login page and go straight to loginOK.cfm? I also need to ensure that if a user puts in the loginOK.cfm straight into the address bar, that they get redirected to loginFail.cfm.

I know this doesn't sound too security conscious, but there are reasons for doing it this way.

Also, as an aside - is setting a cookie the best way to do this?  Or is there a better method?

Thanks in advance.
Asked by nelliott

1 Solution
 
jonnygo55Commented:
On your login page simply set 2 cookies after a successful login and before redirection:
<cfcookie name="username" value="#form.username#">
<cfcookie name="password" value="#form.password#" secure="Yes">

Then in the beginning of the file check for the existence of those cookies:
<cfif isDefined('cookie.username') and isDefined('cookie.password')>
   <cfset form.username = cookie.username>
   <cfset form.password = cookie.password>
</cfif>

As for the loginOk.cfm file, put a check to see if they are coming from the login page:
<!--- the CGI variable is spelled HTTP_REFERER (one R) --->
<cfif isDefined('cgi.http_referer') and getFileFromPath(cgi.http_referer) eq 'login.cfm'>
...
<cfelse>
<cflocation url="login.cfm">
</cfif>

Something like that...
0
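jonnygo55's check on cgi.http_referer deserves a caveat from the defender's side: the Referer header is supplied by the browser, so it is not reliable evidence that the user actually passed through the login page, and some browsers and proxies strip it altogether. The Application.cfc below is an added example, not code from any poster on this thread. It gates every request on a server-side session flag that only a successful login sets, and exempts the login, failure and form-handler pages (the point cheekycj makes further down). Assumed and not in the thread: ColdFusion 10 or later (for this.sessioncookie), the page names hrLogin.cfm, hrLoginFail.cfm and CheckUser.cfm, and a session.loggedIn flag set by the login handler.

```cfml
<!--- Added example (not from any poster on this thread): Application.cfc that gates every
      request on a server-side session flag instead of the browser-supplied Referer header.
      Assumed names: session.loggedIn, hrLogin.cfm, hrLoginFail.cfm, CheckUser.cfm.
      Requires ColdFusion 10+ for the this.sessioncookie settings. --->
<cfcomponent>
    <cfset this.name = "hrIntranet">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
    <!--- session cookie is not readable by page script and is only sent over HTTPS --->
    <cfset this.sessioncookie = { httpOnly = true, secure = true }>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- pages that must stay reachable without a session, otherwise nobody can log in --->
        <cfset var publicPages = "hrLogin.cfm,hrLoginFail.cfm,CheckUser.cfm">
        <cfset var page = getFileFromPath(arguments.targetPage)>
        <!--- default to "not logged in" so a missing flag never grants access --->
        <cfparam name="session.loggedIn" type="boolean" default="false">
        <cfif NOT listFindNoCase(publicPages, page) AND NOT session.loggedIn>
            <!--- typing hrHome.cfm straight into the address bar lands here --->
            <cflocation url="hrLoginFail.cfm" addtoken="false">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Because the check runs in onRequestStart, it does not have to be pasted at the top of every .cfm page, and adding a new page to the intranet cannot accidentally leave it unprotected; the only list that needs maintaining is publicPages.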
 
Renante EnteraSenior PHP DeveloperCommented:
You must have a security check like this:
  <cfif not IsDefined('cookie.username') or not IsDefined('cookie.password')>
    <cflocation url="login.cfm">
  </cfif>
You have to put this at the top of every page.

I am assuming that you have a login page maybe something like this :

<form name="form1" method="post" action="action.cfm">
  <input type="text" name="username"><br>
  <input type="password" name="password"><br>
  <input type="submit" name="submit" value="Login">
</form>

Then on your action page :

<cfquery name="GetUser" datasource="dsn">
  SELECT * FROM Table
  WHERE username = '#form.username#'
  AND password = '#form.password#'
</cfquery>

<cfif GetUser.recordcount>
  <cfcookie name="username" value="#GetUser.username#">
  <cfcookie name="password" value="#GetUser.password#">
  <cflocation url="loginOk.cfm">
<cfelse>
  <cflocation url="loginFail.cfm">
</cfif>

Remember that the security check must always be at the top of every page, so that once a user types the page he wants to browse into the address bar, he will be redirected to the login page if the cookie does not exist...

Goodluck!
eNTRANCE2002 :-)
0
 
cheekycjCommented:
one hint.  Don't put these checks in your loginFail.cfm or login.cfm or action.cfm

CJ
0
 
hartCommented:
I would use just a single cookie to do this

<cfcookie name="logincookie" value="#form.username#~#form.password#" expires="never">

This will set a permanent cookie on the client machine.

Then all you have to do is check whether this cookie exists in the home page.

<cfif isdefined("cookie.logincookie")>
  <cflocation url="home.cfm" addtoken="no">
</cfif>

Regards
Hart
0
 
nelliottAuthor Commented:
Hi

I’ve tried to combine your above thoughts, and this is what I’ve come up with…

I have two pages with the following script:

The Log-In Page…

<cfif isdefined("cookie.logincookie")>
  <cflocation url="hrHome.cfm" addtoken="no">
</cfif>
<cfif IsDefined("FORM.username")>
  <cfquery name="MM_rsUser" datasource="intranet">
    SELECT *
    FROM PASSWORDS
    WHERE USERNAME='#FORM.username#'
    AND PASSWORD='#FORM.password#'
  </cfquery>
  <cfif MM_rsUser.RecordCount NEQ 0>
    <cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
    <cflocation url="hrHome.cfm">
  <cfelse>
    <cflocation url="hrLoginFail.cfm">
  </cfif>
<cfelse>
  <cfset MM_LoginAction=CGI.SCRIPT_NAME>
  <cfif CGI.QUERY_STRING NEQ "">
    <cfset MM_LoginAction=MM_LoginAction & "?" & XMLFormat(CGI.QUERY_STRING)>
  </cfif>
</cfif>

<form name="login" method="POST" action="<cfoutput>#MM_LoginAction#</cfoutput>">
  <input name="username" type="text" class="forms" id="username">
  <input name="password" type="password" class="forms" id="password">
  <input name="submit" type="submit" class="forms" value="Submit Password">
</form>

The HR Home Page…

<cfif isdefined("cookie.logincookie")>
<!--- Home Page Text--->
<cfelse>
  <cflocation url="hrLoginFail.cfm">
</cfif>

For some reason this just goes to hrLoginFail.cfm every time.  Any ideas?
0
 
cheekycjCommented:
<cfif MM_rsUser.RecordCount NEQ 0>
  <cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
  <cflocation url="hrHome.cfm">
<cfelse>
  <cflocation url="hrLoginFail.cfm">
</cfif>

You cannot set a cookie and then use cflocation.  The cookie will not get set.

Try this:

<cfif MM_rsUser.RecordCount NEQ 0>
  <cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
  Your login was successful.  Click <a href="hrHome.cfm">here</a> to continue.
<cfelse>
  <cflocation url="hrLoginFail.cfm">
</cfif>

or use a javascript redirect:

<cfif MM_rsUser.RecordCount NEQ 0>
  <cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">
  <script>window.location.href="hrHome.cfm";</script>
  <noscript>If the redirect does not work, click <a href="hrHome.cfm">here</a> to continue.</noscript>
<cfelse>
  <cflocation url="hrLoginFail.cfm">
</cfif>

HTH,
CJ
0
 
nelliottAuthor Commented:
The cookie is being set because I can find it within the Cookies folder on my C-drive.

I think it's a problem with this line, as it doesn't seem to be detecting it in either the hrLogin.cfm page (if the cookie exists then it is still making me log in rather than redirecting to the hrHome.cfm) or the hrHome.cfm page (if the cookie exists then it is sending me to hrLoginFail.cfm).

<cfif isdefined("cookie.logincookie")>

Am I setting the cookie correctly?  

<cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never" secure="yes">

Thanks again.
0
 
Renante EnteraSenior PHP DeveloperCommented:
Try checking your application.cfm file.  

Be sure that you have this line :

<cfapplication name="YourAppName" sessionmanagement="yes" sessiontimeout="#CreateTimeSpan(0,0,30,0)#" clientmanagement="yes">

Regards!
eNTRANCE2002 :-)
0
 
cheekycjCommented:
Do you still have the cflocation?  The URL that cflocation sends the user to will not see the cookies because it is a server-side redirect.  You need a client-side redirect for that page to see the cookie immediately, because it has only just been set in the same request.

Try putting in some debug code.  Instead of redirecting, put a cfabort and output your cookie value.

CJ
0
 
hartCommented:
CJ is right, you cannot use cflocation with cfcookie

<cfif MM_rsUser.RecordCount NEQ 0>
  <cfcookie name="logincookie" value="#FORM.username#, #FORM.password#" expires="never">
  <!--- instead of this: <cflocation url="hrHome.cfm"> --->
  <CFHEADER NAME="Refresh" VALUE="0; URL=hrHome.cfm">
<cfelse>
  <cflocation url="hrLoginFail.cfm">
</cfif>


Regards
Hart
0
 
nelliottAuthor Commented:
Hi

I've tried all of your comments and I still can't seem to get this working. The cookie is being set, but it doesn't seem to be being found/read.

I've increased the points.  Can somebody please, please come up with a foolproof fully tested solution from start to finish for me?

I need script for two pages:

Log In Page:

User enters username and password into a form.  This is checked against the database.  If OK, set a cookie (which includes password and username) and then go to 'HR.cfm'.  If incorrect, go to 'Fail.cfm'.  If the user has previously logged in successfully, check for the cookie (and ensure the cookie contains the correct username and password).  If this is OK then they get redirected straight to 'HR.cfm' without needing to log in.

HR Page:

Check to see if cookie is on computer (and ensure the cookie contains the correct username and password).  If so, load rest of page.  If not, redirect to 'Fail.cfm'.

This sounds easy, but I seem to be making a right pig's ear of it, and this site is supposed to be going live next week.

Many thanks in advance.
0
 
awanferraCommented:
Application.cfm
------------------------------
<cfapplication sessiontimeout="30" sessionmanagement="yes" clientmanagement="yes" setclientcookies="yes" setdomaincookies="yes" name="yourapname">
<cfparam name="session.loggedIn" default="false">

login.cfm
------------------------

<cfif IsDefined("form.login")>
   <cfquery datasource="yourdsn" name="qrGetPass">
          SELECT PASSWORD FROM PASSWORD
          WHERE USERNAME=<cfqueryparam cfsqltype="cf_sql_varchar" value="#form.username#">
   </cfquery>
   <cfif qrGetPass.Password eq form.password>
         <cfcookie name="username" value="#form.username#">
         <cfcookie name="password" value="#form.password#">
         <!--- Don't use cflocation, use either cfheader or javascript --->
         <script language="javascript">
             window.open("HR.cfm","_self");
         </script>
   </cfif>
<cfelse>
   <cfparam name="cookie.username" default="">
   <cfparam name="cookie.password" default="">
   <cfform method="post" action="#cgi.script_name#">
      username: <cfinput type="text" name="username" required="true" message="Please enter username" value="#cookie.username#"><br>
      password: <cfinput type="password" name="password" required="true" message="Please enter password" value="#cookie.password#"><br>
      <input type="submit" name="login" value="login">
   </cfform>
</cfif>

HR.cfm
---------------------------------
<cfif session.loggedIn eq false>
       <cflocation url="Fail.cfm">
</cfif>

i hope it works.. let me know
0
 
awanferraCommented:
Oops... I forgot to put in one line:
   <cfif qrGetPass.Password eq form.password>
         <cfcookie name="username" value="#form.username#">
         <cfcookie name="password" value="#form.password#">
         <!--- put this line --->
         <cfset session.loggedIn=true>
         <!--- Don't use cflocation, use either cfheader or javascript --->
         <script language="javascript">
             window.open("HR.cfm","_self");
         </script>
   </cfif>
0
 
cheekycjCommented:
if you post your code in its entirety we can fix it for you.

CJ
0
 
hartCommented:
try this out

<!--- =================================== login.cfm =================================== --->
In my login page, at the top, I will have this code

<CFIF IsDefined("cookie.logincookie")>
      <cfquery name="MM_rsUser" datasource="intranet">
        SELECT *
        FROM PASSWORDS
        WHERE USERNAME='#ListFirst(cookie.logincookie,"~")#'
        AND PASSWORD='#ListLast(cookie.logincookie,"~")#'
        </cfquery>
      
      <CFIF MM_rsUser.RecordCount neq 0>
            <CFLOCATION URL="Hr.cfm" ADDTOKEN="No">
            <CFABORT>
      <CFELSE>
            <CFCOOKIE NAME="logincookie" VALUE="" EXPIRES="NOW"><!--- kill it --->
      </CFIF>      
</CFIF>

<FORM NAME="frm" ACTION="CheckUser.cfm" METHOD="post">
      <input TYPE="Text" NAME="username" VALUE="">
      <input TYPE="password" NAME="pwd" VALUE="">
      ...
</FORM>
...
<!--- =================================== end of login page =================================== --->

<!--- =================================== CheckUser.cfm =================================== --->
<CFIF IsDefined("Form.Username") And IsDefined("Form.Pwd")>
      <cfquery name="MM_rsUser" datasource="intranet">
        SELECT *
        FROM PASSWORDS
        WHERE USERNAME='#Form.Username#'
        AND PASSWORD='#Form.Pwd#'
        </cfquery>
      
      <CFIF MM_rsUser.RecordCount neq 0>
            <cfcookie NAME="logincookie" VALUE="#Form.username#~#Form.pwd#" EXPIRES="NEVER">
            <CFHEADER NAME="Refresh" VALUE="0; URL=Hr.cfm">
      <CFELSE>
            <CFLOCATION URL="Fail.cfm" ADDTOKEN="No">      
      </CFIF>      
<CFELSE>
      <CFLOCATION URL="Login.cfm" ADDTOKEN="No">
</CFIF>
<!--- =================================== end of CheckUser.cfm =================================== --->


<!--- =================================== Hr.cfm =================================== --->
At the top just write this
<CFIF Not IsDefined("cookie.logincookie")>
      <CFLOCATION URL="Login.cfm" ADDTOKEN="No">
</CFIF>
<!--- =================================== end of Hr.cfm =================================== --->


Let me know [I have given code for 3 pages, just do the same and it will work like a charm]

Regards
Hart
0
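Hart's three pages do what nelliott asked for, but two things about them matter to whoever maintains this intranet later: the cookie carries the user's password in clear text with no expiry, and every query splices form or cookie values straight into the SQL string (the same pattern as Renante's action page above). The version below is an added example, not code from Hart or anyone else on this thread. It keeps the same three-page layout, but the cookie holds only a random remember-me token, the database keeps a hash of that token and a PBKDF2 hash of the password, and every value reaches the query through cfqueryparam. Assumed and not in the thread: ColdFusion 11 or later (for generatePBKDFKey), datasource "intranet", a PASSWORDS table with USERNAME, PASSWORD_HASH, SALT, REMEMBER_HASH and ACCESS_LEVEL columns, and an Application.cfc with session management enabled.

```cfml
<!--- Added example, not code from any poster on this thread. Assumed (not in the thread):
      ColdFusion 11+, datasource "intranet", table PASSWORDS with columns USERNAME,
      PASSWORD_HASH, SALT, REMEMBER_HASH, ACCESS_LEVEL, and session management on. --->

<!--- ===== shared function: put it in a file that every page cfincludes ===== --->
<cffunction name="hashPassword" returntype="string" output="false">
    <cfargument name="password" type="string" required="true">
    <cfargument name="salt" type="string" required="true">
    <!--- PBKDF2 with a per-user salt makes guessing a leaked hash slow --->
    <cfreturn generatePBKDFKey("PBKDF2WithHmacSHA256", arguments.password, arguments.salt, 100000, 256)>
</cffunction>

<!--- ===== Login.cfm: silent login from the remember-me cookie, then the form ===== --->
<cfif isDefined("cookie.remember") AND listLen(cookie.remember, "~") EQ 2>
    <cfquery name="rsUser" datasource="intranet">
        SELECT USERNAME, ACCESS_LEVEL, REMEMBER_HASH
        FROM PASSWORDS
        WHERE USERNAME = <cfqueryparam cfsqltype="cf_sql_varchar" value="#listFirst(cookie.remember, '~')#">
    </cfquery>
    <!--- the cookie only ever holds a random token; the DB holds its hash --->
    <cfif rsUser.recordCount EQ 1 AND len(rsUser.REMEMBER_HASH)
          AND hash(listLast(cookie.remember, "~"), "SHA-256") EQ rsUser.REMEMBER_HASH>
        <cfset session.loggedIn = true>
        <cfset session.username = rsUser.USERNAME>
        <cfset session.accessLevel = rsUser.ACCESS_LEVEL>
        <cflocation url="Hr.cfm" addtoken="false">
    <cfelse>
        <!--- stale or tampered cookie: remove it and fall through to the form --->
        <cfcookie name="remember" value="" expires="now">
    </cfif>
</cfif>
<form action="CheckUser.cfm" method="post">
    <input type="text" name="username">
    <input type="password" name="pwd">
    <input type="submit" value="Log in">
</form>

<!--- ===== CheckUser.cfm: verify credentials, start the session, issue a token ===== --->
<cfif NOT (isDefined("form.username") AND isDefined("form.pwd"))>
    <cflocation url="Login.cfm" addtoken="false">
</cfif>
<cfquery name="rsUser" datasource="intranet">
    SELECT USERNAME, PASSWORD_HASH, SALT, ACCESS_LEVEL
    FROM PASSWORDS
    WHERE USERNAME = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.username#">
</cfquery>
<cfif rsUser.recordCount EQ 1 AND hashPassword(form.pwd, rsUser.SALT) EQ rsUser.PASSWORD_HASH>
    <!--- 256 random bits, hashed once so the token is a plain hex string safe in a cookie --->
    <cfset token = hash(generateSecretKey("AES", 256), "SHA-256")>
    <!--- each login replaces the stored hash, so an older cookie stops working --->
    <cfquery datasource="intranet">
        UPDATE PASSWORDS
        SET REMEMBER_HASH = <cfqueryparam cfsqltype="cf_sql_varchar" value="#hash(token, 'SHA-256')#">
        WHERE USERNAME = <cfqueryparam cfsqltype="cf_sql_varchar" value="#rsUser.USERNAME#">
    </cfquery>
    <cfset session.loggedIn = true>
    <cfset session.username = rsUser.USERNAME>
    <cfset session.accessLevel = rsUser.ACCESS_LEVEL>
    <!--- 30 days rather than "never"; httpOnly keeps it away from page script --->
    <cfcookie name="remember" value="#rsUser.USERNAME#~#token#" expires="30" secure="true" httpOnly="true">
    <!--- client-side redirect, as Hart does, so the Set-Cookie header is not lost --->
    <cfheader name="Refresh" value="0; URL=Hr.cfm">
<cfelse>
    <cflocation url="Fail.cfm" addtoken="false">
</cfif>

<!--- ===== Hr.cfm: trust the server-side session, never the cookie contents ===== --->
<cfparam name="session.loggedIn" type="boolean" default="false">
<cfif NOT session.loggedIn>
    <cflocation url="Fail.cfm" addtoken="false">
</cfif>
```

One caveat worth knowing when testing this on an intranet: a cookie set with secure="true" is returned by the browser only over HTTPS, so on a plain-HTTP server it will appear in the browser's cookie store yet never arrive at the next request. Either serve the login pages over HTTPS or drop that attribute while testing. Access-level checks for individual HR pages can then compare session.accessLevel rather than re-reading anything from the cookie.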
 
nelliottAuthor Commented:
You beauty! Worked like a treat.

Many thanks to Hart and all else who contributed.

I've learnt a lot from this.
0
 
hartCommented:
:-)

Regards
Hart
0
