Solved

Secure Login

Posted on 2006-07-14
5
215 Views
Last Modified: 2013-12-24
I am pretty new to Cold Fusion and I want to use the application.cfm to check if the user logged in.  I've been trying to figure it out and I just can't.  Here is the code to my login page.  The user login and password is in a table called tbl_QA_staff.  The fields are strUserID and strPassword.

            <cfform name="loginform" action="QAQ_home.cfm" method="post">
              <table width="80%" cellspacing="2" cellpadding="2" align="center" bgcolor="#C0C0C0">
                <tr>
                  <td colspan="2" align="center" class="small"> Please enter your
                    Employee login and password.<br> <img src="../images/dot_clear.gif" width="1" height="10">
                  </td>
                </tr>
                <tr>
                  <th align="right" class="normal"><b>Login:</b></th>
                 
                    <td><cfinput type="text"
                        required="Yes"
                        size="15"
                        maxlength="17"
                        name="UserName"
                        value=""
                        class="smallblue">
                    </td>
                 
                </tr>
                <tr>
                  <th align="right" class="normal"><b>Password:</b></th>
                  <td><cfinput type="password"
                        required="Yes"
                        size="15"
                        maxlength="8"
                        name="password"
                        value=""
                        class="smallblue">      
                  </td>
                </tr>
                <tr>
                  <td colspan="2"><img src="../images/dot_clear.gif" width="1" height="15"></td>
                </tr>
                <tr>
                  <td colspan="2" align="right"><input type="Image" src="../images/go.gif" name="login_user" value="Log In"></td>
                </tr>
              </table>
            </cfform> </td>


At this point once they hit the button and go to QAQ_home.cfm.  I use a simple query and recordcount to check if the user exists.  Here is the code for that

      <!-- BEGIN VERIFICATION QUERY SECTION -->

      <CFQUERY name="getUser" datasource="QAQ">
      SELECT *
      FROM TBL_QA_Staff
      WHERE strUserID = '#form.username#'
      AND   strPassword = '#form.password#'      
      </CFQUERY>
      <!-- END VERIFICATION QUERY SECTION -->


      <!-- Verify User and set up sessions -->
      <CFIF getUser.RecordCount gt 0>
            <cfset dt = #dateformat(CreateODBCDate(now()),"mm/dd/yyyy")#+1>
            <cfset Session.UserName = getUser.strQA_name>
            <cfset Session.UserID = getUser.QA_ID>
            <cfset Session.UserLogin = getUser.strUserID>
            <cfset Session.UserLoc = getUser.StrQA_loc>
      <CFELSE>
      <!--- BEGIN User does not exist --->
      <cflocation url="#loginpage#">
      </CFIF>

I was told that this is not the most secure way to do things and that I should authenticate the user in the application.cfm.  My question is how do I do that?
0
Comment
Question by:trifecta2k
  • 3
  • 2
5 Comments
 
LVL 13

Accepted Solution

by:
usachrisk1983 earned 500 total points
ID: 17111383
Inside your application.cfm file, do something like this:

<cfif not isDefined('session.UserName') and ListLast(cgi.script_name,'/') neq 'login.cfm'>
   <cflocation url="login.cfm">
   <cfabort>
</cfif>

This will cause login.cfm to load if session.username doesn't exist.  Use login.cfm to authenticate the user (you can use it as both the form page and the action page), and set session.username when you've authenticated them.  Now each page of your site will make sure the user is logged in before allowing them to view the page.
0
 
LVL 5

Author Comment

by:trifecta2k
ID: 17111569
How do I use the login.cfm as teh form and the action page?  I'm sorry I'm just new to this and I don't know how to do that.  
0
 
LVL 13

Expert Comment

by:usachrisk1983
ID: 17111619
No problem :)  Something like this should work for you:

<cfif isDefined('form.username')>

  <!--- The user has submitted the form --->
  <cfquery name="x" datasource="y">
    select something from somewhere
  </cfquery>
  <!--- Verify the user has access to login, and set your session variable>

<cfelse>

  <!--- Show the form here, either exclude the ACTION or set it back to the same page. --->

</cfif>
0
 
LVL 5

Author Comment

by:trifecta2k
ID: 17111720
Seems like everything works.  Before the <CFELSE>  I added a <CFLOCATION> to move the application along and it works just fine.   I have one last question.  This is something new that I just noticed.  How so I get rid of the session variables.  They seem to never delete.
0
 
LVL 5

Author Comment

by:trifecta2k
ID: 17111915
Nevermind, I got it. Thanks for all your help.
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In our day to day coding, how many times have we come across a necessity to check whether a URL is a broken link or not? For those of you that answered countless and are using ColdFusion like myself, then this article is for you.  It will show yo…
If you don't have the right permissions set for your WordPress location in IIS, you won't be able to perform automatic updates. Here's how to fix the problem.
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question