ColdFusion 'Log in User' problem

Posted on 2007-10-18
Medium Priority
Last Modified: 2013-12-24
Hi all,

Here is my problem: I am trying to create a simple login page using Dreamweaver 8's 'Log in User' server behavior but something is very wrong. I am running CFMX 6.1 server on my development machine. I am using an MS Access table to retrieve username and password.

I create a simple form, apply the 'log in user' behavior from the Server Behaviors tab and then test.

Here is the page:

<cfif IsDefined("FORM.username")>
  <cfset MM_redirectLoginSuccess="/synnex/rewards/update/statement_new.cfm">
  <cfset MM_redirectLoginFailed="/synnex/login.cfm">
  <cfquery name="MM_rsUser" datasource="rewards07">
    SELECT registrant_name,Email FROM WebTest WHERE registrant_name=
    <cfqueryparam value="#FORM.username#" cfsqltype="cf_sql_clob" maxlength="255">
    AND Email=
    <cfqueryparam value="#FORM.password#" cfsqltype="cf_sql_clob" maxlength="255">
  </cfquery>
  <cfif MM_rsUser.RecordCount NEQ 0>
    <cftry>
      <cflock scope="Session" timeout="30" type="Exclusive">
        <cfset Session.MM_Username=FORM.username>
        <cfset Session.MM_UserAuthorization="">
      </cflock>
      <cfif IsDefined("URL.accessdenied") AND false>
        <cfset MM_redirectLoginSuccess=URL.accessdenied>
      </cfif>
      <cflocation url="#MM_redirectLoginSuccess#" addtoken="no">
      <cfcatch type="Lock">
        <!--- code for handling timeout of cflock --->
      </cfcatch>
    </cftry>
  </cfif>
  <cflocation url="#MM_redirectLoginFailed#" addtoken="no">
</cfif>
<cfset MM_LoginAction=CGI.SCRIPT_NAME>
<cfif CGI.QUERY_STRING NEQ "">
  <cfset MM_LoginAction=MM_LoginAction & "?" & XMLFormat(CGI.QUERY_STRING)>
</cfif>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>
<body>
<form action="<cfoutput>#MM_loginAction#</cfoutput>" method="post" name="login">
  <label for="username">Name: </label><input name="username" type="text" id="username" />
  <label for="password">Email: </label><input name="password" type="text" id="password" />
  <input name="submit" type="submit" id="submit" value="submit" />
</form>
</body>
</html>
Question by:jlemesur2112

Expert Comment

ID: 20107096
OK, I never use behaviors, but I see a couple of problems at least... will look in more detail but check this first:
[Your Code]:
<cfif IsDefined("URL.accessdenied") AND false>
       <cfset MM_redirectLoginSuccess=URL.accessdenied>

Now I'm not sure what is supposed to be FALSE... but that's definitely a problem... should be something like:
<cfif IsDefined("URL.accessdenied") AND URL.accessdenied EQ FALSE>
       ... Then set whatever you really wanted to - I don't think it's right...

Alternately you could write the logic as:
<cfif IsDefined("URL.accessdenied") AND NOT URL.accessdenied>

CF evaluates logic sets in a L to R manner... so in your case that statement will NEVER be true... since even if URL.accessdenied is set to FALSE, the second part of the statement is basically saying if FALSE=TRUE... which it can't.

I'm gonna play with the behaviors in DW8 and see what else I can see...

Accepted Solution

digicidal earned 2000 total points
ID: 20107322
WOW.. I'm not sure where they got this, but that behavior is crap (at least in my opinion).  I'm going to try it from DW2004 to see if it implements it differently.  If not... I wouldn't recommend using it.

The second thing that I'm curious about (I thought maybe you didn't post your entire page) is that it looks for values that don't exist:

Example: URL.accessdenied will never exist - since it is never set anywhere - so even if it's set somewhere else... it's not visible to this page... so that line will ALWAYS be false even without the extra FALSE in it.  Then on top of that the value of MM_redirectLoginSuccess (which is supposed to be a URL) will be set to the value of it even if it were there - which would be ok if it were a URL - however, since it will only be used if the login succeeded (it doesn't set the value of MM_redirectLoginFailed which would seem to be more likely if accessdenied is set to something).

If you are interested in implementing security within a CF site, I would strongly recommend learning enough CF to just write your own.  You can refer to the docs here:
(note: you will need to use the forward arrow to view the complete example pages required to implement)
or here:
(and look at the pages associated).

However, I don't even use cflogin and cflogout - it's actually much easier to do and much better (IMHO of course) to just write your own.  It's pretty straightforward.  Essentially you would simply define this in your Application.cfm page...

<cfif IsDefined("FORM.Username") AND IsDefined("FORM.Password")>
    <cfquery datasource="mydb" name="qLogintest">
    SELECT *
    FROM UsersTable
    WHERE Username=<cfqueryparam value="#FORM.Username#" cfsqltype="cf_sql_varchar">
    AND Password=<cfqueryparam value="#FORM.Password#" cfsqltype="cf_sql_varchar">
    </cfquery>
    <cfif qLogintest.RecordCount>
        <!--- timeout is required on cflock in CFMX --->
        <cflock scope="session" type="exclusive" timeout="10">
              <cfset SESSION.CurrentUserID=qLogintest.UserID>
        </cflock>
        <cflocation url="http://www.mysite.com/loginsucceeded.cfm">
    <cfelse>
        <!--- BAD LOGIN - SEND THEM TO BAD PAGE --->
            <cflocation url="http://www.mysite.com/loginfailed.cfm">
    </cfif>
</cfif>
<!--- skip the redirect when the login page itself is being requested, otherwise Application.cfm loops --->
<cfif (NOT IsDefined("SESSION.CurrentUserID") OR NOT IsNumeric(SESSION.CurrentUserID))
      AND ListLast(CGI.SCRIPT_NAME, "/") NEQ "loginpage.cfm">
      <!--- NOPE - MAKE THEM LOG IN NOW --->
      <cflocation url="http://www.mysite.com/loginpage.cfm">
</cfif>

Note that I would not call this (by any means) a robust or flawless means of securing a website, however, it is very simplistic and will work fine in many cases.

Expert Comment

ID: 20132892
I should add caveats to my solution and add some optimization issues that you or others might want to consider if using my example (it is only meant as a quick and dirty solution):

1) First of all this example solution requires sessions as the storage mechanism for validating current access - this is pretty standard as usually you'll be storing things in their session that are tied to their account - however, there are settings that some users may have that prevent sessions from working properly.  Also, depending on your server settings it may be possible for session IDs to be spoofed.  Google "coldfusion security sessions" or similar or check with Adobe for best practices on this subject.

2) As far as optimization, it would actually be better to flip the logic as I have it written in my code example to prevent unnecessary statements from executing on each page-view (this won't be noticeable on a low-traffic site, but could become a problem if you start getting millions of hits).  The following would be a better optimization (pseudo code):

IF (session value is not defined and numeric) {
      IF (form submitted) {
          ...process form and get values from table...
          IF (login matches database) {
                 ...create session value and redirect them to success page...
          } ELSE {
                 ...redirect them to the failed page...
          }
      } ELSE {
          ...display login page...
      }
}

Note that essentially this is just switching the outer <CFIF> around so that if the user is logged in the rest of the code in the block does not execute.  This prevents this check logic from firing except in cases where the user has timed out or not logged in to begin with, but escapes it the rest of the time they are on the website.

Glad that helped.. and good luck with CF!
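Putting the flipped logic from the pseudo code above together with the accepted answer's Application.cfm approach, here is an added example (not code from the thread, from Dreamweaver or from Adobe) that also looks the user up by name only and compares a salted hash instead of sending the password into SQL, and that keeps the login page itself out of the redirect so Application.cfm cannot loop. Assumed names: datasource mydb, table UsersTable with UserID, Username, PasswordHash and PasswordSalt columns, pages login.cfm and loginsucceeded.cfm, and Hash(value, "SHA-256"), which needs ColdFusion 7 or later.

```cfml
<!--- Added example: session-guarded login in Application.cfm.
      Assumes <cfapplication sessionmanagement="yes"> above this block,
      a datasource "mydb" and a table UsersTable(UserID, Username,
      PasswordHash, PasswordSalt). Hash(x, "SHA-256") needs CF7+. --->
<cfset loginPage = "login.cfm">
<cfset thisPage = ListLast(CGI.SCRIPT_NAME, "/")>

<!--- Outer check first: a logged-in user skips everything below. --->
<cfif NOT IsDefined("SESSION.CurrentUserID") OR NOT IsNumeric(SESSION.CurrentUserID)>

  <cfif IsDefined("FORM.Username") AND IsDefined("FORM.Password")>
    <!--- Look the user up by name only; the password never goes into SQL. --->
    <cfquery datasource="mydb" name="qUser" maxrows="1">
      SELECT UserID, PasswordHash, PasswordSalt
      FROM UsersTable
      WHERE Username = <cfqueryparam value="#FORM.Username#" cfsqltype="cf_sql_varchar" maxlength="50">
    </cfquery>

    <cfset loginOK = false>
    <cfif qUser.RecordCount EQ 1>
      <!--- Compare the stored salted hash with the hash of what was typed. --->
      <cfset typedHash = Hash(qUser.PasswordSalt & FORM.Password, "SHA-256")>
      <cfif CompareNoCase(typedHash, qUser.PasswordHash) EQ 0>
        <cfset loginOK = true>
      </cfif>
    </cfif>

    <cfif loginOK>
      <cflock scope="session" type="exclusive" timeout="10">
        <cfset SESSION.CurrentUserID = qUser.UserID>
      </cflock>
      <cflocation url="/loginsucceeded.cfm" addtoken="no">
    <cfelse>
      <!--- Same failure page for unknown user and wrong password. --->
      <cflocation url="/#loginPage#?failed=1" addtoken="no">
    </cfif>

  <cfelseif thisPage NEQ loginPage>
    <!--- Not logged in, no form posted, and not already on the login page. --->
    <cflocation url="/#loginPage#" addtoken="no">
  </cfif>
  <!--- Falling through here means the login page itself renders. --->

</cfif>
```

The stored PasswordHash is expected to be Hash(PasswordSalt & password, "SHA-256") written at account creation, so a database read alone never yields a usable password.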
