ColdFusion 'Log in User' problem

Posted on 2007-10-18
Last Modified: 2013-12-24
Hi all,

Here is my problem: I am trying to create a simple login page using Dreamweaver 8's 'Log in User' server behavior but something is very wrong. I am running CFMX 6.1 server on my development machine. I am using an MS Access table to retrieve username and password.

I create a simple form, apply the 'Log in User' behavior from the Server Behaviors tab and then test.

Here is the page:

<cfif IsDefined("FORM.username")>
  <cfset MM_redirectLoginSuccess="/synnex/rewards/update/statement_new.cfm">
  <cfset MM_redirectLoginFailed="/synnex/login.cfm">
  <cfquery name="MM_rsUser" datasource="rewards07">
    SELECT registrant_name,Email FROM WebTest WHERE registrant_name=
    <cfqueryparam value="#FORM.username#" cfsqltype="cf_sql_clob" maxlength="255">
    AND Email=
    <cfqueryparam value="#FORM.password#" cfsqltype="cf_sql_clob" maxlength="255">
  </cfquery>
  <cfif MM_rsUser.RecordCount NEQ 0>
    <cftry>
      <cflock scope="Session" timeout="30" type="Exclusive">
        <cfset Session.MM_Username=FORM.username>
        <cfset Session.MM_UserAuthorization="">
      </cflock>
      <cfif IsDefined("URL.accessdenied") AND false>
        <cfset MM_redirectLoginSuccess=URL.accessdenied>
      </cfif>
      <cflocation url="#MM_redirectLoginSuccess#" addtoken="no">
      <cfcatch type="Lock">
        <!--- code for handling timeout of cflock --->
      </cfcatch>
    </cftry>
  </cfif>
  <cflocation url="#MM_redirectLoginFailed#" addtoken="no">
<cfelse>
  <cfset MM_LoginAction=CGI.SCRIPT_NAME>
  <cfif CGI.QUERY_STRING NEQ "">
    <cfset MM_LoginAction=MM_LoginAction & "?" & XMLFormat(CGI.QUERY_STRING)>
  </cfif>
</cfif>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">
<html xmlns="">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>
<body>
<form action="<cfoutput>#MM_loginAction#</cfoutput>" method="post" name="login">
  <label for="username">Name: </label><input name="username" type="text" id="username" />
  <label for="password">Email: </label><input name="password" type="text" id="password" />
  <input name="submit" type="submit" id="submit" value="submit" />
</form>
</body>
</html>
Question by: jlemesur2112
    LVL 9

    Expert Comment

    OK, I never use behaviors, but I see a couple problems at least... will look more in details but check this first:
    [Your Code]:
    <cfif IsDefined("URL.accessdenied") AND false>
           <cfset MM_redirectLoginSuccess=URL.accessdenied>

    Now I'm not sure what is supposed to be FALSE... but that's definitely a problem... should be something like:
    <cfif IsDefined("URL.accessdenied") AND URL.accessdenied EQ FALSE>
           ... Then set whatever you really wanted to - I don't think it's right...

    Alternately you could write the logic as:
    <cfif IsDefined("URL.accessdenied") AND NOT URL.accessdenied>

    CF evaluates logic sets in a L to R manner... so in your case that statement will NEVER be true... since even if URL.accessdenied is set to FALSE, the second part of the statement is basically saying if FALSE=TRUE... which it can't.

    I'm gonna play with the behaviors in DW8 and see what else I can see...
    LVL 9

    Accepted Solution

    WOW.. I'm not sure where they got this, but that behavior is crap (at least in my opinion).  I'm going to try it from DW2004 to see if it implements it differently.  If not... I wouldn't recommend using it.

    The second thing that I'm curious about (I thought maybe you didn't post your entire page) is that it looks for values that don't exist:

    Example: URL.accessdenied will never exist - since it is never set anywhere - so even if it's set somewhere else... it's not visible to this page... so that line will ALWAYS be false even without the extra FALSE in it.  Then on top of that the value of MM_redirectLoginSuccess (which is supposed to be a URL) will be set to the value of it even if it were there - which would be ok if it were a URL - however, since it will only be used if the login succeeded (it doesn't set the value of MM_redirectLoginFailed which would seem to be more likely if accessdenied is set to something).

    If you are interested in implementing security within a CF site, I would strongly recommend learning enough CF to just write your own.  You can refer to the docs here:
    (note-you will need to use the forward arrow to view the complete example pages required to implement)
    or here:
    (and look at the pages associated).

    However, I don't even use cflogin and cflogout - it's actually much easier to do and much better (IMHO of course) to just write your own.  It's pretty straightforward.  Essentially you would simply define this in your Application.cfm page...

    <cfif IsDefined("FORM.Username") AND IsDefined("FORM.Password")>
        <cfquery datasource="mydb" name="qLogintest">
        SELECT *
        FROM UsersTable
        WHERE Username=<cfqueryparam value="#FORM.Username#" cfsqltype="cf_sql_varchar">
        AND Password=<cfqueryparam value="#FORM.Password#" cfsqltype="cf_sql_varchar">
        </cfquery>
        <cfif qLogintest.RecordCount>
            <!--- cflock requires a timeout; 10 seconds is a reasonable default --->
            <cflock scope="session" type="exclusive" timeout="10">
                  <cfset SESSION.CurrentUserID=qLogintest.UserID>
            </cflock>
            <cflocation url="">
        <cfelse>
            <!--- BAD LOGIN - SEND THEM TO BAD PAGE --->
            <cflocation url="">
        </cfif>
    </cfif>
    <cfif NOT IsDefined("SESSION.CurrentUserID") OR NOT IsNumeric(SESSION.CurrentUserID)>
          <!--- NOPE - MAKE THEM LOG IN NOW --->
          <cflocation url="">
    </cfif>

    Note that I would not call this (by any means) a robust or flawless means of securing a website, however, it is very simplistic and will work fine in many cases.
    LVL 9

    Expert Comment

    I should add caveats to my solution and add some optimization issues that you or others might want to consider if using my example (it is only meant as a quick and dirty solution):

    1) First of all this example solution requires sessions as the storage mechanism for validating current access - this is pretty standard as usually you'll be storing things in their session that are tied to their account - however, there are settings that some users may have that prevent sessions from working properly.  Also, depending on your server settings it may be possible for session IDs to be spoofed.  Google "coldfusion security sessions" or similar or check with Adobe for best practices on this subject.

    2) As far as optimization, it would actually be better to flip the logic as I have it written in my code example to prevent unnecessary statements from executing on each page-view (this won't be noticeable on a low-traffic site, but could become a problem if you start getting millions of hits).  The following would be a better optimization (pseudo code):

    IF NOT (session value is defined AND numeric) {
          IF (form submitted) {
              ...process form and get values from table...
              IF (login matches database) {
                     ...create session value and redirect them to success page...
              } ELSE {
                     ...redirect them to the failed page...
              }
          } ELSE {
              ...display login page...
          }
    }

    Note that essentially this is just switching the outer <CFIF> around so that if the user is logged in the rest of the code in the block does not execute.  This prevents this check logic from firing except in cases where the user has timed out or not logged in to begin with, but escapes it the rest of the time they are on the website.

    Glad that helped.. and good luck with CF!
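The accepted solution above and the "flipped" pseudo code in the follow-up comment describe one procedure: an Application.cfm that gates every request on a numeric SESSION.CurrentUserID and only touches the database when there is no valid session yet. The following is an added worked example of that procedure in tag-based CFML; it is not the expert's code or the asker's page. The datasource name "mydb", the table UsersTable with columns UserID, Username and Password, and the page names login.cfm, loginfailed.cfm and home.cfm are all assumed placeholders.

```cfml
<!--- Application.cfm (added example, not code from the thread).
      Assumptions: datasource "mydb"; table UsersTable with UserID, Username,
      Password; pages login.cfm, loginfailed.cfm, home.cfm exist. --->
<cfapplication name="MyApp" sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0,0,30,0)#">

<!--- Outer test is the "flipped" check from the comment: a logged-in request
      skips everything below. Both conditions are tested together so that a
      missing OR non-numeric (tampered) value is treated as "not logged in". --->
<cfif NOT (IsDefined("SESSION.CurrentUserID") AND IsNumeric(SESSION.CurrentUserID))>

  <cfif IsDefined("FORM.Username") AND IsDefined("FORM.Password")>
    <!--- cfqueryparam binds the submitted values instead of pasting them
          into the SQL text; maxlength bounds the input the database sees. --->
    <cfquery datasource="mydb" name="qLogin">
      SELECT UserID
      FROM UsersTable
      WHERE Username = <cfqueryparam value="#FORM.Username#" cfsqltype="cf_sql_varchar" maxlength="50">
        AND Password = <cfqueryparam value="#FORM.Password#" cfsqltype="cf_sql_varchar" maxlength="50">
    </cfquery>

    <cfif qLogin.RecordCount EQ 1>
      <!--- exactly one matching row: record the user and leave the login flow --->
      <cflock scope="session" type="exclusive" timeout="10">
        <cfset SESSION.CurrentUserID = qLogin.UserID>
      </cflock>
      <cflocation url="home.cfm" addtoken="no">
    <cfelse>
      <!--- bad login: one generic failure page whichever field was wrong,
            so the response does not reveal whether the username exists --->
      <cflocation url="loginfailed.cfm" addtoken="no">
    </cfif>

  <cfelseif CGI.SCRIPT_NAME DOES NOT CONTAIN "login.cfm">
    <!--- no session and no form submitted: send the visitor to the login page.
          The test on SCRIPT_NAME stops login.cfm from redirecting to itself,
          since Application.cfm runs for that page too. --->
    <cflocation url="login.cfm" addtoken="no">
  </cfif>

</cfif>
<!--- A request with a valid session reaches this point with no query run. --->
```

The only work a logged-in request does is the one IsDefined/IsNumeric test on the outer cfif, which is the saving the comment describes. The cfelseif branch is a design choice of this example rather than something the thread spells out: because Application.cfm is executed for the login page as well, the redirect to login.cfm has to be skipped when the current request already is the login page.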
