jlemesur2112 asked:

ColdFusion 'Log in User' problem

Hi all,

Here is my problem: I am trying to create a simple login page using Dreamweaver 8's 'Log in User' server behavior, but something is very wrong. I am running CFMX 6.1 server on my development machine. I am using an MS Access table to retrieve username and password.

I create a simple form, apply the 'log in user' behavior from the Server Behaviors tab and then test.

Here is the page:

<!--- Dreamweaver "Log In User" behavior: FORM.username only exists on the POST back --->
<cfif IsDefined("FORM.username")>
  <cfset MM_redirectLoginSuccess="/synnex/rewards/update/statement_new.cfm">
  <cfset MM_redirectLoginFailed="/synnex/login.cfm">
  <!--- Note: the "password" form field is compared against the Email column, in clear text.
        cf_sql_varchar is the type for a text column; Dreamweaver emits cf_sql_clob, which is
        meant for memo/long-text columns. --->
  <cfquery  name="MM_rsUser" datasource="rewards07">
    SELECT registrant_name,Email FROM WebTest WHERE registrant_name=
  <cfqueryparam value="#FORM.username#" cfsqltype="cf_sql_varchar" maxlength="255">
    AND Email=
  <cfqueryparam value="#FORM.password#" cfsqltype="cf_sql_varchar" maxlength="255">
  </cfquery>
  <cfif MM_rsUser.RecordCount NEQ 0>
    <cftry>
      <cflock scope="Session" timeout="30" type="Exclusive">
        <cfset Session.MM_Username=FORM.username>
        <cfset Session.MM_UserAuthorization="">
      </cflock>
      <!--- Dreamweaver writes "AND false" when the behavior's "Go to previous URL" option
            is off, so this branch is dead code and URL.accessdenied is never used --->
      <cfif IsDefined("URL.accessdenied") AND false>
        <cfset MM_redirectLoginSuccess=URL.accessdenied>
      </cfif>
      <!--- cflocation ends page processing, so the failed redirect below is not reached on success --->
      <cflocation url="#MM_redirectLoginSuccess#" addtoken="no">
      <cfcatch type="Lock">
        <!--- code for handling timeout of cflock --->
      </cfcatch>
    </cftry>
  </cfif>
  <cflocation url="#MM_redirectLoginFailed#" addtoken="no">
<cfelse>
  <!--- First visit: build the form action, keeping any query string (escaped for the attribute) --->
  <cfset MM_LoginAction=CGI.SCRIPT_NAME>
  <cfif CGI.QUERY_STRING NEQ "">
    <cfset MM_LoginAction=MM_LoginAction & "?" & XMLFormat(CGI.QUERY_STRING)>
  </cfif>
</cfif>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>

<body>

<form ACTION="<cfoutput>#MM_loginAction#</cfoutput>" method="POST" name="login">
      <!--- input is a void element: self-close it rather than using </input> --->
      <label for="username">Name: </label><input name="username" type="text" id="username" />
      <label for="password">Email: </label><input name="password" type="text" id="password" />
      <input name="submit" type="submit" id="submit" value="submit" />
</form>
</body>
</html>
digicidal

OK, I never use behaviors, but I see a couple problems at least... will look more in details but check this first:
[Your Code]:
<cfif IsDefined("URL.accessdenied") AND false>
       <cfset MM_redirectLoginSuccess=URL.accessdenied>
</cfif>

Now I'm not sure what is supposed to be FALSE... but that's definitely a problem... should be something like:
<cfif IsDefined("URL.accessdenied") AND URL.accessdenied EQ FALSE>
       ... Then set whatever you really wanted to - I don't think it's right...
</cfif>

Alternately you could write the logic as:
<cfif IsDefined("URL.accessdenied") AND NOT URL.accessdenied>

CF evaluates logic sets in a left-to-right manner... so in your case that statement will NEVER be true... since even if URL.accessdenied is set to FALSE, the second part of the statement is basically saying if FALSE=TRUE... which it can't.

I'm gonna play with the behaviors in DW8 and see what else I can see...
ASKER CERTIFIED SOLUTION
digicidal

I should add caveats to my solution and add some optimization issues that you or others might want to consider if using my example (it is only meant as a quick and dirty solution):

1) First of all, this example solution requires sessions as the storage mechanism for validating current access - this is pretty standard, as usually you'll be storing things in their session that are tied to their account - however, there are settings that some users may have that prevent sessions from working properly.  Also, depending on your server settings it may be possible for session IDs to be spoofed.  Google "coldfusion security sessions" or similar, or check with Adobe for best practices on this subject.

2) As far as optimization goes, it would actually be better to flip the logic as I have it written in my code example, to prevent unnecessary statements from executing on each page view (this won't be noticeable on a low-traffic site, but could become a problem if you start getting millions of hits).  The following would be a better optimization (pseudo code):

IF NOT (session value is defined AND numeric) {
    IF (form submitted) {
        ...process form and get values from table...
        IF (login matches database) {
            ...create session value and redirect them to success page...
        } ELSE {
            ...redirect them to the failed page...
        }
    } ELSE {
        ...display login page...
    }
}

Note that essentially this is just switching the outer <CFIF> around so that if the user is logged in the rest of the code in the block does not execute.  This prevents this check logic from firing except in cases where the user has timed out or not logged in to begin with, but escapes it the rest of the time they are on the website.

Glad that helped.. and good luck with CF!
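As an added example (not code from this thread, from Dreamweaver, or from digicidal's members-only solution), here is the login page restructured the way the pseudo code above describes, with the session test as the outer condition so nothing else runs for a logged-in user. It also replaces the email-as-password comparison in the question with a salted hash check done in CFML rather than in the WHERE clause. The table Users with columns user_id, username, salt and password_hash, the Session.userID key, and SHA-256 support in Hash() (CF7 or later; CFMX 6.1 Hash() only offers MD5) are assumptions; the datasource rewards07 and the success URL are taken from the question.

```cfml
<!--- login.cfm: added example, not the thread's code.
      Assumed: table Users(user_id, username, salt, password_hash) where
      password_hash = Hash(password & salt, "SHA-256"); Hash() with "SHA-256"
      needs CF7 or later. Datasource "rewards07" is from the question. --->
<cfapplication name="rewardsLogin" sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0,0,30,0)#">

<cfset successURL = "/synnex/rewards/update/statement_new.cfm">
<cfset loginFailed = false>

<cfif IsDefined("Session.userID") AND IsNumeric(Session.userID)>
  <!--- Already authenticated: the form handling below never executes --->
  <cflocation url="#successURL#" addtoken="no">
<cfelseif IsDefined("FORM.username") AND IsDefined("FORM.password")>
  <!--- Look the user up by name only; the secret is verified in CFML,
        so the query never carries the password --->
  <cfquery name="rsUser" datasource="rewards07">
    SELECT user_id, salt, password_hash
    FROM Users
    WHERE username = <cfqueryparam value="#Trim(FORM.username)#"
                                   cfsqltype="cf_sql_varchar" maxlength="255">
  </cfquery>

  <cfif rsUser.RecordCount EQ 1>
    <cfset candidate = Hash(FORM.password & rsUser.salt, "SHA-256")>
    <!--- Hex digests, so a case-insensitive compare is safe --->
    <cfif CompareNoCase(candidate, rsUser.password_hash) EQ 0>
      <!--- On CF10 or later, call SessionRotate() here so the pre-login
            session ID is not carried over into the authenticated session --->
      <cflock scope="Session" timeout="10" type="Exclusive">
        <!--- Store the numeric ID, not the submitted name, so the gate
              above can test IsNumeric() --->
        <cfset Session.userID = rsUser.user_id>
      </cflock>
      <cflocation url="#successURL#" addtoken="no">
    </cfif>
  </cfif>
  <!--- Unknown user and wrong password take the same path: one generic message --->
  <cfset loginFailed = true>
</cfif>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Log in</title>
</head>
<body>
<cfif loginFailed>
  <p>Login failed. Please check your name and password.</p>
</cfif>
<cfoutput>
<!--- Post back to this page only; the query string is not echoed into the action --->
<form action="#XMLFormat(CGI.SCRIPT_NAME)#" method="post" name="login">
  <label for="username">Name: </label>
  <input name="username" type="text" id="username" maxlength="255" />
  <label for="password">Password: </label>
  <input name="password" type="password" id="password" />
  <input name="submit" type="submit" id="submit" value="Log in" />
</form>
</cfoutput>
</body>
</html>
```

Because the session check is the outermost branch, the query and hash only run when a form is actually posted by someone who is not yet logged in, which is the optimization the pseudo code describes; the failed case re-renders the form with a generic message instead of redirecting, so the response does not reveal whether the name or the password was wrong.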