CF - Cookie to restrict document DL

I have a cookie login process that works.  It checks for a cookie and if it is present then logs in and if not then they sign up.  They want to have an area like this link example where a document link has a lock symbol.  If you have never signed up then it has a login popup window and if you do then the link works like any other.
http://www.calvert.com/advisor-valueadded.html

Any help is appreciated
<cfquery name="qVerify" datasource="fund_master">
    SELECT ID
    FROM MEMBERS
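    <!--- bind the form values as parameters instead of concatenating them into the SQL --->
    WHERE member_username = <cfqueryparam value="#FORM.username#" cfsqltype="cf_sql_varchar">
      AND member_password = <cfqueryparam value="#FORM.password#" cfsqltype="cf_sql_varchar">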
</cfquery>

<cfif qVerify.RecordCount>
   
   <!--- this user is good, before actually logging them in, see if their information will be saved for next time --->
     <cfif IsDefined("RememberMe")>
         <!--- members wants their information remembered, so set the cookies --->
          <cfcookie name="username" value="#form.username#" expires="NEVER">
          <cfcookie name="password" value="#form.password#" expires="NEVER">
    <cfelse>
          <!--- member does NOT want their information remember, EXPIRE their cookies NOW so they are deleted for good! --->
          <cfcookie name="username" value="#form.username#" expires="NOW">
          <cfcookie name="password" value="#form.password#" expires="NOW">
    </cfif>

    <!--- now that you're done with the cookie, follow the REGULAR login procedures as you regularly do --->
</cfif>

<cflocation url = "http://www.hotsheet.com" addToken = "no">


<cfif IsDefined("cookie.username")>
    <!--- a cookie exists, so let's put this username automatically into the form --->
    <cfset username = cookie.username>
<cfelse>
    <!--- a cookie DOES NOT exist, so let's put a blank value in the username field --->
    <cfset username = "">
</cfif>
<cfif IsDefined("cookie.password")>
    <!--- a cookie exists, so let's put this password automatically into the form --->
    <cfset password = cookie.password>
<cfelse>
    <!--- a cookie DOES NOT exist, so let's put a blank value in the password field --->
    <cfset password = "">
</cfif>



<body>


<cfoutput>

<form action="login_process.cfm" method="post">
   <table width="500" border="0">
      <tr>
        <td width="500" colspan="2"></td>
      </tr>
      <tr>
        <td width="250">Username:</td>
        <td width="250"><input type="text" name="username" value="#username#"></td>
      </tr>
      <tr>
        <td width="250">Password:</td>
        <td width="250"><input type="password" name="password" value="#password#"></td>
      </tr>
      <tr>
        <td width="250">Remember Me</td>
        <td width="250"><input type="checkbox" name="RememberMe" value="Yes"
                                   <cfif IsDefined("cookie.username") OR
                                   IsDefined("cookie.password")> CHECKED</cfif>></td>
      </tr>
      <tr>
        <td width="250"></td>
        <td width="250"><input type="submit" name="Process" value="Login"></td>
      </tr>
   </table>
</form>

</cfoutput>


JohnMac328Asked:
 
gdemariaCommented:

That could be lots of things..  Are you using cfparam with your session.allowIn ?   Do you have session.allowIn in your onSessionStart function?

I don't recommend testing if the variable is defined or not.  I think you should always have it defined and test the value.  That will make your life easier.

If you're using application.cfc, in your onSessionStart put  <cfset session.allowIn = false>

Then on login, change it to true.

Then test when the allowIn value is true or false.

Alternatively, you can use the user's ID.  This will tell you not only if they are logged in but who they are.

<cfif val(session.user_id)>
   <!--- the user is logged in --->
<cfelse>
   <!--- the user is not logged in --->
</cfif>

Testing if a variable is defined is always risky because you really need to keep track of whether or not that variable is ever used in a cfparam or is defined someplace at any time in the future...
0
 
gdemariaCommented:

Seems like you have the general idea already, where are you having problems?

You have three states..

1) No cookie exists, user's first time to website (or so it seems)
2) You know the user, he/she is remembered on site, but needs to login
3) User is logged in


I strongly suggest that you change your approach, however.  You should not store the username and password in the cookies.  That is a big security problem.  All you need to do is store the user's session identifier (or user_id) in the session variable.  That will determine if the user is logged in.   Store a user_id in the cookie (encrypted preferred) as the reminder that the person has been to the site before.  But never store the password, even if they are logged in.  Use the session variable to track logged in or not.
0
 
JohnMac328Author Commented:
I see, how would the code change with using session variable like I am with the cookie?
0

 
gdemariaCommented:

The session variable has the advantage of not being written to the client's computer.  It's even easier to use and automatically disappears when the session expires (default setting is 20 minutes of no activity).

<cfquery name="qVerify" datasource="fund_master">
    SELECT ID
    FROM MEMBERS
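    <!--- bind the form values as parameters instead of concatenating them into the SQL --->
    WHERE member_username = <cfqueryparam value="#FORM.username#" cfsqltype="cf_sql_varchar">
      AND member_password = <cfqueryparam value="#FORM.password#" cfsqltype="cf_sql_varchar">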
</cfquery>

<cfset session.user_id = qVerify.ID>


In your code, you can test...

<cfif NOT val(session.user_id)>
   <!--- not logged in: go login... --->
</cfif>


0
 
JohnMac328Author Commented:
Ok, how would the link be triggered like the submit button is triggered with if isDefined?
0
 
gdemariaCommented:
Not sure what you mean, can you show me the part of the code you want to update.

I don't understand what it means to trigger a link or a submit button?
0
 
JohnMac328Author Commented:
The link in my question shows the example of clicking on a link and if they are not a member it pops up the login screen.  What code in the link is triggering the login check process?
0
 
gdemariaCommented:

The code would not be associated with any particular page, it would be associated with ANY page that is password protected.   Typically you would check for the login in the application.cfc/ .cfm file.   If the page being accessed requires login, then you test to see if the user is logged in.  If so, you continue, if not, you display the login page...
0
 
Ray PaseurCommented:
I cannot help with the CF part of things, but I have an article here that illustrates the principles using PHP.  Might be worth a read...
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

Best of luck with it, ~Ray
0
 
Pravin AsarPrincipal Systems EngineerCommented:
I believe you are using application.cfm/application.cfc to check for the session/login.

If so, then it should be much simpler, if download page is cfm

When user clicks on link  page, request will be routed through application.cfm/application.cfc  

If user has not logged in, login form will be displayed.

0
 
JohnMac328Author Commented:
pravinasar - since I will be using a session variable instead of cookies, how do I keep them logged in for the long term.  They want them to be able to select the remember me button so they only have to login once.  This is not sensitive material so security is not of a concern.
0
 
gdemariaCommented:

Usually the remember me button only works for the Username, not the password as well.  

If you were to take that approach, it would be a different variable.  A cookie of an encoded username or the user_id or the username itself would work with a NEVER expiration date.

If you really wanted to do the login and make it last forever on the computer (not a good idea), then switch from a session variable to the cookie.   Session variable will not last indefinitely...
0
 
JohnMac328Author Commented:
I see - and as this example shows, when the link to download the file is clicked, it checks for a login and either brings up the login screen or the file is opened.  What code is in the link that triggers that?

http://www.calvert.com/advisor-valueadded.html
0
 
gdemariaCommented:

When you draw the page, determine whether or not the user is logged in at that time.  IF the user IS logged in, provide a link that works for download, if the user is NOT logged in, make the link pop-open a login window...

<cfif val(session.user_id)>
   <a href="download code">Download</a>
<cfelse> <!---- not logged in ----->
   <a href="open login window">Download</a>
</cfif>
0
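
Added example, not part of the original thread or any poster's code: the session default from onSessionStart, a parameterized login query, and the logged-in check moved to the request that actually returns the document, so the file is only sent when session.user_id is set, whichever link was drawn on the page. The table, datasource, login.cfm, page.cfm and getpopup.cfm names come from the thread; download.cfm, the doc key and the C:\protected_docs\ folder are hypothetical.

```cfml
<!--- ===== Application.cfc ===== --->
<cfcomponent output="false">
    <cfset this.name = "MyApp">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = CreateTimeSpan(0,0,20,0)>

    <!--- Define the login state for every session so pages test a value, not IsDefined() --->
    <cffunction name="onSessionStart" returntype="void" output="false">
        <cfset session.user_id = 0>
    </cffunction>
</cfcomponent>

<!--- ===== login_process.cfm ===== --->
<cfparam name="FORM.username" default="">
<cfparam name="FORM.password" default="">
<cfquery name="qVerify" datasource="fund_master">
    SELECT ID
    FROM MEMBERS
    WHERE member_username = <cfqueryparam value="#FORM.username#" cfsqltype="cf_sql_varchar">
      AND member_password = <cfqueryparam value="#FORM.password#" cfsqltype="cf_sql_varchar">
</cfquery>
<cfif qVerify.RecordCount EQ 1>
    <!--- only the id goes into the session; nothing secret is written to a cookie --->
    <cfset session.user_id = qVerify.ID>
    <cflocation url="page.cfm" addtoken="no">
<cfelse>
    <cflocation url="login.cfm" addtoken="no">
</cfif>

<!--- ===== download.cfm (hypothetical name), requested as download.cfm?doc=book3 ===== --->
<cfparam name="URL.doc" default="">
<!--- Allowlist of document keys; the URL value is only ever used as a lookup key --->
<cfset docs = StructNew()>
<cfset docs["book3"] = "book3.xls">
<!--- Hypothetical folder outside the web root, so the file has no direct URL --->
<cfset docRoot = "C:\protected_docs\">

<cfif NOT val(session.user_id)>
    <!--- not logged in: send to the login page, no file bytes are returned --->
    <cflocation url="login.cfm" addtoken="no">
</cfif>
<cfif NOT StructKeyExists(docs, URL.doc)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>
<cfset fileName = docs[URL.doc]>
<cfheader name="Content-Disposition" value="attachment; filename=#fileName#">
<cfcontent type="application/vnd.ms-excel" file="#docRoot##fileName#" deletefile="no">

<!--- ===== page.cfm: everyone sees "Download"; the link target differs ===== --->
<cfif val(session.user_id)>
    <a href="download.cfm?doc=book3">Download</a>
<cfelse>
    <a href="getpopup.cfm" onClick="return popup(this, 'notes')">Download</a>
</cfif>
```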
 
JohnMac328Author Commented:
If it was up to me that would be great.  What they want is people to see what they can have before they sign up so they do sign up.  I wish there was a way to check if a cookie is present in the link so I could trigger the login.
0
 
JohnMac328Author Commented:
I think I see what is happening - they force everyone to sign up for restricted material and automatically include "remember me" so it does not popup next time and they have the signup information they wanted.  How should the remember me option be coded as hidden and default selection be yes?
0
 
JohnMac328Author Commented:
But I still don't see anywhere in the code where they check for the cookie.  I have the code for the page and the popup window.  I have included them in text form popup.txt  page.txt
0
 
gdemariaCommented:
>  What they want is people to see what they can have before they sign up so they do sign up.  

Does does my example not provide this?   When you say "see what they can have" do you mean.. see the link but not be able to open the document, correct?    If so, that's exactly what my example does.

> - they force everyone to sign up for restricted material and automatically

Right, again, look at my example.  If the user is not logged in, the login page will open instead of the document.

> so it does not popup next time and they have the signup information they wanted

It does not pop up next time, if they are signed in.   My example does that..
0
 
gdemariaCommented:
Does does my example not provide this

should be...

How does my example not provide this?
0
 
JohnMac328Author Commented:
What I see from the code is when the page loads it looks for a login and displays the download links  if the person is logged in - if it does not see a login it pops up with the login signup or is that not correct.  What they want is the login page to only pop up when the file link is clicked to download - just like this link does.

http://www.calvert.com/advisor-valueadded.html
<cfif val(session.user_id)>
   <a href="download code">Download</a>
<cfelse> <!---- not logged in ----->
   <a href="open login window">Download</a>
</cfif>


0
 
gdemariaCommented:


If you look at both sides of the CFIF, both appear to be a link that says "Download", the user sees the same thing either way.   But depending on whether or not the user is logged in, the action of the link is different...

<cfif val(session.user_id)>
   <a href="download code">Download</a>   <!--- the user sees DownLoad, when clicked the file downloads --->
<cfelse> <!--- not logged in --->
   <a href="open login window">Download</a>  <!--- the user sees DownLoad, when clicked, the login appears --->
</cfif>
0
 
JohnMac328Author Commented:
Ok, this might work - in the popup I will determine if they are logged in - if they are how do I open the document in the popup window - not show the link to but open it.
0
 
gdemariaCommented:
when they submit the login, close the popup and refresh the _parent page (main page).  All the links will then work..
0
 
JohnMac328Author Commented:
I must be missing something but I don't get a link to display at all.
<cfparam name="FORM.username" default="">
<cfparam name="FORM.password" default="">
<cfquery name="qVerify" datasource="fund_master">
    SELECT ID
    FROM MEMBERS
    WHERE member_username = <cfqueryparam value="#FORM.username#" cfsqltype="cf_sql_varchar">
      AND member_password = <cfqueryparam value="#FORM.password#" cfsqltype="cf_sql_varchar">
</cfquery>



  <body>
   
		
					<h2 id="90" style="margin-top: 20px;">Investment Concepts</h2>
					
 
			    <table>
                    <tbody>
 				    <tr>
		
						        <td>   
     <cfif qVerify.RecordCount>                                                            
				<cfif IsDefined("cookie.username")>
         <!--- members wants their information remembered, so set the cookies --->
<!---           <cfcookie name="username" value="#form.username#" expires="NEVER">
          <cfcookie name="password" value="#form.password#" expires="NEVER"> --->
    <p><a href="http://localhost/PopUp_Login/dl/book3.xls"><h3>Link to display if they have</h3></a>
	<cfelse>
          <!--- member does NOT want their information remember, EXPIRE their cookies NOW so they are deleted for good! --->
          <!--- <cfcookie name="username" value="#form.username#" expires="NOW">
          <cfcookie name="password" value="#form.password#" expires="NOW"> --->
        <p><A HREF="getpopup.cfm" onClick="return popup(this, 'notes')">Link to login if they have not</A>     
    </cfif>
  </cfif>
                                    
                           
                                   
                                      
						          
						        </td>
						    </tr>
							
 
						    
							
					</tbody>
				</table>
			
				
  </body>
</html>


0
 
gdemariaCommented:
If you don't see this..
  Link to display if they have  

and you also don't see this...
   Link to login if they have not


then it's because this condition is not being met..
<cfif qVerify.RecordCount>

which means your query is not returning any rows.

If the query is returning at least one record, you should see either one of those two statements above
0
 
JohnMac328Author Commented:
I took the verify part out and I get the "Link to login if they have not" - I then click on the link and login through the popup.  It brings me back to the page but it does not display the link "Link to display if they have" which it should since I just logged in.  I replaced the <cfif qVerify.RecordCount> after the login but it still does not show the logged in link
<cfparam name="FORM.username">
<cfparam name="FORM.password">
<cfquery name="qVerify" datasource="fund_master">
    SELECT ID
    FROM MEMBERS
    WHERE member_username = <cfqueryparam value="#FORM.username#" cfsqltype="cf_sql_varchar">
      AND member_password = <cfqueryparam value="#FORM.password#" cfsqltype="cf_sql_varchar">
</cfquery>



  <body>
   
		
					<h2 id="90" style="margin-top: 20px;">Investment Concepts</h2>
					
 
			    <table>
                    <tbody>
 				    <tr>
		
						        <td>   
                                               
				<cfif IsDefined("cookie.username")>
         <!--- members wants their information remembered, so set the cookies --->
      <cfcookie name="username" value="#form.username#" expires="NEVER">
      <cfcookie name="password" value="#form.password#" expires="NEVER"> 
    <p><a href="http://localhost/PopUp_Login/dl/book3.xls"><h3>Link to display if they have</h3></a>
	<cfelse>
          <!--- member does NOT want their information remember, EXPIRE their cookies NOW so they are deleted for good! --->
          <cfcookie name="username" value="#form.username#" expires="NOW">
          <cfcookie name="password" value="#form.password#" expires="NOW"> 
        <p><A HREF="getpopup.cfm" onClick="return popup(this, 'notes')">Link to login if they have not</A>     
    </cfif>


0
 
gdemariaCommented:
Did you refresh the main page after the login is complete?

You can use javascript to just send the page back to the same location,

something like this..

<script>
  // reload the top-level page so the links are redrawn with the current login state
  top.location.href = top.location.href;
</script>

0
 
JohnMac328Author Commented:
At this time it is taking me to the login form as a separate page and not a popup so it is refreshing when the form action brings up the  page.cfm after the form is submitted.
0
 
gdemariaCommented:
> At this time it is taking me to the login form as a separate page and not a popup so it is refreshing when the form action brings up the  page.cfm after the form is submitted

Ok.   Is that what you want?

That's all the easier, if it's not a pop-up and you're just going to another page, then after login, when you return to the listing page, the links should all be downloads.   If they are not, then you are either not logged in or your CFIF statement for the links isn't accurately checking your login status

0
 
JohnMac328Author Commented:
For some reason I am getting this error and it makes no sense.  I have included the code on the page
The required parameter FORM.USERNAME was not provided.  
This page uses the cfparam tag to declare the parameter FORM.USERNAME as required for this template. The parameter is not available. Ensure that you have passed or initialized the parameter correctly. To set a default value for the parameter, use the default attribute of the cfparam tag.  
 
The error occurred in C:\Inetpub\wwwroot\PopUp_Login\page.cfm: line 1
 
1 : <!DOCTYPE>
2 : <html xmlns="http://www.w3.org/1999/xhtml">
3 :   <head>
 

<!DOCTYPE>
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>

  </head>
<cfparam name="FORM.username">
<cfparam name="FORM.password">
<cfquery name="qVerify" datasource="fund_master">
    SELECT ID
    FROM MEMBERS
    WHERE member_username = <cfqueryparam value="#FORM.username#" cfsqltype="cf_sql_varchar">
      AND member_password = <cfqueryparam value="#FORM.password#" cfsqltype="cf_sql_varchar">
</cfquery>



  <body>
   
		
					<h2 id="90" style="margin-top: 20px;">Investment Concepts</h2>
					
 
			    <table>
                    <tbody>
 				    <tr>
		
						        <td>   
                 <cfif qVerify.RecordCount>                              
				<cfif IsDefined("cookie.username")>
         <!--- members wants their information remembered, so set the cookies --->
      <cfcookie name="username" value="#form.username#" expires="NEVER">
      <cfcookie name="password" value="#form.password#" expires="NEVER"> 
    <p><a href="http://localhost/PopUp_Login/dl/book3.xls"><h3>Link to display if they have</h3></a>
	<cfelse>
          <!--- member does NOT want their information remember, EXPIRE their cookies NOW so they are deleted for good! --->
          <cfcookie name="username" value="#form.username#" expires="NOW">
          <cfcookie name="password" value="#form.password#" expires="NOW"> 
        <p><A HREF="getpopup.cfm" onClick="return popup(this, 'notes')">Link to login if they have not</A>     
    </cfif>
   </cfif>


0
 
gdemariaCommented:
The cfparam command used without the default="" parameter performs a test.  

If the variable does not exist, it will not define it, it will throw an error.   So you are not passing the form.username to this template


If you were to change the cfparam to include default, then it would set the value and not throw an error

<cfparam name="FORM.username" default="">

But if you want to ensure the template is getting the username value from somewhere else (such as a form post) then you can keep the cfparam command as it is.   In this case, you need to figure out why you are not passing the username to the template.  

0
 
JohnMac328Author Commented:
I am going to use a login with sessionID and if they don't like it - too bad.  In this code I want to set Session.CFToken to never expire - is this where it goes and what is the syntax?
<cfif qVerify.RecordCount>
    <!--- This user has logged in correctly, change the value of the session.allowin value --->
    <cfset session.allowin = "True">
    <cfset session.user_id = qVerify.user_id>
    <!--- Now welcome user and redirect to "members_only.cfm" --->
    <script>
         alert("Welcome user, you have been successfully logged in!");
         self.location="members_only.cfm";
    </script>
<cfelse>


0
 
gdemariaCommented:

I don't know that you can set a session to never expire.  But if you could, I definitely would not do that.  That would mean every user's session would be on your SERVER forever, at least until your server got overwhelmed and shutdown..

If you really really want to have a login last forever (not recommended), then use a cookie.  Any user visiting that computer will be able to access that person's account even two years later..

At least you could have it so the cookie expired every 2 weeks or something..

0
 
JohnMac328Author Commented:
I thought it was storing a cookie from this I read

Session.CFToken

ColdFusion session management only: the client security token, normally stored on the client system as a cookie.
0
 
gdemariaCommented:

ColdFusion session management does place a couple of cookies on the client's PC.  These cookies act as a pointer using a unique identifier, to the store of data kept on the CF server.

So you can define 100 session variables and the cookie on the client's computer will point to that set of 100 variables.  The 100 session variables are not stored on the PC, they are stored on the server for as long as the session is active.

0
 
JohnMac328Author Commented:
I see.  Now I have the session timeout set to 1 min for testing.  No matter what I keep getting the first link to display and the second one never does.
<cfif IsDefined("SESSION.allowin")>
    <p><a href="http://localhost/PopUp_Login/dl/book3.xls"><h3>Link to display if they have</h3></a>
	<cfelse>
    <p><A HREF="getpopup.cfm" onClick="return popup(this, 'notes')">Link to login if they have not</A>     
    </cfif>


0
 
JohnMac328Author Commented:
Wait - I used this and it worked

<cfscript>
   StructClear(Session);
</cfscript>
0
 
JohnMac328Author Commented:
Here is login process and application.cfm, I will add a userid
<cfquery name="qVerify" datasource="userLogin">
    SELECT             user_id, user_name, user_pass
    FROM                tblAdmins
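    <!--- bind the submitted values as parameters instead of concatenating them into the SQL --->
    WHERE              user_name = <cfqueryparam value="#user_name#" cfsqltype="cf_sql_varchar">
                     AND user_pass = <cfqueryparam value="#user_pass#" cfsqltype="cf_sql_varchar">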
</cfquery>

<cfif qVerify.RecordCount>
    <!--- This user has logged in correctly, change the value of the session.allowin value --->
    <cfset session.allowin = "True">
    <cfset session.user_id = qVerify.user_id>
    <!--- Now welcome user and redirect to "members_only.cfm" --->
    <script>
         alert("Welcome user, you have been successfully logged in!");
         <!--- self.location="members_only.cfm"; --->
		 self.location="page.cfm";
    </script>
<cfelse>
    <!--- this user did not log in correctly, alert and redirect to the login page --->
    <script>
        alert("Your credentials could not be verified, please try again!!!");
        self.location="Javascript:history.go(-1)";
    </script>
</cfif>


<cfapplication name="MyApp" clientmanagement="Yes"
                    sessionmanagement="Yes"
                    sessiontimeout="#CreateTimeSpan(0,0,1,0)#"
                    applicationtimeout="#CreateTimeSpan(0,2,0,0)#">

<!--- Now define that this user is logged out by default --->
<CFPARAM NAME="session.allowin" DEFAULT="false">

<!--- Now define this user id to zero by default, this will be used later on to access specific information about this user. --->
<CFPARAM NAME="session.user_id" DEFAULT="0">

<!--- Now if the variable "session.allowin" does not equal true, send user to the login page --->
<!---
        the other thing you must check for is if the page calling this application.cfm is the "login.cfm" page 
        and the "Login_process.cfm" page since the Application.cfm is always called, if this is not checked 
        the application will simply Loop over and over. To check that, you do the following call 

--->
<cfif session.allowin neq "true">
      <cfif ListLast(CGI.SCRIPT_NAME, "/") EQ "login.cfm">
      <cfelseif ListLast(CGI.SCRIPT_NAME, "/") EQ "login_process.cfm">
      <cfelse>
      <!--- this user is not logged in, alert user and redirect to the login.cfm page --->
         <script>
                 alert("You must login to access this area!");
                 self.location="login.cfm";
         </script>
         <!--- Now abort the page --->
         <cfabort />
      </cfif>
</cfif>


0
 
JohnMac328Author Commented:
It's working with the session userid check so that should be good to go with this ticket. Thanks for your help
0