Application login problem

ColdFusion 9
Windows server 2008

Problem in brief: Can't log in.

Details:
This is the same code that gdemaria and _agx_ helped me with some years ago. I use this code to set up basic session authentication. There are three files:

application.cfc
loginform.cfm
loginerror.cfm

On other web sites, the code seems to work fine. In this case:

http://www.osm-vista.org/loginform.cfm

The login credentials do not work, and the login error message does not display. When I submit credentials, the login form simply refreshes and I am not allowed to see the protected directory: http://www.osm-vista.org/data/

I've looked at this for a long time ... what am I missing?

I attach the three files, below. Thank you as always.

Eric

application.cfc:

<!--- Filename: Application.cfc
 Created by: Raymond Camden (ray@camdenfamily.com)
 Modified by: Eric B, gdemaria, _agx_ July 2010 --->

<cfcomponent output="false">

  <!--- Name the application. --->
  <cfset this.name="OSM / VISTA Teams">
  
  <cfset this.applicationTimeout = CreateTimeSpan(0,0,360,0)>
  
  <!--- Turn on session management. --->
  <cfset this.sessionManagement="true">
  
  <!--- Set session timeout period --->
  <cfset this.sessionTimeout = CreateTimeSpan(0,0,360,0)>

  <cfset this.clientManagement = "false">


  
<!--- function: onApplicationStart --->
  <cffunction name="onApplicationStart" output="false" returnType="void">

    <!--- Any variables set here can be used by all of the application's pages --->
    <cfset APPLICATION.dataSource = "osmVISTA">
   
    
<!--- Set up Application variables. Locking the Application scope is not necessary in this method. --->
		<cfset Application.configured = 1>
		<cfset Application.datetimeConfigured = TimeFormat(Now(), "hh:mm tt") & "  " & DateFormat(Now(), "mm.dd.yyyy")>
		<cfset Application.currentSessions = 0>
  
  </cffunction> 
  
   
    <cffunction name="clearSessionVariables" returntype="void">
      <!--- defined all session variables, so they will always exist ---->
      <cfset session.auth = structNew()>
      <cfset session.auth.isLoggedIn  = false>
      <cfset session.auth.UserID  = "">
      <cfset session.auth.Title   = "">
      <cfset session.auth.FirstName   = "">
      <cfset session.auth.MiddleInitial   = "">
      <cfset session.auth.LastName    = "">
      <cfset session.auth.Address    = "">
      <cfset session.auth.City    = "">
      <cfset session.auth.State    = "">
      <cfset session.auth.ZIP    = "">
      <cfset session.auth.Telephone   = "">
      <cfset session.auth.UserEmail    = "">
      <cfset session.auth.UserPassword    = "">
      <cfset session.auth.UserRoleID  = "">
      <cfset session.auth.lastError  = "">
  </cffunction>
  
  <cffunction name="onSessionStart" returntype="void">
      <!--- defined all session variables, so they will always exist ---->
      <cfset clearSessionVariables()>
  </cffunction>
  

<!--- function: onRequestStart ---> 

<cffunction name="onRequestStart">
<cfargument type="String" name="targetPage" required="true" /> 

<!--- All these folders/top level files require a login, specific roles are addressed below ---->  
    <cfset var securefolders = "admin,data">  
    <cfset var currentFolder = listFirst(cgi.script_name,"/")>  
	<cfset REQUEST.companyName = "Office of Surface Mining and Reclamation Enforcement and AmeriCorps / VISTA Document Library">
    <cfset REQUEST.userTable = "OSMVISTAUsers">



<!--- process login credentials --->

 <!--- begin cfif isDefined("form.UserEmail") and isDefined("form.userPassword") ---> 
    <cfif isDefined("form.UserEmail") and isDefined("form.userPassword") and isDefined("form.doLogin")>
     
   
         <!--- check box to remember UserEmail was checked, so make a cookie for it ---> 
                <cfif isDefined("form.SaveUserEmail") and form.SaveUserEmail is "Yes"> 
          <cfcookie name="SaveUserEmail" value="#form.UserEmail#" expires="7"> 
        </cfif> 
         
        <!--- user is attempting to log in, so process the login request ----> 
        <cfif NOT checkLogin(form.UserEmail, form.userPassword)> 
           <cfinclude template="/LoginError.cfm"> <!--- login failed, so show login error form ----> 
           <cfreturn false>  
           <!--- close cfif NOT checkLogin(form.UserEmail, form.userPassword) ---> 
        </cfif> 
    <!--- close cfif isDefined("form.UserEmail") and isDefined("form.userPassword") and isDefined("form.doLogin") ---> 
    </cfif> 
 
<!--- /process login credentials --->


<cftry>

<!--- test for access to secureFolders --->
     <cfif listFindNoCase(secureFolders, currentFolder)>  <!---- are we in a secure area? --->  
       <cfif session.auth.isLoggedIn is False> <!--- This is a secure area, if the user is not logged in, go to login page ---->  
           <cfinclude template="/LoginForm.cfm">
            <cfthrow message="Please log in with proper credentials to access this area.">
           <cfabort>  
       <cfelse> <!--- the user is logged in, then check roles ---->  
           <cfswitch expression="#currentFolder#">  
              <cfcase value="admin">  
                  <cfif listFind("1",session.auth.UserRoleID) eq 0> <!---- UserIDRole 1 has access to folder admin --->  
                      <cfinclude template="/LoginError.cfm">
                      <cfabort>  
                  </cfif>  
              </cfcase>  
              <cfcase value="data">  
                  <cfif listFind("1,3",session.auth.UserRoleID) eq 0>  <!---- UserIDRoles 1, 3 have access to folder data --->  
                      <cfinclude template="/LoginError.cfm">
                      <cfabort>  
                  </cfif>  
              </cfcase>  
              <cfdefaultcase> <!---- all other secure folders ---->  
              </cfdefaultcase>  
           </cfswitch>  
       </cfif> <!---- end if user is logged in or not ---->  
    </cfif>  <!---- end if user is in a secure area or not ---->  
    
    <!--- /test for access to secureFolders --->
         
      <cfcatch>
      <cfset clearSessionVariables()>
      <cfset SESSION.auth.lastError  = cfcatch.message>
      <cfreturn false>
  </cfcatch>
  </cftry>

    
    
         
         
             <!--- if query_string contains cast(, then abort! --->                                              
    <cfif cgi.query_string contains "cast(">
      <cfabort>
    </cfif>
    
              <!--- if query_string contains replace(, then abort! --->                                              
    <cfif cgi.query_string contains "replace(">
      <cfabort>
    </cfif>

   </cffunction>
  <!--- close function: onRequestStart --->
 
 
 <!--- begin cfif isDefined("form.doLogin") --->
    <cfif isDefined("form.doLogin")>
    
     
<!--- begin function checkLogin --->
<cffunction name="checkLogin">

  <cfargument name="p_UserEmail" required=false default="" />
  <cfargument name="p_password" required=false default="" />

  <cfset var UserPassword = trim(arguments.p_password)>
  <cfset var UserEmail     = trim(arguments.p_UserEmail)>
  <cfset var getUser = "">

  <cftry>
      <cfif len(UserPassword) eq 0 or len(UserEmail) eq 0>
         <cfthrow message="Please enter UserEmail and password">
      </cfif> 
    
      <cfquery name="getUser" datasource="#APPLICATION.dataSource#">
       SELECT UserID, FirstName, UserRoleID, UserEmail, UserPassword
        FROM #REQUEST.userTable#
       WHERE UserEmail = <cfqueryparam cfsqltype="cf_sql_varchar" value="#UserEmail#" maxlength="255"> 
      </cfquery>
      <cfif getuser.recordCount eq 0>
        <cfthrow message="Incorrect email address and/or password. Be sure to enter the correct, original email address with which you registered. Please type your password carefully.">
      <cfelseif getUser.UserPassword is not UserPassword>
        <cfthrow message="Invalid Password.">
       </cfif>
    
      <cfset clearSessionVariables()>
      <cfset SESSION.auth.isLoggedIn = "Yes">
      <cfset SESSION.auth.UserID     = getUser.UserID>
      <cfset SESSION.auth.FirstName  = getUser.firstName>
      <cfset SESSION.auth.UserRoleID = getUser.UserRoleID>
      <cfset SESSION.auth.UserEmail  = getUser.UserEmail>
      <cfset SESSION.auth.lastError  = "">
      
 
 <!--- Now that user is logged in, send user to folder /data/ --->

 <cflocation url="/data/" addtoken="no">
      
      <cfreturn true>
      
      
  <cfcatch>
      <cfset clearSessionVariables()>
      <cfset SESSION.auth.lastError  = cfcatch.message>
      <cfreturn false>
  </cfcatch>
  </cftry>
    
</cffunction>
<!--- close function checkLogin --->

      <!--- close cfif isDefined("form.doLogin") --->
    </cfif>


</cfcomponent>




loginform.cfm:

<!--- 
 Filename: LoginForm.cfm
 Created by: Nate Weiss (NMW)
 Modified by: Eric B, gdemaria, July 2010
 Purpose: Presented whenever a user has not logged in
 Please Note Included by Application.cfc
--->

<!DOCTYPE html>
<html lang="en">
<head>
<title><cfoutput>#REQUEST.companyName#</cfoutput></title>
<meta http-equiv="content-type" content="text/html; charset=utf-8">

<meta name="Description" content="<cfoutput>#REQUEST.companyName#</cfoutput>" />


<cfinclude template="/kickstart.cfm">


<link rel="stylesheet" type="text/css" href="/style.css" media="all" />                          <!-- CUSTOM STYLES -->
<link rel="stylesheet" type="text/css" href="http://manage.ebwebwork.com/adminStyle.css" media="all" />
</head>


<body class="center">
<div id="wrap" class="clearfix">
  <!-- ===================================== END HEADER ===================================== -->
  
  
  
  <div class="col_12">

<h1><cfoutput>#REQUEST.companyName#</cfoutput></h1>


 <hr />
  
  

	<h3 style="color:#ccc;">Hi, <cfoutput>#REQUEST.companyName#</cfoutput>. Please log in.</h3>



<form name="LoginForm" method="post" class="ebwebworkForm">

 <p class="italic blue">Username:<br />
 <input autofocus required
 type="text"
 name="x_email"
 size="50"
 value=""
 maxlength="50" /></p>

  <p class="italic blue">Password:<br />
 <input required
 type="password"
 name="UserPassword"
 size="50"
 value=""
 maxlength="50" /></p>



 <input type="submit" value="Click To Log In" name="doLogin" />
 

 
</form>



<p style="margin-top:40px;">Kindly use Firefox or Chrome. Occasionally, please fully clear browser history, including cookies and cache. <a href="http://manage.ebwebwork.com/pages/How-do-I-clear-my-web-browser-history.cfm">More &raquo;</a></p>


  </div><!--- /col_12 --->
  

</div><!---  /wrap--->

<div id="ebwebwork"><a href="http://ebwebwork.com/"><i class="icon-leaf" style="color:#6b9900;"></i> management system by ebwebwork</a></div>
</body></html>



loginerror.cfm:
<!--- 
 Filename: LoginForm.cfm
 Created by: Nate Weiss (NMW)
 Modified by: Eric B, gdemaria, July 2010
 Purpose: Presented whenever a user has not logged in
 Please Note Included by Application.cfc
--->

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<title><cfoutput>#REQUEST.companyName#</cfoutput></title>

<meta name="Description" content="<cfoutput>#REQUEST.companyName#</cfoutput>" />

<cfinclude template="/kickstart.cfm">


<link rel="stylesheet" type="text/css" href="/style.css" media="all" />                          <!-- CUSTOM STYLES -->
<link rel="stylesheet" type="text/css" href="http://manage.ebwebwork.com/adminStyle.css" media="all" />	
</head>


<body class="center">
<div id="wrap" class="clearfix">
  <!-- ===================================== END HEADER ===================================== -->
  
  
  
  <div class="col_12" style="min-height:800px;"><!---col12--->


  <h1>You have tried to view a page to which you do not have rights.</h1>
  
  
  <h1><a href="javascript:history.go(-1)">Please go back.</a></h1>
  
  <p>&nbsp;</p>
    <p>&nbsp;</p>
      <p>&nbsp;</p>
  
</div><!---/col_12--->

</div><!---/wrap--->
</body></html>

Eric Bourland Asked:

gdemaria Commented:
Hi Eric - what brilliant code!   A true masterpiece... ;)

When troubleshooting, first thing to do is find out where the code goes and does not go when the form is submitted. I like to put "flags" around the code to see if they show. Something just as simple as <h1>AAA</h1> and <h1>BBB</h1> to see if AAA and BBB appear on the screen. Here you can do this in your application.cfc file to see if you are entering the login portion of the code, which is defined by this part...

<h1>AAAA</h1>
<cfif isDefined("form.UserEmail") and isDefined("form.userPassword") and isDefined("form.doLogin")>
    <h1>BBBB</h1>
   
In this case, if you were to try this, I think you would see AAA but not BBBB because I think the code never enters the CFIF statement. So then we check each condition (there are three conditions that have to be met, the existence of userEmail, userPassword and doLogin). But these three do not exist.

Looking at the login form, the fields are not all named like this...

<input autofocus required
 type="text"
 name="x_email"
 size="50"
 value=""
 maxlength="50" /></p>


This input tag is named x_email and not username.   I suggest changing the name to username to see if it works, also check the name of the password field and see if you get further...
_agx_ Commented:
Edit: Never mind. While I was busy gabbing, GD beat me to it ;-)

The code is checking for "form.UserEmail", but the form field name is actually:

    <input name="x_email" ..>


Change it to UserEmail and it should work.

 <!--- begin cfif isDefined("form.doLogin") --->
    <cfif isDefined("form.doLogin")>
        <!--- begin function checkLogin --->
        <cffunction name="checkLogin"></cffunction>
    </cfif>



As an aside, that doesn't look right to me. Normally you wouldn't wrap a function declaration inside a CFIF.
Eric Bourland (Author) Commented:
Yep -- it's the input for x_email. Sigh.

I've only been staring at this for four hours. How do I miss this one simple thing?

Fixing it now =)

Thank you both! E
Eric Bourland (Author) Commented:
That worked. I forgot to update the INPUT with the correct form field name.

I wonder why loginerror.cfm did not display?
_agx_ Commented:
>> How do I miss this one simple thing?

The brain sees what it expects to see ;-) Happened to me yesterday.

>> I wonder why loginerror.cfm did not display?

Due to the difference in field name, it fails this condition:

           <cfif isDefined("form.UserEmail") ....

So the login code never even executes.
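
The mismatch both answers point to (the handler guards on form.UserEmail, form.userPassword and form.doLogin, while the form posts x_email) can be caught mechanically before deployment. The Python check below is an added example, not part of the thread or of the original application code; the FORM and HANDLER strings are constructed excerpts abridged from the question, and the function names are this example's own.

```python
import re
from html.parser import HTMLParser

# Constructed excerpts, abridged from the loginform.cfm and Application.cfc in the question.
FORM = """<form name="LoginForm" method="post">
 <input autofocus required type="text" name="x_email" size="50" />
 <input required type="password" name="UserPassword" size="50" />
 <input type="submit" value="Click To Log In" name="doLogin" />
</form>"""
HANDLER = """<cfif isDefined("form.UserEmail") and isDefined("form.userPassword") and isDefined("form.doLogin")>
  <cfif NOT checkLogin(form.UserEmail, form.userPassword)>"""

class _Fields(HTMLParser):
    """Collects the name attribute of every form control."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        name = dict(attrs).get("name")
        if tag in ("input", "select", "textarea", "button") and name:
            self.names.append(name)

def posted_fields(form_src):
    """Names of the controls declared in the form markup."""
    parser = _Fields()
    parser.feed(form_src)
    parser.close()
    return parser.names

def expected_fields(handler_src):
    """Distinct form.X references in the CFML handler, in first-seen order."""
    seen = {}
    for ref in re.findall(r"\bform\.([A-Za-z_]\w*)", handler_src, flags=re.I):
        seen.setdefault(ref.lower(), ref)   # CFML scope keys are case-insensitive
    return list(seen.values())

def audit(form_src, handler_src):
    """Report fields the handler reads but the form never posts, and the reverse."""
    posted = {n.lower(): n for n in posted_fields(form_src)}
    expected = {n.lower(): n for n in expected_fields(handler_src)}
    return {
        "missing": sorted(v for k, v in expected.items() if k not in posted),
        "unused": sorted(v for k, v in posted.items() if k not in expected),
    }

if __name__ == "__main__":
    print(audit(FORM, HANDLER))
```

A non-empty "missing" list means the isDefined() guard can never be true for that form, so the login branch, including its error page, is skipped without any visible failure.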
Eric Bourland (Author) Commented:
That's it. =) Got it.
Eric Bourland (Author) Commented:
It is indeed brilliant code!

Tomorrow my ISP is upgrading ColdFusion on my server from version 9 to version 11. I don't think I use any deprecated tags on any of my sites. But, this should be interesting. ;-)

gdemaria and _agx_, thank you as always. Have a great evening.

Eric