Solved

Application login problem

Posted on 2014-12-11
Last Modified: 2014-12-11
ColdFusion 9
Windows server 2008

Problem in brief: Can't log in.

Details:
This is the same code that gdemaria and _agx_ helped me with some years ago. I use this code to set up basic session authentication. There are three files:

application.cfc
loginform.cfm
loginerror.cfm

On other web sites, the code seems to work fine. In this case:

http://www.osm-vista.org/loginform.cfm

The login credentials do not work, and the login error message does not display. When I submit credentials, the login form simply refreshes and I am not allowed to see the protected directory: http://www.osm-vista.org/data/

I've looked at this for a long time ... what am I missing?

I attach the three files, below. Thank you as always.

Eric

application.cfc:

<!--- Filename: Application.cfc
 Created by: Raymond Camden (ray@camdenfamily.com)
 Modified by: Eric B, gdemaria, _agx_ July 2010 --->

<cfcomponent output="false">

  <!--- Name the application. --->
  <cfset this.name="OSM / VISTA Teams">
  
  <cfset this.applicationTimeout = CreateTimeSpan(0,0,360,0)>
  
  <!--- Turn on session management. --->
  <cfset this.sessionManagement="true">
  
  <!--- Set session timeout period --->
  <cfset this.sessionTimeout = CreateTimeSpan(0,0,360,0)>

  <cfset this.clientManagement = "false">


  
<!--- function: onApplicationStart --->
  <cffunction name="onApplicationStart" output="false" returnType="void">

    <!--- Any variables set here can be used by all of the application's pages --->
    <cfset APPLICATION.dataSource = "osmVISTA">
   
    
<!--- Set up Application variables. Locking the Application scope is not necessary in this method. --->
		<cfset Application.configured = 1>
		<cfset Application.datetimeConfigured = TimeFormat(Now(), "hh:mm tt") & "  " & DateFormat(Now(), "mm.dd.yyyy")>
		<cfset Application.currentSessions = 0>
  
  </cffunction> 
  
   
    <cffunction name="clearSessionVariables" returntype="void">
      <!--- define all session variables, so they will always exist --->
      <cfset session.auth = structNew()>
      <cfset session.auth.isLoggedIn  = false>
      <cfset session.auth.UserID  = "">
      <cfset session.auth.Title   = "">
      <cfset session.auth.FirstName   = "">
      <cfset session.auth.MiddleInitial   = "">
      <cfset session.auth.LastName    = "">
      <cfset session.auth.Address    = "">
      <cfset session.auth.City    = "">
      <cfset session.auth.State    = "">
      <cfset session.auth.ZIP    = "">
      <cfset session.auth.Telephone   = "">
      <cfset session.auth.UserEmail    = "">
      <cfset session.auth.UserPassword    = "">
      <cfset session.auth.UserRoleID  = "">
      <cfset session.auth.lastError  = "">
  </cffunction>
  
  <cffunction name="onSessionStart" returntype="void">
      <!--- define all session variables, so they will always exist --->
      <cfset clearSessionVariables()>
  </cffunction>
  

<!--- function: onRequestStart ---> 

<cffunction name="onRequestStart">
<cfargument type="String" name="targetPage" required="true" /> 

<!--- All these folders/top level files require a login, specific roles are addressed below ---->  
    <cfset var securefolders = "admin,data">  
    <cfset var currentFolder = listFirst(cgi.script_name,"/")>  
	<cfset REQUEST.companyName = "Office of Surface Mining and Reclamation Enforcement and AmeriCorps / VISTA Document Library">
    <cfset REQUEST.userTable = "OSMVISTAUsers">



<!--- process login credentials --->

 <!--- begin cfif isDefined("form.UserEmail") and isDefined("form.userPassword") ---> 
    <cfif isDefined("form.UserEmail") and isDefined("form.userPassword") and isDefined("form.doLogin")>
     
   
         <!--- check box to remember UserEmail was checked, so make a cookie for it ---> 
                <cfif isDefined("form.SaveUserEmail") and form.SaveUserEmail is "Yes"> 
          <cfcookie name="SaveUserEmail" value="#form.UserEmail#" expires="7"> 
        </cfif> 
         
        <!--- user is attempting to log in, so process the login request ----> 
        <cfif NOT checkLogin(form.UserEmail, form.userPassword)> 
           <cfinclude template="/LoginError.cfm"> <!--- login failed, so show login error form ----> 
           <cfreturn false>  
           <!--- close cfif NOT checkLogin(form.UserEmail, form.userPassword) ---> 
        </cfif> 
    <!--- close cfif isDefined("form.UserEmail") and isDefined("form.userPassword") and isDefined("form.doLogin") ---> 
    </cfif> 
 
<!--- /process login credentials --->


<cftry>

<!--- test for access to secureFolders --->
     <cfif listFindNoCase(secureFolders, currentFolder)>  <!---- are we in a secure area? --->  
       <cfif session.auth.isLoggedIn is False> <!--- This is a secure area, if the user is not logged in, go to login page ---->  
           <cfinclude template="/LoginForm.cfm">
            <cfthrow message="Please log in with proper credentials to access this area.">
           <cfabort>  
       <cfelse> <!--- the user is logged in, then check roles ---->  
           <cfswitch expression="#currentFolder#">  
              <cfcase value="admin">  
                  <cfif listFind("1",session.auth.UserRoleID) eq 0> <!---- UserIDRole 1 has access to folder admin --->  
                      <cfinclude template="/LoginError.cfm">
                      <cfabort>  
                  </cfif>  
              </cfcase>  
              <cfcase value="data">  
                  <cfif listFind("1,3",session.auth.UserRoleID) eq 0>  <!---- UserIDRoles 1, 3 have access to folder data --->  
                      <cfinclude template="/LoginError.cfm">
                      <cfabort>  
                  </cfif>  
              </cfcase>  
              <cfdefaultcase> <!---- all other secure folders ---->  
              </cfdefaultcase>  
           </cfswitch>  
       </cfif> <!---- end if user is logged in or not ---->  
    </cfif>  <!---- end if user is in a secure area or not ---->  
    
    <!--- /test for access to secureFolders --->
         
      <cfcatch>
      <cfset clearSessionVariables()>
      <cfset SESSION.auth.lastError  = cfcatch.message>
      <cfreturn false>
  </cfcatch>
  </cftry>

    
    
         
         
             <!--- if query_string contains cast(, then abort! --->                                              
    <cfif cgi.query_string contains "cast(">
      <cfabort>
    </cfif>
    
              <!--- if query_string contains replace(, then abort! --->                                              
    <cfif cgi.query_string contains "replace(">
      <cfabort>
    </cfif>

   </cffunction>
  <!--- close function: onRequestStart --->
 
 
 <!--- begin cfif isDefined("form.doLogin") --->
    <cfif isDefined("form.doLogin")>
    
     
<!--- begin function checkLogin --->
<cffunction name="checkLogin">

  <cfargument name="p_UserEmail" required=false default="" />
  <cfargument name="p_password" required=false default="" />

  <cfset var UserPassword = trim(arguments.p_password)>
  <cfset var UserEmail     = trim(arguments.p_UserEmail)>
  <cfset var getUser = "">

  <cftry>
      <cfif len(UserPassword) eq 0 or len(UserEmail) eq 0>
         <cfthrow message="Please enter UserEmail and password">
      </cfif> 
    
      <cfquery name="getUser" datasource="#APPLICATION.dataSource#">
       SELECT UserID, FirstName, UserRoleID, UserEmail, UserPassword
        FROM #REQUEST.userTable#
       WHERE UserEmail = <cfqueryparam cfsqltype="cf_sql_varchar" value="#UserEmail#" maxlength="255"> 
      </cfquery>
      <cfif getuser.recordCount eq 0>
        <cfthrow message="Incorrect email address and/or password. Be sure to enter the correct, original email address with which you registered. Please type your password carefully.">
      <cfelseif getUser.UserPassword is not UserPassword>
        <cfthrow message="Invalid Password.">
       </cfif>
    
      <cfset clearSessionVariables()>
      <cfset SESSION.auth.isLoggedIn = "Yes">
      <cfset SESSION.auth.UserID     = getUser.UserID>
      <cfset SESSION.auth.FirstName  = getUser.firstName>
      <cfset SESSION.auth.UserRoleID = getUser.UserRoleID>
      <cfset SESSION.auth.UserEmail  = getUser.UserEmail>
      <cfset SESSION.auth.lastError  = "">
      
 
 <!--- Now that user is logged in, send user to folder /data/ --->

 <cflocation url="/data/" addtoken="no">
      
      <cfreturn true>
      
      
  <cfcatch>
      <cfset clearSessionVariables()>
      <cfset SESSION.auth.lastError  = cfcatch.message>
      <cfreturn false>
  </cfcatch>
  </cftry>
    
</cffunction>
<!--- close function checkLogin --->

      <!--- close cfif isDefined("form.doLogin") --->
    </cfif>


</cfcomponent>




loginform.cfm:

<!--- 
 Filename: LoginForm.cfm
 Created by: Nate Weiss (NMW)
 Modified by: Eric B, gdemaria, July 2010
 Purpose: Presented whenever a user has not logged in
 Please Note Included by Application.cfc
--->

<!DOCTYPE html>
<html lang="en">
<head>
<title><cfoutput>#REQUEST.companyName#</cfoutput></title>
<meta http-equiv="content-type" content="text/html; charset=utf-8">

<meta name="Description" content="<cfoutput>#REQUEST.companyName#</cfoutput>" />


<cfinclude template="/kickstart.cfm">


<link rel="stylesheet" type="text/css" href="/style.css" media="all" />                          <!-- CUSTOM STYLES -->
<link rel="stylesheet" type="text/css" href="http://manage.ebwebwork.com/adminStyle.css" media="all" />
</head>


<body class="center">
<div id="wrap" class="clearfix">
  <!-- ===================================== END HEADER ===================================== -->
  
  
  
  <div class="col_12">

<h1><cfoutput>#REQUEST.companyName#</cfoutput></h1>


 <hr />
  
  

	<h3 style="color:#ccc;">Hi, <cfoutput>#REQUEST.companyName#</cfoutput>. Please log in.</h3>



<form name="LoginForm" method="post" class="ebwebworkForm">

 <p class="italic blue">Username:<br />
 <input autofocus required
 type="text"
 name="x_email"
 size="50"
 value=""
 maxlength="50" /></p>

  <p class="italic blue">Password:<br />
 <input required
 type="password"
 name="UserPassword"
 size="50"
 value=""
 maxlength="50" /></p>



 <input type="submit" value="Click To Log In" name="doLogin" />
 

 
</form>



<p style="margin-top:40px;">Kindly use Firefox or Chrome. Occasionally, please fully clear browser history, including cookies and cache. <a href="http://manage.ebwebwork.com/pages/How-do-I-clear-my-web-browser-history.cfm">More &raquo;</a></p>


  </div><!--- /col_12 --->
  

</div><!---  /wrap--->

<div id="ebwebwork"><a href="http://ebwebwork.com/"><i class="icon-leaf" style="color:#6b9900;"></i> management system by ebwebwork</a></div>
</body></html>



loginerror.cfm:
<!--- 
 Filename: LoginError.cfm
 Created by: Nate Weiss (NMW)
 Modified by: Eric B, gdemaria, July 2010
 Purpose: Presented whenever a user has not logged in
 Please Note Included by Application.cfc
--->

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<title><cfoutput>#REQUEST.companyName#</cfoutput></title>

<meta name="Description" content="<cfoutput>#REQUEST.companyName#</cfoutput>" />

<cfinclude template="/kickstart.cfm">


<link rel="stylesheet" type="text/css" href="/style.css" media="all" />                          <!-- CUSTOM STYLES -->
<link rel="stylesheet" type="text/css" href="http://manage.ebwebwork.com/adminStyle.css" media="all" />	
</head>


<body class="center">
<div id="wrap" class="clearfix">
  <!-- ===================================== END HEADER ===================================== -->
  
  
  
  <div class="col_12" style="min-height:800px;"><!---col12--->


  <h1>You have tried to view a page to which you do not have rights.</h1>
  
  
  <h1><a href="javascript:history.go(-1)">Please go back.</a></h1>
  
  <p>&nbsp;</p>
    <p>&nbsp;</p>
      <p>&nbsp;</p>
  
</div><!---/col_12--->

</div><!---/wrap--->
</body></html>


Question by: Eric Bourland
 

Accepted Solution

by: gdemaria (earned 250 total points)
Hi Eric - what brilliant code! A true masterpiece... ;)

When troubleshooting, the first thing to do is find out where the code goes and does not go when the form is submitted. I like to put "flags" around the code to see if they show. Something as simple as <h1>AAA</h1> and <h1>BBB</h1> to see if AAA and BBB appear on the screen. Here you can do this in your application.cfc file to see if you are entering the login portion of the code. Which is defined by this part...

<h1>AAAA</h1>
<cfif isDefined("form.UserEmail") and isDefined("form.userPassword") and isDefined("form.doLogin")>
    <h1>BBBB</h1>
   
In this case, if you were to try this, I think you would see AAA but not BBBB because I think the code never enters the CFIF statement. So then we check each condition (there are three conditions that have to be met: the existence of userEmail, userPassword and doLogin). But these three do not exist.

Looking at the login form, the fields are not all named like this...

<input autofocus required
 type="text"
 name="x_email"
 size="50"
 value=""
 maxlength="50" /></p>


This input tag is named x_email and not username. I suggest changing the name to username to see if it works, also check the name of the password field and see if you get further...

Assisted Solution

by: _agx_ (earned 250 total points)
Edit: Never mind. While I was busy gabbing, GD beat me to it ;-)

The code is checking for "form.UserEmail", but the form field name is actually:

    <input name="x_email" ..>


Change it to UserEmail and it should work.

 <!--- begin cfif isDefined("form.doLogin") --->
    <cfif isDefined("form.doLogin")>
        <!--- begin function checkLogin --->
        <cffunction name="checkLogin"></cffunction>
    </cfif>



As an aside, that doesn't look right to me. Normally you wouldn't wrap function declaration inside a CFIF.
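As an added example (not code from the question or from either answer), here is how checkLogin and the login branch of onRequestStart in Eric's Application.cfc could be rewritten so that a field-name mismatch like the x_email one fails visibly instead of silently reloading the form, with checkLogin declared at component level rather than inside a cfif as _agx_ suggests. It assumes the question's clearSessionVariables(), APPLICATION.dataSource and REQUEST.userTable, and a login form whose inputs are named UserEmail and UserPassword (the rename gdemaria and _agx_ describe).

```cfml
<cffunction name="checkLogin" returntype="boolean" output="false">
  <cfargument name="p_UserEmail" required="false" default="">
  <cfargument name="p_password" required="false" default="">
  <cfset var UserEmail    = trim(arguments.p_UserEmail)>
  <cfset var UserPassword = trim(arguments.p_password)>
  <cfset var getUser = "">
  <cfif NOT len(UserEmail) OR NOT len(UserPassword)>
    <cfset SESSION.auth.lastError = "Please enter UserEmail and password">
    <cfreturn false>
  </cfif>
  <cfquery name="getUser" datasource="#APPLICATION.dataSource#">
    SELECT UserID, UserRoleID, UserPassword
    FROM #REQUEST.userTable#
    WHERE UserEmail = <cfqueryparam cfsqltype="cf_sql_varchar" value="#UserEmail#" maxlength="255">
  </cfquery>
  <!--- compare() is case-sensitive; CFML's "is not" ignores case and would accept a
        wrong-case password. One message for both failures avoids revealing whether
        the email address exists. --->
  <cfif getUser.recordCount EQ 0 OR compare(getUser.UserPassword, UserPassword) NEQ 0>
    <cfset SESSION.auth.lastError = "Incorrect email address and/or password.">
    <cfreturn false>
  </cfif>
  <cfset clearSessionVariables()>
  <cfset SESSION.auth.isLoggedIn = true>
  <cfset SESSION.auth.UserID     = getUser.UserID>
  <cfset SESSION.auth.UserRoleID = getUser.UserRoleID>
  <cfreturn true>
</cffunction>

<cffunction name="onRequestStart">
  <cfargument name="targetPage" type="string" required="true">
  <!--- Key on the submit button alone, then check each field by name, so a misnamed
        input (such as x_email) fails visibly instead of silently skipping the login. --->
  <cfif structKeyExists(form, "doLogin")>
    <cfif NOT structKeyExists(form, "UserEmail") OR NOT structKeyExists(form, "UserPassword")>
      <cfset SESSION.auth.lastError = "Login form did not submit UserEmail and UserPassword.">
      <cfinclude template="/LoginError.cfm">
      <cfreturn false>
    </cfif>
    <cfif NOT checkLogin(form.UserEmail, form.UserPassword)>
      <cfinclude template="/LoginError.cfm">
      <cfreturn false>
    </cfif>
    <cflocation url="/data/" addtoken="no">
  </cfif>
  <!--- the secure-folder and role checks from the original onRequestStart follow here --->
  <cfreturn true>
</cffunction>
```

The question's table stores the password in clear and the example compares it as such; comparing a stored hash instead is the further step to take.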

Author Comment

by:Eric Bourland
Yep -- it's the input for x_email. Sigh.

I've only been staring at this for four hours. How do I miss this one simple thing?

Fixing it now =)

Thank you both! E

Author Comment

by:Eric Bourland
That worked. I forgot to update the INPUT with the correct form field name.

I wonder why loginerror.cfm did not display?

Expert Comment

by:_agx_
>> How do I miss this one simple thing?

The brain sees what it expects to see ;-) Happened to me yesterday.

>> I wonder why loginerror.cfm did not display?

Due to the difference in field name, it fails this condition:

           <cfif isDefined("form.UserEmail") ....

So the login code never even executes.

Author Comment

by:Eric Bourland
That's it. =) Got it.

Author Closing Comment

by:Eric Bourland
It is indeed brilliant code!

Tomorrow my ISP is upgrading ColdFusion on my server from version 9 to version 11. I don't think I use any deprecated tags on any of my sites. But, this should be interesting. ;-)

gdemaria and _agx_, thank you as always. Have a great evening.

Eric