Known Participant
February 9, 2009
Question

Authenticating All Pages

  • February 9, 2009
  • 7 replies
  • 358 views
Hi,

I am trying to make a website that will have a login page and then go to a page where you can download an application. I need this download page to be secure (ie, so you can't type in the url and download.) I was thinking the best way to do that is to have a variable passed from page to page. I want to find out, first of all, if that's the best way to do it, and secondly, how to do it.

I appreciate any help!

Amy

    Inspiring
    February 9, 2009
    AmyEverAfter wrote:
    >
    > Does this make sense? Is this enough to secure the application?
    >

    Only you can answer that. It is your application.

    What you are considering is the difference between an authenticated user
    and an authorized user.

    An authenticated user is somebody who you are reasonably sure has
    identified themselves and you know who they are. This is usually done
    with a user providing a user name and a password previously recorded.
    This can go far beyond that to fingerprints, voice recognition and
    retinal scans; but one doesn't often see that in web applications.

    An authorized user is a user who you are reasonably sure has identified
    themselves and you know what they are authorized to do. This is usually
    done with roles and|or groups where you want one set of users to be able
    to do one thing and another set to do another.

    So do you just need to know who the user is? Or do you also need to
    know that some can do this and others can not? If the former then
    authentication is probably sufficient, if the latter you will need a
    more sophisticated authorization system.

    HTH
    Ian

    Known Participant
    February 9, 2009
    Actually I am rethinking using IsUserInRole because out of nine various user types, only one has an important user-specific function (ie, downloading the application.) So perhaps it would be okay to use an if statement?

    if user = x, then whatever
    if user does not = x, then whatever

    Does this make sense? Is this enough to secure the application?
    Inspiring
    February 9, 2009
    AmyEverAfter wrote:
    > Okay, this is what I have. It's giving me an error but I'm not really sure
    > what I am doing so I'm not sure how to go about fixing it. Is the syntax
    > correct? Am I using IsUserInRole correctly?

    What is the error? That is always helpful when asking for help, ya
    know, what you actually need help with.

    >
    > <cfloop query="getRole">
    > <cfif IsUserInRole("Administrator") >
    > <cfoutput>blah blah</cfoutput>
    > <cfelse IsUserInRole("Viewonly")>
    > <cfoutput>blah x</cfoutput>
    > </cfif></cfloop>
    >

    Some mighty strange code here but for a first trial to learn something I
    won't quibble.

    In the code fragment provided I do not see any query named "getRole".

    First, I wonder if you wanted to be looping over a query here.

    Secondly, if you do, I wonder if you meant to loop over the 'qryRole'
    query from earlier in the code.
    Known Participant
    February 9, 2009
    Okay, this is what I have. It's giving me an error but I'm not really sure what I am doing so I'm not sure how to go about fixing it. Is the syntax correct? Am I using IsUserInRole correctly?


    <cfif Len(trim(Username)) IS 0>
    <font face="Arial, Helvetica, sans-serif" size="-1" color="#990000" >
    Error: Username is required.
    <cfabort></cfif>

    <cfif Len(trim(userpassword)) is 0>
    <font face="Arial, Helvetica, sans-serif" size="-1" color="#990000">Error: Password is required.
    <cfabort>
    </cfif>


    <cfquery datasource="datasource" name="qryLogin">
    SELECT *
    FROM tablename
    WHERE username = '#form.username#' and userpassword= '#form.userpassword#'
    </cfquery>


    <cfif qryLogin.recordCount gt 0>
    <font face="Arial, Helvetica, sans-serif" size="-1">Login successful. Welcome <cfoutput>
    #username#. </cfoutput>
    <cfelse>

    <font face="Arial, Helvetica, sans-serif" size="-1" color="#990000">That record does not exist. Please try again.
    <cfinclude template="login_form.cfm">
    </cfif>

    <cfquery datasource="mydatasource" name="qryRole">
    Select userrole
    From userrole
    WHERE userrole = "#qryLogin.username AND qryRole.userrole#>
    </cfquery>

    <cflogin>
    <cfloginuser name = "#qryLogin.username#"
    password="#qryLogin.userpassword#"
    roles="#ValueList (qry.userrole)#" >
    </cflogin>

    <cfloop query="getRole">
    <cfif IsUserInRole("Administrator") >
    <cfoutput>blah blah</cfoutput>
    <cfelse IsUserInRole("Viewonly")>
    <cfoutput>blah x</cfoutput>
    </cfif></cfloop>



    Inspiring
    February 9, 2009
    AmyEverAfter wrote:
    > I'm new to CF so I don't really know about those things yet - so any more advice (perhaps a bit simpler)?

    Being unwilling to re-write the wheel, I'll point you to a great
    resource for those who are new to CF and don't really know these things
    yet: the documentation.

    ColdFusion Developer's Guide
    Securing Applications
    http://livedocs.adobe.com/coldfusion/8/htmldocs/appSecurity_01.html
    Known Participant
    February 9, 2009
    I'm new to CF so I don't really know about those things yet - so any more advice (perhaps a bit simpler)?
    Inspiring
    February 9, 2009
    AmyEverAfter wrote:
    > I was thinking the
    > best way to do that is to have a variable passed from page to page. I want to
    > find out, first of all, if that's the best way to do it

    NO!

    > , and secondly, how to
    > do it.
    >

    Read up on Application.cfc, the OnRequestStart method|event handler,
    shared variable scopes and login Frameworks.

    This is a common, well documented and discussed requirement. But it is
    also complex and can be handled many ways depending on various needs of
    each application. Which makes it difficult to answer such a general
    question in a peer support forum such as this.
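
Putting Ian's pointers together, here is an Application.cfc whose onRequestStart gates every page by authentication and the download page by role, so typing the URL directly never bypasses the login. This is an added example, not code from the thread; the datasource, table and column names follow Amy's post, while the "Downloader" role, the public-page list and the assumption that the userpassword column stores a SHA-256 hash are mine.

```cfml
<!--- Application.cfc (added example): every request runs onRequestStart before
      the requested .cfm page, so this gate cannot be skipped by typing a URL. --->
<cfcomponent output="false">
    <cfset this.name = "DownloadPortal">
    <cfset this.sessionManagement = true>
    <!--- keep the cflogin state in the session so users stay logged in --->
    <cfset this.loginStorage = "session">

    <cffunction name="onRequestStart" returnType="boolean" output="true">
        <!--- targetPage is the web-root-relative path, e.g. "/download.cfm" --->
        <cfargument name="targetPage" type="string" required="true">
        <cfset var publicPages = "/login.cfm,/logout.cfm">  <!--- reachable without login --->
        <cfset var pwHash = "">
        <cfset var qryLogin = "">

        <cflogin>
            <!--- the cflogin body only runs when nobody is logged in yet --->
            <cfif isDefined("form.username") and isDefined("form.userpassword")>
                <!--- assumption: the table stores SHA-256 hashes, never clear text --->
                <cfset pwHash = hash(form.userpassword, "SHA-256")>
                <!--- cfqueryparam keeps the form values out of the SQL text --->
                <cfquery datasource="datasource" name="qryLogin">
                    SELECT username, userrole
                    FROM tablename
                    WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
                      AND userpassword = <cfqueryparam value="#pwHash#" cfsqltype="cf_sql_varchar">
                </cfquery>
                <cfif qryLogin.recordCount eq 1>
                    <!--- authentication: we now know who this is; roles travel with the login --->
                    <cfloginuser name="#qryLogin.username#" password="#pwHash#" roles="#qryLogin.userrole#">
                </cfif>
            </cfif>
        </cflogin>

        <!--- not a public page and nobody logged in: send to the login form --->
        <cfif listFindNoCase(publicPages, arguments.targetPage) eq 0 and getAuthUser() eq "">
            <cflocation url="/login.cfm" addToken="false">
        </cfif>

        <!--- authorization: the download page additionally requires the right role --->
        <cfif arguments.targetPage eq "/download.cfm" and not isUserInRole("Downloader")>
            <cfthrow message="You are not authorized to download the application." errorCode="403">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

download.cfm itself should stream the file with cfcontent from a directory outside the web root; if the installer sits under the web root, the web server will hand it out without ever running this gate.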