Skip to main content
N
ncsuois
Participant
November 30, 2009
Question

CFAbort Clears CFLogin credentials

  • November 30, 2009
  • 3 replies
  • 813 views

I am trying to implement a page security system using CFLogin to track user roles.  When a page is being served that is not authorized for the given role, I show a not authorized page and do a CFAbort to stop the rest of the page from rendering.  However, after the CFAbort, the user's CFLogin credentials are lost force them to relog back in.  Is there a method that doesn't require a relogin action?

This topic has been closed for replies.

3 replies

N
ncsuoisAuthor
Participant
December 1, 2009

Thanks guys for the help.  It made me look over the logic and see the order in which I placed the abort was incorrect.  thanks again.

BKBK
Community Expert
BKBKCommunity Expert
Community Expert
December 1, 2009

No eyes see it clearer than yours. Good luck.

BKBK
Community Expert
BKBKCommunity Expert
Community Expert
November 30, 2009
When a page is being served that is not authorized for the given role, I show a not authorized page and do a CFAbort to stop the rest of the page from rendering.

How do you check, and how do you show the not authorized page?

N
ncsuoisAuthor
Participant
December 1, 2009

If is wasn't clear in my last post, I read a security configuration file and get the directory being served along with roles allowed.  If the user is in the roles allowed, they can access otherwise, I do a cfinclude of a not authorized page and a cfabort.

C
ctreeves
Inspiring
November 30, 2009

Hi,

Depending on the site setup, CFABORT might not be the best choice.

For instance, if you have the header and footer called on each page, the the CFABORT might prevent the footer from rendering the page whole page.

Since you are checking for permissions on the page anyhow, how about a simple redirect to a different page if they don't have permission?

N
ncsuoisAuthor
Participant
December 1, 2009

A simple redirect would work, but how would I go about doing that so the currently requested page doesn't get served.

My security logic is in my Application.cfc and I determine if the user is allowed to access page.  If not, I could do a redirect to a not authorized page but I need to stop the execution of the rest of the page from loading.

I have also implemented a custom security model.  (It didn't seem like coldfusion had a role based directory security model similar to the role provider in ASP.Net)  I serve pages based user roles and directory configurations.

PS.  sorry for any knowledge gaps as I am fairly new to coldfusion.

Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices