September 26, 2012
Question

How to secure login area better?

  • September 26, 2012
  • 1 reply
  • 974 views

I made my first "login area" control panel and set it up to allow certain people to view only what they are allowed to, but about halfway through the coding I realized that I have a BIG security issue. I was using a URL variable to go from page to page, for example:

<a href="../user/user_list.cfm?Person=#qLogin.UserID#">User List</a>

The application works fine, but when I changed the number of the "person" in the URL from 2 to, let's say, 10, it would show person 10's information. I have been looking around for a solution, but haven't really found anything that I found useful. Here is the code I use to log in to the control panel. So I need to make sure only that certain person is on the appropriate page and that they won't be able to change the person number at all.

( Application.cfc )

<cfcomponent>

    <!--- Any variables set here can be used by all our pages --->
    <cfset this.name = "MyWebsite">
    <cfset this.clientmanagement = "false">
    <cfset this.sessionmanagement = "true">
    <cfset this.sessiontimeout = CreateTimeSpan(0, 0, 20, 0)>
    <cfset this.loginstorage = "Session">
    <cfset this.setClientCookies = "true">

    <!---cferror type="Exception" template="errormessage.cfm"
           mailto="memmar@telus.net"--->

    <cffunction name="onRequestStart">
        <cfset APPLICATION.dataSource = "myDB">

        <!--- The body of cflogin only runs while no user is logged in to this session --->
        <cflogin>
            <cfif IsDefined("FORM.Login_btn")>
                <cfquery name="qLogin" datasource="#APPLICATION.dataSource#">
                    SELECT UserEmail, UserPassword, UserRoleID, UserID
                    FROM UsersAccess
                    WHERE UserEmail = <cfqueryparam value="#cflogin.Name#" cfsqltype="cf_sql_varchar">
                    AND UserPassword = <cfqueryparam value="#cflogin.Password#" cfsqltype="cf_sql_varchar">
                </cfquery>

                <!--- Compare() is case-sensitive; IS would also accept a password that differs only in case --->
                <cfif qLogin.recordCount EQ 1
                      AND cflogin.name IS qLogin.UserEmail
                      AND Compare(cflogin.password, qLogin.UserPassword) EQ 0>
                    <cfloginuser name="#cflogin.name#"
                                 password="#cflogin.password#"
                                 roles="#qLogin.UserRoleID#">
                <cfelse>
                    <!--- Redirects if the login information is incorrect --->
                    <cflocation url="../signup/index.cfm?LoginError" addtoken="no">
                    <cfabort />
                </cfif>
            <cfelse>
                <cflocation url="../index.cfm" addtoken="no">
                <cfabort />
            </cfif>
        </cflogin>
    </cffunction>

</cfcomponent>


    Carl Von Stetten
    Legend
    September 26, 2012

    cf_junkie,

    Since you have sessionmanagement=true, you have enabled user sessions.  This means you can utilize the session scope.  Put your user's ID in the session scope (e.g.: session.UserID) when they log in.  As long as the session remains active (20 minutes is what you set your session timeout to, so as long as the user moves to another page within 20 minutes their session stays active), the UserID variable will remain in the session scope.  Now you don't need to pass any URL parameters just to maintain the user's identity.  Let ColdFusion do the "heavy lifting" on this for you.

    -Carl V.
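What Carl describes, worked through as an added example in CFML (this is not code from the original post): the login handler writes the authenticated user's ID into the session scope once, and the page that used to read `?Person=` from the URL reads `SESSION.userID` instead. It keeps the datasource `myDB`, the table `UsersAccess` and the page `user_list.cfm` from the question; the use of `SessionRotate()` (ColdFusion 10 or later) and the assumption that `UserRoleID` 1 is the administrator role are mine.

```cfml
<!--- Application.cfc (fragment): onRequestStart with the identity kept in the session.
      Added example, not the original poster's code. --->
<cffunction name="onRequestStart" returntype="boolean" output="false">
    <cfargument name="targetPage" type="string" required="true">
    <cfset APPLICATION.dataSource = "myDB">

    <!--- The body of cflogin only runs while nobody is logged in to this session --->
    <cflogin>
        <cfif IsDefined("cflogin")>
            <!--- Look the account up by e-mail only; the password is checked in CFML below --->
            <cfquery name="qLogin" datasource="#APPLICATION.dataSource#">
                SELECT UserID, UserEmail, UserPassword, UserRoleID
                FROM UsersAccess
                WHERE UserEmail = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
            </cfquery>

            <!--- Compare() is case-sensitive; IS / EQ are not --->
            <cfif qLogin.recordCount EQ 1 AND Compare(cflogin.password, qLogin.UserPassword) EQ 0>
                <!--- Fresh session ID after authentication so a pre-login ID cannot be fixated (CF10+) --->
                <cfset SessionRotate()>
                <cfloginuser name="#qLogin.UserEmail#" password="#cflogin.password#" roles="#qLogin.UserRoleID#">
                <!--- The only place the user ID is ever written; pages read it, never the URL --->
                <cfset SESSION.userID = qLogin.UserID>
            <cfelse>
                <cflocation url="../signup/index.cfm?LoginError" addtoken="no">
            </cfif>
        </cfif>
    </cflogin>

    <!--- Everything except the login page itself requires an authenticated session --->
    <cfif NOT IsUserLoggedIn() AND ListLast(arguments.targetPage, "/") NEQ "index.cfm">
        <cflocation url="../index.cfm" addtoken="no">
    </cfif>
    <cfreturn true>
</cffunction>


<!--- user/user_list.cfm: the identity comes from the session, not from the URL --->
<cfif NOT IsUserLoggedIn() OR NOT StructKeyExists(SESSION, "userID")>
    <cflocation url="../index.cfm" addtoken="no">
</cfif>

<!--- Default to the caller's own record. If an ID is still accepted (e.g. an administrator
      viewing someone else), the authorization decision is made here, server-side, and a
      non-integer value is rejected by cfparam before it reaches the query. --->
<cfparam name="URL.Person" type="integer" default="#SESSION.userID#">
<cfif URL.Person NEQ SESSION.userID AND NOT IsUserInRole("1")>   <!--- assumption: UserRoleID 1 = administrator --->
    <cfthrow type="Forbidden" message="You may only view your own record.">
</cfif>

<cfquery name="qPerson" datasource="#APPLICATION.dataSource#">
    SELECT UserID, UserEmail, UserRoleID
    FROM UsersAccess
    WHERE UserID = <cfqueryparam value="#URL.Person#" cfsqltype="cf_sql_integer">
</cfquery>

<cfoutput>
    <!--- Links no longer carry the identity, so there is nothing in the URL to edit --->
    <a href="../user/user_list.cfm">User List</a>
    <p>Viewing #qPerson.UserEmail# (ID #qPerson.UserID#)</p>
</cfoutput>
```

The point of the page-level check is that the session, not the request, says who the caller is: changing `Person` in the address bar now either does nothing (it defaults to the session value) or trips the role check. The example keeps the question's schema, which stores the password as entered; comparing it with `Compare()` only fixes the case-insensitivity of `IS`, not the storage.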

    September 26, 2012

Thanks for the response. I will give it a try. I will post the outcome.

    WolfShade
    Legend
    September 27, 2012

    I agree with Carl.  Session variables are the best (IMHO) way to maintain the user id from page to page.  If, however, timing out after 20 minutes becomes an issue, you can always encrypt the ID and save it to a cookie.

    ^_^
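WolfShade's cookie suggestion, as an added example in CFML (not code from the original thread): the user ID goes into a persistent cookie together with an expiry time and an HMAC over both, and is only trusted when the signature recomputes and the expiry has not passed, so editing the ID in the cookie is caught the same way editing it in the URL should be. `Hmac()` needs ColdFusion 10 or later; the secret `APPLICATION.cookieKey`, the cookie name `REMEMBER` and the 30-day lifetime are assumptions.

```cfml
<!--- Persistent "remember me" cookie: "<userID>|<expiry in epoch ms>|<HMAC>", signed with a server-side secret.
      Added example; APPLICATION.cookieKey is assumed to be set once in onApplicationStart,
      e.g. <cfset APPLICATION.cookieKey = GenerateSecretKey("AES", 256)>. --->

<cffunction name="issueRememberMe" returntype="void" output="false">
    <cfargument name="userID" type="numeric" required="true">
    <cfset var expires = DateAdd("d", 30, Now())>
    <cfset var payload = arguments.userID & "|" & expires.getTime()>
    <!--- The signature covers the ID and the expiry, so neither can be changed client-side --->
    <cfset var sig = Hmac(payload, APPLICATION.cookieKey, "HMACSHA256")>
    <!--- HttpOnly keeps script away from it; Secure keeps it off plain HTTP --->
    <cfcookie name="REMEMBER" value="#payload#|#sig#" expires="#expires#" httponly="true" secure="true">
</cffunction>

<cffunction name="userIDFromRememberMe" returntype="numeric" output="false">
    <!--- Returns the user ID carried by a valid cookie, or 0 if it is absent, tampered with or expired --->
    <cfset var parts = "">
    <cfset var payload = "">
    <cfset var expected = "">
    <cfif NOT StructKeyExists(COOKIE, "REMEMBER") OR ListLen(COOKIE.REMEMBER, "|") NEQ 3>
        <cfreturn 0>
    </cfif>
    <cfset parts = ListToArray(COOKIE.REMEMBER, "|")>
    <cfif NOT IsNumeric(parts[1]) OR NOT IsNumeric(parts[2])>
        <cfreturn 0>
    </cfif>
    <!--- Recompute the signature over what the client sent; a changed ID or expiry will not match --->
    <cfset payload = parts[1] & "|" & parts[2]>
    <cfset expected = Hmac(payload, APPLICATION.cookieKey, "HMACSHA256")>
    <cfif Compare(expected, parts[3]) NEQ 0 OR parts[2] LT Now().getTime()>
        <cfreturn 0>
    </cfif>
    <cfreturn Val(parts[1])>
</cffunction>

<!--- Usage: call issueRememberMe(qLogin.UserID) right after a successful form login; on a later
      request with no session, a non-zero userIDFromRememberMe() identifies the account to log in,
      looked up from the database, the same way a form login does. --->
```

Signing rather than only encrypting the ID is what makes the cookie safe to read back: encryption hides the value but does not by itself stop a client from submitting a different ciphertext, whereas a failed HMAC check rejects anything not produced by the server. Note that a 30-day cookie is a 30-day credential; it should establish the session the way a form login does (account looked up, roles loaded) and never be copied straight into `SESSION.userID` without the check above.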