
CFlogin question

LEGEND, Dec 31, 2008
If I'm using CFlogin to create a little login area for users, how can I
verify that the info that users enter for username and password (mainly
password) matches what's in the db table for that user?

Is that built into CFlogin or do I have to write the code that checks the
info entered matches what's in the db? If so, what's the benefit to having
a CFlogin?? Not trying to be snotty here, just wondering

New Here, Jan 01, 2009
Hi---

You have to enter code yourself.

Here is an example from the ColdFusion Developer's Guide (all of the examples can be found in the ColdFusion Developer's Guide under Securing Applications/Implementing User Security/Application-based user security example):

<cfcomponent>
    <cfset This.name = "Orders">
    <cfset This.Sessionmanagement="True">
    <cfset This.loginstorage="session">

    <cffunction name="OnRequestStart">
        <cfargument name = "request" required="true"/>
        <!--- Log the user out when the Logout button was submitted. --->
        <cfif IsDefined("Form.logout")>
            <cflogout>
        </cfif>

        <!--- The body of cflogin runs only when no user is logged in. --->
        <cflogin>
            <cfif NOT IsDefined("cflogin")>
                <cfinclude template="loginform.cfm">
                <cfabort>
            <cfelse>
                <cfif cflogin.name IS "" OR cflogin.password IS "">
                    <cfoutput>
                        <h2>You must enter text in both the User Name and Password fields.
                        </h2>
                    </cfoutput>
                    <cfinclude template="loginform.cfm">
                    <cfabort>
                <cfelse>
                    <!--- Bind the form values with cfqueryparam so they are never
                          interpolated into the SQL text (prevents SQL injection). --->
                    <cfquery name="loginQuery" dataSource="cfdocexamples">
                        SELECT UserID, Roles
                        FROM LoginInfo
                        WHERE
                        UserID = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
                        AND Password = <cfqueryparam value="#cflogin.password#" cfsqltype="cf_sql_varchar">
                    </cfquery>
                    <cfif loginQuery.Roles NEQ "">
                        <cfloginuser name="#cflogin.name#" Password = "#cflogin.password#"
                            roles="#loginQuery.Roles#">
                    <cfelse>
                        <cfoutput>
                            <H2>Your login information is not valid.<br>
                            Please Try again</H2>
                        </cfoutput>
                        <cfinclude template="loginform.cfm">
                        <cfabort>
                    </cfif>
                </cfif>
            </cfif>
        </cflogin>

        <!--- Show a Logout button to any authenticated user. --->
        <cfif GetAuthUser() NEQ "">
            <cfoutput>
                <form action="securitytest.cfm" method="Post">
                    <input type="submit" Name="Logout" value="Logout">
                </form>
            </cfoutput>
        </cfif>

    </cffunction>
</cfcomponent>

That code is placed into an Application.cfc file, which executes before every page that is accessed.

The advantage that I perceive from using cflogin is the role-based access controls. If you look at the securitytest.cfm file...

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Security test page</title>
</head>

<body>
<cfoutput>
<h2>Welcome #GetAuthUser()#!</h2>
</cfoutput>

ALL Logged-in Users see this message.<br>
<br>
<cfscript>
    if (IsUserInRole("Human Resources"))
        WriteOutput("Human Resources members see this message.<br><br>");
    if (IsUserInRole("Documentation"))
        WriteOutput("Documentation members see this message.<br><br>");
    if (IsUserInRole("Sales"))
        WriteOutput("Sales members see this message.<br><br>");
    if (IsUserInRole("Manager"))
        WriteOutput("Managers see this message.<br><br>");
    if (IsUserInRole("Employee"))
        WriteOutput("Employees see this message.<br><br>");
    if (IsUserInRole("Contractor"))
        WriteOutput("Contractors see this message.<br><br>");
</cfscript>

</body>
</html>

...you can see that using a simple command, you can check to see if a user is in a specific role and output unique content to members of different roles without executing a query every time a page is loaded (at least this is my understanding). I believe that would relieve load on the database.

Hope this helps!
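
Added example, not part of the original post or the Developer's Guide: the credential check inside cflogin rewritten so the user is looked up by name with a bound parameter and the password is verified against a salted PBKDF2 key rather than a stored plaintext value. It assumes ColdFusion 11 or later (for GeneratePBKDFKey); the PasswordSalt and PasswordKey columns and the iteration count are hypothetical.

```cfml
<!--- Added example. Assumes ColdFusion 11+ and two hypothetical LoginInfo
      columns: PasswordSalt (per-user random salt) and PasswordKey (the
      PBKDF2 output stored when the password was set). --->
<cflogin>
    <cfif NOT IsDefined("cflogin") OR cflogin.name IS "" OR cflogin.password IS "">
        <cfinclude template="loginform.cfm">
        <cfabort>
    </cfif>

    <!--- Look the user up by name only; the password never enters the SQL. --->
    <cfquery name="loginQuery" dataSource="cfdocexamples">
        SELECT UserID, Roles, PasswordSalt, PasswordKey
        FROM LoginInfo
        WHERE UserID = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
    </cfquery>

    <cfset loginOK = false>
    <cfif loginQuery.RecordCount EQ 1>
        <!--- Re-derive the key from the submitted password and the stored salt,
              using the same algorithm, iteration count and key size as at enrolment. --->
        <cfset candidateKey = GeneratePBKDFKey("PBKDF2WithHmacSHA1",
            cflogin.password, loginQuery.PasswordSalt, 100000, 256)>
        <!--- Compare() is case-sensitive; 0 means the two strings are identical. --->
        <cfset loginOK = (Compare(candidateKey, loginQuery.PasswordKey) EQ 0)>
    </cfif>

    <cfif loginOK AND loginQuery.Roles NEQ "">
        <cfloginuser name="#cflogin.name#" password="#cflogin.password#"
            roles="#loginQuery.Roles#">
    <cfelse>
        <!--- One message for both unknown user and wrong password, so the
              response does not reveal which user names exist. --->
        <cfoutput>
            <h2>Your login information is not valid.<br>
            Please try again.</h2>
        </cfoutput>
        <cfinclude template="loginform.cfm">
        <cfabort>
    </cfif>
</cflogin>
```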