My application uses cflogin and a loginform.cfm as is often shown for authenticating the user. I have a form where a new user can register and create an account. After I create the account, I want the user to already be authenticated and able to use the application. However, I can't find a way to get this to happen. The new user is brought to the loginform and asked to enter the username and password. How can I bypass this step?
I'll assume you log users in using cflogin and cfloginuser. Then getAuthUser() will contain the user's username. If the user is not logged in, getAuthUser() will return an empty string.
You could therefore use getAuthUser() to prevent ColdFusion from sending a logged-in user to the login form. However, that isn't neat. It in fact suggests your design should be improved.
If you did indeed implement cflogin and cfloginuser the recommended way, then ColdFusion will bypass the cflogin tag when a user is logged in. To implement that part correctly, find the code that sends a user to the login form and place it within the context of the cflogin tag. Also, I would set the loginStorage attribute to "session". That will ensure that the login persists for the duration of the session, while the user navigates from one page to the next.
You did enforce login for a reason. So I'll assume that there are certain pages or parts of your application that you wish to expose only to users who have logged in. For those pages or parts, you could do something like
<cfif getAuthUser() is not "">
<!--- functionality to expose only to logged-in user --->
</cfif>
The problem is that the user is not logged in because he's a new user. getAuthUser returns an empty string. The new user goes to a form to sign up for an account and enters new user name and password. I save that in the database. At this point the user is still NOT logged in but I have his username and password.
Now I could just take the new user to the login screen and have him re-enter the username and password, and he would be logged in. But this seems like an extra step. I want to call the cflogin functions and log the user in WITHOUT going to the login screen and WITHOUT him re-entering his username and password. I want to use the data that he used to create the account to log him in behind the scenes. But I can't figure out how to do that.
wilsonwf1 wrote:
The problem is that the user is not logged in because he's a new user. getAuthUser returns an empty string. The new user goes to a form to sign up for an account and enters new user name and password. I save that in the database.
I wouldn't save the information in the database just yet. Not before validating it.
You should do some validation (a check if the username and password meet your requirements) on the action page of the sign-up form. Here are some common requirements:
- username must be longer than 3 characters and shorter than 11
- username for new user may not already occur in the database
- password must only contain alphanumeric characters
- password must be longer than 5 characters and shorter than 11
- neither username nor password may contain <tags>
Naturally, the more secure you wish your site to be, the stricter and more elaborate your requirements should be.
The validation is usually done by means of a function. For example, you simply call the function, passing it the username, password and other user-relevant information. It returns you a struct that contains a status (whether validation was successful or not) and a message (where validation failed, for example, the reason why).
If the validation fails, take the user back to the sign-up page. Also, let him know he isn't yet logged in, and the reason.
If the validation succeeds, then do something like this:
<!--- If user is new, then save username, password to database--->
<cfquery>
insert into user_table ... etc
</cfquery>
<cflogin>
<!--- If validation successful, log user in --->
<cfloginuser name=... etc>
<!--- Ideally, put/include code here that redirects user to login/sign-up page in the case where validation fails --->
</cflogin>
That's all there is to it. The user is now logged in. GetAuthUser will return the user's logged-in name. You should now take user to a page that lets him know he is logged in.
Notice that the code for logging in a returning user is the same as above. The only difference is that you won't have to insert his details into the database again.
I would also suggest you use the setting this.loginStorage="session" (in Application.cfc) or <cfapplication loginStorage="session"> (in Application.cfm). Then, ColdFusion will skip the cflogin tag, and getAuthUser will return the username, for the duration of the session.
[edit: Included more comments in cflogin tag.]
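One way to wire the above together, shown here as an added example and not the code of anyone in this thread: an Application.cfc that sets loginStorage="session" and keeps the whole "send the user to the login form" decision inside cflogin, plus a registration action page that validates, inserts, and calls cfloginuser inside its own cflogin so the new user never sees loginform.cfm. The datasource name appDSN, the page names register.cfm / registerAction.cfm / home.cfm, the user_table columns username and password_hash, the role name "user", and the use of SHA-512 for the stored password are assumptions; dbSecurity.cfc and authenticateUser() are the poster's, and its comparison would have to match whatever the insert stores. Note that registerAction.cfm is listed as a public page on purpose: it receives j_username and j_password, so if cflogin ran there it would try to authenticate an account that does not exist yet and bounce the user to the login form, which is exactly the symptom described.

```cfml
<!--- Application.cfc (added example; assumed application name, datasource and page names) --->
<cfcomponent output="false">
    <cfset this.name = "exampleApp">
    <cfset this.sessionManagement = true>
    <!--- Keep the login for the whole session: once cfloginuser has run, cflogin is skipped --->
    <cfset this.loginStorage = "session">

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Pages reachable without a login (assumed names). registerAction.cfm must be here:
              it posts j_username/j_password for an account that does not exist yet. --->
        <cfset var publicPages = "loginform.cfm,loginAction.cfm,register.cfm,registerAction.cfm">

        <cfif NOT listFindNoCase(publicPages, listLast(arguments.targetPage, "/"))>
            <!--- The cflogin body runs only while no user is logged in --->
            <cflogin>
                <!--- ColdFusion fills the cflogin struct from form fields j_username / j_password --->
                <cfif isDefined("cflogin")
                      AND createObject("component", "dbSecurity").authenticateUser(cflogin.name, cflogin.password)>
                    <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="user">
                <cfelse>
                    <!--- Not logged in and no valid credentials posted: show the form and stop the request --->
                    <cfinclude template="loginform.cfm">
                    <cfreturn false>
                </cfif>
            </cflogin>
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>


<!--- registerAction.cfm: validate, insert, then log the new user in without loginform.cfm --->
<cffunction name="validateNewUser" returntype="struct" output="false">
    <cfargument name="username" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <cfset var result = {status = true, message = ""}>
    <cfset var q = "">

    <!--- Rules from the thread: username 4-10 chars, password 6-10 alphanumeric chars, no tags --->
    <cfif NOT reFind("^[A-Za-z0-9]{4,10}$", arguments.username)>
        <cfset result = {status = false, message = "Username must be 4 to 10 alphanumeric characters."}>
    <cfelseif NOT reFind("^[A-Za-z0-9]{6,10}$", arguments.password)>
        <cfset result = {status = false, message = "Password must be 6 to 10 alphanumeric characters."}>
    <cfelse>
        <!--- Username must not already exist; cfqueryparam keeps user input out of the SQL text --->
        <cfquery name="q" datasource="appDSN">
            SELECT 1 FROM user_table
            WHERE username = <cfqueryparam value="#arguments.username#" cfsqltype="cf_sql_varchar">
        </cfquery>
        <cfif q.recordCount GT 0>
            <cfset result = {status = false, message = "That username is already taken."}>
        </cfif>
    </cfif>
    <cfreturn result>
</cffunction>

<cfset check = validateNewUser(form.j_username, form.j_password)>

<cfif NOT check.status>
    <!--- Validation failed: back to the sign-up page with the reason; the user is not logged in --->
    <cflocation url="register.cfm?msg=#urlEncodedFormat(check.message)#" addtoken="false">
</cfif>

<!--- Validation passed: create the account. Storing a hash rather than the raw password is an
      assumption here; authenticateUser() must compare against the same representation. --->
<cfquery datasource="appDSN">
    INSERT INTO user_table (username, password_hash)
    VALUES (
        <cfqueryparam value="#form.j_username#" cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#hash(form.j_password, 'SHA-512')#" cfsqltype="cf_sql_varchar">
    )
</cfquery>

<!--- Log the new user in with the credentials just validated. No form round-trip is needed:
      cfloginuser inside cflogin marks the session as authenticated, so getAuthUser() now
      returns the username and the cflogin block in Application.cfc is skipped from here on. --->
<cflogin>
    <cfloginuser name="#form.j_username#" password="#form.j_password#" roles="user">
</cflogin>

<cflocation url="home.cfm" addtoken="false">
```

The redirect after cfloginuser works because loginStorage="session" stores the login in the session rather than in the current request, so it survives the cflocation. hash() with an unsalted SHA-512 is used only to keep the example self-contained; a per-user salt or a deliberately slow password hash is the better choice for a real account store.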
What type of authentication are you telling cflogin to use? Are you authenticating against the Windows active directory (NTauthentication)? When you talk about the login form popping up after the user is first setup, are you talking about the Windows domain login form or your own login form wanting to interact with the user to get his credentials?
-reed
I am authenticating against the account and password tables in the application database. During normal operation, I present a loginform.cfm where an existing user enters username and password in text inputs: <input type="text" name="j_username"> and <input type="password" name="j_password">.
I send this information to a module dbSecurity.cfc where I use a function <cffunction access="public" name="authenticateUser" output="false" returntype="boolean" hint="authenticates a user against the db with a username and password"> to authenticate the user returning true or false.
This all works okay. The only thing I'm trying to do is bypass this step immediately after the user registers for a new account. I don't want the user to have to reenter his username and password after he creates a new account. I want to log him in behind the scenes and then take him right to the application. I can't figure out how to simulate the login function that happens with the loginform.cfm without actually going to the loginform.
Let's say your login form is submitted to loginAction.cfm.
On the page where you create the account, after the code that creates the account, add some code that submits form data to loginAction.cfm. You can do this with cfhttp or javascript.
wilsonwf1 wrote:
I am authenticating against the account and password tables in the application database. During normal operation, I present a loginform.cfm where an existing user enters username and password in text inputs: <input type="text" name="j_username"> and <input type="password" name="j_password">.
I send this information to a module dbSecurity.cfc where I use a function <cffunction access="public" name="authenticateUser" output="false" returntype="boolean" hint="authenticates a user against the db with a username and password"> to authenticate the user returning true or false.
This all works okay. The only thing I'm trying to do is bypass this step immediately after the user registers for a new account. I don't want the user to have to reenter his username and password after he creates a new account. I want to log him in behind the scenes and then take him right to the application. I can't figure out how to simulate the login function that happens with the loginform.cfm without actually going to the loginform.
It's all there in my previous answer, including the keyword "bypass". In short:
- Implement loginStorage="session"
- Place all the code that checks whether the user is new or authenticated, and the code that sends him to the login/sign-up page, within the cflogin tag.
If the user was logged in by means of cflogin and cfloginuser, as explained above, ColdFusion would bypass the cflogin tag.