How to secure login area better?

Guest
Sep 26, 2012

I made my first "login area" control panel and set it up to allow certain people to view only what they are allowed to, but about halfway through the coding I realized that I have a BIG security issue. I was using a URL variable to go from page to page, for example:

<a href="../user/user_list.cfm?Person=#qLogin.UserID#">User List</a>

The application works fine, but when I changed the number of the "person" in the URL from 2 to, let's say, 10 it would show person 10's information. I have been looking around for a solution, but haven't really found anything that I found useful. Here is the code I use to log in to the control panel. So I need to make sure only that certain person is on the appropriate page and that they won't be able to change the person number at all.

( Application.cfc )

<cfcomponent>

    <!--- Any variables set here can be used by all our pages --->
    <cfset this.name = "MyWebsite">
    <cfset this.clientmanagement = "false">
    <cfset this.sessionmanagement = "true">
    <cfset this.sessiontimeout = CreateTimeSpan(0,0,20,0)>
    <cfset this.loginstorage = "Session">
    <cfset this.setClientCookies = "true">

    <!---cferror type="Exception" template="errormessage.cfm"
         mailto="memmar@telus.net"--->

    <cffunction name="onRequestStart">
        <cfset APPLICATION.dataSource = "myDB">

        <!--- cflogin only runs its body while no user is logged in for this session --->
        <cflogin>
            <cfif IsDefined("FORM.Login_btn")>
                <cfquery name="qLogin" datasource="#APPLICATION.dataSource#">
                    SELECT UserEmail, UserPassword, UserRoleID, UserID
                    FROM UsersAccess
                    WHERE UserEmail = <cfqueryparam value="#cflogin.Name#" cfsqltype="cf_sql_varchar">
                    AND UserPassword = <cfqueryparam value="#cflogin.Password#" cfsqltype="cf_sql_varchar">
                </cfquery>

                <cfif cflogin.name IS "#qLogin.UserEmail#" AND cflogin.password IS "#qLogin.UserPassword#">
                    <cfloginuser name="#cflogin.name#"
                                 password="#cflogin.password#"
                                 roles="#qLogin.UserRoleID#">
                <cfelse>
                    <!--- Redirects if the login information is incorrect --->
                    <cflocation url="../signup/index.cfm?LoginError" addtoken="no">
                    <cfabort />
                </cfif>
            <cfelse>
                <cflocation url="../index.cfm" addtoken="no">
                <cfabort />
            </cfif>
        </cflogin>
    </cffunction>

</cfcomponent>

Guide ,
Sep 26, 2012

cf_junkie,

Since you have sessionmanagement=true, you have enabled user sessions.  This means you can utilize the session scope.  Put your user's ID in the session scope (e.g.: session.UserID) when they log in.  As long as the session remains active (20 minutes is what you set your session timeout to, so as long as the user moves to another page within 20 minutes their session stays active), the UserID variable will remain in the session scope.  Now you don't need to pass any URL parameters just to maintain the user's identity.  Let ColdFusion do the "heavy lifting" on this for you.

-Carl V.

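The fix Carl describes, written out as an added example (this is not code from the thread). It trims the poster's Application.cfc to the login branch and adds the one line that matters, `session.UserID`, then shows a `user_list.cfm` that takes the identity from the session instead of the `Person` URL parameter. The `UserRecords` table and its `OwnerID` column in the last query are assumptions, there to show the same rule for pages that legitimately take a record id from the URL.

```cfml
<!--- Application.cfc (added example, trimmed to the login branch) --->
<cfcomponent>
    <cfset this.name = "MyWebsite">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>
    <cfset this.loginStorage = "Session">
    <cfset this.setClientCookies = true>

    <cffunction name="onApplicationStart" returntype="boolean">
        <cfset application.dataSource = "myDB">
        <cfreturn true>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean">
        <cfargument name="targetPage" type="string" required="true">
        <cflogin>
            <cfif isDefined("FORM.Login_btn")>
                <cfquery name="qLogin" datasource="#application.dataSource#">
                    SELECT UserID, UserRoleID
                    FROM UsersAccess
                    WHERE UserEmail = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
                      AND UserPassword = <cfqueryparam value="#cflogin.password#" cfsqltype="cf_sql_varchar">
                </cfquery>
                <cfif qLogin.recordCount EQ 1>
                    <cfloginuser name="#cflogin.name#"
                                 password="#cflogin.password#"
                                 roles="#qLogin.UserRoleID#">
                    <!--- The identity is kept server-side from here on; no page needs it in the URL --->
                    <cfset session.UserID = qLogin.UserID>
                <cfelse>
                    <cflocation url="../signup/index.cfm?LoginError" addtoken="no">
                </cfif>
            <cfelse>
                <cflocation url="../index.cfm" addtoken="no">
            </cfif>
        </cflogin>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- user/user_list.cfm (added example) --->
<!--- cflogin should already have redirected, but never trust a missing key --->
<cfif NOT structKeyExists(session, "UserID")>
    <cflocation url="../index.cfm" addtoken="no">
</cfif>

<!--- Who is asking comes from the session, so a Person=10 in the URL is simply ignored --->
<cfquery name="qMe" datasource="#application.dataSource#">
    SELECT UserEmail, UserRoleID
    FROM UsersAccess
    WHERE UserID = <cfqueryparam value="#session.UserID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- When a page legitimately takes a record id from the URL, the query must also tie that
      record to the caller. UserRecords and OwnerID are assumed names for this example. --->
<cfparam name="url.RecordID" type="integer" default="0">
<cfquery name="qRecord" datasource="#application.dataSource#">
    SELECT RecordID, Title
    FROM UserRecords
    WHERE RecordID = <cfqueryparam value="#url.RecordID#" cfsqltype="cf_sql_integer">
      AND OwnerID  = <cfqueryparam value="#session.UserID#" cfsqltype="cf_sql_integer">
</cfquery>
<cfif qRecord.recordCount EQ 0>
    <!--- Either the record does not exist or it belongs to someone else; say no more than that --->
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>
```

With this in place the link in the control panel becomes a plain `<a href="../user/user_list.cfm">User List</a>`; there is nothing left in the URL for a user to edit. The second query is the general rule: an id taken from the client is only ever used together with `session.UserID`, never on its own. If you are on ColdFusion 10 or later, calling `sessionRotate()` right after `cfloginuser` also gives the user a fresh session id at login, so a session id planted before login is not carried over.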
Guest
Sep 26, 2012

Thanks for the response. I will give it a try. I will post the outcome

LEGEND ,
Sep 27, 2012

I agree with Carl.  Session variables are the best (IMHO) way to maintain the user id from page to page.  If, however, timing out after 20 minutes becomes an issue, you can always encrypt the ID and save it to a cookie.

^_^

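The long-lived cookie WolfShade mentions, written out as an added example (not code from the thread). Instead of encrypting the UserID into the cookie it stores a random lookup token: an encrypted value with no integrity check can still be tampered with, and a token can be revoked server-side at logout, which an encrypted id cannot. The `RememberTokens(TokenHash, UserID, ExpiresAt)` table, the `RememberMe` form checkbox and `logout.cfm` are assumptions.

```cfml
<!--- Application.cfc, onRequestStart with a "remember me" cookie (added example).
      RememberTokens table and the RememberMe form field are assumed. --->
<cffunction name="onRequestStart" returntype="boolean">
    <cfargument name="targetPage" type="string" required="true">

    <cflogin>
        <cfif isDefined("FORM.Login_btn")>
            <!--- Normal password login, same query as the poster's --->
            <cfquery name="qLogin" datasource="#application.dataSource#">
                SELECT UserID, UserEmail, UserRoleID
                FROM UsersAccess
                WHERE UserEmail = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
                  AND UserPassword = <cfqueryparam value="#cflogin.password#" cfsqltype="cf_sql_varchar">
            </cfquery>
            <cfif qLogin.recordCount NEQ 1>
                <cflocation url="../signup/index.cfm?LoginError" addtoken="no">
            </cfif>
            <cfloginuser name="#qLogin.UserEmail#" password="#cflogin.password#" roles="#qLogin.UserRoleID#">
            <cfset session.UserID = qLogin.UserID>

            <cfif structKeyExists(form, "RememberMe")>
                <!--- 128 random bits; the browser gets the token, the database only its digest,
                      so a leaked table cannot be replayed as cookies --->
                <cfset token = generateSecretKey("AES")>
                <cfquery datasource="#application.dataSource#">
                    INSERT INTO RememberTokens (TokenHash, UserID, ExpiresAt)
                    VALUES (<cfqueryparam value="#hash(token, 'SHA-256')#" cfsqltype="cf_sql_varchar">,
                            <cfqueryparam value="#qLogin.UserID#" cfsqltype="cf_sql_integer">,
                            <cfqueryparam value="#dateAdd('d', 30, now())#" cfsqltype="cf_sql_timestamp">)
                </cfquery>
                <!--- httponly keeps page script away from it; secure keeps it off plain HTTP --->
                <cfcookie name="REMEMBERME" value="#token#" expires="30" httponly="true" secure="true">
            </cfif>

        <cfelseif structKeyExists(cookie, "REMEMBERME")>
            <!--- Session timed out but the cookie is back: look the token up, never trust it as-is --->
            <cfquery name="qToken" datasource="#application.dataSource#">
                SELECT u.UserID, u.UserEmail, u.UserRoleID
                FROM RememberTokens t
                JOIN UsersAccess u ON u.UserID = t.UserID
                WHERE t.TokenHash = <cfqueryparam value="#hash(cookie.REMEMBERME, 'SHA-256')#" cfsqltype="cf_sql_varchar">
                  AND t.ExpiresAt > <cfqueryparam value="#now()#" cfsqltype="cf_sql_timestamp">
            </cfquery>
            <cfif qToken.recordCount EQ 1>
                <!--- password is a required attribute of cfloginuser; nothing reads it here --->
                <cfloginuser name="#qToken.UserEmail#" password="-" roles="#qToken.UserRoleID#">
                <cfset session.UserID = qToken.UserID>
            <cfelse>
                <!--- Unknown or expired token: clear it so the browser stops presenting it --->
                <cfcookie name="REMEMBERME" value="" expires="now">
                <cflocation url="../index.cfm" addtoken="no">
            </cfif>

        <cfelse>
            <cflocation url="../index.cfm" addtoken="no">
        </cfif>
    </cflogin>
    <cfreturn true>
</cffunction>

<!--- logout.cfm (added example): revoke on the server, not just in the browser --->
<cfif structKeyExists(cookie, "REMEMBERME")>
    <cfquery datasource="#application.dataSource#">
        DELETE FROM RememberTokens
        WHERE TokenHash = <cfqueryparam value="#hash(cookie.REMEMBERME, 'SHA-256')#" cfsqltype="cf_sql_varchar">
    </cfquery>
    <cfcookie name="REMEMBERME" value="" expires="now">
</cfif>
<cflogout>
<cfset structClear(session)>
```

Whichever variant you use, the page code stays the same as in the session-only version: every page reads `session.UserID` and nothing else. The cookie only decides whether a session gets re-established; it never carries the id the pages act on.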
Guest
Sep 27, 2012

How would I go about doing that? The "encrypt the ID and save it to a cookie" part. I'm really new to all this.

----- New topic -----

I have a few cfselect form fields and the validation doesn't work like the cfinputs; any idea why or how to fix it?

LEGEND ,
Sep 27, 2012

----- New topic -----

I have a few cfselect form fields and the validation doesn't work like the cfinputs; any idea why or how to fix it?

Don't hijack threads, even if it's a thread you started.

Start a new one.

--

Adam
