0 Replies - 1256 Views - Last Post: 30 July 2008 - 06:32 AM Rate Topic: -----

#1 wblakenc  Icon User is offline

  • New D.I.C Head

Reputation: 1
  • View blog
  • Posts: 6
  • Joined: 17-July 08

Application Security problems

Post icon  Posted 30 July 2008 - 06:32 AM

Ok it seems as my copy of CF8 should have been updated to fix this problem but here is what it is doing. I attempt to login using a valid user name and password and I get an error that my form entry is undefined or something about null pointers. On the CF error page it shows the code that checks what the user types in against the db for authentication. The problem is it does not do this every time. I have had my co-workers attempt to log in and out using various different user names and passwords and they do not get the error, but I do. So I am wondering if it has something to do with my browser because I am constantly updating the page and refreshing the browser window which could be causing a problem.

I am not sure if I am describing this problem correctly but below is my code let me know if you see anything that might cause a null pointer or undefined variable in the FORM field.

<cfcomponent output="false">

<cfset this.name="MyPrintelect">
<cfset this.sessionManagement = true>
<cffunction name="onApplicationstart" output="false" returntype="void">
	<cfset APPLICATION.datasource = "WorkFlow">
	<cfset APPLICATION.companyName = "Printelect">

<cffunction name="onRequestStart" output="false" returntype="void">
<cfif not isDefined ("SESSION.auth.isLoggedIn")>
	<cfif isDefined("FORM.UserName")>
		<cfinclude template="LoginCheck.cfm">
<cfinclude template="loginForm.cfm"><cfabort>

login form
<cfsetting enablecfoutputonly="no">
<!doctype html public "-//w3c//dtd html 4.01 transitional//en">

<!--- <cfif isDefined("FORM.UserName")>
	<cfinclude template="LoginCheck.cfm">
</cfif>  --->

<p>Please enter your login information:</p>
<!---#### If the user submits a bad login, display a friendly message ####--->
<cfif IsDefined('REQUEST.badlogin')><span style="color: red">Your login information was invalid!</span></cfif>
<!---#### Use cfform to provide client-side javascript validation on the user name form field. ####--->
<cfform action="LoginCheck.cfm" name="loginForm" method="post">
<table border="0">
	<td>User Name:</td>
	<td><cfinput type="text" name="UserName" message="You must enter a user name!" required="yes"></td>
	  <span class="style1">Case Sensitive</span></td>
	<td><cfinput type="password" name="UserPassword" message="You must enter a password!" required="yes"></td>
	<td> </td>
	<td><input type="reset"> | <input type="submit" name="logon" value="Login"></td>

Login check:
<!--- Make sure we have Login name and Password--->  
<cfparam name="FORM.UserName" type="string">
<cfparam name="FORM.UserPassword" type="string">

<!--- Find record with this Username/Password --->
<!--- If no rows returned, password not valid --->
<cfquery name="getUser" datasource="Users">
 SELECT aUser, pword, role, nickname, first_login, proofer_fields, coder_fields
 FROM login
 WHERE aUser LIKE '#FORM.UserName#'
 AND pword LIKE '#FORM.UserPassword#'

<!--- If the username and password are correct --->

<cfif getUser.recordCount eq 1>

 <!--- Remember users logged-in status--->

 <cflock timeout=20 scope="Session" type="exclusive">
	 <cfoutput query="getUser">
	 <cfset SESSION.auth = structNew()>	 
	 <cfloginuser name="#aUser#" password="#pword#" roles="#role#">
	 <cfset SESSION.auth.isLoggedIn = "Yes">
 <!--- Now that user is logged in, send them --->
 <!--- to whatever page makes sense to start --->
 <cflocation url="index.cfm">
	<cfset REQUEST.badlogin = "true">
	<cfinclude template="loginForm.cfm"><cfabort>

To me it is pretty straight forward, and I do not see why the error occurs. What is more confusing is it does not have an error every time, only "sometimes" and seems to be only on my computer. At least it seems to happen to me more than anyone else.

Is there a workaround? An idea?

While typing this out I had a user logged in using another browser, I came back to that browser after submitting the above post. I logged out to check to see if I would get the error when I logged back using a different user name/password. I did. Below is the full error message:

The system has attempted to use an undefined value, which usually indicates a programming error, either in your code or some system code. 
Null Pointers are another name for undefined values.  
The error occurred in /var/www/html/***********/LoginCheck.cfm: line 22
20 :  FROM login
21 :  WHERE aUser LIKE '#FORM.UserName#'
22 :  AND pword LIKE '#FORM.UserPassword#'
23 : </cfquery>
24 : 

Below is the code I use to log users out:
<cflock timeout=20 scope="Session" type="exclusive">

   <cfset StructDelete(Session, "auth")>
   <cfset StructDelete(Session, "sessionid")>
   <cfset StructDelete(Session, "urltoken")>
   <cflocation url="index.cfm"><cfabort>

Could this be the cause of all my problems??????

This post has been edited by wblakenc: 30 July 2008 - 06:37 AM

Is This A Good Question/Topic? 0
  • +

Page 1 of 1