[SleepingInChapel]

Is there a better way to add exceptions to a secure application so users do not have to log in before they access certain pages? I'm actually using CGI properties right now to accomplish this, and if possible I'd rather have a native ColdFusion way to do it.

Here's what I currently have in Application.cfm:

<!--- right() starts reading a substring from the right side of the URL. --->

<CFIF NOT (right(CGI.SCRIPT_NAME, 10) EQ "/login.cfm" OR right(CGI.SCRIPT_NAME, 13) EQ "/login_do.cfm" OR right(CGI.SCRIPT_NAME, 16) EQ "/GeneralView.cfm" OR right(CGI.SCRIPT_NAME, 11) EQ "/logout.cfm")>

It's getting kind of messy because there are several more pages I need to add as exceptions.

[f150b0508]

SleepingInChapel, on 5 Jan, 2009 - 08:24 AM, said:

Is there a better way to add exceptions to a secure application so users do not have to log in before they access certain pages? I'm actually using CGI properties right now to accomplish this, and if possible I'd rather have a native ColdFusion way to do it.

Here's what I currently have in Application.cfm:

<!--- right() starts reading a substring from the right side of the URL. --->

<CFIF NOT (right(CGI.SCRIPT_NAME, 10) EQ "/login.cfm" OR right(CGI.SCRIPT_NAME, 13) EQ "/login_do.cfm" OR right(CGI.SCRIPT_NAME, 16) EQ "/GeneralView.cfm" OR right(CGI.SCRIPT_NAME, 11) EQ "/logout.cfm")>

It's getting kind of messy because there are several more pages I need to add as exceptions.

I use a few custom coded pages to check a login or not and keep the user logged in. Feel free to use it, it works great for me! If you want a page to be password protected you simply add this code at the top of the page <cf_gatekeeper>. I usually always use a database that has the fields login, password. That way I never change the code below except for the datasource and table name in the authenticate.cfm and Application.cfm file.

Here are the page names and the code that goes along with it.

Application.cfm

<!--- Application Settings --->
<cfapplication name="Your name here" 
sessionmanagement="yes" 
SESSIONTIMEOUT="#CreateTimeSpan(0, 0, 30, 0)#" 
setclientcookies="Yes">

<!--- Application Variables --->
<cfparam name="application.ds" default="datasourcename">

<!--- Look / Feel Configuration --->		
<cfparam name="application.textFieldSize" default="25">
<cfparam name="application.textMaxLength" default="25">

<!--- Special Case Variables --->
<cfparam name="application.passwordLength" default="6">

authenticate.cfm

<cftry>
 
 <cfif isdefined("attributes.login") AND isdefined("attributes.password")>

	<cfquery name="qGetUser" datasource="yourdb">
		select login from passwords
		where login 	= '#attributes.login#'
		and password 	= '#attributes.password#'
	</cfquery>



	<cfif qGetUser.recordcount eq 1>
	
		<cfset session.login = "true">
		<cfset session.user.name = qGetUser.login>
		<cfset caller.cf_authenticate = "success">
	

	<cfelse>
		<cfset caller.cf_authenticate = "failure">
	</cfif>
 <cfelse>
 	<cfset caller.cf_authenticate = "failure">
 </cfif>
 
 <cfcatch type="any">
 	<cfset caller.cf_authenticate = "failure">
 </cfcatch>
 </cftry>

gatekeeper.cfm

<cfif isdefined("session.login")>
	<cfif session.login neq "true">
		<cf_keymaster>
		<cfabort>
	</cfif>
<cfelse>
	<cf_keymaster>
	<cfabort>
</cfif>

keymaster.cfm

<cfif isdefined("form.keymaster")>
	<cfif form.keymaster eq "authenticate">
		<cfif isdefined("form.login") AND isdefined("form.password")>
			<cf_authenticate login="#form.login#" password="#form.password#">
			<cfif cf_authenticate eq "success">
				<cfinclude template="#getFileFromPath(cgi.script_name)#">
			<cfelseif cf_authenticate EQ "failure">
<cfoutput>
<font face="times,new roman" size="3"><center><strong>Admin</strong></center></font>
<form action="#getFileFromPath(cgi.script_name)#" method="POST">
<br><br><br><table align="center" cellpadding="2" cellspacing="0" border="0">
 <tr>
  <td align="center" valign="middle" colspan="2">
   <font face="verdana, arial" size="2" color="red"><strong>Invalid username or password</strong></font></td>
 </tr>
 <tr>
  <td align="left" valign="middle">
   <font face="verdana, arial" size="1" color="##000000"><strong>Username:</strong></font></td>
  <td align="right" valign="middle">
   <input type="text" value="#form.login#" name="login" size="#application.textFieldSize#" maxlength="#application.textMaxLength#"></td>
 </tr>
 <tr>
  <td align="left" valign="middle">
   <font face="verdana, arial" size="1" color="##000000"><strong>Password:</strong></font></td>
  <td align="right" valign="middle">
   <input type="password" name="password" size="#application.textFieldSize#" maxlength="#application.textMaxLength#"></td>
 </tr>
 <tr>
  <td><font face="verdana, arial" size="1" color="##000000"><strong> </strong></font></td>
  <td align="center" valign="middle">
   <input type="hidden" name="keymaster" value="authenticate">
   <input type="submit" value="	 Log in	 "></td>
 </tr>
</table>	
</form>
</cfoutput>
			</cfif>
		</cfif>
	</cfif>
<cfelse>
<cfoutput>
<font face="times,new roman" size="3"><center><strong>Admin</strong></center></font>
<form action="#getFileFromPath(cgi.script_name)#" method="POST">
<br><br><br><table align="center" cellpadding="2" cellspacing="0" border="0">

 <tr>
  <td align="left" valign="middle">
   <font face="verdana, arial" size="1" color="##000000"><strong>Username:</strong></font></td>
  <td align="right" valign="middle">
   <input type="text" name="login" size="#application.textFieldSize#" maxlength="#application.textMaxLength#"></td>
 </tr>
 <tr>
  <td align="left" valign="middle">
   <font face="verdana, arial" size="1" color="##000000"><strong>Password:</strong></font></td>
  <td align="right" valign="middle">
   <input type="password" name="password" size="#application.textFieldSize#" maxlength="#application.textMaxLength#"></td>
 </tr>
 <tr>
  <td><font face="verdana, arial" size="1" color="##000000"><strong> </strong></font></td>
  <td align="center" valign="middle">
   <input type="hidden" name="keymaster" value="authenticate">
   <input type="submit" value="	 Log in	 "></td>
 </tr>
</table>	
</form>
</cfoutput>
</cfif>

Just create those pages and put them into the folder containing the files you want to password protect. Then add <cf_gatekeeper> to the very top of pages you want protected. If you don't need a page protected don't add the <cf_gatekeeper> Let me know if that helps you, or if you have any questions.

This post has been edited by f150b0508: 15 January 2009 - 07:47 AM

[Craig328]

Well, without getting specific, may I ask what version of CF are you running your code against? If it's a more recent edition you can use Application.cfc instead of Application.cfm.

Application.cfc has a number of advantages over .cfm and one of those is the use of the onRequest method. You could do your entire login check versus certain pages there before the requested page is even executed. It's a very handy addition to CFML and I can't imagine working on a CF app these days using application.cfm.

Try this URL (Adobe CFMX7 Docs) to give you a quick guide on how to use the CFC.

Good luck!

[SleepingInChapel]

I'm using ColdFusion 8 and frankly, I've never heard of Application.cfc before. Thanks, I'll take a look.