Adobe ColdFusion 8

Modifying the login code for your application

The Login Wizard creates a basic framework for authenticating a user. You must customize this framework to meet your application's needs. Typical security-related changes include the following:

  • Providing user-specific role information in the cflogin tag
  • Authenticating users against a database

Providing user-specific role information

The Login Wizard sets all users in a single role. In mm_wizard_authenticate.cfc, the performlogin method is hard-coded to set the role to "user." The authentication routines handle roles differently. (For the details, see the mm_wizard_authenticate.cfc code.) If your application uses roles for authorization, you must change the authentication method to get and return valid role information, and change the performlogin method to use the information in the roles attribute of its cfloginuser tag.

Authenticating users against a database

If you use a database to maintain user IDs and passwords, you can create your login framework by specifying simple authentication and then modify the generated code to use the database. The following instructions describe a simple way to change the code to use a database. They do not include all the cleanup work that you should do for a well-formed application (in particular, removing the hard-coded user name and password).

Replace the following code:

<cfif sUserName eq uUserName AND sPassword eq uPassword>
    <cfset retargs.authenticated="YES">
<cfelse>
    <cfset retargs.authenticated="NO">
</cfif>
<cfreturn retargs>

With code similar to the following:

<cfquery name="loginQuery" dataSource="#Application.DB#">
    SELECT *
    FROM Users
    <!--- cfqueryparam binds both values as query parameters, so the submitted
          user name and password are never interpolated into the SQL text --->
    WHERE UserName = <cfqueryparam value="#uUserName#" cfsqltype="CF_SQL_VARCHAR">
        AND password = <cfqueryparam value="#uPassword#" cfsqltype="CF_SQL_VARCHAR">
</cfquery>

<cfif loginQuery.recordcount gt 0>
    <cfset retargs.authenticated="YES">
    <cfset retargs.roles=loginQuery.roles>
<cfelse>
    <cfset retargs.authenticated="NO">
</cfif>
<cfreturn retargs>
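As an added example (not the Login Wizard's generated code and not from the Adobe documentation), the following Application.cfc combines the two changes described above: it looks the user up in the database and feeds the Roles column of the matching row into the roles attribute of cfloginuser instead of the hard-coded "user" role. It assumes a Users table with columns UserName, PasswordHash, Salt and Roles (a comma-delimited list such as "user,administrator"), a datasource named myDataSource, and passwords stored as a SHA-256 hash of the salt concatenated with the password rather than in clear text.

```cfml
<!--- Application.cfc: added example, not wizard-generated code. Assumed schema:
      Users(UserName, PasswordHash, Salt, Roles); PasswordHash = Hash(Salt & password, "SHA-256") --->
<cfcomponent>
    <cfset this.name = "dbLoginExample">
    <cfset this.sessionManagement = true>
    <cfset this.loginStorage = "session">
    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <cfset Application.DB = "myDataSource"> <!--- assumed datasource name --->
        <cfreturn true>
    </cffunction>
    <cffunction name="authenticateUser" access="private" returntype="struct" output="false">
        <cfargument name="uUserName" type="string" required="true">
        <cfargument name="uPassword" type="string" required="true">
        <cfset var retargs = StructNew()>
        <cfset var loginQuery = "">
        <cfset retargs.authenticated = "NO">
        <cfset retargs.roles = "">
        <!--- Look the user up by name only; the submitted password is never placed in the SQL --->
        <cfquery name="loginQuery" datasource="#Application.DB#">
            SELECT PasswordHash, Salt, Roles
            FROM Users
            WHERE UserName = <cfqueryparam value="#arguments.uUserName#" cfsqltype="cf_sql_varchar">
        </cfquery>
        <!--- Recompute the salted hash in CFML and require exactly one matching row.
              CFML's eq compares strings case-insensitively, so hex case does not matter --->
        <cfif loginQuery.recordCount eq 1
              AND Hash(loginQuery.Salt & arguments.uPassword, "SHA-256") eq loginQuery.PasswordHash>
            <cfset retargs.authenticated = "YES">
            <cfset retargs.roles = loginQuery.Roles>
        </cfif>
        <cfreturn retargs>
    </cffunction>
    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var authResult = "">
        <cflogin>
            <!--- cflogin is populated from the login form fields or the Authorization header --->
            <cfif IsDefined("cflogin")>
                <cfset authResult = authenticateUser(cflogin.name, cflogin.password)>
                <cfif authResult.authenticated eq "YES">
                    <!--- Roles come from the user's database row, not a hard-coded "user" --->
                    <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#authResult.roles#">
                </cfif>
            </cfif>
        </cflogin>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Pages in the same directory can then check authorization with IsUserInRole("administrator") and get the login name with GetAuthUser().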

Web server-based authentication user security example

The example in this section shows how you might implement user security using web-server-based basic authentication and two roles, user and administrator.

This example has two ColdFusion pages:

  1. The Application.cfc page logs the user into the ColdFusion security system and assigns the user to specific roles based on the user's ID.

    This page also includes the one-button form and logic for logging out a user, which appears at the top of each page.

  2. The securitytest.cfm page is a sample application page. It displays the logged-in user's roles.

This simple example does not provide a user log-out interface. You can test the security behavior by adding your own pages to the same directory as the Application.cfc page.