The Login Wizard creates a basic framework for authenticating a user. You must customize this framework to meet your application's needs. Typical security-related changes include the following:
Providing user-specific role information
The Login Wizard places all users in a single role. In mm_wizard_authenticate.cfc, the performlogin method is hard-coded to set the role to "user." Each of the authentication routines handles roles in its own way (for details, see the mm_wizard_authenticate.cfc code). If your application uses roles for authorization, you must change the authentication method to retrieve and return valid role information, and change the performlogin method to pass that information in the roles attribute of its cfloginuser tag.
Authenticating users against a database
If you use a database to maintain user IDs and passwords, you can create your login framework by specifying simple authentication, and then modify the generated code to use the database. The following instructions describe a simple way to change the code to use a database. They do not include all the cleanup work (particularly removing the hard-coded user name and password) that you should do for a well-formatted application.
Replace the following code:
    <cfif sUserName eq uUserName AND sPassword eq uPassword>
        <cfset retargs.authenticated="YES">
    <cfelse>
        <cfset retargs.authenticated="NO">
    </cfif>
    <cfreturn retargs>
With code similar to the following:
    <cfquery name="loginQuery" datasource="#Application.DB#">
        SELECT *
        FROM Users
        WHERE UserName = <cfqueryparam value="#uUserName#" cfsqltype="CF_SQL_VARCHAR">
          AND Password = <cfqueryparam value="#uPassword#" cfsqltype="CF_SQL_VARCHAR">
    </cfquery>
    <cfif loginQuery.recordcount gt 0>
        <cfset retargs.authenticated="YES">
        <cfset retargs.roles=loginQuery.roles>
    <cfelse>
        <cfset retargs.authenticated="NO">
    </cfif>
    <cfreturn retargs>
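The two changes described above, combined into one component, as an added example rather than code generated by the Login Wizard: an authentication method that returns the user's roles from the database, and a performlogin method that passes those roles to cfloginuser instead of the hard-coded "user" role. The method name authenticateUser is an assumption (the wizard's own method name may differ); the Application.DB datasource, the Users table and its Roles column are taken from the example above.

```cfml
<!--- Added example: database-backed authentication that returns roles --->
<cfcomponent>
    <!--- Assumed method name; the wizard's own authentication method may be named differently --->
    <cffunction name="authenticateUser" access="private" returntype="struct">
        <cfargument name="uUserName" type="string" required="yes">
        <cfargument name="uPassword" type="string" required="yes">
        <cfset var retargs = structNew()>
        <cfset var loginQuery = "">
        <!--- Parameterized query: the user-supplied values are bound, never concatenated into the SQL --->
        <cfquery name="loginQuery" datasource="#Application.DB#">
            SELECT Roles
            FROM Users
            WHERE UserName = <cfqueryparam value="#arguments.uUserName#" cfsqltype="CF_SQL_VARCHAR">
              AND Password = <cfqueryparam value="#arguments.uPassword#" cfsqltype="CF_SQL_VARCHAR">
        </cfquery>
        <!--- Exactly one matching row is required; zero rows means bad credentials --->
        <cfif loginQuery.recordcount eq 1>
            <cfset retargs.authenticated = "YES">
            <!--- Roles column holds a comma-delimited list such as "user,administrator", as cfloginuser expects --->
            <cfset retargs.roles = loginQuery.Roles>
        <cfelse>
            <cfset retargs.authenticated = "NO">
            <cfset retargs.roles = "">
        </cfif>
        <cfreturn retargs>
    </cffunction>

    <!--- Must be called from inside a cflogin block, because cfloginuser only works there --->
    <cffunction name="performlogin" access="public" returntype="boolean">
        <cfargument name="uUserName" type="string" required="yes">
        <cfargument name="uPassword" type="string" required="yes">
        <cfset var retargs = authenticateUser(arguments.uUserName, arguments.uPassword)>
        <cfif retargs.authenticated eq "YES">
            <!--- Roles now come from the database instead of the hard-coded "user" value --->
            <cfloginuser name="#arguments.uUserName#" password="#arguments.uPassword#" roles="#retargs.roles#">
            <cfreturn true>
        </cfif>
        <cfreturn false>
    </cffunction>
</cfcomponent>
```

Pages that call IsUserInRole("administrator") will then see the roles stored in the Users table rather than the single wizard-assigned role.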
The example in this section shows how you might implement user security using web-server-based basic authentication and two roles, user and administrator.
This example has two ColdFusion pages:
This simple example does not provide a user log-out interface. You can test the security behavior by adding your own pages to the same directory as the Application.cfc page.