Adobe ColdFusion 8

Example: securitytest.cfm

The securitytest.cfm page shows how any application page can use ColdFusion user authorization features. The web server ensures that an authenticated user exists, and the Application.cfc page ensures that the user has been assigned roles before the page content appears. The securitytest.cfm page uses the IsUserInRole and GetAuthUser functions to control the information that is displayed.

The securitytest.cfm page consists of the following:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
    <title>Basic authentication security test page</title>
</head>

<body>
<cfoutput>
    <h2>Welcome #GetAuthUser()#!</h2>
</cfoutput>

ALL Logged-in Users see this message.<br>
<br>
<cfscript>
    if (IsUserInRole("admin"))
        WriteOutput("Users in the admin role see this message.<br><br>");
    if (IsUserInRole("user"))
        WriteOutput("Everyone in the user role sees this message.<br><br>");
</cfscript>

</body>
</html>

Reviewing the code

The following table describes the securitytest.cfm page CFML code and its function:

Code:
    <cfoutput> <h2>Welcome #GetAuthUser()#!</h2> </cfoutput>
Description:
    The user is already logged in by Application.cfc. Displays a welcome message that includes the user's login ID.

Code:
    ALL Logged-in Users see this message.<br> <br>
Description:
    Displays this message in all cases. The page does not display until a user is logged in.

Code:
    <cfscript>
        if (IsUserInRole("admin"))
            WriteOutput("Users in the admin role see this message.<br><br>");
        if (IsUserInRole("user"))
            WriteOutput("Everyone in the user role sees this message.<br><br>");
    </cfscript>
Description:
    Tests whether the user belongs to each of the valid roles. If the user is in a role, displays a message with the role name. The user sees one message per role to which the user belongs.

Application-based user security example

The example in this section shows how you might implement user security by authenticating users and then allowing users to see or use only the resources that they are authorized to access.

This example has three ColdFusion pages:

  • The Application.cfc page contains the authentication logic that checks whether a user is logged in, requests the login page if the user is not logged in, and authenticates the data from the login page. If the user is authenticated, it logs the user in.

    This page also includes the one-button form and logic for logging out a user, which appears at the top of each page.

  • The loginform.cfm page displays the login form. The code on this page could also be included in Application.cfc.
  • The securitytest.cfm page is a sample application page. It displays the logged-in user's roles.

You can test the security behavior by adding your own pages to the same directory as the Application.cfc page.

The example gets user information from the LoginInfo table of the cfdocexamples database that is installed with ColdFusion. You can replace this database with any database containing UserID, Password, and Roles fields. The sample database contains the following data:

UserID     Password   Roles
BobZ       Ads10      Employee,Sales
JaniceF    Qwer12     Contractor,Documentation
RandalQ    ImMe       Employee,Human Resources,Manager

Because spaces are meaningful in roles strings, you should not follow the comma separators in the Roles fields with spaces.
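The following Application.cfc is an added illustration of the authentication logic described above, written for this page and not the code shipped with the ColdFusion documentation. It assumes the cfdocexamples datasource and LoginInfo table from the sample data, a loginform.cfm that posts the j_username and j_password fields that cflogin expects, and an application name of securityTestExample; the roles attribute of cfloginuser is taken directly from the comma-separated Roles column, which is why that column must not contain spaces after the commas.

```cfml
<cfcomponent>
    <!--- Application settings (assumed name); login state is kept in the session --->
    <cfset This.name = "securityTestExample">
    <cfset This.sessionManagement = "True">
    <cfset This.loginStorage = "session">

    <cffunction name="onRequestStart" returnType="boolean">
        <cfargument name="targetPage" type="string" required="true">

        <!--- One-button logout form, submitted from the top of any page --->
        <cfif IsDefined("Form.logout")>
            <cflogout>
        </cfif>

        <!--- cflogin runs only while no user is logged in. The cflogin structure
              exists once loginform.cfm has posted j_username and j_password --->
        <cflogin>
            <cfif NOT IsDefined("cflogin")>
                <cfinclude template="loginform.cfm">
                <cfabort>
            <cfelse>
                <!--- Look up the user; cfqueryparam keeps form input out of the SQL text --->
                <cfquery name="loginQuery" datasource="cfdocexamples">
                    SELECT UserID, Roles
                    FROM LoginInfo
                    WHERE UserID = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
                      AND Password = <cfqueryparam value="#cflogin.password#" cfsqltype="cf_sql_varchar">
                </cfquery>
                <cfif loginQuery.recordCount EQ 1>
                    <!--- Roles come straight from the comma-separated Roles column --->
                    <cfloginuser name="#loginQuery.UserID#"
                                 password="#cflogin.password#"
                                 roles="#loginQuery.Roles#">
                <cfelse>
                    <cfoutput><h2>Your login information is not valid.</h2></cfoutput>
                    <cfinclude template="loginform.cfm">
                    <cfabort>
                </cfif>
            </cfif>
        </cflogin>

        <!--- Logout button that appears at the top of each page --->
        <cfoutput>
            <form action="#CGI.SCRIPT_NAME#" method="post">
                <input type="submit" name="logout" value="Logout">
            </form>
        </cfoutput>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

With this in place, a request for securitytest.cfm by RandalQ passes the IsUserInRole("Manager") check, whereas a Roles value of "Employee, Manager" would assign the role " Manager" and the check would fail.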