Howdy,

I use the application.cfm file in the "admin" directory (one level down
from the application's root directory) to prevent unauthorized entry to
the admin section if the administrator isn't logged in. This has
satisfactorily worked for several applications I've built based on the
code below... until now.

I created a directory called "logs" under the admin directory and placed
a copy of a log analysis reports page in it for the client to review
their traffic stats. If I type the complete URL path
(http://www.domainnamehere.com/admin/logs/report.html) to the log
reports page in my browser without logging in as the site administrator,
it calls up the page without throwing me over to the login page first.

Any ideas where this is going wrong? Code follows:

Application.cfm:

<!--- declare application framework initial parameters --->
<!--- Include main application file --->
<cfinclude template="../application.cfm">

<!--- For starters, set client logged in to "false" --->
<cfparam name="Session.AdminLoggedIn" default=FALSE>
<cfparam name="Session.Goto" default="">

<!--- Install custom error pages --->
<CFERROR TYPE="REQUEST" TEMPLATE="../requesterr.cfm"
         MAILTO="[EMAIL PROTECTED]">
<CFERROR TYPE="VALIDATION" TEMPLATE="../validationerr.cfm">

<!--- If user is not yet logged in, and not currently on the login
      pages, redirect them there. --->
<cfif Not Session.AdminLoggedIn>
    <!--- Store the name of the page the user came from so they can return
          to it after login --->
    <cfset Session.Goto = CGI.SCRIPT_NAME>
    <cfif CGI.QUERY_STRING NEQ "">
        <cfset Session.Goto = CGI.SCRIPT_NAME & "?" & CGI.QUERY_STRING>
    </cfif>
    <cfif (CGI.SCRIPT_NAME IS NOT "/admin/login.cfm")
          AND (CGI.SCRIPT_NAME IS NOT "/admin/authenticate.cfm")>
        <cflocation url="/admin/login.cfm" addtoken="no">
    </cfif>
</cfif>

Thanks for any insight.
Chris Montgomery
=========================================================
astutia.com -> http://www.astutia.com [EMAIL PROTECTED]
Astute e-business applications & web site development
210-490-3249/888-745-7603 Fax 210-490-4692
Allaire Consulting Partner/Authorized NetObjects Reseller
Find a Job in San Antonio -> http://www.sajobnet.com
=========================================================
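
Added example, not part of the original post: the login check in Application.cfm runs only for requests the web server hands to ColdFusion, so this audit walks a protected directory and lists the files that would be served without it. The extension set, the function names and the sample file layout are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: only these extensions are mapped to the ColdFusion engine on the
# web server; every other file is served directly as static content.
CF_EXTENSIONS = {".cfm", ".cfml"}


def find_ungated_files(protected_root, cf_extensions=CF_EXTENSIONS):
    """Return relative paths under protected_root that the web server serves
    without ColdFusion, and therefore without running Application.cfm."""
    ungated = []
    for dirpath, _dirs, files in os.walk(protected_root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in cf_extensions:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, protected_root)
                ungated.append(rel.replace(os.sep, "/"))
    return sorted(ungated)


def build_sample_tree(root):
    """Constructed layout mirroring the post: admin/ with a logs/ subdirectory."""
    sample = ("Application.cfm", "login.cfm", "authenticate.cfm",
              "logs/report.html", "logs/chart.gif", "logs/index.cfm")
    for rel in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("")  # empty placeholder file


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as admin_dir:
        build_sample_tree(admin_dir)
        for rel in find_ungated_files(admin_dir):
            print("not covered by Application.cfm: /admin/" + rel)
```

Files the audit reports need either a web-server access rule on the directory or to be served through a .cfm template so the login check applies.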