Crow T. Robot wrote:
> 4) Jochem, what is supposed to happen if they don't have an allowed IP, a
> javascript alert is displayed, then when they click "OK", they are
> redirected to the index page of the main site. What is/was happening is
> they were just being allowed to see the Word doc as if they were IP
> authenticated (ie, a "member" of the site).

Any authentication method involving JavaScript is hard to do right. What
happens if the user doesn't have JavaScript enabled?

> in application.cfm (pseudocode, since I'm at home right now and don't have
> the access to the server at the moment.)
>
> <cfquery name="qry_ck_IP">
> SELECT IP
> FROM IP_LCK
> WHERE user_IP = #IP#
> </cfquery>
>
> <cfif qry_ck_IP.RecordCount EQ 0>
> <javascript>
> alert("You are not allowed be here. Get out");
> </javascript>
> <cfflush>
> </cfif>

This is not good. What happens if somebody has JavaScript disabled?

> This seems to work. Taking out the cfflush "breaks" my authentication
> scheme.

Your authentication scheme is broken anyway. Taking out the cfflush just makes
it more visible that it is broken.

What you need is to stop the execution of the page if the user is not
authenticated. The only correct solution for that is cfabort:

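<cfquery name="qry_ck_IP">
SELECT IP
FROM IP_LCK
WHERE user_IP = <cfqueryparam value="#IP#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfif qry_ck_IP.RecordCount NEQ 1>
<script type="text/javascript">
alert("You are not allowed be here. Get out");
window.location = 'http://www.disney.com/';
</script>
<!--- Stop processing here so the rest of the page is never sent --->
<cfabort>
</cfif>
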
Jochem
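
A deny path that does not depend on the browser running any script, as an added example that is not part of the original post. The datasource name `myDSN`, the `/index.cfm` link target and the use of `CGI.REMOTE_ADDR` in place of the thread's `#IP#` variable are assumptions.

```cfml
<!--- Application.cfm (added example): runs before the requested template --->

<!--- Assumption: the address to check is the one the web server reports.
      Behind a proxy this is the proxy's address, not the visitor's. --->
<cfset clientIP = CGI.REMOTE_ADDR>

<!--- IP_LCK and user_IP are the table and column named in the thread.
      "myDSN" is a placeholder datasource name. --->
<cfquery name="qry_ck_IP" datasource="myDSN">
    SELECT user_IP
    FROM IP_LCK
    WHERE user_IP = <cfqueryparam value="#clientIP#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfif qry_ck_IP.RecordCount EQ 0>
    <!--- Set the status before any output is sent, so clients, proxies
          and logs all record the refusal. --->
    <cfheader statuscode="403" statustext="Forbidden">
    <html>
    <head><title>Access denied</title></head>
    <body>
        <p>This address is not allowed to view this page.</p>
        <!--- A plain link works with scripting disabled. --->
        <p><a href="/index.cfm">Return to the main site</a></p>
    </body>
    </html>
    <!--- Enforcement happens here, on the server: nothing after this tag
          runs, so the requested template is never rendered. --->
    <cfabort>
</cfif>
```

The alert and redirect from the thread can still be added inside the denied branch as a convenience, but the decision to withhold the page is made by `<cfabort>`, not by the browser.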
Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:250396