On 8/20/06, Jochem van Dieten <[EMAIL PROTECTED]> wrote:
>
> Crow T. Robot wrote:
> > 4) Jochem, what is supposed to happen if they don't have an allowed IP, a
> > javascript alert is displayed, then when they click "OK", they are
> > redirected to the index page of the main site. What is/was happening is
> > they were just being allowed to see the Word doc as if they were IP
> > authenticated (ie, a "member" of the site).
>
> Any authentication method involving javascript is hard to do right. What
> happens if the user doesn't have javascript enabled?

Yea, good point. Not sure why I didn't catch that and add in the cfabort.
It should be known that the window.location was there, I just failed to put
it into the email. That's the problem with not copying/pasting your code
directly, things get left out. Thanks. I totally understand using js as an
auth scheme sucks.

> > in application.cfm (pseudocode, since I'm at home right now and don't have
> > the access to the server at the moment.)
> >
> > <cfquery name="qry_ck_IP">
> > SELECT IP
> > FROM IP_LCK
> > WHERE user_IP = <cfqueryparam value="#IP#" cfsqltype="cf_sql_varchar">
> > </cfquery>
> >
> > <cfif qry_ck_IP.RecordCount EQ 0>
> > <script type="text/javascript">
> > alert("You are not allowed be here. Get out");
> > </script>
> > <cfflush>
> > </cfif>
>
> This is not good. What happens if somebody has javascript disabled?
>
>
> > This seems to work. Taking out the cfflush "breaks" my authentication
> > scheme.
>
> Your authentication scheme is broken anyway. Taking out the cfflush just
> makes it more visible that it is broken.
>
>
> What you need is to stop the execution of the page if the user is not
> authenticated. The only correct solution for that is cfabort:
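> <!--- Bind the address as a parameter; cf_sql_varchar assumes user_IP is a character column --->
> <cfquery name="qry_ck_IP">
> SELECT IP
> FROM IP_LCK
> WHERE user_IP = <cfqueryparam value="#IP#" cfsqltype="cf_sql_varchar">
> </cfquery>
>
> <cfif qry_ck_IP.RecordCount NEQ 1>
> <script type="text/javascript">
> alert("You are not allowed be here. Get out");
> window.location = 'http://www.disney.com/';
> </script>
> <!--- Stop processing here so nothing after the check is sent to the client --->
> <cfabort>
> </cfif>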
>
> Jochem
>
>
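The difference between the two versions discussed in this thread can be checked from the client side. The following is an added example, not code from the thread: it models both gates as small Python WSGI apps and requests them as a client that never executes script. The allow-list, addresses, marker string, function names and the 403 status are assumptions of this example.

```python
"""Added example: a JavaScript alert/redirect is not an access check."""
from wsgiref.util import setup_testing_defaults

ALLOWED_IPS = {"192.0.2.10"}          # constructed allow-list (stands in for IP_LCK)
PROTECTED = b"MEMBERS-ONLY DOCUMENT"  # constructed stand-in for the Word doc
DENY_JS = (b'<script>alert("Not allowed.");'
           b'window.location = "/";</script>')


def gate_js_only(environ, start_response):
    """Mirrors the original scheme: emit the script, then keep rendering."""
    start_response("200 OK", [("Content-Type", "text/html")])
    body = []
    if environ["REMOTE_ADDR"] not in ALLOWED_IPS:
        body.append(DENY_JS)      # only a browser acts on this; the server carries on
    body.append(PROTECTED)
    return body


def gate_abort(environ, start_response):
    """Mirrors the cfabort fix: the denied branch ends the response."""
    if environ["REMOTE_ADDR"] not in ALLOWED_IPS:
        # 403 is this example's choice; the thread's fix only aborts.
        start_response("403 Forbidden", [("Content-Type", "text/html")])
        return [DENY_JS]          # nothing after the check is sent
    start_response("200 OK", [("Content-Type", "text/html")])
    return [PROTECTED]


def fetch_without_js(app, remote_addr):
    """Act as a client that never runs script: return (status, raw body)."""
    environ = {"REMOTE_ADDR": remote_addr}
    setup_testing_defaults(environ)   # fills in the remaining WSGI keys
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    body = b"".join(app(environ, start_response))
    return seen["status"], body


def leaks_protected_content(app, remote_addr):
    """True if a non-JavaScript client at remote_addr receives the document."""
    _, body = fetch_without_js(app, remote_addr)
    return PROTECTED in body


if __name__ == "__main__":
    for app in (gate_js_only, gate_abort):
        print(app.__name__, "leaks to 203.0.113.5:",
              leaks_protected_content(app, "203.0.113.5"))
```

The same check works against a real page: request it from a non-allowed address with a client that ignores script, and look for protected content in the raw response body.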
Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:250403