One theory on security is that you should not tell the user the reason you could not
verify their information.
   "Aha," says the hacker. "I just found out a valid username."

   That aside... I'm not seeing too much wrong with the code.  Since you are using the
CFPARAM tag, you should not be experiencing a reset (as suggested below).

    If I wanted to take a guess:

     I would check the values of CGI.SCRIPT_NAME to make sure that they are actually
"LOGIN.CFM" or "RESULTS.CFM". If you are not in the root directory of your web server,
they will contain the full path, relative to the root directory of your server (at least
that is what Apache does).

     Is the CGI.SCRIPT_NAME variable set before the page runs?

     I would set my efforts there.


Bryan LaPlante wrote:

> Suggestion here, not sure if it will solve your problem. It looks like
> application.cfm is resetting the session.LoggedIn to false every time it
> loads. You might want to only declare it in the application.cfm file and
> then only change it in the login form. Another thing to consider is when you
> offer the login form from the application.cfm file try using cfinclude
> index.cfm and then cfabort to avoid changing the session.LoggedIn variable
> before the username/password is submitted.
>
> When I build a secure login I wrap the cfinclude to the login page with a
> condition that looks for NOT isDefined("session.LoggedIn") and then offers
> the login form and aborts processing. That way next run of the page after
> the login form has queried the datasource and set the session.logged in var
> the login form will not be offered.
>
> Sometime when you're not so tired go and read the docs on the security manager
> I built. I found a way to use two custom tags and never have to write that
> security code again and again. The security manager comes with a user
> manager that can be delivered to your clients to utilize security in their
> own site.
> Go to http://www.netwebapps.com/remotedev2001/index.htm and click on the
> documentation tab, see security help item.
>
> ----- Original Message -----
> From: "Wayne Putterill" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Sunday, February 18, 2001 12:40 PM
> Subject: Help! have to login twice?
>
> > It's 6.30 on a Sunday night, my brain is fried and I need help to spot an
> > error, otherwise the Allaire Demon will haunt my sleep tonight ;)
> >
> > I am trying to get a login system working reusing some code from another
> > site, I think it was originally from a tutorial somewhere, it works but
> > always throws out the first attempt to login - i.e. you put in a correct
> > username & password and it rejects them, enter again and no problem, you
> > are logged in.
> >
> > There are three pages involved -
> >
> > index.htm
> >
> > Just a form which calls results.cfm with userid and password
> >
> > results.cfm
> >
> > <cflock timeout="2" throwontimeout="No" type="EXCLUSIVE" scope="SESSION">
> > <CFSET Session.LoggedIn = FALSE>
> > </cflock>
> >
> > <CFQUERY name="CheckUser" datasource="interlink">
> > SELECT loginid, password, name, company_id, email
> > FROM members
> > WHERE loginid = '#Form.UserID#'
> > </CFQUERY>
> >
> > <CFIF CheckUser.RecordCount GREATER THAN 0>
> >  <CFIF CheckUser.password IS Form.PassWord>
> >   <cflock timeout="2" throwontimeout="No" type="EXCLUSIVE" scope="SESSION">
> >   <CFSET Session.LoggedIn = TRUE>
> >   <CFSET Session.UserID = CheckUser.loginid>
> >   <CFSET Session.Username = CheckUser.name>
> >   <CFSET Session.member_id = CheckUser.company_id>
> >   <CFSET Session.email = CheckUser.email>
> >   </cflock>
> >  <CFELSE>
> >   <CFSET Reason = "the password you\'ve typed is invalid. Try again">
> >  </CFIF>
> > <CFELSE>
> >  <CFOUTPUT>
> >   <CFSET Reason = 'I could not find a user named #Form.UserID# here.'>
> >  </CFOUTPUT>
> > </CFIF>
> >
> > <CFIF Session.LoggedIn>
> >  <SCRIPT LANGUAGE="JavaScript">self.location ='members.cfm';</SCRIPT>
> > <CFELSE>
> >  <CFOUTPUT>
> >   <SCRIPT>alert("Sorry!  Your login was unsuccessful because #Reason#");
> >   self.location="index.htm"; </SCRIPT>
> >  </CFOUTPUT>
> > </CFIF>
> >
> >
> > application.cfm
> >
> > <CFAPPLICATION NAME="memberslogin" SESSIONMANAGEMENT="Yes"
> > SESSIONTIMEOUT="#CreateTimeSpan(0,0,15,0)#"
> > APPLICATIONTIMEOUT="#CreateTimeSpan(0,0,15,0)#">
> >
> > <cflock timeout="2" throwontimeout="No" type="EXCLUSIVE" scope="SESSION">
> >  <CFPARAM name="session.LoggedIn" DEFAULT="FALSE">
> > </cflock>
> >
> > <cfoutput>
> >  <CFIF #session.LoggedIn# IS "FALSE">
> >   <CFIF (CGI.SCRIPT_NAME IS NOT "index.htm" AND CGI.SCRIPT_NAME IS NOT "results.cfm")>
> >    <SCRIPT LANGUAGE="JavaScript">alert("The system has detected an invalid login. You will be prompted for your login/password again.");
> >    self.location ='index.htm';
> >    </SCRIPT>
> >   </CFIF>
> >  </CFIF>
> > </cfoutput>
> >
> > I just know this is going to be a "Doh!" moment, but thanks in advance to
> > anyone who can slap me on the head and point out to me where I am making a
> > fool of myself.
> >
> > Wayne Putterill
> > [EMAIL PROTECTED]
> >
> >
> >
>
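As an added example (not code from this thread, and not Wayne's or Bryan's), here is how results.cfm and the application.cfm guard above could be rewritten to address the two points raised in the reply: one generic failure message, so a wrong username and a wrong password are indistinguishable to a caller, and a check on the script's file name rather than on the whole CGI.SCRIPT_NAME path, which carries the directory from the web root. The datasource name "interlink", the "members" table and its columns, and the session variable names are taken from the original post; everything else is an assumption of this example: that the stored password is a Hash() digest rather than plaintext (Hash() is MD5 in ColdFusion of that era and is only used to show the shape of the comparison; a purpose-built password hash is preferable), the use of cfqueryparam so a quote in the username cannot alter the SQL, Compare() instead of IS so the password check is case-sensitive, and cflocation instead of a client-side script for the redirect. The CFAPPLICATION and CFPARAM lines of application.cfm stay exactly as posted and are not repeated here.

```cfml
<!--- results.cfm (added example; assumes the "members" table and the
      "interlink" datasource from the original post) --->
<cflock scope="SESSION" type="EXCLUSIVE" timeout="2" throwontimeout="No">
  <cfset Session.LoggedIn = FALSE>
</cflock>

<!--- cfqueryparam binds Form.UserID as a bound parameter instead of pasting it
      into the SQL string, so a quote in the username cannot change the query --->
<cfquery name="CheckUser" datasource="interlink">
  SELECT loginid, password, name, company_id, email
  FROM members
  WHERE loginid = <cfqueryparam value="#Form.UserID#" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- Assumption of this example: members.password holds Hash(plaintext), not the
      plaintext itself. Compare() is case-sensitive, whereas IS (used in the
      original post) is not, so "Secret" would otherwise match "secret".
      An unknown user and a wrong password both leave LoginOK false and fall
      through to the same message, so the response reveals neither. --->
<cfset LoginOK = FALSE>
<cfif CheckUser.RecordCount EQ 1
      AND Compare(CheckUser.password, Hash(Form.PassWord)) EQ 0>
  <cfset LoginOK = TRUE>
</cfif>

<cfif LoginOK>
  <cflock scope="SESSION" type="EXCLUSIVE" timeout="2" throwontimeout="No">
    <cfset Session.LoggedIn = TRUE>
    <cfset Session.UserID = CheckUser.loginid>
    <cfset Session.Username = CheckUser.name>
    <cfset Session.member_id = CheckUser.company_id>
    <cfset Session.email = CheckUser.email>
  </cflock>
  <cflocation url="members.cfm" addtoken="No">
<cfelse>
  <!--- One message for every failure, and the submitted username is not
        echoed back into the page --->
  <cfoutput>
    <script>alert("Sorry! Your login was unsuccessful: invalid username or password.");
    self.location = "index.htm";</script>
  </cfoutput>
</cfif>


<!--- application.cfm guard (added example); goes after the CFAPPLICATION and
      CFPARAM lines from the original post. CGI.SCRIPT_NAME is the path from
      the web root, e.g. "/members/results.cfm", so it never equals the bare
      "results.cfm"; ListLast() keeps only the file name for the comparison. --->
<cflock scope="SESSION" type="READONLY" timeout="2" throwontimeout="No">
  <cfset IsLoggedIn = Session.LoggedIn>
</cflock>
<cfset ThisPage = LCase(ListLast(CGI.SCRIPT_NAME, "/"))>
<cfif NOT IsLoggedIn AND ThisPage NEQ "index.htm" AND ThisPage NEQ "results.cfm">
  <cflocation url="index.htm" addtoken="No">
</cfif>
```

With the file-name comparison in place, a first POST to results.cfm is no longer bounced by application.cfm before the credentials are checked, which is the "login twice" symptom the reply above attributes to the full path in CGI.SCRIPT_NAME. The single failure message means an attacker who tries a list of usernames gets the same response for "no such user" and "wrong password", so the login form stops confirming which accounts exist.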
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
