> > How can I ensure that someone could only access the admin page via
> > the login page?
>
> Doesn't the web application framework say to put the login stuff into an
> application.cfm? Thus ensuring it always gets called before a page is shown.
This is a trimmed-down version of how I secure a directory (more or less
exactly what Phoeun suggested).
In Application.cfm, default your session variables and do the security
checks:
<!--- session variables --->
<CFPARAM NAME="session.LoggedIn" DEFAULT="no">
....
<!--- Secures the /admin/ directory and its subdirectories --->
<CFIF cgi.SCRIPT_NAME CONTAINS "/admin/"
      AND cgi.SCRIPT_NAME IS NOT "/admin/index.cfm"
      AND cgi.SCRIPT_NAME IS NOT "/admin/validateuser.cfm"
      AND session.LoggedIn IS NOT "yes">
    <CFSET session.ErrorMessage = "You are not authorised to view this area of the website.">
    <CFLOCATION URL="/admin/index.cfm" ADDTOKEN="no">
</CFIF>
index.cfm has a login form and checks for the existence of the
session.ErrorMessage variable. If there is one, it displays and deletes it
(useful for setting an error message and throwing a user out of an area, in
case they bookmarked the URL like you suggested).
<CFIF IsDefined("session.ErrorMessage")>
    <P CLASS="error">#session.ErrorMessage#</P>
    <CFSET variables.Result = StructDelete(session, "ErrorMessage")>
</CFIF>
<FORM ACTION="/admin/validateuser.cfm" METHOD="post">
    Username: <INPUT TYPE="text" SIZE="15" NAME="Username"><BR>
    Password: <INPUT TYPE="password" SIZE="15" NAME="Password"><BR>
    <INPUT TYPE="submit" VALUE="Login">
</FORM>
validateuser.cfm handles the form checking to see if they have the correct
username / password combo:
<!--- If they have tried to access this page by typing in the URL --->
<CFIF NOT IsDefined("form.Username") OR NOT IsDefined("form.Password")>
    <CFSET session.ErrorMessage = "Please login to this secured area with your Username/Password.">
    <CFLOCATION URL="/admin/" ADDTOKEN="no">
</CFIF>
<!--- See if there is a record in the db for this username / password.
      CFQUERYPARAM binds the form values as query parameters, so a quote
      in the submitted username or password cannot change the SQL. --->
<CFQUERY DATASOURCE="#request.DSN#" NAME="ValidateUsername">
    SELECT Accounts.Username
    FROM Accounts
    WHERE Accounts.Username = <CFQUERYPARAM VALUE="#form.Username#" CFSQLTYPE="CF_SQL_VARCHAR">
    AND Accounts.Password = <CFQUERYPARAM VALUE="#form.Password#" CFSQLTYPE="CF_SQL_VARCHAR">
</CFQUERY>
<CFIF NOT ValidateUsername.RecordCount>
    <CFSET session.ErrorMessage = "Sorry, but that is not a valid Username/Password combination.">
    <CFSET session.LoggedIn = "no">
    <CFLOCATION URL="/admin/index.cfm" ADDTOKEN="no">
<CFELSE>
    <CFSET session.LoggedIn = "yes">
    <CFLOCATION URL="/admin/welcome.cfm" ADDTOKEN="no">
</CFIF>
If the user login was successful, they get to see the page at welcome.cfm.
Anyway, hope this helps.
--
Aidan Whitehall <[EMAIL PROTECTED]>
Netshopper UK Ltd
Advanced Web Solutions & Services
http://www.netshopperuk.com/
Telephone +44 (01744) 648650
Fax +44 (01744) 648651
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
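The following is an added example, not code from Aidan's post or from Netshopper, showing a hardened version of the same two pieces (the Application.cfm gate and validateuser.cfm) combined into one listing. It assumes a ColdFusion release that supports CFQUERYPARAM and Hash(string, algorithm) (MX 7 or later), and an Accounts table with hypothetical PasswordSalt and PasswordHash columns in place of a plaintext Password column; the hashing scheme, column names and the AdminDemo application name are assumptions.

```cfml
<!--- ===== Application.cfm (added example) ===== --->
<CFAPPLICATION NAME="AdminDemo" SESSIONMANAGEMENT="Yes">

<CFPARAM NAME="session.LoggedIn" DEFAULT="no">

<!--- Pages under /admin/ that may be viewed without a logged-in session.
      Matched exactly (case-insensitively) against the script name, so only
      these two pages are exempt from the check below. --->
<CFSET variables.PublicAdminPages = "/admin/index.cfm,/admin/validateuser.cfm">

<CFIF Left(cgi.SCRIPT_NAME, 7) IS "/admin/"
      AND NOT ListFindNoCase(variables.PublicAdminPages, cgi.SCRIPT_NAME)
      AND session.LoggedIn IS NOT "yes">
    <CFSET session.ErrorMessage = "You are not authorised to view this area of the website.">
    <!--- CFLOCATION ends the request, so the protected page is never rendered --->
    <CFLOCATION URL="/admin/index.cfm" ADDTOKEN="no">
</CFIF>


<!--- ===== validateuser.cfm (added example) =====
      Assumed schema: Accounts(Username, PasswordSalt, PasswordHash), where
      PasswordHash = Hash(PasswordSalt & password, "SHA-256"). --->
<CFIF NOT IsDefined("form.Username") OR NOT IsDefined("form.Password")>
    <CFSET session.ErrorMessage = "Please login to this secured area with your Username/Password.">
    <CFLOCATION URL="/admin/index.cfm" ADDTOKEN="no">
</CFIF>

<!--- Look the account up by username only. The submitted password is never
      placed in SQL at all; the username is bound as a parameter. --->
<CFQUERY DATASOURCE="#request.DSN#" NAME="GetAccount">
    SELECT Username, PasswordSalt, PasswordHash
    FROM Accounts
    WHERE Username = <CFQUERYPARAM VALUE="#form.Username#" CFSQLTYPE="CF_SQL_VARCHAR" MAXLENGTH="64">
</CFQUERY>

<!--- Recompute the salted hash of what was typed and compare it with the
      stored value. CompareNoCase returns 0 when the two strings match. --->
<CFSET variables.Authenticated = false>
<CFIF GetAccount.RecordCount EQ 1>
    <CFSET variables.Candidate = Hash(GetAccount.PasswordSalt & form.Password, "SHA-256")>
    <CFIF CompareNoCase(variables.Candidate, GetAccount.PasswordHash) EQ 0>
        <CFSET variables.Authenticated = true>
    </CFIF>
</CFIF>

<CFIF NOT variables.Authenticated>
    <!--- One message for both "no such user" and "wrong password", so the
          response does not reveal which usernames exist --->
    <CFSET session.LoggedIn = "no">
    <CFSET session.ErrorMessage = "Sorry, but that is not a valid Username/Password combination.">
    <CFLOCATION URL="/admin/index.cfm" ADDTOKEN="no">
<CFELSE>
    <CFSET session.LoggedIn = "yes">
    <CFSET session.Username = GetAccount.Username>
    <CFLOCATION URL="/admin/welcome.cfm" ADDTOKEN="no">
</CFIF>
```

Two design points: the query selects by username alone and the password comparison happens in CFML, so the database never sees the password and the stored value is a salted hash rather than the password itself; and the exempt pages are an exact-match list rather than a chain of IS NOT clauses, which is easier to review as the admin area grows. Where the ColdFusion version in use offers a dedicated slow password hash (PBKDF2 or bcrypt), that is preferable to a single SHA-256 round.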