Henry,
First of all, the way the code is written, the lock would need to be an
Exclusive lock because you are Writing the session var. If you were only
writing the request var from the session, it could be a readonly, but since
you are also writing the session, it must be exclusive. Next, you should
always be wary of setting one variable to another without checking to see if
it exists first. There are times that you want to check, and other times not
to. If you're not going to check, I'd suggest param'ing those variables
ahead of time.
Now, let's look at the logic.. if the session variable is not set, go to
login. Therefore, you need to make that check in your application.cfm:
<cflock type="readonly" ...>
    <cfif NOT IsDefined("session.UID")>
        <cfinclude template="login.cfm">
        <cfabort>
    </cfif>
</cflock>
There are a couple of ways to do the actual login... if you can or don't
mind using cflocation, it's a little easier. If you can't or don't like using
cflocation, then it's basically the same thought process, but there are
other things to then think about. Let's use cflocation...
I would do it like this...
Have the login.cfm page first look for the existence of the form.username
and form.password (or whatever you call them) variables. If they exist,
authenticate them against your database, and if it authenticates, then set
your session var. Then you cflocation to CGI.path_info, which is the URL
that the user originally tried to go to. If username and password form vars
do not exist, show the login form. The login form also actions to
CGI.path_info to work through this same path.
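<cfif IsDefined("form.username") AND IsDefined("form.password")>
    <!--- credentials were posted: check them against the database --->
    <cfquery name="myQuery">...</cfquery>
    <cfif myQuery.recordCount>
        <cfset session.uid = myQuery.uid>
    </cfif>
    <!--- pass or fail, go back to the URL the user asked for --->
    <cflocation url="#CGI.Path_Info#" addtoken="No">
<cfelse>
    <!--- login form; method="post" so the fields arrive in the form scope --->
    <cfoutput><form action="#CGI.path_info#" method="post">...</form></cfoutput>
</cfif>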
I should note the reason for using CGI.path_info... I like it because, a
user can sift through forever without logging in, as long as they do not hit
a member only page. When they do, this process will reserve the URL that
they clicked on, and after they login, they will see the page that they were
originally headed to.
So in a nutshell, here's what's going on...
Hit Application.cfm... it looks for session.uid. If that doesn't exist, it
includes the login page.
The login page checks for form vars. If they do not exist, the user sees the
login form.
The login form submits to the same URL that the user originally clicked on.
The form submit goes through Application.cfm which checks for session.uid.
It doesn't see it... includes login.cfm.
Login page checks for form vars. They now exist. We check against the
database.
If it passes we set the session var and cflocation to the same URL again.
We get to Application.cfm, it sees the session var and we proceed logged in.
IF it failed the database check, we still cflocation to the same URL.
But when it hits the Application.cfm check for session, it won't exist and
you will go to the login page.
The login page will no longer see the form vars and the user will see the
login form again.
Now, you may want to add a few things to this... maybe a way of passing a
message to the login form if they failed the database check to say that the
username and password were invalid. Maybe use URL, client, or even session
variables for that. The other thing you may consider is to alter the
Application.cfm like so:
<cflock scope="session" type="readonly" ...>
    <cfif NOT IsDefined("session.UID")>
        <cfinclude template="login.cfm">
        <cfabort>
    <cfelse>
        <cfset request.UID = session.UID>
    </cfif>
</cflock>
This way, from this point on, you won't have to look for session vars or
worry about locking for the rest of the request. Do all of your checks on
request.uid. You can also be assured that the session/request var will exist
on all templates.
Just a reminder... there are many ways of doing this. If you don't like this
way, there are plenty of others. I would suggest that you comment the flow
as pseudocode (like I did above) before you write the code. This will help
to make sure that you have the logic down properly and you cover all of your
bases.
I hope that this was able to help somewhat.
Jeremy
<standard_disclaimer>
None of this code has been tested. Complete thoughts and error checking were
left out to aid readability and understandability.
</standard_disclaimer>
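
Added example, not part of Jeremy's message or of Henry's application: the flow described above written out as one Application.cfm and one login.cfm, with the session write under an exclusive lock and the login include moved outside the read lock so that the exclusive lock is not requested while the same request still holds the read lock. The datasource, table and column names, the PBKDF2 storage scheme and its parameters are assumptions, and a failed login redisplays the form with a message in the same request instead of redirecting.

```cfml
<!--- ===== Application.cfm (added example) ===== --->
<cfapplication name="Feedback" sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0,8,0,0)#">
<cfset loggedIn = false>
<!--- Reading session scope: a readonly lock is enough. --->
<cflock scope="session" type="readonly" timeout="5" throwontimeout="yes">
    <cfif IsDefined("session.uid")>
        <cfset request.uid = session.uid>
        <cfset loggedIn = true>
    </cfif>
</cflock>
<!--- Include outside the lock so login.cfm can take its own exclusive lock. --->
<cfif NOT loggedIn>
    <cfinclude template="login.cfm">
    <cfabort>
</cfif>

<!--- ===== login.cfm (added example) ===== --->
<cfset loginFailed = false>
<cfif IsDefined("form.username") AND IsDefined("form.password")>
    <!--- Hypothetical datasource and schema. cfqueryparam binds the submitted
          value instead of concatenating it into the SQL text. --->
    <cfquery name="GetUser" datasource="feedbackDSN">
        SELECT uid, pw_salt, pw_hash
        FROM users
        WHERE username = <cfqueryparam value="#form.username#"
                                       cfsqltype="CF_SQL_VARCHAR" maxlength="64">
    </cfquery>
    <cfif GetUser.recordCount EQ 1>
        <!--- Assumed storage scheme: pw_hash holds PBKDF2 output for pw_salt. --->
        <cfset candidate = GeneratePBKDF2Key("PBKDF2WithHmacSHA1", form.password,
                                             GetUser.pw_salt, 100000, 256)>
        <cfif Compare(candidate, GetUser.pw_hash) EQ 0>
            <!--- Writing session scope: exclusive lock. --->
            <cflock scope="session" type="exclusive" timeout="5" throwontimeout="yes">
                <cfset session.uid = GetUser.uid>
            </cflock>
            <!--- cflocation ends the request, so the lines below do not run. --->
            <cflocation url="#CGI.path_info#" addtoken="no">
        </cfif>
    </cfif>
    <cfset loginFailed = true>
</cfif>
<cfoutput>
<cfif loginFailed><p>Invalid username or password.</p></cfif>
<form action="#EncodeForHTMLAttribute(CGI.path_info)#" method="post">
    <input type="text" name="username"> <input type="password" name="password">
    <input type="submit" value="Log in">
</form>
</cfoutput>
```
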
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 26, 2002 3:41 PM
To: [EMAIL PROTECTED]
Subject: Seesion variable
Does anybody know how to properly set up a session variable? I want to set up
session var in one page and check if it exists using IsDefined
("session.uid") in another page. In the application.cfm
I have session management opened:
<CFAPPLICATION NAME="Feedback"
SETCLIENTCOOKIES="Yes"
APPLICATIONTIMEOUT="#CreateTimeSpan(1,0,0,0)#"
SESSIONMANAGEMENT="Yes"
SESSIONTIMEOUT="#CreateTimeSpan(0,8,0,0)#">
<CFSETTING SHOWDEBUGOUTPUT="no">
The variable is set up in login.cfm:
<CFLOCK TIMEOUT="5" THROWONTIMEOUT="Yes" TYPE="ReadOnly" SCOPE="SESSION">
<CFSET session.uid = GetUser.uid>
<CFSET request.uid = session.uid>
</CFLOCK>
When I check session.uid in another page (index.cfm) it always does not
exist:
<CFIF (NOT IsDefined("session.uid"))>
<CFINCLUDE TEMPLATE="forms/login.cfm">
</CFIF>
As a result my login screen always opens. Please help.
Henry
-------------------------------------------------------------------------
This email server is running an evaluation copy of the MailShield anti-
spam software. Please contact your email administrator if you have any
questions about this message. MailShield product info: www.mailshield.com
-----------------------------------------------
To post, send email to [EMAIL PROTECTED]
To subscribe / unsubscribe: http://www.dfwcfug.org