Question

I'm trying to create an admin area but cannot get a login system to work. I have three parts to this: the login.cfm page, login_action.cfm and the app.cfc.

When I use this code and try to log in, it only stays on the same page.

Login.cfm

<form name="fLogin" id="fLogin" action="<cfoutput>#FormAction#</cfoutput>" method="post">
  <label>Username:</label>
  <input type="text" name="username" required>
  <label>Password:</label>
  <input type="password" name="Password" required>
  <br>
  <input type="submit" id="sub" value="Login">
</form>

Login_action.cfm

<cflogin idletimeout="1800">   

<!--- SETS the action page of the login form to whatever 
      page the user was trying to go to.  Since the login 
      will actually be processed in the application.cfm file 
      (or a template included in it), then the FORM action 
      is the page that will be loaded after the login has 
      been completed. --->    

<!--- IF there IS NOT a Query String passed in the URL, 
      only the requested page name is used ---> 

<cfif CGI.QUERY_STRING IS "">       
   <cfset FormAction = #CGI.SCRIPT_NAME#>    
<cfelse>        
   <cfset FormAction = "#CGI.SCRIPT_NAME#?#CGI.QUERY_STRING#">    
</cfif>

<cfif not (isDefined("cookie.XXXX.email"))>
  <cfif NOT (IsDefined ("Form.username") AND IsDefined ("Form.Password"))>        
    <cfinclude template="login.cfm"> 
    <cfabort>
  <cfelse>
    <cfif IsDefined("Form.username")>
      <cfset username = #Form.username#>   
    </cfif>

    <CFQUERY NAME="login">            
      select * from t_admin where username = '#username#'      
    </CFQUERY>

    <cfif login.RecordCount gt 0>
      <cfif #Form.password# eq "#login.password#">
        <cfloginuser name="#username#" password="#login.password#" roles="admin">
        <cfcookie name="XXXX.email" value="#login.email#" expires="never" >
        <cfset session.userId = #login.id#>
      <cfelse>
        <cfset Invalid = "Yes">
        <cfinclude template="login.cfm">  
        <cfabort>
      </cfif> 
    </cfif>  
  </cfif>
<cfelse>
   <CFQUERY NAME="cookielogin">            
     select * from t_admin where email = '#cookie.XXXX.email#'      
   </CFQUERY>

   <cfloginuser name="#cookielogin.email#" password="#cookielogin.password#" roles="admin">
   <cfset session.userId = #cookielogin.id#>
   <cfset session.email = #cookielogin.email#>
</cfif>

</cflogin>

and Application.cfc:

<cffunction name="OnRequestStart">
  <cfinclude template="login_action.cfm">
  <cfif isDefined ('cookie.XXXX.email')>
    <cfset session.email = cookie.XXXX.email>
  </cfif> 
</cffunction>

If anyone could help, that'd be great. Thanks.


OTHER TIPS

There are quite a lot of fundamental mistakes in this code.

  • Don't build a URL with the query string that came from the browser. You cannot trust anything that comes from the browser, therefore you must not use anything without scrubbing it down. Things like this are asking for trouble:

    <cfset FormAction = "#CGI.SCRIPT_NAME#?#CGI.QUERY_STRING#">
    
  • Generally don't ever write anything to the HTML of your page that came from the user without properly sanitizing and HTML-encoding it. Use HTMLEditFormat() and URLEncodedFormat() extensively.

  • Don't ever use user-supplied values to build an SQL string. There is <cfqueryparam>, use it. This is bad and wrong:

    select * from t_admin where username = '#username#'      
    
  • While we're at it: Don't ever use select * in production code.

  • Don't ever store plain text passwords in a database. This is a big thing, you really must fix that before you do anything else. ColdFusion provides a number of hashing algorithms, use them (and read about salted hashes).
  • Is the login form sent through HTTPS? (Everything in that application should probably be HTTPS, but the login form absolutely must be.)
  • Login cookies should be marked as secure and httponly to prevent session hijacking.
  • Login cookies that never expire might not be a good idea. Depends.
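A hardened version of login_action.cfm together with the Application.cfc settings that address the points above, written as an added example (it is neither the asker's code nor the answerer's). It assumes a datasource named adminDSN, that t_admin has password_hash and password_salt columns filled with the same generatePBKDFKey() call at account creation, and ColdFusion 11+ or Lucee for generatePBKDFKey() and this.sessionCookie.

```cfml
<!--- Application.cfc (added example; assumes a datasource named "adminDSN") --->
<cfcomponent>
  <cfset this.name = "adminArea">
  <cfset this.datasource = "adminDSN">
  <cfset this.sessionManagement = true>
  <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
  <!--- Session cookie flagged Secure and HttpOnly (ColdFusion 10+ / Lucee) --->
  <cfset this.sessionCookie = { httpOnly = true, secure = true }>
</cfcomponent>

<!--- login_action.cfm: the form in login.cfm posts here directly; nothing is rebuilt from CGI.QUERY_STRING --->
<cflogin idletimeout="1800">
  <cfif NOT (structKeyExists(form, "username") AND structKeyExists(form, "password"))>
    <cfinclude template="login.cfm">
    <cfabort>
  </cfif>

  <!--- Bind the user-supplied value as a parameter instead of interpolating it into the SQL --->
  <cfquery name="account">
    SELECT id, email, password_hash, password_salt
    FROM t_admin
    WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="100">
  </cfquery>

  <!--- Assumed schema: password_hash and password_salt were written with this same
        generatePBKDFKey() call when the account was created (ColdFusion 11+ / Lucee).
        An unknown username is still hashed against a dummy salt so both paths cost the same. --->
  <cfif account.recordCount EQ 1>
    <cfset salt = account.password_salt>
  <cfelse>
    <cfset salt = "no-such-user-dummy-salt">
  </cfif>
  <cfset candidate = generatePBKDFKey("PBKDF2WithHmacSHA256", form.password, salt, 10000, 256)>

  <!--- Constant-time comparison via java.security.MessageDigest.isEqual instead of EQ --->
  <cfset digest = createObject("java", "java.security.MessageDigest")>
  <cfset hashMatches = digest.isEqual(charsetDecode(candidate, "utf-8"), charsetDecode(account.password_hash, "utf-8"))>

  <cfif account.recordCount EQ 1 AND hashMatches>
    <cfloginuser name="#account.email#" password="#form.password#" roles="admin">
    <cfset session.userId = account.id>
    <!--- Fixed post-login destination rather than a URL echoed back from the request --->
    <cflocation url="index.cfm" addtoken="false">
  <cfelse>
    <cfset invalid = true>
    <cfinclude template="login.cfm">
    <cfabort>
  </cfif>
</cflogin>
```

With this layout the form in login.cfm posts to login_action.cfm directly (action="login_action.cfm"), and the admin session rides on the Secure/HttpOnly session cookie rather than on a never-expiring cookie holding the e-mail address.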
Licensed under: CC-BY-SA with attribution