Question

Why is the password-argument required for cfloginuser-tag and what is it used for? I don't know the clear password in my application, because I'm using password-hash & salt to identify a user at login.

Documentation


Solution

You really don't need to know the clear password. If you have already executed the logic to log in the user, you should already have the hashed password; simply use that. Or, you could even use createUUID() as the password attribute (this is better as the value stored with cflogin will have nothing to do with the user at all).

Point is, it does not matter what you use, as ColdFusion does not use that value for anything. I would, however, caution against using the password the user types in; it's never a good idea to store the raw, unhashed password anywhere.
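
The approach described in this answer, as an added example that is not part of the original post: the application checks the typed password against its own salted hash, then passes cfloginuser a createUUID() value so nothing derived from the user's password is stored with the login. The datasource `appDSN`, the `users` table and its columns, the SHA-512 salt-then-password scheme and `loginform.cfm` are assumptions made for illustration.

```cfml
<!--- Added example. Assumed (hypothetical) names: datasource "appDSN",
      table "users" with columns username, password_hash, salt, roles.
      Assumed scheme: password_hash was created with hash(salt & password, "SHA-512"). --->
<cflogin>
    <cfif structKeyExists(form, "username") and structKeyExists(form, "password")>
        <!--- Look up the stored hash and salt; cfqueryparam binds the user-supplied name --->
        <cfquery name="qUser" datasource="appDSN">
            SELECT username, password_hash, salt, roles
            FROM users
            WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
        </cfquery>

        <cfif qUser.recordCount eq 1>
            <!--- Recompute the hash from the stored salt and the typed password --->
            <cfset candidateHash = hash(qUser.salt & form.password, "SHA-512")>

            <cfif compare(candidateHash, qUser.password_hash) eq 0>
                <!--- The application has already authenticated the user.
                      The password attribute is required by the tag, so give it
                      a random value unrelated to the user, never form.password. --->
                <cfloginuser name="#qUser.username#"
                             password="#createUUID()#"
                             roles="#qUser.roles#">
            </cfif>
        </cfif>
    </cfif>
</cflogin>

<!--- getAuthUser() returns an empty string when no user is logged in --->
<cfif getAuthUser() eq "">
    <cfinclude template="loginform.cfm">
    <cfabort>
</cfif>
```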

OTHER TIPS

I agree. It doesn't make much sense. I do use hash & salt technique too. In the past, I've just set the password attribute of the cfloginuser tag to the value the user has typed in for their password.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow