Login System in ColdFusion 9

Question

I am working with a very old login system that my company used before on a website that used frames. Before, when someone tried a wrong user/pass combination the frame would load a simple cfinclude file with the login form and an error message on top of it. Now I am using a form in a popup window that calls the application.cfc but instead of getting the error message back on my popup window the page load the cfinclude file from the application component to a new page.

So I need a few things to happen for this application. First, I need the initial popup window to stay up and the page should not submit if the combination of user/pass is wrong, and finally I need the error message to appear somewhere on the popup.

If anyone did something like this before I would really appreciate your feedback.

This is a partial of my code:

Login Form:

<!--- loginErrMsg display - to tell why login is denied --->
<cfif isdefined("loginErrMsg")><span style="color:red">#loginErrMsg#</span><br /></cfif>

<form name="LoginForm" id="LoginForm" action="<cfif test is false>https://secure.example.com</cfif>#loginFormAction#" method="post" target="_top">
</cfoutput>
<input type="hidden" name="loginPost" value="true">
    <p>
      Login below to take advantage of the great services we offer:
    </p>

    E-mail:<input name="j_username" class="loginform" type="text" size="30" maxlength="50" id="j_username"> 
    Password: <input name="j_password" type="password" size="30" maxlength="16" class="loginform">
    <br />

    <input type="submit" name="btn" value="Submit" class="bluebuttonnormal">
    </form>

Application.cfc Code:

<cflogin applicationtoken="swmadmin">
        <cfif NOT IsDefined("cflogin")>
            <cfinclude template="login.cfm">
            <cfabort>
        <cfelse>
            <cfquery name="userlookup" datasource="#ds#">
            SELECT clientadminID, roles, isFaxOnly, acctEnabled FROM clientadmin
            WHERE
            username=<cfqueryparam value="#cflogin.name#" CFSQLTYPE="CF_SQL_VARCHAR" maxlength="50">
            and password=<cfqueryparam value="#cflogin.password#" CFSQLTYPE="CF_SQL_VARCHAR" maxlength="16">
            </cfquery>
            <cfif userlookup.recordcount eq 0>
                <cfset loginErrMsg = "Invalid login.">
                <cfinclude template="login.cfm">
                <cfabort>

    </cflogin>

Answer 1

I am working with a very old login system that my company used before on a website that used frames.

If this is a new website, don't use it. Login forms are a dime a dozen and can be done in your sleep. Start fresh and do it right.

So I need a few things to happen for this application. First, I need the initial popup window to stay up and the page should not submit if the combination of user/pass is wrong, and finally I need the error message to appear somewhere on the popup.

You're going to want to use an AJAX solution here, either write your own or use a good library like jQuery. Once you check the login values you can use jQuery or simple javascript to unhide or update the innerHTML of an empty element to display your error message.

<cflogin ...>
...
</cflogin>

CFLogin makes me sad. Another one of ColdFusion's tags meant to simplify something commonly done that doesn't really help much and sacrifices flexibility. You can get far more control over your application without it. instead of CFLogin, try something like this pseudo code

<cfcomponent>
  <cffunction name = "onRequest" ...>
    <cfargument name="targetPage" type="String" required = "true" />
    <cfif !structKeyExists(session, "roles") and !findNoCase("loginHandler.cfm",cgi.script_name)>
      <!--- notice I prevent the redirect on the form handler, otherwise the ajax will get redirected to the login.cfm page --->
      <cfinclude template = "login.cfm">
    <cfelse>
      <cfinclude template = "#arguments.targetPage#">
    </cfif>
  </cffunction> 
</cfcomponent>

Your login.cfm would then contain your form but your button would fire something like jQuery.post() to "loginHandler.cfm", then depending on the result of the login, your callback function may use jQuery.html() to display the error or window.location.replace / window.location.href if the login was successful. Of course, in the event of a successful login, your ColdFusion page would have to create their session variables and do whatever else you want it to do before sending the result back to your AJAX call.