There are quite a lot of fundamental mistakes in this code.

Don't build a URL with the query string that came from the browser. You cannot trust anything that comes from the browser, therefore you must not use anything without scrubbing it down. Things like this are asking for trouble:

    <cfset FormAction = "#CGI.SCRIPT_NAME#?#CGI.QUERY_STRING#">

Generally, don't ever write anything to the HTML of your page that came from the user without properly sanitizing and HTML-encoding it. Use `HTMLEditFormat()` and `URLEncodedFormat()` extensively.

Don't ever use user-supplied values to build an SQL string. There is `<cfqueryparam>`, use it. This is bad and wrong:

    select * from t_admin where username = '#username#'

While we're at it: don't ever use `select *` in production code.

- Don't ever store plain text passwords in a database. This is a big thing, you really must fix that before you do anything else. ColdFusion provides a number of hashing algorithms, use them (and read about salted hashes).
- Is the login form sent through HTTPS? (Everything in that application should probably be HTTPS, but the login form absolutely must be.)
- Login cookies should be marked as `secure` and `httponly` to prevent session hijacking.
- Login cookies that never expire might not be a good idea. Depends.
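The following is an added example that is not part of the original question or this answer; it shows one way to apply the points above in a single CFML login page. The datasource name `adminDSN`, the table `t_admin` with columns `id`, `username`, `password_hash` and `salt`, the cookie name `adminToken`, and the helper functions `hashPassword()` and `newSalt()` are assumptions made for illustration. The hash step follows the answer's wording (a salted hash via the built-in `Hash()`); where the platform offers a deliberately slow, iterated key-derivation function, that is preferable to a single SHA-512 pass.

```cfml
<!--- Added example, not from the original question or answer. Assumed names:
      datasource "adminDSN", table t_admin (id, username, password_hash, salt),
      cookie "adminToken", helpers hashPassword() and newSalt(). --->

<!--- Helper: salted hash. A per-user random salt means two accounts with the
      same password do not share a stored hash. --->
<cffunction name="hashPassword" returntype="string" output="false">
    <cfargument name="password" type="string" required="true">
    <cfargument name="salt" type="string" required="true">
    <cfreturn Hash(arguments.salt & arguments.password, "SHA-512")>
</cffunction>

<!--- Helper: random salt, generated at registration and stored next to the hash. --->
<cffunction name="newSalt" returntype="string" output="false">
    <cfreturn Hash(GenerateSecretKey("AES") & createUUID(), "SHA-256")>
</cffunction>

<!--- 1. Post the form back to this script. CGI.QUERY_STRING is never appended:
      it is attacker-controlled and would be written straight into the page. --->
<cfset formAction = CGI.SCRIPT_NAME>
<cfset loginError = "">
<cfset echoUser = "">

<cfif structKeyExists(form, "username") AND structKeyExists(form, "password")>
    <cfset echoUser = form.username>

    <!--- 2. Bound parameter instead of string concatenation, and an explicit
          column list instead of "select *". --->
    <cfquery name="qUser" datasource="adminDSN">
        SELECT id, username, password_hash, salt
        FROM   t_admin
        WHERE  username = <cfqueryparam value="#form.username#"
                                        cfsqltype="cf_sql_varchar" maxlength="64">
    </cfquery>

    <!--- 3. Compare salted hashes, never plain text. The hash is computed even
          when no account matches, so a missing user is not cheaper to check. --->
    <cfif qUser.recordCount EQ 1>
        <cfset salt = qUser.salt>
        <cfset storedHash = qUser.password_hash>
    <cfelse>
        <cfset salt = newSalt()>
        <cfset storedHash = "">
    </cfif>
    <cfset candidate = hashPassword(form.password, salt)>

    <cfif qUser.recordCount EQ 1 AND compare(candidate, storedHash) EQ 0>
        <!--- 4. Login cookie: sent only over HTTPS, not readable by script,
              and expiring after one day rather than never. The token must also
              be stored server-side and tied to the user (omitted here). --->
        <cfset token = Hash(createUUID() & GenerateSecretKey("AES"), "SHA-256")>
        <cfcookie name="adminToken" value="#token#"
                  secure="true" httponly="true" expires="1">
        <cflocation url="admin.cfm" addtoken="false">
    <cfelse>
        <cfset loginError = "Invalid username or password.">
    </cfif>
</cfif>

<!--- 5. Anything written back into the HTML goes through HTMLEditFormat();
      anything placed into a URL goes through URLEncodedFormat(). --->
<cfoutput>
<form method="post" action="#HTMLEditFormat(formAction)#">
    <cfif len(loginError)><p>#HTMLEditFormat(loginError)#</p></cfif>
    <label>Username <input type="text" name="username"
                           value="#HTMLEditFormat(echoUser)#"></label>
    <label>Password <input type="password" name="password"></label>
    <input type="submit" value="Log in">
</form>
<p><a href="help.cfm?user=#URLEncodedFormat(echoUser)#">Help</a></p>
</cfoutput>
```

At registration time the same `newSalt()` and `hashPassword()` pair produces the `salt` and `password_hash` values that are stored; the plain-text password never reaches the database.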