Modifying the login code for your application

The Login Wizard creates a basic framework for authenticating a user. You must customize this framework to meet your application's needs. Typical security-related changes include the following:

Providing user-specific role information

The Login Wizard puts all users in a single role: in mm_wizard_authenticate.cfc, the performlogin method is hard-coded to set the role to "user". The individual authentication routines handle roles differently (for the details, see the mm_wizard_authenticate.cfc code). If your application uses roles for authorization, you must change the authentication method to look up and return valid role information for the user, and change the performlogin method to pass that information in the roles attribute of its cfloginuser tag.

Authenticating users against a database

If you use a database to maintain user IDs and passwords, you can create your login framework by specifying simple authentication, and then modify the generated code to use the database. The following instructions describe a simple way to change the code to use a database. They do not include all the cleanup work (in particular, removing the hard-coded user name and password) that you should do for a production application.

Replace the following code:

<cfif sUserName eq uUserName AND sPassword eq uPassword>
   <cfset retargs.authenticated="YES">
<cfelse>
   <cfset retargs.authenticated="NO">
</cfif>
<cfreturn retargs>

With code similar to the following:

<!--- Assumes the Users table has a roles column holding a comma-delimited role list. --->
<cfquery name="loginQuery" dataSource="#Application.DB#">
   SELECT *
   FROM Users
   WHERE UserName = <cfqueryparam value="#uUserName#" CFSQLType="CF_SQL_VARCHAR">
   AND password = <cfqueryparam value="#uPassword#" CFSQLType="CF_SQL_VARCHAR">
</cfquery>
<cfif loginQuery.recordcount gt 0>
   <cfset retargs.authenticated="YES">
   <cfset retargs.roles=loginQuery.roles>
<cfelse>
   <cfset retargs.authenticated="NO">
</cfif>
<cfreturn retargs>

Note: For greater security, store a hashed password rather than the password itself. Use the Hash function to create a password fingerprint and store that in the database. When the user submits a password, apply the Hash function to the submitted string and compare the result with the stored value. Include a random per-user salt in the hashed input so that two users with the same password do not share a fingerprint, and prefer an iterated (deliberately slow) hash over a single plain hash, since a fast unsalted digest is cheap for an attacker to brute-force if the table is ever exposed. With a hashed password the query should select the row by user name only and do the comparison in CFML, rather than putting the submitted password into the WHERE clause.
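The following component is an added example that ties the two changes above together: the authentication method looks the user up by name, verifies a salted hash in CFML rather than in the WHERE clause, and returns the user's roles, and performlogin passes those roles to cfloginuser instead of the hard-coded "user". It is not the Login Wizard's generated code. It assumes ColdFusion 11 or later (for queryExecute and script-style tag calls), a datasource name in Application.DB, and a Users table with the columns UserName, PasswordHash, Salt and Roles, where PasswordHash was produced by the same hashPassword function at account creation; the column names and the SHA-512 choice are assumptions for the illustration.

```cfml
<!--- mm_wizard_authenticate.cfc, role-aware and hashed-password variant.
      Added example, not the Login Wizard's generated code. Assumed schema:
      Users(UserName, PasswordHash, Salt, Roles), Roles being a comma list.
      Assumes a datasource named in Application.DB and ColdFusion 11+. --->
component {

    // Hash the submitted password with the per-user salt, exactly as the
    // stored value was produced when the account was created (assumed SHA-512).
    private string function hashPassword(required string password, required string salt) {
        return hash(arguments.salt & arguments.password, "SHA-512", "UTF-8");
    }

    // Compare two hex digests without stopping at the first mismatching
    // character, so response time does not reveal how much of the digest matched.
    private boolean function constantTimeEquals(required string a, required string b) {
        if (len(arguments.a) != len(arguments.b)) {
            return false;
        }
        var diff = 0;
        for (var i = 1; i <= len(arguments.a); i++) {
            diff = bitOr(diff, bitXor(asc(mid(arguments.a, i, 1)), asc(mid(arguments.b, i, 1))));
        }
        return diff == 0;
    }

    // Replaces the wizard's hard-coded user name / password check. Returns the
    // retargs structure the wizard's performlogin expects, plus a roles key.
    public struct function authenticate(required string uUserName, required string uPassword) {
        var retargs = { authenticated = "NO", roles = "" };

        // Select by user name only; the password is never part of the query.
        var q = queryExecute(
            "SELECT PasswordHash, Salt, Roles FROM Users WHERE UserName = :user",
            { user = { value = arguments.uUserName, cfsqltype = "cf_sql_varchar" } },
            { datasource = application.DB }
        );

        if (q.recordCount == 1) {
            var candidate = hashPassword(arguments.uPassword, q.Salt[1]);
            if (constantTimeEquals(candidate, q.PasswordHash[1])) {
                retargs.authenticated = "YES";
                retargs.roles = q.Roles[1];   // e.g. "user" or "user,administrator"
            }
        }
        // An unknown user and a wrong password both return the same "NO" result,
        // so the caller cannot distinguish the two cases.
        return retargs;
    }

    // The wizard's performlogin, changed to pass the roles the database returned.
    // As in the generated code, this is invoked from inside the cflogin block in
    // Application.cfc, which is where cfloginuser must run.
    public boolean function performlogin(required string uUserName, required string uPassword) {
        var result = authenticate(arguments.uUserName, arguments.uPassword);
        if (result.authenticated == "YES") {
            cfloginuser(name = arguments.uUserName, password = arguments.uPassword, roles = result.roles);
            return true;
        }
        return false;
    }
}
```

Because the stored value is salt-and-hash, the account-creation code must generate a random salt per user and store both the salt and hashPassword(password, salt); if your ColdFusion version offers a dedicated password-derivation function such as GeneratePBKDFKey, use that in place of the single Hash call in hashPassword, keeping the same lookup-then-compare structure.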

Web server-based authentication user security example

The example in this section shows how you might implement user security using web-server-based basic authentication and two roles, user and administrator.

This example has two ColdFusion pages:

This simple example does not provide a user log-out interface. You can test the security behavior by adding your own pages to the same directory as the Application.cfc page.

This section includes the following examples:
