CF Login security

Hey all,

Everything i've done and everywhere I read it seems that the idea of the CFlogin, loginuser, etc tags are used to stop a person from getting to a page without a proper username and password, which is fine.

So as an example...user tries to get to Page A user is not logged in, therefore the forceuserlogin fires and a login screen appears...you enter a username/password and you now have access to all pages that require a username/password.

I know and understand that you can add roles to add the functionality of allowing people to only see certain pages, etc etc.

What i'm trying to do is make it so User A goes to Login.cfm enters their username/password and gets sent to a URL in the database.

So, user A goes to Page A, user B goes to Page B, but user A can't go to Page B...

I think all I need help with is the first page, user A being sent to page A once logged in...limiting where they can go after that I think I know how to accomplish...

Thanks!

Something I don't understand...

what i've been trying to do is use CFlocation to send the user to a page once they are logged in...so...

after this code

<CFLOGINUSER
Name="#GetUser.id#, #GetUser.username#"
Password="#Form.UserPassword#"
Roles="">
add
<cflocation url="whatever">

now, for some reason if I do that, and send the user to a page, they aren't logged in...say I send the user to cnn.com...and then from cnn.com try to jump back to a protected page it won't work.

but, if I take away the cflocation tag and take away the action tag from the login screen page with the CGI_script name to tell the browser that the action is to the page the user was attempting to access...the code will just put you inside the page you are attempting to access, IE. you want to go to admin, once logged in puts you in admin.

And once you are logged in you can access any of the pages that access requires, because you're logged in.

So to review, why is adding the cflocation tag after the login code screw everything up?

Thanks

Not sure, but one idea is that using cflocation is redirecting the user before the cookie is set (assuming you are storing the login info in a cookie in the cfapplication tag or application.cfc file)?

any suggestion of how to work around that?

nevermind, i've got an idea.

You can set the login storage to session. That's if the cookie issue is the problem.

What you suggested is probably the smarter move...but I got it working the way I want, and this is how I did it.

I hardcoded the script to send the users to a particular page...inside that page I have a GetAuthUser() script to pull the ID of the user...then I use that id to grab the url field in the database and a cflocation to send them to that location.

It isn't pretty...but it worked.