Login error, please help

Hello;
I am creating a new log in for a directory in cf8, I got it locking down the directory, and also allowing you to log in, BUT once your in, and click on a link inside the directory, it kicks you out back to the login form. I know, I read the cfdocs and I haven't found anything about directories accept using the server to lock it down. I don't have server control. So I have to write code to do it for me.

Can someone help me find what has to be changed and what I need to change it 2?

here is my code:

LoginCheck.cfm

<cfparam name="FORM.userLogin" type="string">
<cfparam name="FORM.userPassword" type="string">

<cfquery NAME="getUser" datasource="#APPLICATION.dataSource#">
SELECT user.id, user.Fname, user.Lname
FROM user
WHERE userName =<cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.UserLogin#">
AND password =<cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.UserPassword#">
</cfquery>

<cfif getUser.recordCount eq 1>
<cflock scope="Session" type="EXCLUSIVE" TIMEOUT="20">
<cfset SESSION.auth = structNew()>
<cfset SESSION.auth.isLoggedin = "yes">
<cfset SESSION.auth.id = getUser.id>
<cfset SESSION.auth.Fname = getUser.Fname>
</cflock>
<cfquery name="updateLoginInfo" datasource="#APPLICATION.dataSource#">
UPDATE user SET
lastLogin = #CreateOdbcDateTime(now())#,
hits = hits+1
WHERE ID = #val(getUser.Id)#
</cfquery>
<cflocation url="admin/index.cfm">
<cfelse>
<cflocation url="sitemanager.cfm?login=#form.UserLogin#&getUser=#getUser.recordCount#" addtoken="no">
</cfif>

Application.cfc (Inside the directory)

<cffunction name="OnRequestStart" output="false" returntype="void">
<cfif NOT isDefined("SESSION.auth.isLoggedIn")>
<cflocation url="../sitemanager.cfm" addtoken="no">
<cfabort>
<cfelseif isDefined("FORM.UserLogin")>
<cfinclude template="../LoginCheck.cfm">
<cflocation url="admin/index.cfm">
</cfif>
</cffunction>

It is much easier to write this in cf8 then it was in cf5 I must admit, less code and done slightly differently, but this one bug is driving me crazy. Any ideas on what to fix?

Thank you

Codemonger

Do you have an Application.cfc in the site root? Does it have the same application name as the Application.cfc in the secured folder? It looks like your session isn't being recognized by the secure folder's Application.cfc.

Yes there is an application.cfc in the root of the site, and then an application.cfc in the locked directory with a link to the proxyapplication.cfc

I think it is in the code, if I read what I wrote correctly, it is asking you to log in every time you go to a new page, I don't want that.


<cfelseif isDefined("FORM.UserLogin")>
<cfinclude template="../LoginCheck.cfm">
<cflocation url="admin/index.cfm">

I think that is what this block of code is doing. I tried a number of ways of changing it and that didn't work. Any better ideas on how to make the code open up the whole directory so you don't have to log in every time?

Is "admin/index.cfm" the place you want them to go if they are already logged in? Then just do.

<cfif NOT isDefined("SESSION.auth.isLoggedIn")>
<cflocation url="../sitemanager.cfm" addtoken="no">
<cfabort>
<cfelseif isDefined("FORM.UserLogin")>
<cfinclude template="../LoginCheck.cfm">
<cfelse>
<cflocation url="admin/index.cfm">
</cfif>

Also, assuming this App.cfc is already in the admin folder, you can just leave that out and do:

<cfif NOT isDefined("SESSION.auth.isLoggedIn")>
<cflocation url="../sitemanager.cfm" addtoken="no">
<cfabort>
<cfelseif isDefined("FORM.UserLogin")>
<cfinclude template="../LoginCheck.cfm">
</cfif>

And it will just let them get to whatever admin page they were going to as long as they are logged in and as long as form.userLogin is not defined.

Ok, I used this code:
<cfif NOT isDefined("SESSION.auth.isLoggedIn")>
<cflocation url="../sitemanager.cfm" addtoken="no">
<cfabort>
<cfelseif isDefined("FORM.UserLogin")>
<cfinclude template="../LoginCheck.cfm">
<cfelse>
<cflocation url="admin/index.cfm">
</cfif>

I get this error:
File not found: /admin/admin/index.cfm

It is adding on an extra admin/ instead of being
admin/index.cfm

Yes there is an application.cfc file in the locked out directory, I also have an application.cfc in root, and it is extended with proxyapplication.cfc for teh locked out directory> (I had to do that, I don't have control of the server)

Now the other code you placed:

<cfif NOT isDefined("SESSION.auth.isLoggedIn")>
<cflocation url="../sitemanager.cfm" addtoken="no">
<cfabort>
<cfelseif isDefined("FORM.UserLogin")>
<cfinclude template="../LoginCheck.cfm">
</cfif>

This allows me to log in, BUT when I click on a link, it kicks me back to sitemanager.cfm.

I was looking into the cflogin tags, not sure if those will give me what I need though. Is it possible to get this code to work?

You probably want to specify an absolute path from the web root, something like

<cflocation url="/admin/index.cfm">

assuming admin is off of your site root.

I tried that, it times out.
Admin folder is a folder in the site root.
http://www.mysite.com/admin/index.cfm

Is this login form in the admin folder? Are you going into an infinite cflocation loop trying to redirect them to the same folder that they're already in? If so you don't need the cflocation at all.

Ok, if I use the code without the location tag, it lets me log in, BUT if I click on a link it tries to kick me out to the sitemanager.cfm log in. So something on the chcklogin.cfm has to change to stop me from having to log in everytime I want to navigate in the admin folder. So if we look at that code, and make it simple, I added extra, this is the code that actually runs the log in:

<cfparam name="FORM.userLogin" type="string">
<cfparam name="FORM.userPassword" type="string">

<cfquery NAME="getUser" datasource="#APPLICATION.dataSource#">
SELECT user.id, user.Fname, user.Lname
FROM user
WHERE userName =<cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.UserLogin#">
AND password =<cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.UserPassword#">
</cfquery>

<cfif getUser.recordCount eq 1>
<cflock scope="Session" type="EXCLUSIVE" TIMEOUT="20">
<cfset SESSION.auth = structNew()>
<cfset SESSION.auth.isLoggedin = "yes">
<cfset SESSION.auth.id = getUser.id>
<cfset SESSION.auth.Fname = getUser.Fname>
</cflock>
<cflocation url="admin/index.cfm">
<cfelse>
<cflocation url="sitemanager.cfm?login=#form.UserLogin#&getUser=#getUser.recordCount#" addtoken="no">
</cfif>

Now the cfelse, this triggers text on the sitemanager.cfm and gives you texts stating your login was wrong, that's why you get this: sitemanager.cfm?login=#form.UserLogin#&getUser=#getUser.recordCount#

What is wrong on this page since it is an include that is making me have to log on everytime I click a link?

is my timeout too short?

I'm really not sure at this point. What is your session timeout set to? You're sure the two Application.cfc's are using the same application name? You have setClientCookies enabled?

You may want to step back and do a Google search for "coldfusion login example" to go straight to the documentation to try out their example.

Just to let you know, once I let the web site go live, the log in worked fine. Must not have liked being on an ip address for some reason.