Paralysis by Analysis on Application.cfm

#1  Registered User, Devshed Newbie (joined Sep 2014)

    I've been trying to set up Application.cfm to work with cfldap for securing web pages, pretty standard stuff, but there's so much out there, and so many different ways to do it, that my head is spinning.

    My cfldap works, I'm authenticating users against our AD, but I'm having trouble adding Application.cfm to the mix.

    Could you link me to a tutorial, or provide an outline of the steps? I've got Application.cfm, a login form, and then I need some code on each page that checks for "is logged in", "is authenticated", whatever we want to call it, with an answer of "No" sending the user back to the login page.

    Thanks
#2  Moderator, Raleigh, NC (joined Jun 2002)
    I don't know of any detailed tutorials on building a custom authentication and authorization system. You can Google around, or I suspect some of the books on CF will contain sections on security. There are MVC frameworks like ColdBox that include security modules, but that would only work if you use (or convert to) ColdBox. True and robust app security is actually a very complex problem, so if you're building your own, you really need to know what you're doing. Especially if the site is public.
#3  Registered User, Devshed Newbie (joined Sep 2014)
    Not a public site, just an intranet site that will only be used by IT staff.

    I got it working a little bit using Application.cfc, but when I got to the main menu, anything I click on in the main menu takes me back to the login page, so I guess I'm not passing something.

    I'm home now, but if I post some of the code when I get back to work tomorrow, could you take a look at it and see what I might be missing?

    Thanks
#4  Registered User, Devshed Newbie (joined Sep 2014)
    OK, here's what I've been able to piece together so far.

    <cfcomponent>
        <cfset This.name = "PassMaint">
        <cfset This.ApplicationTimeout = CreateTimeSpan(0,0,15,0)>
        <cfset This.Sessionmanagement = "True">
        <cfset This.loginstorage = "session">

        <!--- ColdFusion passes the path of the requested page as the first argument --->
        <cffunction name="OnRequestStart">
            <cfargument name="request" required="true"/>

            <cfif IsDefined("Form.logout")>
                <cflogout>
            </cfif>

            <!--- the cflogin body only runs while no user is logged in for this session --->
            <cflogin>
                <cfif NOT IsDefined("cflogin")>
                    <!--- no j_username / j_password posted in this request: show the form and stop --->
                    <cfinclude template="loginform.cfm">
                    <cfabort>
                <cfelse>
                    <cfif cflogin.name IS "" OR cflogin.password IS "">
                        <cfoutput>
                            <h2>You must enter text in both the User Name and Password fields.</h2>
                        </cfoutput>
                        <cfinclude template="loginform.cfm">
                        <cfabort>
                    <cfelse>
                        <cftry>
                            <!--- the bind with the user's own credentials is the authentication;
                                  a wrong password makes cfldap throw, which lands in cfcatch --->
                            <cfldap action="Query"
                                    name="LoginQuery"
                                    attributes="sAMAccountName"
                                    start="dc=hhsc,dc=org"
                                    scope="SUBTREE"
                                    maxrows="1"
                                    server="myserver"
                                    username="hhsc\#form.j_username#"
                                    password="#form.j_password#">
                            <!--- a successful bind falls through here, but no cfloginuser call
                                  follows, so nothing about the user is recorded in the session --->
                            <cfcatch type="ANY">
                                <cfoutput>
                                    <H2>Your login information is not valid.<br>
                                    Please try again</H2>
                                </cfoutput>
                                <cfinclude template="loginform.cfm">
                                <cfabort>
                            </cfcatch>
                        </cftry>
                    </cfif>
                </cfif>
            </cflogin>

            <!--- GetAuthUser() is only non-empty after cfloginuser has run --->
            <cfif GetAuthUser() NEQ "">
                <cflocation url="passmaint.cfm" addtoken="false">
            </cfif>

        </cffunction>
    </cfcomponent>

    The LDAP authentication works, I get the appropriate response when entering a correct or an incorrect user id. However, on entering a correct user id, it just keeps going back to the login page.

    All I'm looking for here is a way to secure the pages on a small intranet site for about 14 users. If there's a simpler way to do this, I'm all ears.

    Thanks
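A version of the Application.cfc above that completes the cflogin flow, added here as an example; it is not the poster's code. The component in the post binds to AD successfully but never calls cfloginuser, so nothing is stored in the session, GetAuthUser() is still empty on the next request, and the cflogin body shows the form again on every click. The unconditional cflocation after login would also redirect the request for passmaint.cfm to itself once a user was logged in. Assumed, because the post does not state them: the role name "itstaff", a loginform.cfm that posts j_username and j_password, and ColdFusion 10 or later for SessionInvalidate(). The server name, domain prefix and base DN are the ones from the post.

```cfml
<cfcomponent output="false">
    <cfset This.name = "PassMaint">
    <cfset This.applicationTimeout = CreateTimeSpan(0, 0, 15, 0)>
    <cfset This.sessionManagement = true>
    <cfset This.sessionTimeout = CreateTimeSpan(0, 0, 15, 0)>
    <!--- keep the cflogin record in the session, not in a cookie the browser can edit --->
    <cfset This.loginStorage = "session">

    <cffunction name="onRequestStart" returnType="boolean" output="true">
        <cfargument name="targetPage" type="string" required="true">

        <!--- explicit logout: drop the cflogin record and the whole session (CF10+ function) --->
        <cfif StructKeyExists(Form, "logout")>
            <cflogout>
            <cfset SessionInvalidate()>
            <cflocation url="loginform.cfm" addToken="false">
        </cfif>

        <!--- the body runs only while no user is logged in for this session --->
        <cflogin idleTimeout="900">
            <cfif NOT IsDefined("cflogin")>
                <!--- no j_username / j_password in this request: show the form and stop --->
                <cfinclude template="loginform.cfm">
                <cfabort>
            </cfif>

            <!--- only a plausible sAMAccountName goes into the bind string: a backslash or @
                  would change which domain "hhsc\" targets, and an empty password would
                  turn the bind into an anonymous one, which AD accepts --->
            <cfif NOT REFind("^[A-Za-z0-9._-]{1,64}$", cflogin.name) OR Len(cflogin.password) EQ 0>
                <cfoutput><h2>You must enter a valid User Name and a Password.</h2></cfoutput>
                <cfinclude template="loginform.cfm">
                <cfabort>
            </cfif>

            <cfset authenticated = false>
            <cftry>
                <!--- the bind with the user's own credentials is the authentication; a wrong
                      password throws. Nothing user-controlled is placed in an LDAP filter. --->
                <cfldap action="query"
                        name="LoginQuery"
                        attributes="sAMAccountName"
                        start="dc=hhsc,dc=org"
                        scope="subtree"
                        maxRows="1"
                        server="myserver"
                        username="hhsc\#cflogin.name#"
                        password="#cflogin.password#">
                <cfset authenticated = true>
                <cfcatch type="any">
                    <!--- keep the real reason server-side; the user gets a generic message --->
                    <cflog file="passmaint" type="warning"
                           text="AD bind failed for #cflogin.name# from #CGI.REMOTE_ADDR#: #cfcatch.message#">
                </cfcatch>
            </cftry>

            <cfif NOT authenticated>
                <cfoutput><h2>Your login information is not valid. Please try again.</h2></cfoutput>
                <cfinclude template="loginform.cfm">
                <cfabort>
            </cfif>

            <!--- the step the original omits: this is what makes GetAuthUser() non-empty
                  on later requests. "itstaff" is an assumed role name. --->
            <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="itstaff">
        </cflogin>

        <!--- no redirect here: once logged in, the requested page simply runs --->
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

loginform.cfm has to post fields named j_username and j_password, because those are what populate the cflogin structure. If its action is #CGI.SCRIPT_NAME#, the login request continues straight into the page the user originally asked for, which is what the cflocation in the original was trying to do.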
#5  Registered User, Devshed Newbie (joined Sep 2014)
    Never mind, got it working. Took a little simpler approach and defined session variables in Application.cfm instead of .cfc, set the session variable to true on successful login, then just did a check on each page in the directory for that variable being true, with a redirect to the login page if the variable was false.

    Not pretty or sophisticated but will work for what we need. Can make improvements down the road as I get better with this.

    Thanks
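The session-variable approach the last post describes, as an added example that is not the poster's code: Application.cfm turns on session management and defaults the flag to false, login.cfm binds to AD and sets the flag on success, and every other page is redirected to the form while the flag is false. Assumed names, since the post gives none: login.cfm, passmaint.cfm, form fields username and password, and ColdFusion 10 or later for SessionRotate(), SessionInvalidate() and EncodeForHTML(). The server and base DN are the ones from the earlier post. It departs from the post in one place: the check sits in Application.cfm instead of being pasted onto each page, so a page added later and never edited is still protected.

```cfml
<!--- Application.cfm: ColdFusion runs this before every request in the directory --->
<cfapplication name="PassMaint"
               sessionManagement="true"
               sessionTimeout="#CreateTimeSpan(0, 0, 15, 0)#"
               applicationTimeout="#CreateTimeSpan(0, 0, 15, 0)#">

<!--- a fresh session starts logged out --->
<cfparam name="Session.isLoggedIn" default="false">
<cfparam name="Session.userName" default="">

<!--- logout: throw the whole session away, then send the user to the form --->
<cfif StructKeyExists(Form, "logout") OR StructKeyExists(URL, "logout")>
    <cfset SessionInvalidate()>
    <cflocation url="login.cfm" addToken="false">
</cfif>

<!--- the gate: every page except login.cfm itself requires the flag. cflocation ends
      the request, so nothing below it on the requested page ever runs. --->
<cfif NOT Session.isLoggedIn AND ListLast(CGI.SCRIPT_NAME, "/") NEQ "login.cfm">
    <cflocation url="login.cfm" addToken="false">
</cfif>


<!--- login.cfm: shows the form and, on POST, binds to AD with the submitted credentials --->
<cfset isPost = StructKeyExists(Form, "username")>
<cfparam name="Form.username" default="">
<cfparam name="Form.password" default="">
<cfset loginError = "">
<cfset authenticated = false>

<cfif isPost>
    <!--- only a plausible sAMAccountName is allowed into the bind string: a backslash
          or @ would change which domain "hhsc\" targets, and an empty password would
          make the bind anonymous, which AD accepts --->
    <cfif NOT REFind("^[A-Za-z0-9._-]{1,64}$", Form.username) OR Len(Form.password) EQ 0>
        <cfset loginError = "Enter a valid user name and a password.">
    <cfelse>
        <cftry>
            <!--- the bind with the user's own credentials is the authentication --->
            <cfldap action="query"
                    name="LoginQuery"
                    attributes="sAMAccountName"
                    start="dc=hhsc,dc=org"
                    scope="subtree"
                    maxRows="1"
                    server="myserver"
                    username="hhsc\#Form.username#"
                    password="#Form.password#">
            <cfset authenticated = true>
            <cfcatch type="any">
                <cflog file="passmaint" type="warning"
                       text="AD bind failed for #Form.username# from #CGI.REMOTE_ADDR#: #cfcatch.message#">
                <cfset loginError = "Your login information is not valid. Please try again.">
            </cfcatch>
        </cftry>
    </cfif>
</cfif>

<cfif authenticated>
    <!--- issue a new session id before trusting the session, so an id planted in the
          browser before login (session fixation) is worthless afterwards --->
    <cfset SessionRotate()>
    <cfset Session.isLoggedIn = true>
    <cfset Session.userName = Form.username>
    <cflocation url="passmaint.cfm" addToken="false">
</cfif>

<cfoutput>
<cfif Len(loginError)><h2>#EncodeForHTML(loginError)#</h2></cfif>
<form method="post" action="login.cfm">
    User Name: <input type="text" name="username" value="#EncodeForHTMLAttribute(Form.username)#"><br>
    Password: <input type="password" name="password" autocomplete="off"><br>
    <input type="submit" value="Log in">
</form>
</cfoutput>
```

If you prefer the per-page check exactly as the post describes it, the gate is the same cfif/cflocation pair placed at the top of each page; the cost is that one forgotten page is one unprotected page.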
