Page 2 - Problem with locking down a directory for log in using cfc

Oh I'm familiar with the ProxyApplication.cfc approach, I just don't see why you're using it in this situation instead of just extending the root Application.cfc. The ProxyApplication is only needed if you don't have control of the server and can't create a mapping to the application root. Maybe you fall into this category and it just hasn't come up yet in our discussion.

To answer your question, the reason the user never logs out is because as soon as you clear the session, on the next request your OnSessionStart method runs and re-sets their session data from the cookie variables containing the ID and token. You'd need to destroy these cookies in addition to clearing the session scope when the user logs out.

Another option is to set up something like session.isLoggedIn and set this to false by default. When they log in, set it to true. When they log out, set it back to false. Then, use session.isLoggedIn to test whether the user can access to folder to redirect them to the login page. This avoids having to clear the session scope as well as needing to destroy the cookies.

No I don't have control of the server. (Wish I did, would make life easier) So I am not able to create mappings.

So I need to re write more of the code on my log in to do what you are suggesting? Correct?

Can you show me what I need to tweek? is it only in my application.cfc file or do I need to change my log-in.cfm code as well? (That code is posted on an earlier post and hasn't changed)

Now you understand why I have to do such coding gymnastics. Not hap hazzardly going through, trying to find ways around obsticals that would be easy for me to put into another site if needed.

Thanks for the help so far, I do a lot of reading when I get into a spot, sitting here with my book as well. Just get frustrated sometimes. Being the only programmer here... makes me go to message boards to bounce ideas off others and figure things out. (Know what I mean?)

I'd try something like this since I see you're already setting a session flag called IsValidUser when the user logs in:

<cfcomponent output="false" extends="ProxyApplication">

<cffunction name="onSessionStart" returntype="any" output="true">
<cfset session.isValidUser = false />
<cfif IsDefined("COOKIE.CFID") AND IsDefined("COOKIE.CFTOKEN")>
<cfset cfid_local = COOKIE.CFID>
<cfset cftoken_local = COOKIE.CFTOKEN>
<cfcookie NAME="CFID" VALUE="#cfid_local#">
<cfcookie NAME="CFTOKEN" VALUE="#cftoken_local#">
</cfif>
<cfif NOT session.isValidUser>
<cflocation url="../sitemanager.cfm" addtoken="yes">
</cfif>
</cffunction>

</cfcomponent>

Here is my "log out" code:
<cfset session.isValidUser = false />
<cflocation url="sitemanager.cfm" addtoken="No">

That didn't work Still keeps my session alive. the log in and so on is good still, but it doesn't shut down the session yet. Any other ideas? I trying some here as well, none have worked yet.

Try moving the logic that handles copying the cookies into the session and checking for the session login flag into the OnRequestStart method. I see now the problem is that your logic that redirects the user back to the login screen only runs one time, as session start. Try something like:

<cffunction name="OnRequestStart">
<cfset super.onRequestStart() />
<cfif IsDefined("COOKIE.CFID") AND IsDefined("COOKIE.CFTOKEN")>
<cfset cfid_local = COOKIE.CFID>
<cfset cftoken_local = COOKIE.CFTOKEN>
<cfcookie NAME="CFID" VALUE="#cfid_local#">
<cfcookie NAME="CFTOKEN" VALUE="#cftoken_local#">
</cfif>
<cfif NOT session.isValidUser>
<cflocation url="../sitemanager.cfm" addtoken="yes">
</cfif>
</cffunction>

It throws an error.

Element ISVALIDUSER is undefined in SESSION.


The error occurred in C:\Websites\4npp8b\admin\Application.cfc: line 23

21 : <cfcookie NAME="CFTOKEN" VALUE="#cftoken_local#">
22 : </cfif>
23 : <cfif NOT session.isValidUser>
24 : <cflocation url="../sitemanager.cfm" addtoken="yes">
25 : </cfif>

Try:

<cfif not StructKeyExists(session, 'isValidUser') or not session.isValidUser>
...redirect....
</cfif>

It works! Thank you!

Ok, one last problem on this and it is all good.
On the log in page I have code that tells if you enter the wrong username and or password if your kicked back to the log in, it isn't working either. I made some changes trying to get it to work. Let me post the changes I made:

Sitemanager.cfm:

<cfparam name="myLogin" default="">
<cfif isDefined("url.login") and len(trim(url.login)) AND isDefined("url.IsValidUser") and url.IsValidUser>
<cfset myLogin = trim(url.login)>
</cfif>
<head>
</head>
<body>
<cfif len(triM(myLogin))>
Please enter a valid password
<cfelseif isDefined("URL.IsValidUser") AND url.IsValidUser eq 0>
Invalid Login/Password.
</cfif>
<!--- from here on works, it is the form and the you are logged in link --->

<cfif #IsDefined("SESSION.user.firstname")#>
<a href="admin/index.cfm" class="navA">You are logged in</a>
</cfif>
<cfform action="login_action.cfm" method="post" name="form">
<!--- form inputs go here --->
</cfform>
</body>

The code on the top of this page and b4 the form isn't working accept the link that says, you are logged in, that one is working.

I made changes to the log in page, here it is incase it makes a difference:

<cfquery NAME="IsValidUser" datasource="myDB">
SELECT user.id, user.Fname, user.Lname
FROM user
WHERE userName =<cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.Login#">
AND password =<cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.Pwd#">
</cfquery>
<cfif IsValidUser.RecordCount>
<cflock scope="Session" type="EXCLUSIVE" TIMEOUT="20">
<cfset session.IsValidUser=true>
<cfset SESSION.user.firstname = IsValidUser.Fname>
<cfset SESSION.user.lastname = IsValidUser.Lname>
</cflock>
<!--- query to update the user login information --->
<cfquery name="updateLoginInfo" datasource="myDB">
UPDATE user SET
lastLogin = #CreateOdbcDateTime(now())#,
hits = hits+1
WHERE ID = #val(IsValidUser.Id)#
</cfquery>
<cflocation url="admin/index.cfm" addtoken="no">
<cfelse>
<cflocation url="sitemanager.cfm?login=#form.login#&IsValidUser=#IsValidUser.recordCount#&isValidUser=#isValidUser.recordCount#" addtoken="no">
</cfif>

One other question, how would I put the 2nd query into a <cfqueryparam>? Not sure of the syntax for date/time yet.

The code on teh sitemanager.cfm is the only code not working. the rest is good. Thanks again!

The code that displays the error messages is looking for URL variables like url.isValidUser and url.login. Are those being passed to the sitemanager.cfm page in the URL? In other words, when you log in incorrectly and you get to the sitemanager.cfm file where you expect to see the error messages, do you see these values in the URL?

This is what I get in the url. (I believe the message is showing up in the url).

This is the url when I just try and get into the admin area without logging in:
http://0.0.0.0/sitemanager.cfm?CFID=4047875&CFTOKEN=37624176

This is the url when I try and log in with the wrong info:
http://0.0.0.0/sitemanager.cfm?login=john&IsValidUser=0&isValidUser=0

Those are what show up in the address bar if you don't log in properly. It used to trigger the text on the sitemanager.cfm, but cf-8 seems to have changed those rules.

Your problem seems to be that you're using & instead of just & in the cflocation, try changing it to

<cflocation url="sitemanager.cfm?login=#form.login#&IsValidUser=#IsValidUser.recordCount#&isValidUser=#isValidUser.re cordCount#" addtoken="no">

It throws this error:
cannot convert the value "0,0" to a boolean


The error occurred in C:\Websites\4npp8b\sitemanager.cfm: line 4

2 :
3 : <cfparam name="myLogin" default="">
4 : <cfif isDefined("url.login") and len(trim(url.login)) AND isDefined("url.IsValidUser") and url.IsValidUser>
5 : <cfset myLogin = trim(url.login)>
6 : </cfif>

Sitemanager code is causing the problem now.

You're passing isValidUser twice in the URL so it's coming through as a list. Remove one of them.

Not to be too critical, but if you would have dumped the URL scope as I recommended, you would have seen that the value is there twice.

That works now. (Sorry about dumping the url, missed that in your message.) is there a way to make this last string work?

<cfif len(triM(myLogin))>

This sets off if someone tries to go directly to the admin and doesn't enter username and password. this is the code in the url: http://0.0.0.0/sitemanager.cfm?CFID=4047875&CFTOKEN=37624176
Do I set it off from cftoken?