#1
Problem with locking down a directory for log in using cfc
Hello;
I am using a log in I wrote and works nice in CF 5 and 6. Now I am trying to use it in a site on a cf 8 server and it doesn't work. The directory isn't locking down, and the log in doesn't log me in, it kicks me out back to the log in page. It is the application.cfc file in the directory I am trying to lock down that is doing it. There are 2 application.cfc files in this site, one is in the main directory, that works nice, and this one in the admin directory that is not working properly. I can't figure it out, can someone help me? Here is my code for all the pages:

sitemanager.cfm

```cfm
<cfparam name="myLogin" default="">
<cfif isDefined("url.login") and len(trim(url.login)) AND isDefined("url.IsValidLogin") and url.IsValidLogin>
    <cfset myLogin = trim(url.login)>
</cfif>
<head>
</head>
<body onLoad="document.form.Login.focus();">
<cfif len(triM(myLogin))>
    Please enter a valid password
<cfelseif isDefined("URL.IsValidUser") AND url.IsValidUser eq 0>
    Invalid Login/Password.
</cfif>
<cfif #IsDefined("SESSION.user.firstname")#>
    <a href="admin/index.cfm" class="navA">You are logged in</a>
</cfif>
<cfform action="login_action.cfm" method="post" name="form">
    <cfinput type="Text" name="Login" size="12" class="textInputs" value="#myLogin#" required="yes" message="Please enter a user name for access" maxlength="100">
    <cfinput type="Password" name="Pwd" class="textInputs" required="yes" message="Please enter a password for access" size="12" maxlength="20">
    <input name="Submit" value="Login" type="image" style="cursor:Hand;" title="Submit Form" onMouseDown="javascript:this.src='img/admin/submitA.gif';" onMouseOver="javascript:this.src='img/admin/submitB.gif';" onMouseOut="javascript:this.src='img/admin/submitA.gif';" src="img/admin/submitA.gif" width="159" height="32" border="0" alt="Log into Site Manager">
</cfform>
```

login_action.cfm

```cfm
<cfquery NAME="IsValidLogin" datasource="myDB">
    SELECT user.Fname, user.Lname
    FROM user
    WHERE userName = '#FORM.Login#'
</cfquery>
<cfquery NAME="IsValidUser" datasource="myDB">
    SELECT user.id, user.Fname, user.Lname
    FROM user
    WHERE userName = '#FORM.Login#'
    AND password = '#FORM.Pwd#'
</cfquery>
<cfif IsValidUser.RecordCount>
    <cflock scope="Session" type="EXCLUSIVE" TIMEOUT="20">
        <cfset session.IsValidUser=true>
        <cfset SESSION.user.firstname = IsValidLogin.Fname>
        <cfset SESSION.user.lastname = IsValidLogin.Lname>
    </cflock>
    <cfquery name="updateLoginInfo" datasource="myDB">
        UPDATE user
        SET lastLogin = #CreateOdbcDateTime(now())#,
            hits = hits+1
        WHERE ID = #val(IsValidUser.Id)#
    </cfquery>
    <cflocation url="admin/index.cfm" addtoken="no">
<cfelse>
    <cflocation url="sitemanager.cfm?login=#form.login#&isValidLogin=#isValidLogin.recordCount#&isValidUser=#isValidUser.recordCount#" addtoken="no">
</cfif>
```

Application.cfc (In protected directory)

```cfm
<cfcomponent output="false">
    <cfset this.name="mySite">
    <cfset this.sessionmanagement=true>
    <cffunction name="onApplicationStart" returntype="void" output="false">
        <cfset request.datasource = "myDB">
        <cfset APPLICATION.companyname = "myCompany">
    </cffunction>
    <cffunction name="onRequestStart" output="false" returntype="void">
        <cfif NOT IsDefined("SESSION.user.firstname")>
            <cflocation url="../sitemanager.cfm" addtoken="yes">
        </cfif>
        <cfif IsDefined("COOKIE.CFID") AND IsDefined("COOKIE.CFTOKEN")>
            <cfset cfid_local = COOKIE.CFID>
            <cfset cftoken_local = COOKIE.CFTOKEN>
            <cfcookie NAME="CFID" VALUE="#cfid_local#">
            <cfcookie NAME="CFTOKEN" VALUE="#cftoken_local#">
        </cfif>
    </cffunction>
</cfcomponent>
```

Just for kicks, here is the code from the main application.cfc file in the main directory:

Main Application.cfc:

```cfm
<cfcomponent output="false">
    <cfscript>
        THIS.name = "myName";
        THIS.sessionManagement="yes";
        THIS.clientManagement=true;
        THIS.applicationTimeout = createTimeSpan(0,0,20,0);
        THIS.sessionTimeout = createTimeSpan(0,0,20,0);
        THIS.setClientCookies = 1;
        THIS.setDomainCookies = 1;
        THIS.scriptProtect = "All";
    </cfscript>
    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <cfset APPLICATION.appStarted = now()>
        <cfset APPLICATION.dataSource = "myDB">
        <cfset APPLICATION.companyName = "myCompany">
        <cfreturn true>
    </cffunction>
    <cffunction name="onSessionStart" returntype="any" output="true">
        <cfquery name="tracking" datasource="myDB" dbtype="ODBC">
            INSERT INTO tracking (
                REMOTE_ADDR, HTTP_USER_AGENT, TRACK_DATE, PATH_INFO)
            VALUES(
                <cfqueryparam value="#CGI.REMOTE_ADDR#" cfsqltype="CF_SQL_VARCHAR">,
                <cfqueryparam value="#CGI.HTTP_USER_AGENT#" cfsqltype="CF_SQL_VARCHAR">,
                <cfqueryparam value="#Now()#" cfsqltype="CF_SQL_TIMESTAMP">,
                <cfqueryparam value="#PATH_INFO#" cfsqltype="CF_SQL_LONGVARCHAR">
            )
        </cfquery>
    </cffunction>
    <cffunction name="onApplicationEnd" returntype="void" output="false">
        <cfargument name="appScope" required="True">
        <cflog file="#THIS.name#" text="App ended after #dateDiff('n' , ARGUMENTS.appscope.appStarted,now())# minutes.">
    </cffunction>
    <cffunction name="onRequestStart" returntype="boolean" output="true">
        <cfset request.datasource = "myDB">
        <cfset sitePath = "http://www.mysite">
        <!--- Session-Tracker Code --->
        <cfset SessionTimeout = CreateTimespan(0,0,30,0)>
        <cflock name="#THIS.name#" type="Exclusive" timeout="20" throwontimeout="Yes">
            <!--- If Session-Tracker does not exist, generate it --->
            <cfparam name="APPLICATION.SessionTracker" default=#StructNew()#>
            <!--- Log current user --->
            <cfset dummy = StructInsert(APPLICATION.SessionTracker, CGI.REMOTE_ADDR, Now(), true)>
        </cflock>
    </cffunction>
</cfcomponent>
```

Can anyone help me out? I don't understand why the directory won't lock down and the log in won't work properly. Thank you.

CodeMonger
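
The two lookups in login_action.cfm above build their SQL by placing FORM.Login and FORM.Pwd directly into the statement text. The same page with the values bound through cfqueryparam (the tag the main Application.cfc's tracking query already uses) is shown here as an added example, not the poster's code; it keeps the table, column and datasource names from the post and assumes user.id is an integer column.

```cfm
<!--- login_action.cfm, added example: same lookup as the post, with bound parameters --->
<cfparam name="FORM.Login" default="">
<cfparam name="FORM.Pwd" default="">

<!--- One query instead of two. The form values travel as parameters,
      so quotes or SQL keywords in them cannot change the statement.
      How the password is stored and compared is unchanged from the post. --->
<cfquery name="IsValidUser" datasource="myDB">
    SELECT user.id, user.Fname, user.Lname
    FROM user
    WHERE userName = <cfqueryparam value="#FORM.Login#" cfsqltype="CF_SQL_VARCHAR">
      AND password = <cfqueryparam value="#FORM.Pwd#" cfsqltype="CF_SQL_VARCHAR">
</cfquery>

<cfif IsValidUser.RecordCount EQ 1>
    <cflock scope="Session" type="EXCLUSIVE" timeout="20">
        <cfset SESSION.IsValidUser = true>
        <cfset SESSION.user.firstname = IsValidUser.Fname>
        <cfset SESSION.user.lastname = IsValidUser.Lname>
    </cflock>

    <!--- Assumption: id is an integer column --->
    <cfquery name="updateLoginInfo" datasource="myDB">
        UPDATE user
        SET lastLogin = <cfqueryparam value="#Now()#" cfsqltype="CF_SQL_TIMESTAMP">,
            hits = hits + 1
        WHERE id = <cfqueryparam value="#IsValidUser.id#" cfsqltype="CF_SQL_INTEGER">
    </cfquery>

    <cflocation url="admin/index.cfm" addtoken="no">
<cfelse>
    <!--- One generic failure signal: the redirect no longer echoes the submitted
          login or reports whether the user name alone matched a row.
          sitemanager.cfm shows "Invalid Login/Password." for isValidUser=0. --->
    <cflocation url="sitemanager.cfm?isValidUser=0" addtoken="no">
</cfif>
```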
#2
You haven't actually said what the problem is. Does it error? Does it do nothing?
My advice would be to trim this down to the smallest example you can create that demonstrates the problem and post that up. What you've posted here is just too much for me to take the time to wade through, but if you can create a small example I'd be happy to try to look at it.
#3
Also very quickly, keep in mind that the Application.cfc in your protected directory runs INSTEAD of the Application.cfc in your root folder. You would need to extend the root CFC and call super.onRequestStart(argumentCollection=arguments) in your protected folder's Application.cfc in order to run the code in the onRequestStart method of the root component if that is what you're trying to do.
#4
Quote:
Ok. bottom line is this, it doesn't lock down the directory I am trying to pass protect, and if I log in, it just kicks me back to the log in form. The problem is on my application.cfc file. I don't know what I did wrong on it and why it isn't processing the information properly and also locking down the directory. Here is just the application.cfc file that is causing the problem.

```cfm
<cfcomponent output="false">
    <cfset this.name="mySite">
    <cfset this.sessionmanagement=true>
    <cffunction name="onApplicationStart" returntype="void" output="false">
        <cfset request.datasource = "myDB">
        <cfset APPLICATION.companyname = "myCompany">
    </cffunction>
    <cffunction name="onRequestStart" output="false" returntype="void">
        <cfif NOT IsDefined("SESSION.user.firstname")>
            <cflocation url="../sitemanager.cfm" addtoken="yes">
        </cfif>
        <cfif IsDefined("COOKIE.CFID") AND IsDefined("COOKIE.CFTOKEN")>
            <cfset cfid_local = COOKIE.CFID>
            <cfset cftoken_local = COOKIE.CFTOKEN>
            <cfcookie NAME="CFID" VALUE="#cfid_local#">
            <cfcookie NAME="CFTOKEN" VALUE="#cftoken_local#">
        </cfif>
    </cffunction>
</cfcomponent>
```

The rest of the code works on cf 5 - 7, now that I am trying to make a cfc file out of the old application.cfm file that used to work.. it is causing problems. Thanks
#5
Well you have two different names in these components, so they are not sharing the same application or session scope. So if you set a session variable in the root application, it will never be visible to the subdirectory because it has a different session scope. Try giving them the same name and see if that helps.
However, even if that does work, I'd recommend that you simply extend the root Application component from the Application.cfc in the subfolder, and only override the one method that you are concerned with (onRequestStart). i.e.

```cfm
<cfcomponent extends="path.to.root.Application">
    <cffunction name="onRequestStart" output="false" returntype="void">
        <cfif NOT IsDefined("SESSION.user.firstname")>
            <cflocation url="../sitemanager.cfm" addtoken="yes">
        </cfif>
        <cfif IsDefined("COOKIE.CFID") AND IsDefined("COOKIE.CFTOKEN")>
            <cfset cfid_local = COOKIE.CFID>
            <cfset cftoken_local = COOKIE.CFTOKEN>
            <cfcookie NAME="CFID" VALUE="#cfid_local#">
            <cfcookie NAME="CFTOKEN" VALUE="#cftoken_local#">
        </cfif>
    </cffunction>
</cfcomponent>
```
#6
Quote:
I took this code you pasted, tweaked it a little and it throws an error:

```
Could not find the ColdFusion Component or Interface path.to.root.Application.
Ensure that the name is correct and that the component or interface exists.
```

Resources: I was reading about extending the application.cfc to this directory. What could be wrong? I even changed the line using, path.to.root.Application to path.to.root.myAppname and it still threw an error.
#7
You need to specify the actual path to the target component. I just put "path.to.root" in assuming that you'd replace it with the correct path. This is a dot-delimited path from your web root to the target component.
#8
Quote:
Ok, I did some reading and fixed it up. Now my directory is locked down, but when I try and log in, it just kicks me out back to the sitemanager.cfm file, my log in page. Any idea what I did wrong?

```cfm
<cfcomponent output="false" extends="ProxyApplication">
    <cffunction name="onRequestStart" returnType="void" output="false">
    </cffunction>
    <cffunction name="onRequest" returnType="void">
        <cfif NOT IsDefined("SESSION.user.firstname")>
            <cflocation url="../sitemanager.cfm" addtoken="yes">
        </cfif>
        <cfif IsDefined("COOKIE.CFID") AND IsDefined("COOKIE.CFTOKEN")>
            <cfset cfid_local = COOKIE.CFID>
            <cfset cftoken_local = COOKIE.CFTOKEN>
            <cfcookie NAME="CFID" VALUE="#cfid_local#">
            <cfcookie NAME="CFTOKEN" VALUE="#cftoken_local#">
        </cfif>
    </cffunction>
    <cffunction name="onRequestEnd" returnType="void" output="true">
    </cffunction>
</cfcomponent>
```

I read that writing it this way bypasses some of the main application.cfc code and allows you to run it separately, and still uses parts not overridden. I had to create ProxyApplication.cfc to do it with this code on it:

```cfm
<cfcomponent extends="Application">
</cfcomponent>
```
#9
You're still not sharing the same session and application scope between these two components. You need to actually extend the root Application.cfc in the Application.cfc in your subfolder, so that the two share the same application name and thus the same session scope.
So if your site looks like this:

```
/wwwroot/mysite
/wwwroot/mysite/Application.cfc
/wwwroot/mysite/secured
/wwwroot/mysite/secured/Application.cfc
```

Then the Application.cfc in the secured directory would use an extends that says extends="mysite.Application" (Extends doesn't need the .cfc extension in it, this is implicit. It does, however, need a dot-delimited path from your web root to the component that you want to extend.)
#10
Quote:
Hold on! I got it throwing errors on session now! I tweaked it up and now it's going for my session name. This is what I did to my code:

Main Application.cfc

```cfm
<cfcomponent output="false">
    <cfscript>
        APPLICATION.name = "myAPP";
        APPLICATION.sessionManagement="yes";
        APPLICATION.clientManagement=true;
        APPLICATION.applicationTimeout = createTimeSpan(0,0,20,0);
        APPLICATION.sessionTimeout = createTimeSpan(0,0,20,0);
        APPLICATION.setClientCookies = 1;
        APPLICATION.setDomainCookies = 1;
        APPLICATION.scriptProtect = "All";
    </cfscript>
    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <cfset APPLICATION.appStarted = now()>
        <cfset APPLICATION.dataSource = "myDB">
        <cfset APPLICATION.companyName = "myCompany">
        <cfreturn true>
    </cffunction>
    <cffunction name="onSessionStart" returntype="any" output="true">
        <cfquery name="tracking" datasource="myDB" dbtype="ODBC">
            INSERT INTO tracking (
                REMOTE_ADDR, HTTP_USER_AGENT, TRACK_DATE, PATH_INFO)
            VALUES(
                <cfqueryparam value="#CGI.REMOTE_ADDR#" cfsqltype="CF_SQL_VARCHAR">,
                <cfqueryparam value="#CGI.HTTP_USER_AGENT#" cfsqltype="CF_SQL_VARCHAR">,
                <cfqueryparam value="#Now()#" cfsqltype="CF_SQL_TIMESTAMP">,
                <cfqueryparam value="#PATH_INFO#" cfsqltype="CF_SQL_LONGVARCHAR">
            )
        </cfquery>
    </cffunction>
    <cffunction name="onApplicationEnd" returntype="void" output="false">
        <cfargument name="appScope" required="True">
        <cflog file="#THIS.name#" text="App ended after #dateDiff('n' , ARGUMENTS.appscope.appStarted,now())# minutes.">
    </cffunction>
    <cffunction name="onRequestStart" returntype="boolean" output="true">
        <cfset request.datasource = "myDB">
        <cfset sitePath = "http://myWeb">
        <cfset sitePath = "http://myWeb/Application.cfc">
        <cfset sitePath = "http://myWeb/admin">
        <cfset sitePath = "http://myWeb/admin/Application.cfc">
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

ProxyApplication.cfc

```cfm
<cfcomponent extends="Application">
</cfcomponent>
```

Secure Directory Application.cfc

```cfm
<cfcomponent output="false" extends="ProxyApplication">
    <cffunction name="onRequestStart" returnType="void" output="false">
    </cffunction>
    <cfif NOT IsDefined("SESSION.user.firstname")>
        <cflocation url="../sitemanager.cfm" addtoken="yes">
    </cfif>
    <cffunction name="onRequest" returntype="void">
        <cfif IsDefined("COOKIE.CFID") AND IsDefined("COOKIE.CFTOKEN")>
            <cfset cfid_local = COOKIE.CFID>
            <cfset cftoken_local = COOKIE.CFTOKEN>
            <cfcookie NAME="CFID" VALUE="#cfid_local#">
            <cfcookie NAME="CFTOKEN" VALUE="#cftoken_local#">
        </cfif>
    </cffunction>
    <cffunction name="onRequestEnd" returnType="void" output="true">
    </cffunction>
</cfcomponent>
```

Now it is throwing an error from my log in code. Here is the log in code:

```cfm
<cfquery NAME="IsValidLogin" datasource="myDB">
    SELECT user.Fname, user.Lname
    FROM user
    WHERE userName = '#FORM.Login#'
</cfquery>
<cfquery NAME="IsValidUser" datasource="myDB">
    SELECT user.id, user.Fname, user.Lname
    FROM user
    WHERE userName = '#FORM.Login#'
    AND password = '#FORM.Pwd#'
</cfquery>
<cfif IsValidUser.RecordCount>
    <cflock scope="Session" type="EXCLUSIVE" TIMEOUT="20">
        <cfset session.IsValidUser=true>
        <cfset SESSION.user.firstname = IsValidLogin.Fname>
        <cfset SESSION.user.lastname = IsValidLogin.Lname>
    </cflock>
    <!--- query to update the user login information --->
    <cfquery name="updateLoginInfo" datasource="myDB">
        UPDATE user
        SET lastLogin = #CreateOdbcDateTime(now())#,
            hits = hits+1
        WHERE ID = #val(IsValidUser.Id)#
    </cfquery>
    <cflocation url="admin/index.cfm" addtoken="no">
<cfelse>
    <cflocation url="sitemanager.cfm?login=#form.login#&isValidLogin=#isValidLogin.recordCount#&isValidUser=#isValidUser.recordCount#" addtoken="no">
</cfif>
```

This is my error now:

```
Cannot lock Session scope.
Cannot use cflock to lock the application or session shared scopes without these scopes being established through the use of the cfapplication tag. To use the session scope you need to enable session management. Application and/or Session variables must also be enabled in the ColdFusion Administrator.

The error occurred in C:\Websites\4npp8b\login_action.cfm: line 13

11 : </cfquery>
12 : <cfif IsValidUser.RecordCount>
13 : <cflock scope="Session" type="EXCLUSIVE" TIMEOUT="20">
14 : <cfset session.IsValidUser=true>
15 : <cfset SESSION.user.firstname = IsValidLogin.Fname>
```

This is where I am kind of lost. What do I need to fix on my main application.cfc to make this session work? (and how do I fix it?) I believe that is what it is looking for.

Last edited by codemonger : February 27th, 2008 at 08:46 AM.
#11
In Application.cfc, you don't set up the properties of the application using the application scope. You must use the THIS scope, i.e.:

```cfm
this.name = "myAPP";
```

Also, I still don't understand why you need the ProxyApplication.cfc, or how, if the secured folder's Application.cfc and ProxyApplication.cfc are in a subfolder of the root where the root Application.cfc is, how you're even getting anything in the root Application.cfc file to run when you do something in the subfolder. The subfolder's Application.cfc must extend the root Application.cfc or they will not be sharing any application or session variables.
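
The arrangement the replies above describe (settings in the THIS scope, the subfolder component extending the root one, and super.onRequestStart), put together as an added example that is not code from the thread. It assumes the /wwwroot/mysite layout from the earlier reply, with /wwwroot as the web root so the component path is mysite.Application; addtoken="no" is a choice made for this example.

```cfm
<!--- File 1: /wwwroot/mysite/Application.cfc (root component) --->
<cfcomponent output="false">
    <!--- Application settings belong in the THIS scope of the component,
          not in the APPLICATION scope --->
    <cfset THIS.name = "myAPP">
    <cfset THIS.sessionManagement = true>
    <cfset THIS.sessionTimeout = CreateTimeSpan(0,0,20,0)>
    <cfset THIS.applicationTimeout = CreateTimeSpan(0,0,20,0)>

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <cfset APPLICATION.dataSource = "myDB">
        <cfreturn true>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset REQUEST.datasource = "myDB">
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- File 2: /wwwroot/mysite/secured/Application.cfc
      Inherits THIS.name and THIS.sessionManagement from the root component,
      so it reads the same session that login_action.cfm in the root wrote to. --->
<cfcomponent output="false" extends="mysite.Application">
    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Run the root component's request setup first --->
        <cfset super.onRequestStart(argumentCollection=ARGUMENTS)>
        <!--- Gate every request to this folder on the login marker.
              addtoken="no" keeps CFID/CFTOKEN out of the redirect URL;
              the session cookies already carry them. --->
        <cfif NOT IsDefined("SESSION.user.firstname")>
            <cflocation url="../sitemanager.cfm" addtoken="no">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```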
#12
Quote:
No, the ProxyApplication.cfc file is in the web site root directory with the main Application.cfc file. All that communication is now working. The .cfc in the protected directory is actually sharing the resources with the main .cfc. Since I posted, I have gotten my error down to what exactly needs to be enabled. Here is my error now:

```
The requested scope session has not been enabled.
Before session variables can be used, the session state management system must be enabled using the cfapplication tag.

The error occurred in C:\Websites\4npp8b\admin\Application.cfc: line 8

6 :
7 : <cffunction name="onRequest" returntype="void">
8 : <cfif NOT IsDefined("SESSION.user.firstname")>
9 : <cflocation url="../sitemanager.cfm" addtoken="yes">
10 : </cfif>
```

Now my question is, what code do I add and where in my main .cfc file to enable this session? That seems to be my last hurdle. (I hope). If you need my code again, I can post it, but I think this error is pretty straightforward and my code hasn't changed with the session I am trying to use from my last posts, just the application settings.