New in ColdFusion MX, CFLOGIN gives you the ability to use built-in ColdFusion tags for your logins, instead of having to write a login framework yourself.
The CFLOGIN framework includes 5 new cfml tags and functions:
<cflogin> - Indicates that a page requires users to log in before proceeding.
<cfloginuser> - Once the user has provided a valid login, use this tag to tell ColdFusion the user is logged in.
GetAuthUser() - Once the user has logged in, you can use this function to retrieve the user's information.
IsUserInRole() - If you want different users to have different rights, you can use this function to determine what the user can access.
<cflogout> - If you want to provide a way for users to log out, use this tag.
For the purpose of this example, we are going to be securing our entire application. To do this, we will be using 3 cfml templates.
application.cfm - By using application.cfm, we will be providing security for our entire application. No matter what page on our site a user comes to, they will be prompted for a login. Once the user logs in they will be returned to the page they originally requested.
login.cfm - This is the login form the user will use to enter their username and password.
login_action.cfm - This is the page that will actually process the login using the CFLOGIN framework.
Application.cfm
To begin with, simply place the following lines of code in your existing application.cfm file, or create a new application.cfm file.
<cfapplication name="AppName"
               sessionmanagement="Yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">
<!--- Includes the login template to verify logins for every page. --->
<cfinclude template="login_action.cfm">
login_action.cfm

<!--- The Login Script below only executes if the user has not logged in yet. --->
<!--- Once the user has been logged in and verified via the <cflogin> script,
      the following code within the <cflogin> tags is ignored. --->
<!--- Begin Login Script --->
<cflogin idletimeout="1800">

  <!--- SETS the action page of the login form to whatever page the user was trying to go to.
        Since the login will actually be processed in the application.cfm file (or a template
        included in it), the FORM action is the page that will be loaded after the login
        has been completed. --->
  <!--- IF there IS NOT a Query String passed in the URL, only the requested page name is used. --->
  <cfif CGI.QUERY_STRING IS "">
    <cfset FormAction = CGI.SCRIPT_NAME>
  <!--- IF there IS a Query String passed in the URL, it is added to the requested page name. --->
  <cfelse>
    <cfset FormAction = "#CGI.SCRIPT_NAME#?#CGI.QUERY_STRING#">
  </cfif>

  <!--- IF the Username and Password are not present, the user has not logged in:
        the login form is displayed and all further processing stops. --->
  <cfif NOT (IsDefined("Form.Username") AND IsDefined("Form.Password"))>
    <cfinclude template="login.cfm">
    <cfabort>
  <!--- Else, if the username and password ARE present, the login is processed. --->
  <cfelse>
    <!--- Query gets the information from the database matching the login provided.
          DATASOURCE is a variable you set to the name of your own data source. --->
    <cfquery name="login" datasource="#DATASOURCE#">
      SELECT EmployeeID, FirstName, LastName, Role
      FROM Employees
      WHERE Username = <cfqueryparam value="#Form.Username#" cfsqltype="CF_SQL_VARCHAR">
        AND Password = <cfqueryparam value="#Form.Password#" cfsqltype="CF_SQL_VARCHAR">
    </cfquery>
    <!--- IF there was a matching login record, the user is logged in. --->
    <cfif login.RecordCount EQ 1>
      <cfloginuser name="#login.EmployeeID#, #login.FirstName# #login.LastName#"
                   password="#Form.Password#"
                   roles="#Trim(login.Role)#">
    <!--- IF there WAS NOT a matching record, an "Invalid Login" message is shown
          and the user is prompted to log in again. --->
    <cfelse>
      <!--- Creates the variable "Invalid" to instruct the login page to display the "Invalid Login" message. --->
      <cfset Invalid = "Yes">
      <cfinclude template="login.cfm">
      <cfabort>
    </cfif>
  </cfif>
</cflogin>

<!--- These SET statements take the value in the <cfloginuser> tag's "name" attribute and separate it
      into two separate variables (EmployeeID and EmployeeName) to be used throughout the application.
      These variables exist as long as the login session exists. Trim removes the space that
      follows the comma in the name value. --->
<cfset EmployeeID = ListFirst(GetAuthUser())>
<cfset EmployeeName = Trim(ListRest(GetAuthUser()))>
login.cfm

<!--- HTMLEditFormat escapes quotes and angle brackets, so a query string carried over
      from the requested URL cannot break out of the action attribute. --->
<form action="<cfoutput>#HTMLEditFormat(FormAction)#</cfoutput>" method="post">
  <!--- IF the variable "Invalid" is defined, the login provided was invalid and an error is shown. --->
  <cfif IsDefined("Invalid")>
    <cfif Invalid EQ "Yes">
      <h4 align="center"><font color="#FF0000">Invalid Login. Please Try Again.</font></h4>
    </cfif>
  </cfif>
  <!--- The field names must match the Form.Username and Form.Password checked in login_action.cfm. --->
  Username: <input type="text" name="Username"><br>
  Password: <input type="password" name="Password"><br>
  <input type="submit" value="Log In">
</form>
Notice in the <cfloginuser> tag (login_action.cfm) we assign a value to the "Roles" attribute. In our database, there is a specific role assigned to each user (Admin, Manager, Basic User, etc.). When we query the database for the login, we also get the role for that user. Once a role is assigned in the <cfloginuser> tag, we can then use the IsUserInRole() function to check for the user's role throughout our application.
<!--- Checks to make sure the user has permission to view this page. --->
<cfif IsUserInRole("Admin") OR IsUserInRole("Accounting")>
  ...You can view this page...
<cfelse>
  ...You can not view this page...
</cfif>
The Roles attribute of the <cfloginuser> tag is optional, so you don't have to assign roles if you don't want to.
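The check above only decides what to display. Where a whole page must be off limits, a deny-by-default gate at the top of the page that also records refused requests is the pattern a practitioner would want. The following requirerole.cfm is an added example, not code from the original article; RequiredRoles is an assumed variable holding a comma-separated list of acceptable roles, and the include name is hypothetical.

```cfml
<!--- requirerole.cfm (added example). Usage at the top of a protected page:
      <cfset RequiredRoles = "Admin,Accounting">
      <cfinclude template="requirerole.cfm">
      RequiredRoles is an assumed variable: a comma-separated list of roles,
      any one of which grants access. --->
<cfparam name="RequiredRoles" type="string">

<!--- Deny by default; only a matching IsUserInRole() flips this to true. --->
<cfset Authorized = false>
<cfloop list="#RequiredRoles#" index="ThisRole">
  <cfif IsUserInRole(Trim(ThisRole))>
    <cfset Authorized = true>
  </cfif>
</cfloop>

<cfif NOT Authorized>
  <!--- Record who was refused and where, so repeated attempts show up in the
        security log instead of disappearing silently. --->
  <cflog file="security" type="warning"
         text="Denied '#GetAuthUser()#' access to #CGI.SCRIPT_NAME# (requires one of: #RequiredRoles#)">
  <cfheader statuscode="403" statustext="Forbidden">
  <h4 align="center">You do not have permission to view this page.</h4>
  <!--- Stop here so nothing further on the protected page is rendered. --->
  <cfabort>
</cfif>
```

Because the include runs before any of the page's own output, a user outside the listed roles never receives the page body, not just a different message.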
As mentioned earlier, CFLOGIN also provides a built-in <cflogout> feature. This tag is extremely simple to use: <cflogout> is all there is to it. So if you want to have a log out feature for your site, just create a logout.cfm page and put <cflogout> in it, then provide a "logout" link pointing to that page.