I would like to know how to create a login area for different users

[Aleksander]

I want a 'login message' to pop up, with loginname and password (stored in a Access database). <br>And then they login to their own personal pages (stored in different directories).<br><br>Thanks <br>Aleksander<br><br>(I`m very new at this, so please describe as much as possible)

 

[DarkMan]

If you don't already have an Application.cfm page, create one and put this tag in it:<br><FONT FACE=monospace><b><br>&lt;CFAPPLICATION NAME=&quot;myapp&quot; CLIENTMANAGEMENT=&quot;Yes&quot; SESSIONMANAGEMENT=&quot;Yes&quot;&gt;<br></b></font><br><br>Make a login.cfm page, something like:<br><FONT FACE=monospace><b><br>&lt;cfparam name=&quot;action&quot; default=&quot;&quot;&gt;<br>&lt;html&gt;<br>&lt;head&gt;&lt;title&gt;Login&lt;/title&gt;&lt;/head&gt;<br>&lt;body&gt;<br>&lt;cfif action is &quot;login&quot;&gt;<br>&nbsp;&lt;cfquery name=&quot;checklogin&quot; datasource=&quot;mydb&quot;&gt;<br>&nbsp;&nbsp;select * from members<br>&nbsp;&nbsp;where username='#username#' and password='#password#'<br>&nbsp;&lt;/cfquery&gt;<br>&nbsp;&lt;cfif checklogin.recordcount&gt;<br>&nbsp;&nbsp;&lt;cfset session.logged=1&gt;<br>&nbsp;&nbsp;&lt;cfset session.username=form.username&gt;<br>&nbsp;&nbsp;&lt;cflocation url=&quot;homepage.cfm&quot; addtoken=&quot;yes&quot;&gt;<br>&nbsp;&lt;cfelse&gt;<br>&nbsp;&nbsp;We do not have a member with the information you provided.&lt;br&gt;<br>&nbsp;&nbsp;Please try again.<br>&nbsp;&lt;/cfif&gt;<br>&lt;/cfif&gt;<br><br>&lt;form action=&quot;login.cfm&quot; method=&quot;post&quot;&gt;<br>&nbsp;User Name&lt;input type=&quot;text&quot; name=&quot;username&quot;&gt;<br>&nbsp;Password&lt;input type=&quot;password&quot; name=&quot;password&quot;&gt;<br>&nbsp;&lt;input type=&quot;hidden&quot; name=&quot;action&quot; value=&quot;login&quot;&gt;<br>&nbsp;&lt;input type=&quot;submit&quot; value=&quot;Log In&quot;&gt;<br>&lt;/form&gt;<br><br>&lt;/body&gt;<br>&lt;/html&gt;<br></b></font><br>In order for your application to remember the login, you must either use cookies (not everyone has cookies turned on, so be careful with this) with SETCLIENTCOOKIES=&quot;yes&quot; in the cfapplication tag, or put &quot;?cfid=#cfid#&cftoken=#cftoken# at the end of all the links in all your pages...&nbsp;&nbsp;(remember to keep these surrounded by &lt;cfoutput&gt;&lt;/cfoutput&gt;..<br><br>At the beginning of all your password protected pages, put<br><FONT FACE=monospace><b><br>&lt;cfif not isdefined(&quot;session.logged&quot&gt;<br>&nbsp;&lt;cflocation url=&quot;login.cfm&quot;&gt;<br>&lt;/cfif&gt;<br></b></font><br>This will check to see if the user has logged in.&nbsp;&nbsp;If not, it'll redirect him to the log in page... <br><br>Hope this helps....

 

[Aleksander]

This looks great<br>Thanks DarkMan

 

[philcha]

Aleksander,

I,m sorry to disagree with Dark Man, whose advice is usually very good.

But putting login info in URLs is a bad idea, as an article in one of Allaire's tech forums explained a few months ago:
* if users save the page or bookmark it, they can evade you login procedure.
* then if they start passing the URL to their friends, you have a real problem.
* the author of the article I mentioned said his company's site put login info in URLs and it cost them money (lost revenue, I think).

You have 2 valid choices:
* keep login info in Session variables. As Dark Man says, you need to enable Session variables in your <CFAPPLICATION> tag. This is fine provided the site does not use clustered servers. Session variables are no good on clustered servers because the user might login on server A but the find himself talking to server B (e.g. if server A goes down). Server B won't know the logon info because it was in server A's memory.
* the solution for clustered servers is complicated and I suggest you read the article by Marc Funaro at

http://www.advantex.net/ColdFusion/CFClustering.htm

Fortunately it seems few sites use or plan to use clustered servers (but that was a few months ago - a long time on the Web). Check before committing yourself.

 

[DarkMan]

philcha,

I didn't say to put login info in the url, only the CFID and CFTOKEN, which you need to pass through to keep the session variables alive. (The application checks for #session.logged# (which is a 1 or a 0, not a username or password) to verify that the session is still alive, then uses other session variables containing any necessary info.

I normally keep the login info in a session variable. Once the session times out, or the session.logged variable changes, you'd still need to log in, even if you bookmarked any of the pages... Also, as with most of my examples, the above application is just a bare-bones sample of how to put a login together. Real-world applications should have error checking and usually would have much more complicated login procedures (I normally check for any user information I'll need during the session and write that stuff to session variables too to minimize further database calls.)

Sorry if there was any confusion in my previous post concerning this...

DM