
login loop - are session vars cookies or not?


megan123

Hi I am brand new to coldfusion and trying to create a login that is not authenticated by looking up a username and password - I mean the user logs in with whatever login name they want and are sent to the app but if they try to go to the app without LoggedIn = True, then they are sent back to the mainlogin.cfm page. The problem is that a user can never login - they just loop around - I found out that you cannot use cflocation with cookies and thought session vars are cookies, but a programmer on a mailing list insists session vars are NOT cookies but when I look here - some helpers say they are.

Anyway can someone look at my code and see where I am going wrong - I have tried and tried to fix this (including replacing cflocation with javascript) but still have the same problem.

here is the application.cfm code:

<CFSETTING ENABLECFOUTPUTONLY="Yes">
<CFAPPLICATION NAME="myapp" CLIENTMANAGEMENT="Yes"
SESSIONMANAGEMENT="Yes" SETCLIENTCOOKIES="Yes"
SESSIONTIMEOUT="#CreateTimeSpan(0, 0, 30, 0)#"
APPLICATIONTIMEOUT="#CreateTimeSpan(0, 0, 30, 0)#"
CLIENTSTORAGE="Registry">

<!--- Set the default session state to false so by default,
users are NOT logged into the application --->
<CFLOCK SCOPE="Session" TYPE="Exclusive" TIMEOUT="10">
<CFIF NOT IsDefined("Session.LoggedIn")>
<CFPARAM NAME="Session.LoggedIn" DEFAULT="False">
</CFIF>
</CFLOCK>

<!--- if the user isn't logged in or they aren't currently on the login
page, send them to the login page --->
<CFLOCK SCOPE="Session" TYPE="ReadOnly" TIMEOUT="10">
<CFIF Not FindNoCase("mainlogin.cfm", CGI.SCRIPT_NAME) AND Not FindNoCase("makeuser1.cfm", CGI.SCRIPT_NAME)>
<CFLOCATION URL="mainlogin.cfm" ADDTOKEN="No">
</CFIF>
</CFLOCK>

<!--- Reset the CFID and CFToken cookies to expire session and client
variables after the user's browser closes --->
<CFIF IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFToken")>
<CFCOOKIE NAME="CFID" VALUE="#Cookie.CFID#">
<CFCOOKIE NAME="CFToken" VALUE="#Cookie.CFToken#">
</CFIF>

<!--- check to see if the application has been initialized. If not,
set the necessary application variables and initialize the app
<CFLOCK SCOPE="Application" TYPE="Exclusive" TIMEOUT="10">
<CFIF NOT IsDefined('Application.Initialized')>
<CFSET Application.DSN = "chat1">
<CFSET Application.AdminEmail = "email@email.com">
<!--- Set the application.initialized variable to true so that this
block of code does not execute every time the Application.cfm
file is called --->
<CFSET Application.Initialized = TRUE>
</CFIF>
</CFLOCK>--->
<CFSETTING ENABLECFOUTPUTONLY="No">

here is the mainlogin.cfm code & form:

<cfif #parameterexists(client.user)# is "no">
<cfset client.user = "anonymous">
<cfset client.usercolor = "red">
</cfif>

<form action="makeuser1.cfm">

<font face="verdana, arial" size="2"><b>Your Current login is: </b></font>
<br><input type="text" name="user" size=25 value="<cfoutput>#client.user#</cfoutput>">

<select name="usercolor">
<option value="<cfoutput>#client.usercolor#</cfoutput>" selected>select color
<option value="black"> black
<option value="crimson"> scarlet
<option value="goldenrod"> gold
<option value="cornflowerblue"> blue
<option value="teal"> navy
<option value="deeppink"> pink
<option value="darkmagenta"> purple
<option value="limegreen"> green
<option value="darkgreen"> dark green
<option value="teal"> teal
</select></td></tr><td width="25%"> </td>

<td valign="top" nowrap> <font face="verdana, arial" size="2" color="aqua"><b>You
may change login above</b></font><br>
<font face="verdana, arial" size="2"> (one word, no spaces)</font>
<font face="verdana, arial" size="2"><b>or keep it.</b></font> <br>
</td>
<td valign="bottom" align="left">
<input type="submit" value="login" name="submit">
</td>
<td width="25%"> </td>
</tr></table></form>


here is the makeuser1.cfm code:

<!--- set Session.LoggedIn to True, logging the user in --->
<CFSET session.LoggedIn="TRUE">

<CFLOCK TIMEOUT="30" THROWONTIMEOUT="No" TYPE="EXCLUSIVE" SCOPE="SESSION">
<CFIF IsDefined("user")>
<CFSET client.user = #user#>
<CFSET client.usercolor = "#usercolor#">
</CFIF>

</CFLOCK>


<SCRIPT LANGUAGE="JavaScript">
<!--
location.replace("myapp.cfm");
//-->
</SCRIPT>

I hope someone will take pity and see if they can see what is wrong - I just cannot find it ~ Thanks, megan
 
A session variable is associated with a single client but persists only during a particular client session; it starts when a client makes a first template request, and lasts until whatever time is specified in the ColdFusion server (default is 20 min) after he has made the last request for an application template; session variables are defined by the CFID and CFTOKEN cookies and the application name provided in the cfapplication tag;
here is how it works: when a user connects to an application with session management enabled, ColdFusion determines whether the CFID and CFTOKEN cookies exist. if they do, then these variables are also set in the server's RAM, and all session variables are available for use to that client. if not, then ColdFusion sets new CFID and CFTOKEN for that client in both the server's RAM and with the client (using cookies) - in other words, ColdFusion did not recognize the client as an existing one.

therefore, if the client does not have cookies enabled, ColdFusion is not able to recognize the request that is being made by an existing client. one solution to avoid that conflict is to pass the URLToken variable from template to template with every link on the page;

so, here is your answer: session variables are NOT cookies, but need cookies in order to work properly...
Sylvano
dsylvano@hotmail.com
 
OK Thanks - that answers the first half of my question and jives with what the first person told me and makes sense, however I am still unable to find what is wrong with my code and why I keep looping around instead of being able to log in - it seems that Session.LoggedIn never gets set to "True" - any suggestions? Thanks, Megan
 
The login check script is only checking if the user isn't on one of the login pages, it's missing the check to see if the user is logged in:

<!--- if the user isn't logged in or they aren't currently
on the login page, send them to the login page --->

<CFLOCK SCOPE="Session" TYPE="ReadOnly" TIMEOUT="10">
<CFIF NOT Session.LoggedIn
AND Not FindNoCase("mainlogin.cfm", CGI.SCRIPT_NAME)
AND Not FindNoCase("makeuser1.cfm", CGI.SCRIPT_NAME)>

<CFLOCATION URL="mainlogin.cfm" ADDTOKEN="No">
</CFIF>
</CFLOCK>

- tleish
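
Added example (not part of the thread or of any poster's code): a small Python model of the two answers above, covering the CFID/CFTOKEN session lookup and the Application.cfm gate with and without the Session.LoggedIn check. The class and function names, the token values, and treating the JavaScript location.replace as a redirect are assumptions made for the model.

```python
import itertools

LOGIN_PAGES = ("mainlogin.cfm", "makeuser1.cfm")  # pages the gate exempts, as in the thread

class Server:
    """Toy model: sessions live in server memory, found via the CFID/CFTOKEN pair."""
    def __init__(self, check_logged_in):
        self.check_logged_in = check_logged_in  # False = original gate, True = corrected gate
        self.sessions = {}
        self._ids = itertools.count(1)

    def handle(self, page, cookies):
        key = (cookies.get("CFID"), cookies.get("CFTOKEN"))
        if key not in self.sessions:              # client not recognised: issue a new pair
            n = next(self._ids)
            key = (str(n), f"token{n}")           # constructed values
            self.sessions[key] = {"LoggedIn": False}
        session = self.sessions[key]
        set_cookies = {"CFID": key[0], "CFTOKEN": key[1]}
        on_login_page = any(p in page.lower() for p in LOGIN_PAGES)  # FindNoCase
        blocked = not on_login_page
        if self.check_logged_in:
            blocked = blocked and not session["LoggedIn"]
        if blocked:
            return "mainlogin.cfm", set_cookies   # CFLOCATION in Application.cfm
        if "makeuser1.cfm" in page.lower():
            session["LoggedIn"] = True
            return "myapp.cfm", set_cookies       # location.replace in makeuser1.cfm
        return None, set_cookies                  # page is rendered

def browse(server, cookies_enabled, max_hops=6):
    """Submit the login form, follow redirects, and return the pages visited."""
    jar, page, trail = {}, "makeuser1.cfm", []
    for _ in range(max_hops):
        trail.append(page)
        redirect, set_cookies = server.handle(page, jar)
        if cookies_enabled:
            jar.update(set_cookies)
        if redirect is None:
            break
        page = redirect
    return trail
```

With the original gate the trail ends back at mainlogin.cfm even though the session is logged in; with the corrected gate it ends at myapp.cfm, unless the client returns no cookies, in which case every request gets a fresh session and the login is lost.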
 
:D Thank You! :D Thank you! :D Thank you! :D - this is truly a case of not being able to see the problem because of being too close to it - I doubt I would have ever found it by myself - you have totally made my day!!! ~Megan
 