Make a variable available once a person is logged in

Status
Not open for further replies.

rmz8

Programmer
Aug 24, 2000
210
US
How do I make a variable available throughout an entire site once a person is logged in? For example, throughout the site, the UserName and Password values are used constantly to validate a user and in queries. However, right now I am passing the UserName and Password variables as URL parameters. This means that a user's Password is viewable. Is there any way I can make it so that once a user has logged in with a UserName and Password, those variables will be created with the values they entered and I can reference them? Can I use Application.cfm? I thought about passing them as hidden form values, but this is tough. Here is my login code (you can see how the UserName and Password form values are passed through the URL--and how every template references those URL values--is there any way to conceal them or reference them globally?):

==============================================

<html>
<head>
<title>ZEAL network's GATSBY: Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<script language="JavaScript">
<!--
function MM_openBrWindow(theURL,winName,features) { //v2.0
window.open(theURL,winName,features);
}
//-->
</script>
</head>

<body bgcolor="#FFFFFF">
<cfif isDefined("Form.UserName") AND isDefined("Form.Password")>
<cfset TimeOut = "#Now()#">
<!--- Bind the form values as parameters so they cannot alter the SQL --->
<cfquery datasource="LHS" name="Check">
SELECT * FROM users
WHERE UserName = <cfqueryparam value="#Form.UserName#" cfsqltype="CF_SQL_VARCHAR">
AND Password = <cfqueryparam value="#Form.Password#" cfsqltype="CF_SQL_VARCHAR">
</cfquery>
<cfif #Check.RecordCount# IS 0>
<!--- If we have an invalid request --->
<cfinclude template="includes/header.html">
<H4><FONT FACE="Arial, Helvetica, sans-serif">Sorry, the UserName and/or Password
combination you have entered is not correct. Please <A HREF="javascript:history.go(-1)">go
back and try again</A> or <A HREF="tools/send_password/index.cfm">have your
password e-mailed to you</A>.</FONT></H4>
<cfinclude template="includes/footer.html">
<cfelse>
<!--- Or there must have at least one match --->
<cfset Session.Auth = "Yes">
<!--- Store the submitted user name (the original stored the literal text "Form.UserName") --->
<cfset Session.Admin = Form.UserName>
<!--- The credentials are passed on in the URL here; this is the behaviour the question is about --->
<cflocation url="index.cfm?UserName=#Form.UserName#&Password=#Form.Password#" addtoken="Yes">
</cfif>
<cfelse>
<font face="arial">
<cfinclude template="includes/header.html">
<H2>
<u>Login</u></H2></font>
<font face="arial"><FONT SIZE="2"><B>TIP:</B><I> Throughout GATSBY you will see
small question marks next to some options. Click them for specific help at any
time.</I></FONT></font><font face="arial"><cfoutput> <font size="2">
<cfform method="post" action="login.cfm">
</cfform>
</font></cfoutput><cfoutput><font size="2">
<cfform method="post" action="login.cfm">
<TABLE BORDER="0" WIDTH="50">
<TR>
<TD HEIGHT="2" WIDTH="11"><I><B><FONT SIZE="2" FACE="Arial, Helvetica, sans-serif"><A HREF="##" onClick="MM_openBrWindow('help/username.html','','scrollbars=yes,width=200,height=200')">?</A></FONT></B></I></TD>
<TD HEIGHT="2" WIDTH="69"><B><FONT FACE="Arial, Helvetica, sans-serif" SIZE="2">UserName:</FONT></B></TD>
<TD HEIGHT="2" WIDTH="16">
<cfinput type="text" name="UserName" REQUIRED="Yes" MESSAGE="A UserName is required.">
</TD>
</TR>
<TR>
<TD HEIGHT="22" WIDTH="11"><I><B><FONT SIZE="2" FACE="Arial, Helvetica, sans-serif"><A HREF="##" onClick="MM_openBrWindow('help/password.html','','scrollbars=yes,width=200,height=200')">?</A></FONT></B></I></TD>
<TD HEIGHT="22" WIDTH="69"><B><FONT FACE="Arial, Helvetica, sans-serif" SIZE="2">Password:</FONT></B></TD>
<TD HEIGHT="22" WIDTH="16">
<cfinput type="Password" name="Password" REQUIRED="Yes" MESSAGE="A Password is required.">
</TD>
</TR>
<TR>
<TD HEIGHT="22" COLSPAN="3">
<INPUT TYPE="submit" VALUE="Login" NAME="submit">
</TD>
</TR>
</TABLE>
<FONT FACE="Arial, Helvetica, sans-serif" SIZE="2"><a href="tools/update_password/index.cfm">Click
here to change your GATSBY Password.</a><br>
<a href="tools/send_password/index.cfm">Forgot your Password? Use GATSBY's
Password retrieval tool!</a></FONT>
</cfform>
<cfinclude template="includes/footer.html">
</font> </cfoutput> </font>
</cfif>
</body>
</html>

==============================================

Happy Holidays! Thanks in advance.

Ryan ;-]
 
Session Variables should be the way to go.
Kevin
slanek@ssd.fsi.com
 
Would you be able to elaborate a little bit? I have tokens enabled and session management on. Here are the contents of Application.cfm:

=====================================

<!--Set client management and application scope variables -->
<CFAPPLICATION NAME="Security_Test" CLIENTMANAGEMENT="YES" SESSIONMANAGEMENT="YES" SESSIONTIMEOUT="#CreateTimespan(0,0,30,0)#">

=====================================

Ryan ;-]
 
We do much the same thing here. Once a person is logged in we take their username and password from the form fields and set them as session variables.
Code:
<CFSET session.username = #FORM.username#>
<CFSET session.pword = #FORM.password#>

Then in the queries, we say something like:
Code:
...WHERE user = #session.username# AND password = #session.pword#

That is a simplified version, but that's basically how we do it.
Kevin
slanek@ssd.fsi.com
 
Do you only have to set the session variables once? For example, someone logs in and the session variables are set as you stated in the previous post. Can I reference to those variables throughout my application even though I only defined them in the one page that followed the login? Also, does CFTOKEN have to be appended to every URL? Otherwise, how would the person be identified and the correct UserName and Password used?

Thanks so much Kevin!

Ryan ;-]
 
Yes, they can be referenced throughout. You will have to bounce their username and password against your database for authentication. Once they are verified, then set the session variables. You can set the session variables to expire in your CFAPPLICATION.
Code:
<CFAPPLICATION NAME="Security_Test" SESSIONMANAGEMENT="Yes" SESSIONTIMEOUT="#CreateTimeSpan(days, hours, minutes, seconds)#">

Or you can leave it to the default value which is set in the "Variables" page of CF Administrator.
Kevin
slanek@ssd.fsi.com
 
What does adding the TOKEN do? Do I need to do it?

Ryan ;-]
 
Tokens are unique identifiers for the user's session. You do not have to add them since the ADDTOKEN default is yes. If you say ADDTOKEN="No" in your CFLOCATION tag, your session variables will not be carried (I think that's how it works.) Like I said, the default is yes.
Kevin
slanek@ssd.fsi.com
 
Thanks! It works great and is now more secure than ever.

Ryan ;-]
 
Mike,

I'm so sorry to keep this thread going, but is there any way to "undefine" a variable? In other words, someone is granted access to a specific page if Session.UN and Session.PWord are defined. But what if they want to log out? How can these variables be "undefined," or expired?

Ryan ;-]
 
Woops! Sorry about that, KEVIN! My usual CF guru is a guy named Mike from Texas, sorry for the mix-up.

Ryan ;-]
 
I guess you could have a button that serves as a logout button. Once the button is clicked, it could set session.username and session.pword to null or "". That way, when the next user tries to access your queries, the query will not be able to bounce their username and password against the database like we talked about earlier.
Kevin
slanek@ssd.fsi.com
 
"" is still defined, though, the value is simply nothing. So this doesn't work.

Ryan ;-]
 
You can't UNdefine a session variable, but after a while it dies. The delay before the session variables expire is set either in the CF admin or in the cfapplication tag - as you wish!
 
Iza's right. Also, what I meant by setting the session variable to an empty string (or some other bogus value) upon "logout" is this:

Say you're finished surfing your site and you want to log out. If you hit the logout button and change your session variables from legitimate values to bogus values, your queries should error out. Earlier in the thread I said you could add the WHERE statement in your queries that says
Code:
...WHERE user = #session.username# AND password = #session.pword#

Well, once you "logout" that query won't run because "" and "" won't be valid. If that's the case then throw a <CFLOCATION> tag in there to kick your user to the login screen. Once they log in, the session variables will be changed to their username and password and everything will continue to work fine.

It's kind of a sloppy way of verifying your user throughout your site. Hope this is a little clearer. Didn't mean to bail out on ya yesterday, but I live in Oklahoma and the ice storm put a halt to our workday.

Kevin
slanek@ssd.fsi.com
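
As an added example (not code from any poster in this thread), here is one way to combine the pieces discussed above: the login handler keeps only the verified UserName in the session, Application.cfm gates every other template, and logout removes the key with StructDelete. It assumes ColdFusion 4.5 or later, browsers that accept the CFID/CFTOKEN cookies, a flat site layout, and the thread's LHS datasource and users table; PublicPages, LoggedIn, LoginError, Me, Removed, logout.cfm and the Session.UserName key are names chosen for the illustration.

```cfml
<!--- ===== Application.cfm: runs before every template ===== --->
<cfapplication name="Security_Test" sessionmanagement="Yes"
               sessiontimeout="#CreateTimeSpan(0,0,30,0)#">
<!--- Templates reachable without a login (assumed list) --->
<cfset PublicPages = "login.cfm,logout.cfm">
<cfif NOT ListFindNoCase(PublicPages, ListLast(CGI.SCRIPT_NAME, "/"))>
    <cflock scope="Session" type="ReadOnly" timeout="10">
        <cfset LoggedIn = IsDefined("Session.UserName")>
    </cflock>
    <cfif NOT LoggedIn>
        <!--- The session cookies identify the browser, so no token goes in the URL --->
        <cflocation url="login.cfm" addtoken="No">
    </cfif>
</cfif>

<!--- ===== login.cfm: form handler ===== --->
<cfif IsDefined("Form.UserName") AND IsDefined("Form.Password")>
    <cfquery datasource="LHS" name="Check">
        SELECT UserName FROM users
        WHERE UserName = <cfqueryparam value="#Form.UserName#" cfsqltype="CF_SQL_VARCHAR">
          AND Password = <cfqueryparam value="#Form.Password#" cfsqltype="CF_SQL_VARCHAR">
    </cfquery>
    <cfif Check.RecordCount IS 1>
        <!--- Keep only the verified identity; the password is not stored or passed on --->
        <cflock scope="Session" type="Exclusive" timeout="10">
            <cfset Session.UserName = Check.UserName>
        </cflock>
        <cflocation url="index.cfm" addtoken="No">
    <cfelse>
        <cfset LoginError = "The UserName and/or Password is not correct.">
    </cfif>
</cfif>

<!--- ===== Any protected page: use the session value in queries ===== --->
<cfquery datasource="LHS" name="Me">
    SELECT * FROM users
    WHERE UserName = <cfqueryparam value="#Session.UserName#" cfsqltype="CF_SQL_VARCHAR">
</cfquery>

<!--- ===== logout.cfm: remove the key so IsDefined() is false again ===== --->
<cflock scope="Session" type="Exclusive" timeout="10">
    <cfset Removed = StructDelete(Session, "UserName")>
</cflock>
<cflocation url="login.cfm" addtoken="No">
```

The four sections belong in separate templates; they are shown in one block only to keep the flow in view.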
 
"but I live in Oklahoma and the ice storm put a halt to our workday." ---> new technologies LOL
 
Yeah. We weren't complaining though. Leave at noon and get paid for the rest of the day. That's a bargain!
Kevin
slanek@ssd.fsi.com
 
Yes, but removing the snow IS a pain! As well as trying to walk on ice!! And there's no routine or anything there we can call to work for us ;-)
 
Indeed. I just moved into a new house in Nov. and I now have my first garage. I'm loving it! No snow or ice to scrape off the windows in the mornings. I did, however, slip, fall, and slide about 9 feet down my driveway this morning. Very graceful!

Ryan, haven't heard from you. Did everything work out?
Kevin
slanek@ssd.fsi.com
 