Protecting a requested page, NEED HELP!!!


SteelDragon

Programmer
Feb 1, 2001
134
US
Ok, I have my application.cfm setup, and everything is working, what I want to know is how do I remove the code below, and have it send the user to the URL they originally requested, either via link, or just typing in. As it currently stands, when the user logs in, no matter what link they choose, or what URL they type, they are sent to my search page.... I know why this is happening (cause it's hard coded) I just need to know how to correct it.

------Begin Code------

<!-- This is the section I need to fix -->
<CFIF SESSION.LOGGEDIN>

<SCRIPT LANGUAGE="JavaScript">
self.location ='support_search.cfm';
</SCRIPT>

<!-- If not we transfer the user to the login page -->
<CFELSE>
<CFOUTPUT>
<SCRIPT>
alert("Sorry! Your login was unsuccessful because #Reason#");
self.location="login.cfm";
</SCRIPT>
</CFOUTPUT>

</CFIF>
 
Hey Steel,

Before you re-direct to the login page, set a session variable such as session.url to the page they intended to go to (<cfset session.url="myPage.cfm">). On the page you're looking to fix, I think that replacing

<SCRIPT LANGUAGE="JavaScript">
self.location ='support_search.cfm';
</SCRIPT>

with <cflocation url="#session.url#"> will do what you want.

Let me know if this doesn't work for you,
GJ
 
Put your code like this in your application.cfm:

<!--- GetBaseTemplatePath() names the requested page; inside application.cfm, GetCurrentTemplatePath() would name application.cfm itself --->
<CFIF NOT SESSION.LOGGEDIN AND GetFileFromPath(GetBaseTemplatePath()) IS NOT "login.cfm">
<CFOUTPUT>
<SCRIPT>
alert("Sorry! Your login was unsuccessful because #Reason#");
self.location="login.cfm";
</SCRIPT>
</CFOUTPUT>

</CFIF>

The only thing you want to catch is if a user is not logged in. If this is the case, you have to redirect them to login.cfm. If the user is logged in, it's okay and the requested page will be processed.
I've included this line: AND GetFileFromPath(GetBaseTemplatePath()) IS NOT "login.cfm" because if you don't include this line you will get stuck in a loop.
Good luck, hope this helps...




<webguru>iqof188</webguru>
 
GJ,
I understand what you are trying to say, but I want it to pick up the requested URL, as the user will almost never be going to the same location... I have 3 pages that are protected by this application.cfm, and I want the user to go to whichever they selected once they have logged in.... if they are not logged in currently.

iqof188,
I also tried your method, and I got various errors from CF about how things were not set up correctly (syntax errors). I'll post my entire page so you both can see how it works.


-----Begin Code----- Results.cfm (application.cfm's action file)
<CFSET SESSION.LOGGEDIN = FALSE>

<CFQUERY NAME="CheckUser" DATASOURCE="support" username="search">
SELECT WebUserID, WebPassword
FROM Person
WHERE WebUserID = '#Form.WebUserID#' and WebUSER = '-1'
</CFQUERY>

<!-- Is the user present in the database? -->
<CFIF CHECKUSER.RECORDCOUNT GREATER THAN 0>

<!--- Passwords are not case-sensitive in this application (use Compare() if you want to enable case sensitivity) --->
<CFIF CHECKUSER.WebPASSWORD IS FORM.WebPASSWORD>

<!-- Does the application structure exist? If not, create one -->
<CFIF #ISDEFINED("application.UsersLoggedin")# IS FALSE>
<CFSET APPLICATION.USERSLOGGEDIN=STRUCTNEW()>
</CFIF>

<CFSET USERIDATDOOR = CHECKUSER.WebUSERID>
<!-- Is there a user already using this login? -->
<CFIF #STRUCTKEYEXISTS(APPLICATION.USERSLOGGEDIN, USERIDATDOOR)# IS TRUE>
<!-- If so, we check if the session is 'virtually' timed out -->
<CFSET ENDTIME = #APPLICATION.USERSLOGGEDIN[USERIDATDOOR].TIMECREATED# + #APPTIMESPAN#>
<CFIF #DATECOMPARE("#Now()#", "#EndTime#")# IS 1>
<!-- If the application variable is timed out then we delete the user from the structure, to leave some room for the new user -->
<CFOUTPUT>
<CFSCRIPT>
StructDelete(application.UsersLoggedin, #CheckUser.WebUserID#, true);
</CFSCRIPT>
</CFOUTPUT>

<!-- These Session variables are used to control the login validity through the application using the application.cfm -->
<CFSET SESSION.LOGGEDIN = TRUE>
<CFSET SESSION.USERID = CHECKUSER.WebUSERID>

<!-- We then add the current user session structure to the Application structure -->
<CFSET APPLICATION.USERSLOGGEDIN["#session.UserID#"] = SESSION>
<!-- We add a time stamp to determine the approximate timeout in case of an unexpected departure of the user -->
<CFSET APPLICATION.USERSLOGGEDIN["#Session.UserID#"].TIMECREATED = NOW()>

<CFELSE>
<!-- If the session of the user currently logged in is not over, we display a message -->
<CFOUTPUT>
<CFIF #DATEDIFF("n", "#Now()#", "#EndTime#")# LT 1>
<CFSET MINUTESLEFT = 'LESS THAN ONE'>
<CFELSE>
<CFSET MINUTESLEFT = #DATEDIFF("n", "#Now()#", "#EndTime#")#>
</CFIF>
<CFSET REASON = ": \n\n1- User #CheckUser.WebUserID# is already logged in;OR\n2- You have terminated your last session abnormally (e.g., your computer crashed).\n\nThis account will be unlocked #MinutesLeft# minute(s) from now.">
</CFOUTPUT>
</CFIF>

<!-- if we don't detect any user already logged in with the same login, we give the user access to the application -->
<CFELSE>
<!-- These Session variables are used to control the login validity through the application using the application.cfm -->
<CFSET SESSION.LOGGEDIN = TRUE>
<CFSET SESSION.USERID = CHECKUSER.WebUSERID>

<!-- We then add the current user session structure to the Application structure -->
<CFSET APPLICATION.USERSLOGGEDIN["#session.UserID#"] = SESSION>
<!-- We add a time stamp to determine the approximate timeout in case of an unexpected departure of the user -->
<CFSET APPLICATION.USERSLOGGEDIN["#Session.UserID#"].TIMECREATED = NOW()>

</CFIF>

<!-- if the password was incorrect -->
<CFELSE>
<CFSET REASON = "the Password you typed in is invalid. Please try again">
</CFIF>

<!-- if the username was not present in the database -->
<CFELSE>
<CFOUTPUT>
<CFSET REASON = 'the User Name #FORM.WebUSERID# could not be located.'>
</CFOUTPUT>
</CFIF>

<!-- If the user is authenticated we transfer him/her to the homepage -->
<CFIF SESSION.LOGGEDIN>

<SCRIPT LANGUAGE="JavaScript">
self.location ='support_search.cfm';
</SCRIPT>

<!-- If not we transfer the user to the login page -->
<CFELSE>
<CFOUTPUT>
<SCRIPT>
alert("Sorry! Your login was unsuccessful because #Reason#");
self.location="login.cfm";
</SCRIPT>
</CFOUTPUT>

</CFIF>
 
Steel,

Just use <cfset session.url = cgi.script_name> and it will set it to whichever page they requested.

GJ
 
A problem I have had in the past is when the user has requested a page with url variables in which case cgi.script_name doesn't cut it. If that is your problem add something like this in a javascript and pass the string #cgi.script_name# to it ...

function GetLocation(scriptParam)
{
var returnToScript=scriptParam+location.search.substring();
return returnToScript;
}
 
Hey Marc,

Url variables don't cause a problem because you can check for their existence with #cgi.query_string# and just append them on like this:

<cfset session.url="#cgi.script_name#?#cgi.query_string#">

The only tricky part is if a form was submitted. You would then have to determine the form variables sent and instead of using <cflocation>, use <cfhttp> and post the variables and display the output received. There are several complications in this scheme and I usually let form data get discarded if they aren't logged in when they submit a form.

GJ
 
GJ,
once again you have lessened my pain :)
... very nice.

-Marc
 
GJ,
That is now my new question... I AM submitting a form... so now what?
SteelDragon
 
BTW it's the login form that's giving me the issue
I get an error now, that it can't determine one of the form fields

SteelDragon
 
Is your login page using the same application.cfm? If it is, I would move it to another directory with a separate application.cfm so the re-direct doesn't affect it.

I assume you are using the application.cfm to check to see if they are logged in, if not, set their current location, re-direct to the login form, authenticate them on the login page, and finally re-direct them back to the original page from the login section.

Let me know if this isn't how your logic works as I'm basing my suggestions on this.

GJ
 
GJ,
That is exactly what I am trying to do, and I'm not sure what you mean by "move to a different directory". Why is that necessary, and if I moved the login page and application.cfm, how would I set it up so that the user logs in and can navigate to any of the protected pages under their session? I thought 2 directories = 2 different security logins? Am I totally wrong, or do we pass the login variables to the other directory?

Thanks,
SteelDragon
 
Hey Steel,

Usually when I code this type of functionality, I put a section in the application.cfm file that checks to see if they're logged in. If they aren't, I set their current page location through cgi.script_name (and optionally query_string) and then re-direct them to the login page. If the login page uses this same application.cfm file, when the re-direct occurs, the login page runs but the application.cfm file again is run and again checks to see if they are logged in since this is a new page request. When this happens, they are still not logged in and it tries to re-direct them to the login page; this will cause an infinite loop since they will never get the chance to log in. As IQ points out, you can put code in your login check to only re-direct if the current page isn't "login.cfm" or whatever you call it. I prefer not to do this because if you ever re-name your login page, you have to remember to change this. It's not a big deal but just one of my little personal preferences. I therefore put my login pages in a separate directory with an application.cfm file that is the same minus the login check section. I'm not sure what you mean about 2 directories causing 2 security logins. If you are using your own security model (not using CF's cfauthenticate), then the session info will be the same as long as both application.cfm files have the same <cfapplication> tag.

Let me know if this doesn't make sense,
GJ
 
GJ,
Ok, somewhere about 3 or 4 posts ago, we must have gone separate directions with this.... Here is what I have right now... I request a page... Login form comes up, I log in, I go to a page... But it's the same page no matter what my request is. My security model is working fine (as far as I can tell), I just need to get it to serve the requested page and not the same doggone page every time I log in. I have changed code, recoded, used cgi_Scriptname, and I still don't seem to get this thing to just do the simple task of... I request page A, give me page A after I log in... Stop sending me to page B every time. It's the same thing no matter what page I request. When I added the stuff you and IQ posted, I either got an error, or I got a nice white blank page of nothing. So I reverted back to my original, where to go from here? I'm pulling my hair out... this is simple, it shouldn't be rocket science to get this to work... Should it??

Thanks,
SteelDragon
 
Steel,

On your login page, do a <cfoutput>#session.url#</cfoutput> and see what the return location is being set to. It sounds like the requested page (cgi.script_name) isn't getting set correctly and is getting lost on the way to the login page.

GJ
 
GJ,

Ok, let's revisit this one last time... I HOPE. I am getting the login.cfm page in the CGI.Script_Name results. Where can I set the session variable for CGI.Script_Name, so that it captures the link the person is clicking? The page with the links on them is .htm, and as such will not run CF tags. Is there another way to capture the link URL that the person clicked on? I cannot change the linking page to CFM, and I cannot move it to another directory. Anything that captures the URL from the link the user clicked, that I can use to direct the user once authenticated, is what I need. Does this make any sense? I'm bashing my head in on this... it's the only thing left in this project.... PLEASE HELP :( I'm totally lost and out of ideas.

Thanks,
SteelDragon
 
Hey Steel,

The page containing the links doesn't have to be a .cfm page but the pages that the link points to do have to be. If page1.htm has a link to page2.cfm, at the top of page2.cfm, do this.

<!--- At very top of page, put the code you use to tell if they are logged in --->

<cfif session.loggedIn neq "true">

<!--- They're not logged in, set session.url and send them to the login page --->
<cfset session.url="#cgi.script_name#">
<cfif cgi.query_string neq "">
<cfset session.url = "#session.url#?#cgi.query_string#">
</cfif>
<cflocation url="login/login.cfm">
</cfif>

<!--- If they get past the first <cfif>, we know they are logged in and have --->
<!--- permission to see this page --->

I may have misspelled the cgi environment variables but other than that, I think this will do what you want.

If not, we'll go to round 12 :)
GJ
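
The flow the thread converges on, written out as an added example (not code from any poster): Application.cfm records the requested page before redirecting, and Results.cfm sends the user back to it after a successful login. The application name, the publicPages list and the returnTo variable are assumptions; the file names come from the thread.

```cfml
<!--- ===== Application.cfm: runs before every .cfm request in this directory ===== --->
<!--- The application name "support" is an assumption for this example. --->
<cfapplication name="support" sessionmanagement="yes">
<cfparam name="session.loggedIn" default="false">

<!--- Pages that must stay reachable without a login, so the redirect cannot loop. --->
<cfset publicPages = "login.cfm,results.cfm">
<!--- GetBaseTemplatePath() is the page the browser asked for, not Application.cfm. --->
<cfset requested = GetFileFromPath(GetBaseTemplatePath())>

<cfif NOT session.loggedIn AND NOT ListFindNoCase(publicPages, requested)>
    <!--- Remember the protected page here, before the browser ever reaches login.cfm. --->
    <cfset session.url = cgi.script_name>
    <cfif Len(cgi.query_string)>
        <cfset session.url = session.url & "?" & cgi.query_string>
    </cfif>
    <!--- addtoken="no" keeps CFID/CFTOKEN out of the redirect URL. --->
    <cflocation url="login.cfm" addtoken="no">
</cfif>

<!--- ===== Results.cfm: replaces the hard-coded self.location block ===== --->
<cfif session.loggedIn>
    <!--- Default target when login.cfm was opened directly and nothing was saved. --->
    <cfset returnTo = "support_search.cfm">
    <cfparam name="session.url" default="">
    <!--- Accept only a local path: one leading slash, not a protocol-relative "//". --->
    <cfif Find("/", session.url) EQ 1 AND Find("//", session.url) NEQ 1>
        <cfset returnTo = session.url>
    </cfif>
    <!--- Use the saved location once, so a later login does not reuse a stale page. --->
    <cfset tmp = StructDelete(session, "url")>
    <cflocation url="#returnTo#" addtoken="no">
</cfif>
<!--- cflocation ends the request, so the failed-login handling from the
      original Results.cfm follows here and runs only when the login failed. --->
```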
 