
Security Question


Ccode (ISP, US), Mar 26, 2002
I am having problems with the application-based security. I am fairly new to ColdFusion. What I would like is if the user goes to the home page then a Login Page appears. Also, if the user tries to bypass the homepage I want to redirect it to the homepage. Currently, if a user goes to the homepage and logs in there are no problems; the problem arises when the user tries to bypass the homepage.

Here is my application.cfm page:

<cfapplication name="Index"
sessionmanagement="Yes">

<cfif not IsDefined("session.Auth.IsLoggedIn")>
<cfinclude template="SecurityTest2.cfm">
<cfabort>
</cfif>


This snippet of code is on a page other than the homepage

<cfif not isDefined("SESSION.Auth.IsLoggedIn")>
<cfinclude template="SecurityTest2.cfm">
<cfabort>
</cfif>

My directory structure has Home (which has the cfapplication page, and all the security test pages) then we have directories under the home directory.

The main problem is when the user tries to bypass the homepage: it will redirect them to the login page, but it looks at the directory down (not at the home directory).

I hope this makes sense.
Thanks in advance.



 
First: Have you tried using absolute URLs in your INCLUDEs? I.e, try using this in application.cfm:

<cfset homepage_url = "/path_to_home_directory">

<cfif not isDefined("SESSION.Auth.IsLoggedIn")>
<cfinclude template="#homepage_url#/SecurityTest2.cfm">
<cfabort>
</cfif>

Secondly: You should not need to put the same code in the other "non-homepage" templates (as you are doing) because there is an implicit <CFINCLUDE template="application.cfm"> in every page. This is true unless you have another application.cfm in another directory.
 
A couple of points:

First, lock all shared scope variables (i.e. application/session).

Second, you will need to use a mapping if you want to include templates in other folders. Define the mapping in the ColdFusion Administrator, e.g.

if c://somefolder/mywebroot/ is where the file you wish to include is,

you would set /mymapping to c://somefolder/mywebroot/

then include templates like this:

<cfinclude template="/mymapping/myfile.cfm">

Without specifying a path it will only look in the current directory.
HTH
 
One other thing you might consider, if you have a site where only some pages require a login (like if you have a 'guest' part of it or something), instead of checking for security in the application.cfm file, make a security.cfm file (or the like) that checks the session.auth.isloggedin value, and then include that in pages where you require a login.

Example:
members_home.cfm:
<cfinclude template="security.cfm">
<!--- Makes user login to get to this page --->

The other thing to keep in mind as well, if you put the session.auth.isloggedin check in the application.cfm file, then you have to consider the fact that 1) the login page won't pass that test, since they haven't logged in yet (which is okay, since you're directing them there anyway), however if you go to a separate page (like check_login.cfm) to check for a login, then that page will fail as well, since at the start of that page (when application.cfm gets included), you will still not be logged in.

In other words, unless you have the user login and check the login credentials on the same page (login.cfm for example), you will have to do something like this:

<cfif script_name neq "check_login.cfm">
<cfif not isdefined("session.auth.isloggedin")>
<cflocation = ......
</cfif>
</cfif>

I had to do that on one project, but later removed it in favor of the security.cfm (or whatever you want to call it) method.

Hope that helps.

MG
 
MG, any other disadvantages to the security.cfm method (besides having to add that include to many many pages)?
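Putting the three replies together (absolute include path, locking of shared scopes, a mapping, and exempting the login/check templates from the check), here is an added example of an Application.cfm plus the matching write in check_login.cfm. It is not code from any of the posters; it assumes a "/myapp" mapping defined in the ColdFusion Administrator that points at the home directory holding login.cfm and check_login.cfm, and a `credentialsValid` flag produced by your own credential lookup.

```cfml
<!--- Application.cfm (added example): runs before every template in this tree.
      Assumes mapping "/myapp" -> home directory containing login.cfm and check_login.cfm --->
<cfapplication name="Index"
               sessionmanagement="Yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">

<!--- Read the flag under a read-only lock; any missing key means "not logged in" --->
<cflock scope="SESSION" type="READONLY" timeout="10">
    <cfset loggedIn = StructKeyExists(SESSION, "Auth")
                      AND StructKeyExists(SESSION.Auth, "IsLoggedIn")
                      AND SESSION.Auth.IsLoggedIn>
</cflock>

<!--- Templates that must run before login: the form and the credential check.
      Only the file name is compared, so the list works from any subdirectory. --->
<cfset publicTemplates = "login.cfm,check_login.cfm">
<cfset currentTemplate = ListLast(CGI.SCRIPT_NAME, "/")>

<cfif NOT loggedIn AND NOT ListFindNoCase(publicTemplates, currentTemplate)>
    <!--- Mapped path: a bare template name is only searched in the current folder --->
    <cfinclude template="/myapp/login.cfm">
    <cfabort>
</cfif>

<!--- ---------- check_login.cfm (hypothetical companion file) ----------
      After your own lookup sets credentialsValid, write the flag under an
      exclusive lock so concurrent requests never see a half-built struct --->
<cfif credentialsValid>
    <cflock scope="SESSION" type="EXCLUSIVE" timeout="10">
        <cfset SESSION.Auth = StructNew()>
        <cfset SESSION.Auth.IsLoggedIn = TRUE>
    </cflock>
    <!--- cflocation takes a web path, not a mapping; adjust to your home directory URL --->
    <cflocation url="/index.cfm" addtoken="No">
<cfelse>
    <cfinclude template="/myapp/login.cfm">
    <cfabort>
</cfif>
```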
 