EasyCFM.COM ColdFusion Forums / ColdFusion Applications / Secure Login Application Problems


CFChels
11-20-2006 @ 12:15 PM
New Member
Posts: 8
Joined: Nov 2006

Hello!
This is my first post on this forum. I have been assigned to create an online application where students can enter their information, click login, bring up a copy of their class schedule, click on one of the classes, be taken to an evaluation survey, complete the survey, and then have the results inserted back into the DB. So far, I've had nothing but problems.

With help from a template from Aaron West, I've attempted to create my login scripts. Yet, whenever I try to log in, nothing happens. The page gets rerouted back to the login screen as if to say "log in again", but none of the error codes I created show up. Here's my code. Beware, it's long.



<!--- ===========================================================================
UVa-Wise Course Evaluations Version 1.603
Application.cfc
Purpose: Manages the security login features of the Course Evaluation Application.
Author: Chelsie Lawson
cml7u@uvawise.edu
Date: 11.17.2006
Initial Template Author: Aaron West (aaron@trajiklyhip.com)
******************************************************************************
=========================================================================== --->

<cfcomponent name="Application" displayname="UVaWise Course Evaluations Fall 2006">

     <cfset this.name = "course_eval">
     <cfset this.applicationTimeout = CreateTimeSpan(0,0,0,45)>
     <cfset this.sessionManagement = "true">
     <cfset this.sessionTimeout = CreateTimeSpan(0,0,0,30)>
     <cfset this.clientManagement = "false">
     
     <!---
          METHOD: onApplicationStart--->
     <cffunction name="onApplicationStart" returntype="boolean" output="true">
          <!--- Set up Application variables. Locking the Application scope is not necessary in this method. --->
          <cfset Application.configured = 1>
          <cfset Application.datetimeConfigured = TimeFormat(Now(), "hh:mm tt") & "  " & DateFormat(Now(), "mm.dd.yyyy")>
          <cfset Application.currentSessions = 0>
          <cfreturn true>
     </cffunction>
     
     <!---
          METHOD: onSessionStart--->
     <cffunction name="onSessionStart" returntype="void">
          
     </cffunction>
     
     <!---
          METHOD: onSessionEnd--->
     <cffunction name="onSessionEnd" returntype="void">
          <cfargument name="SessionScope" required="true">
          <cfargument name="ApplicationScope" required="true">
          
          <cflock name="lck_currentSessions" throwontimeout="Yes" timeout="7" type="EXCLUSIVE">
               <!---
                    If the user's session ID is still in the Application-scope list (the user is being logged out
                    automatically by a timeout), remove it and decrement the current sessions value.
                    Application.sessionData is only created on the first successful login, so guard against it being absent.
               --->
               <cfif StructKeyExists(arguments.ApplicationScope, "sessionData")>
                    <cfset sessionPosition = ListFind(ArrayToList(arguments.ApplicationScope.sessionData), arguments.SessionScope.sessionid)>
                    <cfif sessionPosition neq 0>
                         <cfset ArrayDeleteAt(arguments.ApplicationScope.sessionData, sessionPosition)>
                         <cfset arguments.ApplicationScope.currentSessions = arguments.ApplicationScope.currentSessions - 1>
                    </cfif>
               </cfif>
          </cflock>
          <!--- <cflog file="#this.name#" type="information" text="Session ended. Number of active sessions now: #arguments.ApplicationScope.currentSessions#"> --->
     </cffunction>
     
     <!---
          METHOD: onRequestStart--->
     <cffunction name="onRequestStart" returntype="boolean">
          <!--- Set up request variables here. --->
          <cfset request.datasource = "studentsurvey">
          
          <!---
               If the username and password are defined in the FORM scope, include the authentication template so the credentials can
               be verified.
          --->
          <cfif isDefined("FORM.STD_ID_NO_UNAME") AND isDefined("FORM.PASS_PIN")>
               <cfinclude template="authenticate.cfm">
               <!--- If there are any problems with the username and/or password the request.User structure will not be created. --->
               <cfif NOT isDefined("request.User.LoggedIn")>
                    <!---
                         Redirect the user to the login page again to give them another login attempt; show the error in the login form.
                         NOTE: I do not really endorse showing users that the password for a specific username was invalid.  This tells
                         anyone attempting to login that they have found a correct username. Creating more ambigous messages like: "The
                         supplied username/password combination was invalid, please try again." is certainly more secure.
                    --->
                    <cfinclude template="login.cfm">
                    <cfabort>
               <cfelse>
                    <!--- If the login procedure is passed duplicate the request structure into the Session scope. --->
                    <cflock scope="SESSION" throwontimeout="Yes" timeout="7" type="EXCLUSIVE">
                         <cfset Session.User = Duplicate(request.User)>
                    </cflock>
                    
                    <!---
                         Write code that initializes any session variables. See tutorial for why this code is in onRequestStart and not
                         onSessionStart.
                    --->
                    <cflock name="lck_currentSessions" throwontimeout="Yes" timeout="7" type="EXCLUSIVE">
                         <!--- Increment the number of current sessions. --->
                         <cfset Application.currentSessions = Application.currentSessions + 1>
                         
                         <!--- Copy identifying session information into the Application scope. --->
                         <cfif NOT isDefined("Application.sessionData")>
                              <cfset Application.sessionData = ArrayNew(1)>
                         </cfif>
                         <cfset ArrayAppend(Application.sessionData, Session.sessionid)>
                    </cflock>
                    
                    <!--- Redirect the authenticated user to the main application page. --->
                    <cfif NOT isDefined("session.requestedPage") OR Find("authenticate.cfm", session.requestedPage)>
                         <cfset session.requestedPage = "index.cfm">
                    </cfif>
                    <cflocation url="#session.requestedPage#">
               </cfif>
          </cfif>
          
          <!--- Check to see if a user is logged in on *every* cfm page request. --->
          <cflock scope="SESSION" throwontimeout="Yes" timeout="7" type="READONLY">
               <cfif NOT isDefined("Session.User.LoggedIn")>
                    <cfinclude template="login.cfm">
                    <cfabort>
               </cfif>
          </cflock>
          
          <cfreturn true>
     </cffunction>
     
     <!---
          METHOD: onRequestEnd
          This method functions in the same way onRequestEnd.cfm did under CFMX6 (and in CFMX7 if you use it instead of Application.cfc) and
          executes just before a request ends.
          @param          NONE
          @returns          VOID
     --->
     <cffunction name="onRequestEnd" returntype="void">
          <!--- Write any code that needs to run when the page request ends. This replaces onRequestEnd.cfm --->
     </cffunction>
     
</cfcomponent>


<cfsetting enablecfoutputonly="true">
<!--- ===========================================================================
UVa-Wise Course Evaluations Version 1.603
authenticate.cfm
Purpose: Authenticate users against the Db.
Author: Chelsie Lawson
cml7u@uvawise.edu
Date: 11.17.2006
Initial Template Author: Aaron West (aaron@trajiklyhip.com)
******************************************************************************
=========================================================================== --->
<cfsetting enablecfoutputonly="false">

<!--- Check the supplied Username and Password against the database. --->
<cfquery name="qryGetStudentDetails" datasource="#request.datasource#">
     SELECT StudentID, StudentFirstName, StudentLastName, LastLogin_TS, SecurityID
     FROM Students
     <!--- Bind the submitted ID as a parameter rather than interpolating it into the SQL string. --->
     WHERE StudentID = <cfqueryparam value="#FORM.STD_ID_NO_UNAME#" cfsqltype="cf_sql_varchar" maxlength="9">
</cfquery>
<!--- Debugging only: a dump followed by cfabort stops the request before request.User is ever set, so keep it commented out. --->
<!--- <cfdump var="#qryGetStudentDetails#"><cfabort> --->

<cfif qryGetStudentDetails.RecordCount eq 0>
     <!---
          If the query recordcount is zero, the username did not exist. Send the user back to the login form
          and show the appropriate error message.
     --->
     <!--- The submitted value is echoed into HTML, so escape it. --->
     <cfset variables.errorMessage = "The Student ID you provided, <b>" & HTMLEditFormat(FORM.STD_ID_NO_UNAME) & "</b>, is an invalid Student ID.">
<cfelse>
     <!--- The username exists, validate the supplied password for this user. --->
     <cfset variables.hashedPassword = Hash(FORM.PASS_PIN)>
     <cfif variables.hashedPassword neq qryGetStudentDetails.SecurityID>
          <!--- If the supplied password for this user does not equal the password on record, set the error message. --->
          <cfset variables.errorMessage = "The Pin you supplied for user <b>" & HTMLEditFormat(FORM.STD_ID_NO_UNAME) & "</b> was incorrect.">
     <cfelse>
          <!--- A valid user has authenticated with the system, perform necessary actions. --->
          
          <!--- Update the LastLogin timestamp. --->
          <!--- The lookup above reads the Students table by StudentID and returns no ID column, so update the same table and key. --->
          <cfquery name="qryUpdateLastLoginTS" datasource="#request.datasource#">
               UPDATE Students
               SET LastLogin_TS = <cfqueryparam value="#Now()#" cfsqltype="cf_sql_timestamp">
               WHERE StudentID = <cfqueryparam value="#qryGetStudentDetails.StudentID#" cfsqltype="cf_sql_varchar">
          </cfquery>
          
          <!---
               Create the request scope structure to hold the user data. Notice it is NOT necessary to first create the
               request.User structure with StructNew().  Simply using dot notation after the User portion will tell
               ColdFusion the variable is a structure.
          --->
          <cfset request.User.LoggedIn = "1">
          <cfset request.User.Username = FORM.STD_ID_NO_UNAME>
          <cfset request.User.FirstName = qryGetStudentDetails.StudentFirstName>
          <cfset request.User.LastName = qryGetStudentDetails.StudentLastName>
          <cfset request.User.LastLogin = qryGetStudentDetails.LastLogin_TS>
          <!--- LastLogin_TS is empty on a student's first visit, so only format it when it holds a value. --->
          <cfif Len(Trim(qryGetStudentDetails.LastLogin_TS))>
               <cfset request.User.LoginMessage = "You were last here on " & DateFormat(qryGetStudentDetails.LastLogin_TS, "mm.dd.yyyy") & " at " & TimeFormat(qryGetStudentDetails.LastLogin_TS, "hh:mm tt") & ".">
          <cfelse>
               <cfset request.User.LoginMessage = "This is your first visit!">
          </cfif>
     </cfif>
</cfif>


<cfsetting enablecfoutputonly="true">
<!--- ===========================================================================
UVa-Wise Course Evaluations Version 1.603
login.cfm
Purpose: The page where users login. If the student is not logged in, the application will autotmatically direct them to this page.
Author: Chelsie Lawson
cml7u@uvawise.edu
Date: 11.20.2006
Initial Template Author: Aaron West (aaron@trajiklyhip.com)
******************************************************************************
=========================================================================== --->
<cfsetting enablecfoutputonly="false">

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>UVa-Wise Online Course Evaluation Portal</title>
<style type="text/css">
<!--
body {
     background-color: #CCCCCC;
}
body,td,th {
     color: #990033;
}
-->
</style></head>

<body>
<div align="center">
     <cfoutput>
     <!--- Record the page the user requested so we can redirect the user after successful login. --->
     <cfset session.requestedPage = CGI.SCRIPT_NAME>
     <cfform method="post" action="authenticate.cfm">
     <table border="0" cellpadding="0" cellspacing="0" width="100%" height="100%">
     <tr>
          <td valign="middle" align="center">
            <font size="5">
            <p><strong>UVaWise Online Course Evaluations </strong></p>
            <p><strong>Fall 2006</strong></p></font>
               <hr>
               <p> </p>               
               <table border="1" cellpadding="0" cellspacing="0" width="500">
                    <tr>
                         <td>
                              <table border="0" cellpadding="0" cellspacing="1" width="100%">
                                   <tr bgcolor="##EAEAEA"><td colspan="2" align="center" class="default"><strong>                                     Please enter your Student ID and Pin below and click Login.</strong></td>
                                   </tr>
                                   <cfif isDefined("variables.errorMessage")>
                                   <tr bgcolor="##CCCCCC"><td colspan="2" align="center"><font face="Verdana" size="1" color="##395191">#variables.errorMessage#</font></td></tr>
                                   <cfelse>
                                   <tr bgcolor="##CCCCCC"><td colspan="2"> </td></tr>
                                   </cfif>
                                   <tr bgcolor="##CCCCCC">
                                        <td width="160" align="right" class="default"><strong>Student ID :</strong></td>
                                         <!--- The field name must match the FORM key that onRequestStart and authenticate.cfm test for (STD_ID_NO_UNAME); otherwise the credentials are never checked and the user is simply shown the login form again. --->
                                         <td width="340"><cfinput type="text" name="STD_ID_NO_UNAME" size="25" maxlength="9" required="Yes" message="You must provide a Student ID."></td>
                                   </tr>
                                   <tr bgcolor="##CCCCCC">
                                        <td class="default" align="right" width="160"><strong>Pin</strong>:</td>
                                        <td width="340"><cfinput type="password" name="PASS_PIN" size="25" maxlength="4" required="Yes" message="You must provide a Password."></td>
                                   </tr>
                                   <tr bgcolor="##CCCCCC"><td colspan="2"> </td></tr>
                                   <tr bgcolor="##EAEAEA">
                                        <td colspan="2" align="center"><input type="submit" value="Login"></td>
                                   </tr>
                              </table>     
                         </td>
                    </tr>
               </table>
              <p><em>Trouble logging in? Contact Administrative Support at 276-376-4540 or <a href="mailto:cocoadmin@uvawise.edu">cocoadmin@uvawise.edu</a>. </em></p></td>
     </tr>
     </table>
     </cfform>
     </cfoutput>
</div>     
</body>
</html>


<!--- The course list belongs to the authenticated student, whose ID authenticate.cfm stored in Session.User.Username. --->
<cfset SESSION.StudentID = Session.User.Username>
<cfparam name="PageNum_GetClasses" default="1">
<cfquery name="GetClasses" datasource="#request.datasource#">
SELECT CourseID FROM StudentToCourses WHERE StudentID = <cfqueryparam value="#SESSION.StudentID#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfsetting enablecfoutputonly="true">
<!--- ===========================================================================
UVa-Wise Course Evaluations Version 1.603
index.cfm
Purpose: The root of the Online Course Evaluation Application. Here, the student selects from a list of courses.
Author: Chelsie Lawson
cml7u@uvawise.edu
Date: 11.20.2006
Initial Template Author: Aaron West (aaron@trajiklyhip.com)
******************************************************************************
=========================================================================== --->
<cfsetting enablecfoutputonly="false">

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Welcome to UVaWise's Online Course Evaluation Portal</title>
</head>

<body>
     <cfoutput>
     Login successful!<br/>
     Welcome #Session.User.FirstName# #Session.User.LastName#! #Session.User.LoginMessage#<br/>
     <br/>
</cfoutput>
     Application.sessionData:<br/>
     <cfdump var="#Application.sessionData#">
     <br/>
     
     <cfset MaxRows_GetClasses=10>
<cfset StartRow_GetClasses=Min((PageNum_GetClasses-1)*MaxRows_GetClasses+1,Max(GetClasses.RecordCount,1))>
<cfset EndRow_GetClasses=Min(StartRow_GetClasses+MaxRows_GetClasses-1,GetClasses.RecordCount)>
<cfset TotalPages_GetClasses=Ceiling(GetClasses.RecordCount/MaxRows_GetClasses)>
     
<BR><BR>
<font color="#FF6600">
<B>INSTRUCTIONS</B>
<BR>Please click on a Course ID Number to complete the course evaluation.<BR>Note: Please complete only <U>ONE</U> evaluation per class. Duplicate evaluations will be discarded.</font><BR><BR>
     
    <table border="1">
      <tr>
        <td>CourseID</td>
      </tr>
      <cfoutput query="GetClasses" startRow="#StartRow_GetClasses#" maxRows="#MaxRows_GetClasses#">
        <tr>
          <td>#GetClasses.CourseID#</td>
        </tr>
      </cfoutput>
    </table>
     
     
     <BR><BR><BR>
     
     <a href="logout.cfm">Click here to log out.</a>
</body>
</html>




This message was edited by CFChels on 11-20-06 @ 12:31 PM
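The template comment in onRequestStart above recommends one ambiguous "username/password combination was invalid" message instead of separate "unknown ID" and "wrong PIN" messages, because separate messages let anyone confirm which Student IDs exist. The following is an added example of authenticate.cfm restructured that way; it is not code from the original post or from Aaron West's template. It assumes the same Students table and columns used in the thread (StudentID, StudentFirstName, StudentLastName, LastLogin_TS, and SecurityID holding the Hash() of the PIN), the same FORM field names, and request.datasource from onRequestStart; the loginFailed and storedHash variable names and the "course_eval" log file name are this example's own choices.

```cfml
<!--- Added example (not the original post's code): single-message authentication against the Students table. --->
<cfset variables.loginFailed = true>

<!--- Look the student up with a bound parameter; maxlength mirrors the form field. --->
<cfquery name="qryGetStudentDetails" datasource="#request.datasource#">
     SELECT StudentID, StudentFirstName, StudentLastName, LastLogin_TS, SecurityID
     FROM Students
     WHERE StudentID = <cfqueryparam value="#FORM.STD_ID_NO_UNAME#" cfsqltype="cf_sql_varchar" maxlength="9">
</cfquery>

<!---
     Hash and compare whether or not the ID was found, so the "unknown ID" and "wrong PIN" paths
     do the same work and end in the same message. Compare() is an exact (case-sensitive) string match.
--->
<cfset variables.storedHash = "">
<cfif qryGetStudentDetails.RecordCount eq 1>
     <cfset variables.storedHash = qryGetStudentDetails.SecurityID>
</cfif>
<cfset variables.suppliedHash = Hash(FORM.PASS_PIN)>

<cfif qryGetStudentDetails.RecordCount eq 1 AND Compare(variables.suppliedHash, variables.storedHash) eq 0>
     <cfset variables.loginFailed = false>
</cfif>

<cfif variables.loginFailed>
     <!--- One message for both failure cases: the form cannot be used to discover which Student IDs are valid. --->
     <cfset variables.errorMessage = "The Student ID / Pin combination you supplied was invalid. Please try again.">
     <!--- Record the failure server-side (ID and source address only, never the PIN) so repeated attempts are visible to the administrator. --->
     <cflog file="course_eval" type="warning" text="Failed login for Student ID #FORM.STD_ID_NO_UNAME# from #CGI.REMOTE_ADDR#">
<cfelse>
     <!--- Successful login: stamp the last-login time on the same table and key the lookup used. --->
     <cfquery name="qryUpdateLastLoginTS" datasource="#request.datasource#">
          UPDATE Students
          SET LastLogin_TS = <cfqueryparam value="#Now()#" cfsqltype="cf_sql_timestamp">
          WHERE StudentID = <cfqueryparam value="#qryGetStudentDetails.StudentID#" cfsqltype="cf_sql_varchar">
     </cfquery>

     <!--- request.User is what onRequestStart copies into the Session scope after this template runs. --->
     <cfset request.User.LoggedIn = "1">
     <cfset request.User.Username = qryGetStudentDetails.StudentID>
     <cfset request.User.FirstName = qryGetStudentDetails.StudentFirstName>
     <cfset request.User.LastName = qryGetStudentDetails.StudentLastName>
     <cfset request.User.LastLogin = qryGetStudentDetails.LastLogin_TS>
     <cfif Len(Trim(qryGetStudentDetails.LastLogin_TS))>
          <cfset request.User.LoginMessage = "You were last here on " & DateFormat(qryGetStudentDetails.LastLogin_TS, "mm.dd.yyyy") & " at " & TimeFormat(qryGetStudentDetails.LastLogin_TS, "hh:mm tt") & ".">
     <cfelse>
          <cfset request.User.LoginMessage = "This is your first visit!">
     </cfif>
</cfif>
```

Because the message no longer contains the submitted ID, login.cfm can output variables.errorMessage as before without any change. Two points worth keeping in mind with this design: the cflog line gives the administrator a record of repeated failures against one ID or from one address, which the original silent redirect never produced, and a bare Hash() of a four-digit PIN is an unsalted MD5 over only ten thousand possible values, so anyone who can read the Students table can recover every PIN from SecurityID; the comparison logic above does not change that, it only stops the login form itself from leaking which IDs exist.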

TeamDesigner
01-30-2007 @ 1:48 PM
Senior Member
Posts: 160
Joined: Jan 2007

You need a Application.cfm file with the following code:

<cfapplication name="YourAppName" sessionmanagement="yes" sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#">

This sets the login time to 20 minutes if inactivity occurs.

This is needed to tell ColdFusion that you will be dealing with sessions.

You have other options other than sessionmanagement, but this one is a good one.

Here's the documentation for you to take a look:

http://livedocs.macromedia.com/coldfusion/6.1/htmldocs/tags-pa3.htm

mquack
01-30-2007 @ 2:46 PM
Moderator
Posts: 1544
Joined: Jan 2005

Heh... too funny.  That Application.cfc that you posted will allow sessions.  However, look at these particular lines:

<cfset this.applicationTimeout = CreateTimeSpan(0,0,0,45)>
<cfset this.sessionTimeout = CreateTimeSpan(0,0,0,30)>

Those two lines are telling CF to timeout the application in 45 seconds, and sessions in 30 seconds.  So, it's not throwing an error with your code because sessions are enabled.  However, the session might as well not exist because it's set to timeout in 30 seconds.

Change that to:

<cfset this.applicationTimeout = CreateTimeSpan(2,0,0,0)>
<cfset this.sessionTimeout = CreateTimeSpan(0,0,30,0)>

This will now timeout the session in 30 minutes, and the application in 2 days.  For more information, check the LiveDocs as TeamDesigner suggested.


http://www.rachelqueensg.com

mquack
01-30-2007 @ 2:49 PM
Moderator
Posts: 1544
Joined: Jan 2005

Also, I should point out that Application.cfC only works with CFMX 7.x.  If you are using CFMX 6.x, then you'd need an Application.cfM instead, as TeamDesigner pointed out.


http://www.rachelqueensg.com

