I am trying to use the following to make a page security enable for the admin folders of my website
the structure of my application is like the switch case statements
index.cfm page has the switch.cfm which further defines the code as:
<cfswitch expression="#mode#">
<cfcase value="admin.1"><cfinclude template="1.cfm"></cfcase>
<cfdefaultcase><cfinclude template="login.cfm"></cfcase>
</cfswitch>
now in my application.cfc i have defined like this
<cfif (NOT structKeyExists( session, "isLoggedIn" )) OR (session.isLoggedIn eq false) AND CGI.query_string contains 'admin'>
<cfinclude template="index.cfm"> - why `index`, it will include the `switch.cfm` and `switch.cfm` has the `defaultcase` of `login.cfm`, so apparently it will include `login.cfm` - **This is why i think it should do**.
now when i call my page as:
http://localhost/?mode=admin.1 - it goes into it, rather than sending the user to the login.cfm, am i missing something
I believe your logic is wrong...
You're saying:
if not logged in, include index.cfm
In index.cfm you are asking,
if mode == admin.1 then include 1
else include the login
You are passing in the correct mode, so admin.1 is run.
You probably want something like:
<cfif (NOT structKeyExists( session, "isLoggedIn" )) OR (session.isLoggedIn eq false) AND CGI.query_string contains 'admin'>
<cfinclude template="login.cfm">
<cfelse>
<!--- this should mean the user is logged in --->
<cfinclude template="index.cfm">
</cfif>
Or something like that...
Related
CFBuilder admin storage
15cdb5dcb6.jpg
Application.cfm
34ed7586e1.jpg
Login.cfm
<cfif not isDefined('FORM.submitButton')>
<cfform name="loginForm" method="post" action="#CGI.SCRIPT_NAME#">
Login:
<cfinput type="text" name="login" required="yes">
Password:
<cfinput type="password" name="password" required="yes">
<br>
<cfinput type="submit" name='submitButton' value="Sign">
<br>
<cfinput type="button" name='registerButton' value="Register">
</cfform>
<cfelse>
<cfquery name='getUser' datasource="dbfortest">
SELECT * FROM usertable WHERE login="#FORM.login#" ;
</cfquery>
<cfif getUser.RecordCount NEQ 0>
<cfif FORM.password eq getUser.password>
<cflock scope="Session" timeout="60" type="exclusive" >
<cfset Session.loggedIn = "yes">
<cfset Session.user = "#FORM.login#">
</cflock>
<cfoutput>#StructKeyList(Session)#</cfoutput>
<cfelse>
Your pass isn't correct.
</cfif>
<cfelse>
There is no user with this name.
</cfif>
</cfif>
part of page when i want to use login including.
<cfif Session.loggedIn eq "no">
<cfinclude template="login.cfm">
</cfif>
<cfif structKeyExists(session, "user")>
<cfoutput>Welcome, #Session.user#.</cfoutput>
</cfif>
<cfoutput>#StructKeyList(Session)#</cfoutput>
Hello everyone, please help me understand these sessions' behavior.
The whole problem consists in attempting to pass variables from one page to another.
So after login i don't see the session.user in session struct.
How can i pass this?
Have already tried different browsers.
#Aquitaine has given you some good information. I just wanted to also point out that another part of your problem is likely that you have set a 10 second life span for your sessions. That's probably not long enough.
In the Application.cfm example that you posted you have this line:
sessiontimeout="#createTimespan(0,0,0,10)#"
The arguments for the CreateTimeSpan function are as follows:
createTimespan(days, hours, minutes, seconds)
As such you are assigning a 10 second lifespan for sessions. Perhaps you meant to set 10 minutes instead of 10 seconds.
To figure out what's going on with the session variables, try putting in some debug code right after your cfset session statements to make sure that they're happening. Maybe <cfdump var="#session#">.
You do not need to cflock your session scope (and have not needed to since CFMX). See Adam Cameron's 2013 post on when to lock scopes
If your debug code runs and you see the session variables, but then they're gone on the next page, that may be an issue with your session storage (which is a different part of cfadmin) or else whatever front-end webserver you're using. Try <cfdump var="#session#"> in onRequestStart in Application.cfc and make sure that JSESSIONID is the same on every request. (or try disabling J2EE session variables in CFADMIN and see if the same problem persists with CFID/CFTOKEN).
If your debug code doesn't run, then you should be seeing one of your error conditions.
For ease-of-reading, be consistent in your casing when refering to scopes, e.g. session not Session. While this kind of thing may not matter functionally, it can get you into trouble with portability when referencing paths or components.
Some other issues:
If you are going to use a boolean value for loggedIn then use a boolean value: true or false or 1 or 0 or (if you must) yes or no but not "yes" which is a string; instead of being able to do if (session.loggedIn) if you will have to do if (session.loggedIn == 'yes') and nobody will be happy.
If this is meant to be working, production site code, at a minimum you need to be using cfqueryparam as you do not ever want to pass unescaped user input directly to a database query.
You might also head over to the CFML slack at cfml.slack.com and ask on #cfml-beginners for some pointers on writing login forms.
I'm looking to use "vanity" URLs to redirect to a login page, with a company logo on it.
The URL would be something like: companyname.domain.com
First, I need to query the requested URL to see if "companyname" exists, then either
serve the custom login page if it exists -OR-
show an error page if it doesn't.
The true destination will actually be something like www.domain.com/folder/. But again, I need to display the "vanity" URL throughout the whole application. Example:
companyname.domain.com/clients/?id=somevariable&...
I know I can probably figure it out by trial and error over some period of time. But being a self-taught CF-er, I thought to gain some advice on the "right way" to go about this task.
This is how I ended up doing what I was looking for. Thanks for all the input.
First I added a DNS A record to the domain.com zone like this: * site-ip-address-here
<cfscript>
siteDomainName = cgi.http_host;
if (ListLen(siteDomainName, '.') gt 2) {
siteDomainName = ListFirst(siteDomainName,'.');
}
</cfscript>
<cfif siteDomainName NEQ "www">
<cfquery name="qUrl" datasource="#dsn#">
SELECT id, pre
FROM table
WHERE pre = <cfqueryparam value="#siteDomainName#" cfsqltype="cf_sql_varchar">
</cfquery>
<cfif qUrl.recordCount GT 0>
<cflocation url="/folder/" addtoken="false">
<cfelse>
<cflocation url="http://www.domain.com/error.cfm" addtoken="false">
</cfif>
</cfif>
If anyone has any comments on how it could've been done better, I'm always looking to learn something new.
We're adding some functionality to our CMS whereby when a user creates a page, they can select an option to allow/disallow search engine indexing of that page.
If they select yes, then something like the following would apply:
<cfif request.variables.indexable eq 0>
<cffile
action = "append"
file = "C:\websites\robots.txt"
output = "Disallow: /blocked-page.cfm"
addNewLine = "yes">
<cfelse>
<!-- check if page already disallowed in robots.txt and remove line if it does --->
</cfif>
It's the <cfelse> clause I need help with.
What would be the best way to parse robots.txt to see if this page had already been disallowed? Would it be a cffile action="read", then do a find() on the read variable?
Actually, the check on whether the page has already been disallowed would probably go further up, to avoid double-adding.
You keep the list of pages in database and each page record has a indexable bit, right? If yes, simpler and more reliable approach would be to generate new robots.txt each time some page is added/deleted/changes indexable bit.
<!--- TODO: query for indexable pages ---->
<!--- lock the code to prevent concurrent changes --->
<cflock name="robots.txt" type="exclusive" timeout="30">
<!--- flush the file, or simply start with writing something --->
<cffile
action = "write"
file = "C:\websites\robots.txt"
output = "Sitemap: http://www.mywebsite.tld/sitemap.xml"
addNewLine = "yes">
<!--- append indexable entry to the file --->
<cfloop query="getPages">
<!--- we assume that page names are not entered by user (= safe names) --->
<cffile
action = "append"
file = "C:\websites\robots.txt"
output = "Disallow: /#getPages.name#.cfm"
addNewLine = "yes">
</cfloop>
</cflock>
Sample code is not tested, be aware of typos/bugs.
Using the Robots.txt files for this purpose is a bad idea. Robots.txt is not a security measure and you're handing "evildoers" a list of pages that you don't want indexed.
You're much better off using the robots meta tag, which will not provide anyone with a list of pages that you don't want indexed, and gives you greater control of the individual actions a robot can perform.
Using the meta tags, you would simply output the tags when generating the page as usual.
<!--- dummy page to block --->
<cfset request.pageToBlock = "/blocked-page.cfm" />
<!--- read in current robots.txt --->
<cffile action="read" file="#expandPath('robots.txt')#" variable="data" />
<!--- build a struct of all blocked pages --->
<cfset pages = {} />
<cfloop list="#data#" delimiters="#chr(10)#" index="i">
<cfset pages[listLast(i,' ')] = '' />
</cfloop>
<cfif request.variables.indexable eq 0>
<!--- If the page is not yet blocked add it --->
<cfif not structKeyExists(pages,pageToBlock)>
<cffile action="append" file="C:\websites\robots.txt"
output="Disallow: #request.pageToBLock#" addNewLine="yes" />
<!--- not sure if this is in a loop but if it is add it to the struct for nex iteration --->
<cfset pages[request.pageToBlock] = '' />
</cfif>
</cfif>
This should do it. Read in the file, loop over it and build a struct of the bloocked pages. Only add a new page if it's not already blocked.
I'm seriously considering moving away from CF8 cflogin because it is tied to the server that spawned the login. In a load balanced environment you're stuck with sticky sessions if you don't do a custom implementation.
Does anyone have any source that mimics CFLogin that writes to and is managed from the client scope? Maybe even a design that matches up well with a rename replace on isuserin[any]role.
What should I be thinking about when I consider writing a replacement implementation for CFLogin?
Here is a basic non cflogin approach using variables stored in the CLIENT scope. We use a similar approach for non-sticky sessions across our server cluster behind our load balancer.
This code should live in Application.cfc -> onRequestStart() method:
<!--- handle login *post* --->
<cfif structKeyExists(FORM, "pageaction") and FORM.pageAction eq "adminlogin">
<!--- attempt to log user in --->
<cfif loginSuccessful>
<!--- Set client variables for session management --->
<cfset CLIENT.lastHit = now() />
<cfset CLIENT.loggedIn = 1 />
<!--- redirect to home page --->
<cfelse>
<!--- redirect to login page with message --->
</cfif>
<!--- all other requests, except for the login page --->
<cfelseif structKeyExists(CLIENT, "lasthit") and structKeyExists(COOKIE, "cfid") and structKeyExists(CLIENT, "cfid") and listLast(CGI.SCRIPT_NAME, "/") neq "login.cfm">
<!--- Check for timeout --->
<cfif (datediff("n", CLIENT.lastHit, now()) lte 10) and (CLIENT.loggedIn is 1) and (CLIENT.cfid is COOKIE.cfid)>
<!--- record last hit --->
<cfset CLIENT.lastHit = now() />
<cfelse>
<!--- timeout! redirect to login page --->
<cflocation URL="http://mydomain/login.cfm" addtoken="false" />
</cfif>
</cfif>
There is user role stuff, but I hope this helps as a starting point.
I customized the CF Login Wizard through Dreamweaver to be portable and to use a db table for authentication and role management. Because of this,I can use it either as a single-user login, or multiple account logins. I never have used cflogin and haven't needed to. I just drop the files into the directory, customize the login credentials, and that is it. Works perfect every time.
I have a coldfusion web site I need to change. Have no idea or experience with this environment (I do know ASP.NET). All I need to do is to write a condition based on the referral value (the URL) of the page, and redirect to another page in some cases.
Can anyone give me an example of the syntax that would perform this?
All of the other examples would work...also if you're looking to redirect based on a referral from an external site, you may want to check CGI.HTTP_REFERER. Check out the CGI scope for several other options.
<cfif reFindNoCase('[myRegex]',cgi.http_referer)>
<cflocation url="my_new_url">
</cfif>
...my example uses a regex search (reFind() or reFindNoCase()) to check the referring URL...but you could also check it as a list with / as a delimiter (using listContainsNoCase()) depending on what you're looking for.
Lets assume your the URL variable you are basing this on is called goOn (http://yoursite.com?goOn=yes) then the following code would work:
<cfif structKeyExists(url, "goOn") AND url.goOn eq "yes">
<cflocation url="the_new_url" addtoken="false">
</cfif>
Nothing will happen after the cflocation.
There is a CGI variable scope in ColdFusion that holds information on the incoming request. Try the following:
<cfif CGI.SCRIPT_NAME EQ 'index.cfm'>
<cflocation url="where you want it to redirect" />
</cfif>
To see what else is available within the CGI scope, check out the following:
http://livedocs.adobe.com/coldfusion/8/htmldocs/Expressions_8.html#2679705
Haven't done coldfusion in a little while but:
<cfif some_condition_based_on_your_url>
<cflocation url="http://where_your_referrals_go">
</cfif>
<!--- continue processing for non-redirects --->
A dynamic version.
<cfif isdefined("somecondition")>
<cfset urlDestination = "someurl">
<cfelseif isdefined("somecondition")>
<cfset urlDestination = "someurl">
.
.
.
<cfelse>
<cfset urlDestination = "someurl">
</cfif>
<cflocation url = urlDestination>