ColdFusion MX 6 Login Security (Page 1 of 6)

Everyone wants a good login procedure on their web site, right? Contrary to what some developers may think, it is quite easy to create a simple, secure login procedure that protects your application from unauthorized use. To get started, let's outline the requirements our login procedure must meet.

  1. It should be user-friendly.
  2. It should accept both a username and a password form control.
  3. It should protect all of our ColdFusion templates when an unauthorized user attempts access, or when an authorized user's session times out.
  4. Passwords must never be stored in clear text: they are encrypted (preferably with a one-way hash, so that a copy of the database does not reveal them) before being stored.
  5. The login form should serve as the initial entry point and also display the appropriate login error messages.

As with most any ColdFusion application, the logical place to start is the Application.cfm template. You aren't required to place your CFAPPLICATION tag inside Application.cfm, but since that template runs before every page in the directory tree, it is the logical place for it. We first define the application name and the timeouts that govern how long our shared scopes remain active: both Application and Session variables will expire after one hour of inactivity. Next, we declare a Request scope variable that holds the name of our datasource. Request scope variables live only for the current request but are visible to the entire page context, including custom tags and included templates, so we do not need a CFLOCK to read or write them; the shared Application and Session scopes do need one in ColdFusion MX. Because these variables are created in Application.cfm, they are available to every ColdFusion page in our application. The rest of the code in Application.cfm is the foundation of our login procedure and the rules we want to enforce.

33. <cfif isDefined("FORM.Username") AND isDefined("FORM.Password")>
34.     <cfinclude template="authenticate.cfm">
36.     <cfif NOT isDefined("request.User.LoggedIn")>
38.         <cfinclude template="login.cfm">
39.         <cfabort>
40.     <cfelse>
42.         <cflock scope="SESSION" throwontimeout="Yes" timeout="5" type="EXCLUSIVE">
43.             <cfset session.User = Duplicate(request.User)>
44.         </cflock>
45.         <cflocation url="index.cfm">
46.     </cfif>
47. </cfif>

This block of code runs on every page request within our application, that is, for every template under the directory holding Application.cfm. On line 33 we check whether both FORM fields are defined, which signals that the login form has been submitted. Note that any form in the application that posts fields named Username and Password will trigger this check, so reserve those field names for the login form. If the FORM variables are defined, we include the authenticate template, which validates the supplied credentials against the database and, on success, populates request.User. If the credentials are valid, the user record is copied into the Session scope inside an exclusive lock (Session is a shared scope in ColdFusion MX), the user is "logged in", and CFLOCATION redirects them to the main template of the site, index.cfm. One caveat here: CFLOCATION's ADDTOKEN attribute defaults to "yes", which appends the CFID and CFTOKEN session identifiers to the redirect URL. With client cookies enabled the cookies already carry the session, so add addtoken="no" rather than expose the session tokens in a URL that ends up in browser history, proxy logs and Referer headers. If the user supplies an unknown username, or the wrong password for an existing username, login.cfm is displayed again with the appropriate error message, and CFABORT stops processing so the originally requested page is never rendered. We'll cover the last bit of code in Application.cfm later; for now, let's assume the login form has been submitted.
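The following is a complete Application.cfm that combines the CFAPPLICATION settings described in the text (name, one-hour Application and Session timeouts, a datasource name in the Request scope) with the login gate above. It is an added example written for this page, not code from the original article; the application name, the datasource name and the template file names are placeholders, and it assumes authenticate.cfm sets request.User.LoggedIn on a successful login, as the article's listing implies.

```cfml
<!--- Added example Application.cfm; application and datasource names are assumptions. --->

<!--- Application name and shared-scope timeouts: both expire after one hour of inactivity.
      setclientcookies="yes" lets the browser carry CFID/CFTOKEN as cookies, so the
      session survives the redirect below even with addtoken="no". --->
<cfapplication name="SecureLoginDemo"
               sessionmanagement="yes"
               setclientcookies="yes"
               applicationtimeout="#CreateTimeSpan(0, 1, 0, 0)#"
               sessiontimeout="#CreateTimeSpan(0, 1, 0, 0)#">

<!--- Request scope lives for this request only and is visible to custom tags and
      included templates, so no CFLOCK is required. "loginDemoDSN" is a placeholder. --->
<cfset request.dsn = "loginDemoDSN">

<!--- Treat the request as a login attempt only when BOTH fields were posted.
      Any form posting fields with these names will trigger this check. --->
<cfif isDefined("FORM.Username") AND isDefined("FORM.Password")>

    <!--- authenticate.cfm checks the credentials against request.dsn and, on success,
          is assumed to populate request.User including request.User.LoggedIn. --->
    <cfinclude template="authenticate.cfm">

    <cfif NOT isDefined("request.User.LoggedIn")>
        <!--- Unknown user or wrong password: redisplay the form with its error message
              and stop, so the originally requested template is never rendered. --->
        <cfinclude template="login.cfm">
        <cfabort>
    <cfelse>
        <!--- Session is a shared scope in ColdFusion MX: write it under an exclusive lock.
              Duplicate() stores a deep copy rather than a reference to the Request struct. --->
        <cflock scope="SESSION" type="EXCLUSIVE" timeout="5" throwontimeout="yes">
            <cfset session.User = Duplicate(request.User)>
        </cflock>

        <!--- addtoken="no": do not append CFID/CFTOKEN to the redirect URL, where they
              would be recorded in browser history, proxy logs and Referer headers. --->
        <cflocation url="index.cfm" addtoken="no">
    </cfif>
</cfif>

<!--- The check that redirects users who are not logged in (or whose session has timed
      out) back to login.cfm belongs here; the article covers it on a later page. --->
```

The login form itself can post to any template inside the application, including back to login.cfm, because Application.cfm intercepts the submission before the requested template runs. Keep the two field names reserved for the login form; a search form with a field called Username, for example, would otherwise be treated as a login attempt.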