ColdFusion MX 6 Login Security (Page 3 of 6)

Let's say the user realizes his error and enters a valid username. Our Application template will again notice the submittal of the form and include the authentication template.

20. <cfif GetUserDetails.RecordCount eq 0>
25. 	<cfset variables.errorMessage = "The Username you provided, <b>" 
          & FORM.Username & "</b>, is an invalid Username.">
26. <cfelse>
28. 	<cfset variables.hashedPassword = Hash(FORM.Password)>
29. 	<cfif variables.hashedPassword neq GetUserDetails.Password>
31. 		<cfset variables.errorMessage = "The Password you supplied for
                   user <b>" & FORM.Username & "</b> was incorrect.">
32. 	<cfelse>
34. 		<cfset request.User = StructNew()>
35. 		<cfset request.User.LoggedIn = "1">
36. 		<cfset request.User.Username = FORM.Username>
37. 	</cfif>
38. </cfif>

This time, the conditional logic on line 20 will evaluate to FALSE and the else branch will execute. On line 28 we create a local variable that holds the hashed value of the FORM.Password variable. The Hash() function is built into the ColdFusion server and creates a 32-bit one-way encrypted string using the MD5 algorithm. No matter what set of characters you feed the Hash() function, it always returns a 32-bit string. One-way encryption means there is no way to decrypt the encrypted string. The Hash() function is also case sensitive: it will return one 32-bit string for "Aaron" and a different string for "aArOn".

Once we've compared the hash of the password entered by the user with the password hash stored in the database (line 29), one of two things happens. If the password was entered incorrectly, we create the local variable variables.errorMessage, which is then used to display the password error in our login form (the same scenario was outlined on the previous page when the user entered a non-existent username). If the password was entered correctly, we create a request scope structure that temporarily holds the information we will later duplicate into a session structure. Again, page processing returns to the Application template, and the conditional logic on line 36 of that template will be executed.
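To make the comparison concrete, here is a Python re-implementation of the check above (added for this edition; it is not the article's ColdFusion code). Hash() with MD5 produces a 32-character hexadecimal digest (128 bits), the case sensitivity shows up as two different digests, and the user table is a constructed dictionary standing in for the GetUserDetails query. A salted, iterated PBKDF2 variant sits beside it, which is how a practitioner would store the password today instead of an unsalted MD5 digest; the record format it uses is an assumption of this example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the GetUserDetails query: username -> stored
# MD5 hex digest, exactly what the article's Hash(FORM.Password) produces.
USERS = {"aaron": hashlib.md5(b"Aaron").hexdigest()}


def cf_hash(text: str) -> str:
    """Mirror of ColdFusion MX 6 Hash(): MD5 of the string as 32 hex characters."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def authenticate(form_username: str, form_password: str) -> dict:
    """Same three outcomes as the authentication template: unknown user,
    wrong password, or a request.User-style structure on success."""
    stored = USERS.get(form_username)
    if stored is None:  # line 20: GetUserDetails.RecordCount eq 0
        return {"errorMessage": f"The Username you provided, {form_username}, is an invalid Username."}
    # line 29, but with a constant-time comparison instead of a plain neq
    if not hmac.compare_digest(cf_hash(form_password), stored):
        return {"errorMessage": f"The Password you supplied for user {form_username} was incorrect."}
    return {"User": {"LoggedIn": "1", "Username": form_username}}  # lines 34-36


# Hardened storage: per-user random salt plus an iterated key derivation,
# so equal passwords give different records and offline guessing is slow.
def make_salted_record(password: str, iterations: int = 200_000) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"  # assumed record layout


def verify_salted_record(password: str, record: str) -> bool:
    iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(cf_hash("Aaron"), cf_hash("aArOn"))  # two different 32-character digests
    print(authenticate("aaron", "aArOn"))      # password error, as on line 31
    print(authenticate("aaron", "Aaron"))      # request.User structure, as on lines 34-36
```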