ColdFusion MX 7 Login Security (Page 1 of 13)

This tutorial builds on the foundation created in my ColdFusion MX 6 Secure Login tutorial. In fact, many of the same concepts from that tutorial are revisited here, this time with a focus on ColdFusion MX 7's features. Additionally, I'll be covering a few concepts not found in the CFMX 6 version. So, let's lay a few ground rules for our secure login code:

  1. Application.cfc must be used.
  2. It should be user-friendly.
  3. It should accommodate both a username and a password form control.
  4. It should protect all of our ColdFusion templates, both when an unauthorized user attempts access and when an authorized user's session times out.
  5. Passwords must never be stored in plaintext; the database holds only a one-way hash of each password (not a reversible encryption that could be undone by anyone who obtains the key).
  6. The login form should serve as both the initial entry point, and will also be used to display appropriate login error messages.
  7. It should track active sessions across the entire application.
  8. It should update each user's "last login" timestamp each time that user logs in.
  9. It should be able to handle "smart redirects" upon user login.

All of these items taken together give us a basic ColdFusion login framework we can use in any application we build. Before we get started with the code, make sure your development environment is set up correctly:

  1. If you haven't done so already, download my source files from the intro page of this tutorial. Create a new directory in your webroot (the name does not matter) and extract the files into it.
  2. Run the appropriate SQL script for your development environment. I've provided two scripts, one for MySQL and one for SQL Server. If you use a different database platform, take one of the scripts as a model and adjust it for your database server. Don't forget to run the INSERT part of the script; it creates the admin account in your database that you'll need later.
  3. Create a datasource so ColdFusion can access your new table. It's up to you whether you create an entirely new database or run the script against an existing one; either way, make sure ColdFusion has a datasource defined for that database.
  4. Change my datasource name in Application.cfc (it's set in the onRequestStart method) so it matches the datasource name in your ColdFusion Administrator.
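To show where the datasource name lives and how ground rules 1, 4, 7 and 9 fit together in an Application.cfc, here is an added example sketch. It is not the tutorial's own Application.cfc (that comes with the source files), and the application name, datasource name, session variable names and the list of public page names are all assumptions for illustration:

```cfml
<!--- Added example Application.cfc, not the tutorial's file. Names below are assumed. --->
<cfcomponent output="false">
    <cfset this.name = "secureLoginDemo">                    <!--- assumed application name --->
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>  <!--- 30 minute idle timeout --->
    <cfset this.applicationTimeout = createTimeSpan(1, 0, 0, 0)>

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <!--- Rule 7: an application-wide count of live sessions --->
        <cfset application.activeSessions = 0>
        <cfreturn true>
    </cffunction>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- Every new session starts out unauthenticated --->
        <cfset session.loggedIn = false>
        <cfset session.userID = 0>
        <cflock name="activeSessionsLock" type="exclusive" timeout="5">
            <cfset application.activeSessions = application.activeSessions + 1>
        </cflock>
    </cffunction>

    <cffunction name="onSessionEnd" returntype="void" output="false">
        <cfargument name="sessionScope" type="struct" required="true">
        <cfargument name="applicationScope" type="struct" required="true">
        <!--- The application scope is only reachable through the argument here --->
        <cflock name="activeSessionsLock" type="exclusive" timeout="5">
            <cfset arguments.applicationScope.activeSessions = arguments.applicationScope.activeSessions - 1>
        </cflock>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- var declarations must come first in CFMX 7; page names are assumed --->
        <cfset var publicPages = "login.cfm,loginProcess.cfm,logout.cfm">
        <cfset var fileName = listLast(arguments.targetPage, "/")>

        <!--- Datasource name: change this to match your ColdFusion Administrator --->
        <cfset request.dsn = "secureLogin">

        <!--- Rule 4: everything except the login pages needs an authenticated session.
              A timed-out session is recreated by onSessionStart, so loggedIn is false again. --->
        <cfif NOT (structKeyExists(session, "loggedIn") AND session.loggedIn)
              AND NOT listFindNoCase(publicPages, fileName)>
            <!--- Rule 9: remember the requested URL so the login page can send the user back --->
            <cfset session.returnTo = cgi.script_name>
            <cfif len(cgi.query_string)>
                <cfset session.returnTo = session.returnTo & "?" & cgi.query_string>
            </cfif>
            <cflocation url="login.cfm" addtoken="false">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Because onRequestStart runs before every template in the directory tree, a single check here protects all of them; the login page itself has to be on the public list or the redirect would loop. Setting request.dsn in one place is why step 4 above is the only edit you need to make to point the sample at your own datasource.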

Once these steps are done, you can verify that everything is set up properly by browsing to the following Web address. If you don't see the sample application's login form, go back and check each of the setup steps above. (Oh, and don't worry about logging in just yet.):