ColdFusion MX 7 Login Security (Page 4 of 13)

The onRequestStart Method

97.  <cffunction name="onRequestStart" returntype="boolean">
99.    <cfset request.datasource = "your_datasource">
155. </cffunction>

The real logic behind many of our application requirements lives in this method. onRequestStart executes every time a ColdFusion template is requested, before the requested page itself runs. The first thing we do here is set up the datasource that will be used everywhere in the application. For this I chose the Request scope. Request scope variables live only for the duration of the current request but are visible to the entire page context, including custom tags and included templates, and because no other request can see them we do not need to protect them with a ColdFusion lock. Since this Request variable is created inside onRequestStart, it is available to every ColdFusion page in our application. The rest of the code in onRequestStart is the foundation of our login procedure and the rules we want to enforce.

105. <cfif isDefined("FORM.Username") AND isDefined("FORM.Password")>
106.    <cfinclude template="authenticate.cfm">
108.    <cfif NOT isDefined("request.User.LoggedIn")>
115.       <cfinclude template="login.cfm">
116.       <cfabort>
117.    <cfelse>
119.       <cflock scope="SESSION" throwontimeout="Yes" timeout="7" type="EXCLUSIVE">
120.          <cfset Session.User = Duplicate(request.User)>
121.       </cflock>
127.       <cflock name="lck_currentSessions" throwontimeout="Yes" timeout="7"
129.          <cfset Application.currentSessions = Application.currentSessions + 1>

132.          <cfif NOT isDefined("Application.sessionData")>
133.             <cfset Application.sessionData = ArrayNew(1)>
134.          </cfif>
135.          <cfset ArrayAppend(Application.sessionData, Session.sessionid)>
136.       </cflock>
139.       <cfif NOT isDefined("session.requestedPage") OR Find("authenticate.cfm", session.requestedPage)>
140.          <cfset session.requestedPage = "index.cfm">
141.       </cfif>
142.       <cflocation url="#session.requestedPage#">
143.    </cfif>
144. </cfif>

Keeping in mind that this method runs on every page request, on line 105 we check whether the two FORM fields are defined, which signifies that a user has submitted the login form. If they are, we include the authenticate.cfm template, which attempts to validate the supplied credentials against the database. If the credentials are valid, we copy the user record into the Session scope (line 120, inside an exclusive session lock), record the new session in the Application scope (lines 127 to 136, inside a named lock, because the Application scope is shared by every request), and redirect the user to the page they originally asked for, most often index.cfm. Since session.requestedPage is the target of a cflocation, it must never hold anything other than a page on this site. If the user supplies an unknown username, or a wrong password for an existing username, the login form is displayed again with an appropriate error message.
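The following Application.cfc is an added example that is not part of the article's own code; it puts the flow described above into one self-contained component so the locking rules can be seen end to end. The authenticate.cfm include (assumed to set request.User.LoggedIn on success), the datasource name, the isSafeLocalPath helper and the list of pages exempt from the login gate are all assumptions made for the example.

```cfml
<!--- Added example, not the article's code: Application.cfc with a login gate in onRequestStart. --->
<cfcomponent>
    <cfset this.name = "LoginDemo">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <cffunction name="onApplicationStart" returntype="boolean">
        <!--- Shared counters live in the Application scope; initialise them once here
              so onRequestStart never has to test whether they exist. --->
        <cfset application.currentSessions = 0>
        <cfset application.sessionData = arrayNew(1)>
        <cfreturn true>
    </cffunction>

    <cffunction name="isSafeLocalPath" returntype="boolean" output="false">
        <!--- Hypothetical helper: accept only a relative .cfm path on this site, so a
              tampered session.requestedPage cannot turn the cflocation into an open redirect. --->
        <cfargument name="path" type="string" required="true">
        <cfreturn reFind("^[A-Za-z0-9_/-]+\.cfm(\?[A-Za-z0-9_=&-]*)?$", arguments.path) GT 0>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var pageName = listLast(arguments.targetPage, "/")>

        <!--- Request scope is private to this request, so no lock is needed. --->
        <cfset request.datasource = "your_datasource">

        <cfif isDefined("FORM.Username") AND isDefined("FORM.Password")>
            <!--- authenticate.cfm is assumed to set request.User.LoggedIn when the credentials match. --->
            <cfinclude template="authenticate.cfm">
            <cfif NOT isDefined("request.User.LoggedIn")>
                <cfinclude template="login.cfm">
                <cfabort>
            <cfelse>
                <!--- Session scope is shared by concurrent requests of one user: write under a lock. --->
                <cflock scope="SESSION" type="EXCLUSIVE" timeout="7" throwontimeout="yes">
                    <cfset session.User = duplicate(request.User)>
                </cflock>
                <!--- Application scope is shared by every request: write under a named exclusive lock. --->
                <cflock name="lck_currentSessions" type="EXCLUSIVE" timeout="7" throwontimeout="yes">
                    <cfset application.currentSessions = application.currentSessions + 1>
                    <cfset arrayAppend(application.sessionData, session.sessionId)>
                </cflock>
                <!--- Fall back to index.cfm unless the remembered page is a safe local path. --->
                <cfif NOT isDefined("session.requestedPage")
                      OR findNoCase("authenticate.cfm", session.requestedPage)
                      OR NOT isSafeLocalPath(session.requestedPage)>
                    <cflock scope="SESSION" type="EXCLUSIVE" timeout="7" throwontimeout="yes">
                        <cfset session.requestedPage = "index.cfm">
                    </cflock>
                </cfif>
                <cflocation url="#session.requestedPage#" addtoken="false">
            </cfif>
        </cfif>

        <!--- Gate every other page: an unauthenticated request remembers where it was
              going, then gets the login form instead of the requested template. --->
        <cfif NOT isDefined("session.User.LoggedIn")
              AND NOT listFindNoCase("login.cfm,authenticate.cfm", pageName)>
            <cflock scope="SESSION" type="EXCLUSIVE" timeout="7" throwontimeout="yes">
                <cfset session.requestedPage = pageName>
            </cflock>
            <cfinclude template="login.cfm">
            <cfabort>
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Two design choices are worth noting. The Application counters are created in onApplicationStart rather than tested for on every request, which removes the isDefined check from inside the lock. And the redirect target is validated before cflocation runs, because a session variable that is ever derived from the request URL is attacker-influenced and a bare cflocation on it is an open redirect.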

We'll cover the rest of the code in this method in greater detail later. For now, let's assume the login form has been submitted and the authenticate.cfm template has been included.