ColdFusion MX 7 Login Security (Page 8 of 13)

The idea behind this login form is simple. Let's recap how the Application.cfc methods and the authenticate.cfm template work together. When the login form is submitted, the onRequestStart method detects the posted form and immediately includes the authenticate.cfm template. That template either creates a local error message variable (the credentials were invalid) or a Request-scoped User structure (the credentials were valid). In both cases processing then returns to the onRequestStart method at line 108, which decides what happened based on whether the Request.User structure exists. I test specifically for the key Request.User.LoggedIn, because that is the flag I chose to set. If the user entered an unknown username, or the wrong password for a valid username, the login template is included and the appropriate error message is displayed. If the username and password are valid, the user is redirected to the main page of the site or to the specific page they originally requested.

Going back to the onRequestStart method, let's review the last portion of the code just after our FORM check.

147. <cflock scope="SESSION" throwontimeout="Yes" timeout="7" type="READONLY">
148.   <cfif NOT isDefined("Session.User.LoggedIn")>
149.     <cfinclude template="login.cfm">
150.     <cfabort>
151.   </cfif>
152. </cflock>

Like all the code in the onRequestStart method, this block runs on every *.cfm page request, and it is what makes authentication a requirement across the whole application: if the session holds no Session.User.LoggedIn key, the login form is included in place of the requested page and cfabort stops processing right there. This covers both initial entry to the application and session time-outs, since an expired session comes back empty and the key is gone. Two details are worth keeping in mind. First, isDefined() tests only that the key exists, not its value, so the authentication code must never create LoggedIn with a false value. Second, the lock is READONLY, so concurrent requests from the same session can read in parallel, and throwontimeout="Yes" means a request that cannot obtain the lock within 7 seconds raises an exception instead of silently skipping the check.
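To show the whole flow described above in one place, here is a minimal Application.cfc together with an authenticate.cfm and login.cfm. This is an added example and not the article's own listing: the user store is a constructed in-memory struct holding SHA-256 digests (the article's template presumably queries a database), the application name, session timeout, login.cfm markup and the single "Invalid username or password." message are my choices, and the post-login redirect simply sends the user to arguments.targetPage rather than reproducing the article's redirect logic.

```cfml
<!--- ===== Application.cfc (added example, not the article's code) ===== --->
<cfcomponent output="false">
  <cfset this.name = "LoginDemo">                 <!--- constructed application name --->
  <cfset this.sessionManagement = true>
  <cfset this.sessionTimeout = CreateTimeSpan(0, 0, 20, 0)>

  <cffunction name="onRequestStart" returntype="boolean" output="true">
    <cfargument name="targetPage" type="string" required="true">

    <!--- Step 1: a submitted login form is processed before the requested page. --->
    <cfif StructKeyExists(FORM, "username") AND StructKeyExists(FORM, "password")>
      <cfinclude template="authenticate.cfm">
      <!--- authenticate.cfm either created Request.User or set variables.errorMessage --->
      <cfif isDefined("Request.User.LoggedIn")>
        <cflock scope="SESSION" type="EXCLUSIVE" timeout="7" throwontimeout="yes">
          <cfset Session.User = Duplicate(Request.User)>
        </cflock>
        <!--- assumption: send the authenticated user straight to the page they asked for --->
        <cflocation url="#arguments.targetPage#" addtoken="false">
      <cfelse>
        <cfinclude template="login.cfm">
        <cfabort>
      </cfif>
    </cfif>

    <!--- Step 2: every *.cfm request must already carry an authenticated session.
          isDefined() only tests that the key exists, so authenticate.cfm must
          never create LoggedIn with a false value. --->
    <cflock scope="SESSION" type="READONLY" timeout="7" throwontimeout="yes">
      <cfif NOT isDefined("Session.User.LoggedIn")>
        <cfinclude template="login.cfm">
        <cfabort>
      </cfif>
    </cflock>
    <cfreturn true>
  </cffunction>
</cfcomponent>

<!--- ===== authenticate.cfm (added example, not the article's code) ===== --->
<!--- Constructed user store: username => SHA-256 digest of the password.
      It stands in for whatever lookup the article's template performs. --->
<cfset variables.users = StructNew()>
<cfset variables.users["alice"] = Hash("correct horse battery staple", "SHA-256")>

<cfif StructKeyExists(variables.users, FORM.username)
      AND Compare(variables.users[FORM.username], Hash(FORM.password, "SHA-256")) EQ 0>
  <!--- valid credentials: create the Request-scoped flag onRequestStart tests for --->
  <cfset Request.User = StructNew()>
  <cfset Request.User.LoggedIn = true>
  <cfset Request.User.Username = FORM.username>
<cfelse>
  <!--- one message for both failure modes, so the form does not confirm which usernames exist --->
  <cfset variables.errorMessage = "Invalid username or password.">
</cfif>

<!--- ===== login.cfm (added example, not the article's code) ===== --->
<cfoutput>
  <cfif isDefined("variables.errorMessage")>
    <p>#HTMLEditFormat(variables.errorMessage)#</p>
  </cfif>
  <!--- post back to the page that was requested, so targetPage is preserved --->
  <form method="post" action="#HTMLEditFormat(CGI.SCRIPT_NAME)#">
    <input type="text" name="username">
    <input type="password" name="password">
    <input type="submit" value="Log in">
  </form>
</cfoutput>
```

Because Application.cfc is instantiated for each request, variables.errorMessage set inside the included authenticate.cfm is visible to the login.cfm include of the same request and does not leak between users. The session write after a successful login takes an EXCLUSIVE lock, while the per-request check that follows only needs READONLY, matching the article's listing.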