> If you want I can send a code example tonight.

Code is below (does this list accept attachments?). This code is still 
based on session variables, but that should be easy to solve.
If the user needs to log in, an HTTP status code 401 is sent. This results 
in a browser popup. When the user submits username & password, these are 
sent as the HTTP header "authorization" with the form 
ToBase64(username:password).

I would recommend reading the first 2 chapters of RFC 2617 for 
background info (5 pages).


Have fun.

Jochem


<!------------------------------------------------------------------------------

Copyright (c) 2001, Jochem van Dieten
All rights reserved.

Redistribution and use in source and binary forms, with or without 
modification, are permitted provided that the following conditions are met:

     * Redistributions of source code must retain the above copyright 
notice, this list of conditions and the following disclaimer.
     * Redistributions in binary form must reproduce the above copyright 
notice, this list of conditions and the following disclaimer in the 
documentation and/or other materials provided with the distribution.
     * Neither the name of the author nor the names of its contributors 
may be used to endorse or promote products derived from this software 
without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS 
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR 
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

_securitycode.cfm

This template handles all security related issues for an entire directory and 
all subdirectories without an Application.cfm template in that subdirectory. All 
users are verified against a database and after that all the user information is 
set as a session structure.

Usage:
- fill out the local variables
- include this template in Application.cfm

Notes:
username & password are case-sensitive if the DBMS is
the database table with the login information should at least have the fields:
        username        STRING
        password        STRING

------------------------------------------------------------------------------->
<!--- Security: this template is to be included only --->
<cfif GetBaseTemplatePath() IS GetCurrentTemplatePath()>
        <cfheader statuscode="401">
        <!--- RFC says orphan statuscode 401 is illegal, but only hackers see it ;) --->
        <cfabort>
</cfif>

<cfapplication name="test" sessionmanagement="yes">

<!--- Set local variables --->
<cfscript>
        variables.dsn = "login";
        variables.dsn_username = "";
        variables.dsn_password = "";
        variables.dsn_usertable = "users";
        variables.realmname = "Login application";
</cfscript>

<!--- showloginform (BOOLEAN) determines whether user still needs to login --->
<cfset variables.showloginform = TRUE>

<!--- Is the user logged in already? --->
<cflock scope="session" timeout="2" type="readonly">
        <cfscript>
                if (IsDefined("session.user")) {
                        request.user = Duplicate(session.user);
                        variables.showloginform = FALSE;
                        }
        </cfscript>
</cflock>

<cfif variables.showloginform>

        <!--- Is authentication information present in a form post --->
        <cfif IsDefined("form.username") AND IsDefined("form.password")
                AND IsDefined("url.action") AND url.action IS "login">
                <cfset variables.username = form.username>
                <cfset variables.password = form.password>

        <!--- Is authentication information present in cookies --->
        <cfelseif IsDefined("cookie.username") AND IsDefined("cookie.password")>
                <!--- Read the credentials from the cookie scope, not the form scope --->
                <cfset variables.username = cookie.username>
                <cfset variables.password = cookie.password>

        <!--- Is authentication information present in the HTTP header --->
        <cfelseif IsDefined("cgi.authorization") AND ListLen(cgi.authorization," ") IS 2
                AND ListFirst(cgi.authorization," ") IS "Basic">
                <!--- Decode the base64 credentials; Trim removes any trailing whitespace --->
                <cfset variables.realstring = Trim(ListLast(cgi.authorization," "))>
                <cfset variables.readstring = ToString(ToBinary(variables.realstring))>
                <!--- RFC 2617: the userid ends at the FIRST colon, the password may contain colons --->
                <cfset variables.colonpos = Find(":",variables.readstring)>
                <cfif variables.colonpos GT 0>
                        <cfset variables.username = Left(variables.readstring,variables.colonpos-1)>
                        <cfset variables.password = Mid(variables.readstring,variables.colonpos+1,Len(variables.readstring)-variables.colonpos)>
                </cfif>

        </cfif>
        
        <!--- Authenticate --->
        <cfif IsDefined("variables.username") AND IsDefined("variables.password")>
                <!--- Verify username and password --->
                <cfquery datasource="#variables.dsn#" name="qUser"
                        username="#variables.dsn_username#" password="#variables.dsn_password#">
                        SELECT  *
                        FROM    #variables.dsn_usertable#
                        WHERE   #variables.dsn_usertable#.UserName = <cfqueryparam cfsqltype="cf_sql_varchar" value="#variables.username#">
                        AND     #variables.dsn_usertable#.Password = <cfqueryparam cfsqltype="cf_sql_varchar" value="#variables.password#">
                </cfquery>

                <cfif qUser.RecordCount IS 1>
                        <!--- Login is good, set session.user structure --->
                        <cfscript>
                                variables.user = StructNew();
                                // copy every column of the matching row into the user structure
                                for (i = 1; i LTE ListLen(qUser.ColumnList); i = i + 1)
                                        "variables.user.#ListGetAt(qUser.ColumnList,i)#" = Evaluate("qUser." & ListGetAt(qUser.ColumnList,i));
                        </cfscript>
                        <cflock scope="session" timeout="2" type="exclusive">
                                <cfscript>
                                        session.user = Duplicate(variables.user);
                                </cfscript>
                        </cflock>
                        <cfset variables.showloginform = FALSE>
                </cfif>

        </cfif>
</cfif>

<!--- Does the user want to log out? --->
<cfif IsDefined("URL.action") AND URL.Action IS "logout">
        <!--- Delete the structure session.user --->
        <cflock scope="session" timeout="2" type="exclusive">
                <cfif IsDefined("session.user")>
                        <cfset temp = StructDelete(session,"user")>
                </cfif>
        </cflock>
        <cfset variables.showloginform = TRUE>
</cfif>

<!--- Does the user still need to log in --->
<cfif variables.showloginform>
        <!--- Include login form and stop processing --->
        <cfheader statuscode="401">
        <cfheader name="WWW-Authenticate" value="Basic realm=#chr(34)##variables.realmname##chr(34)#">
        <cfabort>
</cfif>
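As an added example (not part of Jochem's post or his template), the same RFC 2617 Basic exchange in Python: the 401 challenge with a quoted realm, the header the browser sends back, and a parser that splits on the first colon only, so a password containing ':' survives, and rejects malformed headers instead of erroring. The USERS table is a constructed stand-in for the database lookup.

```python
import base64
import binascii
import hmac

# Constructed stand-in for the page's "users" table (username -> password).
USERS = {"jochem": "s3cret"}


def build_challenge(realm):
    """WWW-Authenticate value sent with the 401; RFC 2617 wants a quoted realm."""
    escaped = realm.replace("\\", "\\\\").replace('"', '\\"')
    return 'Basic realm="%s"' % escaped


def encode_basic_credentials(username, password):
    """What the browser sends back after the popup: Basic base64(user:pass)."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_authorization(header):
    """Return (username, password) from an Authorization header value, or
    None when it is not a well-formed Basic credential."""
    parts = header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None  # some other scheme, or no credentials at all
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None  # bad padding, stray characters or undecodable bytes
    # The userid ends at the FIRST colon (RFC 2617 forbids ':' in the userid);
    # the password may itself contain colons, so never split from the right.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None  # no separator: not user:pass at all
    return username, password


def check_credentials(header, users):
    """True only when the header decodes and matches a known user."""
    creds = parse_basic_authorization(header)
    if creds is None:
        return False
    username, password = creds
    expected = users.get(username)
    if expected is None:
        return False
    # constant-time comparison so a mismatch does not leak how much matched
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))
```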
