> If you want I can send a code example tonight.
Code is below (does this list accept attachments?). This code is still based on session variables, but that should be easy to solve. If the user needs to log in, an HTTP status code 401 is sent. This results in a browser popup. When the user submits username & password these are sent as the HTTP header "Authorization" with the form ToBase64(username:password). I would recommend reading the first 2 chapters of RFC 2617 for background info (5 pages). Have fun.

Jochem

<!------------------------------------------------------------------------------
Copyright (c) 2001, Jochem van Dieten
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice,
  this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.
* Neither the name of the author nor the names of its contributors may be
  used to endorse or promote products derived from this software without
  specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

_securitycode.cfm

This template handles all security related issues for an entire directory
and all subdirectories without an Application.cfm template in that
subdirectory. All users are verified against a database and after that all
the user information is set as a session structure.

Usage:
- fill out the local variables
- include this template in Application.cfm

Notes:
- username & password are case-sensitive if the DBMS is
- the database table with the login information should at least have the
  fields:
    username STRING
    password STRING
------------------------------------------------------------------------------->

<!--- Security: this template is to be included only --->
<cfif GetBaseTemplatePath() IS GetCurrentTemplatePath()>
    <cfheader statuscode="401">
    <!--- RFC says orphan statuscode 401 is illegal, but only hackers see it ;) --->
    <cfabort>
</cfif>

<cfapplication name="test" sessionmanagement="yes">

<!--- Set local variables --->
<cfscript>
    variables.dsn = "login";
    variables.dsn_username = "";
    variables.dsn_password = "";
    variables.dsn_usertable = "users";
    variables.realmname = "Login application";
</cfscript>

<!--- showloginform (BOOLEAN) determines whether user still needs to login --->
<cfset variables.showloginform = TRUE>

<!--- Is the user logged in already? --->
<cflock scope="session" timeout="2" type="readonly">
    <cfscript>
        if (IsDefined("session.user")) {
            request.user = Duplicate(session.user);
            variables.showloginform = FALSE;
        }
    </cfscript>
</cflock>

<cfif variables.showloginform>
    <!--- Is authentication information present in a form post --->
    <cfif IsDefined("form.username") AND IsDefined("form.password")
          AND IsDefined("url.action") AND url.action IS "login">
        <cfset variables.username = form.username>
        <cfset variables.password = form.password>
    <!--- Is authentication information present in cookies --->
    <cfelseif IsDefined("cookie.username") AND IsDefined("cookie.password")>
        <cfset variables.username = cookie.username>
        <cfset variables.password = cookie.password>
    <!--- Is authentication information present in the HTTP header --->
    <cfelseif IsDefined("cgi.authorization") AND ListLen(cgi.authorization," ") IS 2
              AND ListFirst(cgi.authorization," ") IS "Basic">
        <cfset variables.realstring = ListLast(cgi.authorization," ")>
        <!--- Decode Base64(username:password); the trailing character of the
              header value is dropped, as in the original template --->
        <cfset variables.readstring = ToString(ToBinary(Left(variables.realstring,Len(variables.realstring)-1)))>
        <!--- RFC 2617: the user-id may not contain ":" but the password may,
              so split on the first colon only (ListLast would truncate a
              password containing a colon) --->
        <cfset variables.colonpos = Find(":",variables.readstring)>
        <cfif variables.colonpos GT 1>
            <cfset variables.username = Left(variables.readstring,variables.colonpos-1)>
            <cfset variables.password = Mid(variables.readstring,variables.colonpos+1,Len(variables.readstring))>
        </cfif>
    </cfif>

    <!--- Authenticate --->
    <cfif IsDefined("variables.username") AND IsDefined("variables.password")>
        <!--- Verify username and password (table name comes from the local
              config above; the user-supplied values go through cfqueryparam) --->
        <cfquery datasource="#variables.dsn#" name="qUser"
                 username="#variables.dsn_username#" password="#variables.dsn_password#">
            SELECT *
            FROM #variables.dsn_usertable#
            WHERE #variables.dsn_usertable#.UserName = <cfqueryparam cfsqltype="cf_sql_varchar" value="#variables.username#">
              AND #variables.dsn_usertable#.Password = <cfqueryparam cfsqltype="cf_sql_varchar" value="#variables.password#">
        </cfquery>
        <cfif qUser.RecordCount IS 1>
            <!--- Login is good, set session.user structure. Note: SELECT *
                  copies every column of the user row, the Password column
                  included, into the session --->
            <cfscript>
                variables.user = StructNew();
                for (i = 1 ; i LTE ListLen(qUser.ColumnList) ; i = i + 1) {
                    variables.colname = ListGetAt(qUser.ColumnList,i);
                    variables.user[variables.colname] = qUser[variables.colname][1];
                }
            </cfscript>
            <cflock scope="session" timeout="2" type="exclusive">
                <cfscript>
                    session.user = Duplicate(variables.user);
                </cfscript>
            </cflock>
            <cfset variables.showloginform = FALSE>
        </cfif>
    </cfif>
</cfif>

<!--- Does the user want to log out? --->
<cfif IsDefined("url.action") AND url.action IS "logout">
    <!--- Delete the structure session.user --->
    <cflock scope="session" timeout="2" type="exclusive">
        <cfif IsDefined("session.user")>
            <cfset temp = StructDelete(session,"user")>
        </cfif>
    </cflock>
    <cfset variables.showloginform = TRUE>
</cfif>

<!--- Does the user still need to log in --->
<cfif variables.showloginform>
    <!--- Send the Basic challenge and stop processing --->
    <cfheader statuscode="401">
    <cfheader name="WWW-Authenticate" value="Basic realm=#chr(34)##variables.realmname##chr(34)#">
    <cfabort>
</cfif>
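As an added example (not part of Jochem's template), the same RFC 2617 Basic handling in Python: parsing the "Basic base64(user-id:password)" value with the scheme compared case-insensitively, the split done on the first colon only so a password containing ":" survives, and the check done against a constructed salted-hash user table (USERS, _SALT and the credential are assumptions) instead of a plaintext comparison.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed stand-in for the template's "users" table: passwords are stored as
# salted PBKDF2 digests rather than the plaintext the SQL above compares against.
_SALT = b"constructed-salt"

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 20_000)

USERS = {"alice": _hash("s3cret:with:colons")}  # constructed sample credential

def parse_basic_credentials(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse an RFC 2617 'Basic <base64(user-id:password)>' Authorization value.
    Returns (user_id, password), or None when the header is absent or malformed."""
    if not header:
        return None
    parts = header.strip().split(None, 1)
    # The scheme token is case-insensitive (RFC 2617 section 1.2).
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1].strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    # The user-id may not contain ':', but the password may: split on the first colon only.
    user_id, sep, password = decoded.partition(":")
    if not sep or not user_id:
        return None
    return user_id, password

def authenticate(header: Optional[str]) -> Optional[str]:
    """Return the user-id on success, None otherwise (the caller then sends the 401)."""
    creds = parse_basic_credentials(header)
    if creds is None:
        return None
    user_id, password = creds
    stored = USERS.get(user_id)
    candidate = _hash(password)  # hash even for unknown users so timing does not reveal them
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    return user_id

def challenge_header(realm: str) -> str:
    """WWW-Authenticate value to send with status 401 when login is still required."""
    return 'Basic realm="%s"' % realm.replace("\\", "\\\\").replace('"', '\\"')
```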