RE: Login/Password screen

2002-12-16 Thread Kevin Graeme
Some advantages:

1. If it's a server login that checks against an explicit group of users,
then it's more secure than using CF. Anything in that directory is now
protected, not just CFM pages.

2. You don't have to do any coding in your app to make login screens, store
passwords, cookie security etc.

3. Centralized administration of logins. If the server's authentication is
checking against say an LDAP server, now all apps within an organization can
use a common login instead of creating multiple databases of users and
passwords for each app. This is especially useful in intranet situations
where there are likely logins for systems other than just the web.

4. If you have a large pool of logins, and you have the CF app check against
a sub-group of those users by comparing the username you want to the
cgi.remote_user, then you are only secure for CF but you've still saved
yourself considerable administrative work to maintain yet another set of
logins.

5. Developers now don't know, don't need, and shouldn't have access to
users' passwords. In a normal database table, the developer of the app can
just go in and look at people's passwords. Here it's abstracted out from the
developer's need to know.


Some possible disadvantages:

1. Requires more architectural work such as maintaining an LDAP server or at
least server level logins.

2. Takes some control of the app out of the developer's hands and may
require more calls to server admins to lock down a directory to a group.

3. A one-login situation opens up new questions for security.

4. If you are using something like an LDAP server to store the login
information, it becomes much harder to build user-initiated password
reminder/lookup features. Or even to build a login screen into the look/feel
of your web site.

5. Best for intranets where users are already in a system. It's not as
conducive for public sites with simple user logins for something like a
forum.


I'm certainly no expert on this. It's just something our organization has
been moving to and so far it's been a really nice way to do things. I don't
administer the servers, and I'm not even a hotshot CF dev here. But in our
situation with a very large organization and hundreds of apps, anything to
make our development faster, the server more secure, and users' lists of
passwords shorter is a boon.

-Kevin

 -Original Message-
 From: Kola Oyedeji [mailto:[EMAIL PROTECTED]]
 Sent: Sunday, December 15, 2002 1:56 PM
 To: CF-Talk
 Subject: RE: Login/Password screen


 Kevin

 Thanks for the explanation. I didn't realise this was so simple. What
 advantage (if any) does rolling your own login page in coldfusion
 have over
 this?

 Kola


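The setup Kevin describes (the web server challenges every request under a restricted directory, then exposes the verified login as cgi.remote_user, and the CF app only compares that name against a sub-group) modelled in Python as an added example. This is not code from the thread and not CFML; the /secure/ prefix, the users alice and bob, the PBKDF2 stand-in for the web server's password file and the 401/403 outcomes are all constructed for the demo. It shows the point of the whole thread: a .gif under the protected directory is challenged before anything reaches the application, while the app-level sub-group check only ever runs for .cfm pages.

```python
"""Server-level authentication in front of a CF-style application.

Added example, not code from the thread and not CFML. It models Kevin's
setup: the web server challenges every request under a restricted
directory (.cfm, .gif, .pdf alike) with HTTP Basic auth, and hands the
verified login to the application as REMOTE_USER (what CF exposes as
cgi.remote_user). The application never sees a password; it only compares
REMOTE_USER against its own sub-group. The /secure/ prefix, the users
alice and bob and the PBKDF2 credential store are constructed for the demo.
"""
import base64
import hashlib
import hmac
import posixpath
from typing import Optional, Tuple

def _hash(salt: bytes, password: str) -> bytes:
    # stand-in for the web server's htpasswd store (constructed for the demo)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_SALT = b"demo-salt"
USERS = {"alice": _hash(_SALT, "alice-pw"), "bob": _hash(_SALT, "bob-pw")}
PROTECTED_PREFIX = "/secure/"   # the directory the web server is told to restrict
APP_ALLOWED = {"alice"}         # the sub-group the app checks REMOTE_USER against

def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic base64(user:password)'; None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def web_server(path: str, authorization: Optional[str]) -> Tuple[int, Optional[str]]:
    """The web-server layer. Returns (status, REMOTE_USER).

    The check runs before the application sees the request, for any file
    type, so a direct link to an image under /secure/ is challenged too.
    """
    norm = posixpath.normpath(path)
    if norm != PROTECTED_PREFIX.rstrip("/") and not norm.startswith(PROTECTED_PREFIX):
        return 200, None                 # public area: no login, no REMOTE_USER
    creds = parse_basic(authorization)
    if creds is None:
        return 401, None                 # WWW-Authenticate: Basic realm="secure"
    user, password = creds
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored, _hash(_SALT, password)):
        return 401, None
    return 200, user

def cf_app(remote_user: Optional[str]) -> int:
    """The application layer: authorization only, no password handling.

    Mirrors Kevin's point 4: compare cgi.remote_user against a sub-group.
    """
    if remote_user is None:
        return 401
    return 200 if remote_user in APP_ALLOWED else 403

def handle(path: str, authorization: Optional[str]) -> Tuple[int, Optional[str]]:
    """Full request path: web server first, then the app for .cfm pages."""
    status, remote_user = web_server(path, authorization)
    if status != 200:
        return status, None
    if remote_user is None:
        return 200, None                 # public page or file
    if path.endswith(".cfm"):
        return cf_app(remote_user), remote_user
    return 200, remote_user              # static file under /secure/, already gated

def basic_header(user: str, password: str) -> str:
    """What the browser sends after the 401 challenge (base64, not encryption)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token
```

Note the two outcomes for bob: he passes the server login, so he can fetch an image under /secure/, but the application's own sub-group check still answers 403 for its .cfm pages. That is exactly the "only secure for CF, but no second set of logins to maintain" trade-off in Kevin's point 4.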
RE: Login/Password screen

2002-12-16 Thread Kola Oyedeji
Does this send the username and/or password in plain text?


Kola

  -Original Message-
  From: Jochem van Dieten [mailto:[EMAIL PROTECTED]]
  Sent: 15 December 2002 21:25
  To: CF-Talk
  Subject: Re: Login/Password screen
  
  Jann VanOver wrote:
   Cross platform/cross browser.
  
  No problem.
  
  
   If you have people using non-microsoft browsers, server authentication
   can be problematic.
  
  Just stick to Basic HTTP authentication (RFC 2617), I have yet to see
  the browser that doesn't support it. But if you use NTLM, you are stuck
  to IE.
  
  
   Rolling your own with CF can more easily be made friendly for all
   heterogeneous situations.  And could give you one app that could be run
   on Windoze, Linux, and MacOSX (if written well, of course)
  
  That only protects .cfm pages (but if that is the only thing required I
  do indeed prefer to roll my own HTTP authentication with CF).
  
  Jochem
 


~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Your ad could be here. Monies from ads go to support these lists and provide more 
resources for the community. http://www.fusionauthority.com/ads.cfm



Re: Login/Password screen

2002-12-16 Thread Jochem van Dieten
Kola Oyedeji wrote:
 Does this send the user name and or password in plain text.

Yes, if sent over a non-HTTPS connection. If you want to have the 
password encrypted use Digest Authentication (RFC 2617). Supported by 
most major browsers (IE, Mozilla, Opera but not NN 4.x).

Jochem




RE: Login/Password screen

2002-12-16 Thread Kola Oyedeji
Joch

Does that mean it's possible to do this over SSL and have the user still be
able to authenticate against the server, or is digest authentication the
only option?

Thanks

 -Original Message-
 From: Jochem van Dieten [mailto:[EMAIL PROTECTED]]
 Sent: 16 December 2002 16:46
 To: CF-Talk
 Subject: Re: Login/Password screen
 
 Kola Oyedeji wrote:
  Does this send the user name and or password in plain text.
 
 Yes, if sent over a non-HTTPS connection. If you want to have the
 password encrypted use Digest Authentication (RFC 2617). Supported by
 most major browsers (IE, Mozilla, Opera but not NN 4.x).
 
 Jochem
 





RE: Login/Password screen

2002-12-16 Thread Dave Watts
 If you want to have the password encrypted use 
 Digest Authentication (RFC 2617). Supported by 
 most major browsers (IE, Mozilla, Opera but not
 NN 4.x).

Offhand, Jochem, is Digest authentication still broken in IE?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444




RE: Login/Password screen

2002-12-16 Thread Dave Watts
 Does that mean it's possible to do this over SSL 
 and the user still be able to authenticate against 
 the server or is digest authentication the only 
 option?

If you have SSL, you can safely use Basic Authentication through SSL. If you
don't have SSL, and you want to avoid sending the username and password as
plain text, you'll need to use Digest Authentication.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444




Re: Login/Password screen

2002-12-16 Thread Jochem van Dieten
Kola Oyedeji wrote:
 
 Does that mean it's possible to do this over SSL and the user still be
 able to authenticate against the server

Yes, it works over SSL. RFC 2617

Jochem


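Jochem's and Dave's exchange above (Basic sends the credentials in the clear unless the connection is HTTPS; Digest sends a hash instead) as an added Python example, not code from the thread. The realm "CF-Talk", the user and the request are constructed; the arithmetic is RFC 2617 with qop="auth", MD5 as the RFC specifies. The server side stores HA1 rather than the password, which is the usual Digest deployment, with the caveat that HA1 is still password-equivalent for that realm and needs the same protection a password table would. Neither scheme encrypts the rest of the request, which is why Basic over SSL is the simpler choice whenever SSL is available, as Dave says.

```python
"""Basic versus Digest authentication on the wire (RFC 2617).

Added example, not code from the thread. A Basic credential is only
base64, so on plain HTTP anyone on the path reads the password; a Digest
response is MD5 over the password, the server's nonce and the request, so
the password itself never crosses the wire. The realm "CF-Talk", the user
and the request below are constructed; the arithmetic is RFC 2617 with
qop="auth". Neither scheme encrypts the rest of the request.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Dict

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()   # RFC 2617 specifies MD5

# --- Basic -----------------------------------------------------------------
def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def eavesdrop_basic(header: str) -> str:
    """What a passive observer recovers from a Basic header on plain HTTP."""
    return base64.b64decode(header.split(" ", 1)[1]).decode()

# --- Digest, qop="auth" ------------------------------------------------------
def ha1(user: str, realm: str, password: str) -> str:
    return md5hex(f"{user}:{realm}:{password}")

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1(user, realm, password)}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def client_digest_header(user, realm, password, method, uri, nonce,
                         nc="00000001", cnonce=None) -> Dict[str, str]:
    """The fields the browser puts in 'Authorization: Digest ...'."""
    cnonce = cnonce or secrets.token_hex(8)
    return {"username": user, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce,
            "response": digest_response(user, realm, password, method, uri,
                                        nonce, nc, cnonce)}

class DigestServer:
    """Verifies Digest responses from stored HA1 values, never plaintext.

    HA1 is still password-equivalent for this realm, so the store needs the
    same protection a password table would.
    """
    def __init__(self, realm: str, users: Dict[str, str]):
        self.realm = realm
        self.ha1_by_user = {u: ha1(u, realm, p) for u, p in users.items()}
        self.last_nc: Dict[str, int] = {}      # issued nonce -> highest nc accepted

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.last_nc[nonce] = 0
        return nonce

    def verify(self, method: str, params: Dict[str, str]) -> bool:
        if params.get("realm") != self.realm or params.get("qop") != "auth":
            return False
        nonce = params.get("nonce", "")
        if nonce not in self.last_nc:
            return False                        # never issued, or already expired
        nc_str = params.get("nc", "")
        try:
            nc = int(nc_str, 16)
        except ValueError:
            return False
        if nc <= self.last_nc[nonce]:
            return False                        # replay of an earlier request
        h1 = self.ha1_by_user.get(params.get("username", ""))
        if h1 is None:
            return False
        ha2 = md5hex(f"{method}:{params.get('uri', '')}")
        expected = md5hex(f"{h1}:{nonce}:{nc_str}:{params.get('cnonce', '')}:auth:{ha2}")
        if not hmac.compare_digest(expected, params.get("response", "")):
            return False
        self.last_nc[nonce] = nc
        return True
```

The worked example in RFC 2617 section 3.5 (user Mufasa, realm testrealm@host.com, password "Circle Of Life", GET /dir/index.html) reproduces with these functions, which is a quick way to check any Digest implementation. The response is bound to the method and URI and the server tracks the nonce count, so a captured Authorization header cannot simply be replayed.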


RE: Login/Password screen

2002-12-15 Thread Kola Oyedeji
Why is that? Is CFCONTENT resource intensive?


Kola

  
   For example, put all of your images in a folder that
   is not within the wwwroot and request them like this:
  
   <img src="getImage.cfm?imagePath=storeFront/header.gif">
  
   And then in the CFM use CFCONTENT to send back the image.
   Works equally well with PDF, Word, Excel, etc. files.
 
  This is a good solution, but you need to be careful when using it,
  because it can introduce a significant amount of additional load onto CF.
 
  Dave Watts, CTO, Fig Leaf Software
  http://www.figleaf.com/
  voice: (202) 797-5496
  fax: (202) 797-5444
 
 




RE: Login/Password screen

2002-12-15 Thread Samuel Neff
It's not that cfcontent is resource intensive, but using it for security
like I suggested causes 5-10 times as many requests to go through CF
whereas before they would just go to the web server.

Typical request for CFM page = one request to CF.
Request for CFM page with all images going through CF = 5-10 requests to
CF

A lot more requests for CF to handle, albeit short ones.  Might help to
increase the number of simultaneous requests being processed.

Sorry I didn't mention this in my original post.

 -Original Message-
 From: Kola Oyedeji [mailto:[EMAIL PROTECTED]] 
 Sent: Sunday, December 15, 2002 12:45 PM
 To: CF-Talk
 Subject: RE: Login/Password screen
 
 
 Why is that? Is CFCONTENT resource intensive?
 
 
 Kola
 
   



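Samuel's getImage.cfm?imagePath=... approach, and the load caveat he and Dave attach to it, as an added Python example rather than the thread's CFML. The files live outside the document root so the web server cannot hand them out directly; the application checks the login and then streams the file with the right Content-Type, which is what CFCONTENT does, and every image now costs one request through the application instead of the web server. The example also confines imagePath to the base directory, a check the one-line sketch in the thread leaves to the implementer. The store directory, its files and the user name are constructed for the demo.

```python
"""Serving protected files from outside the web root through the application.

Added example, not code from the thread and not CFML: Samuel's
getImage.cfm?imagePath=... idea in Python. The files live outside the
document root, so the web server cannot hand them out directly; the
application checks the login and then streams the file with the right
Content-Type, which is what CFCONTENT does. The example also confines
imagePath to the base directory. The store directory and its files are
created in a temporary directory for the demo.
"""
import mimetypes
import tempfile
from pathlib import Path
from typing import Optional, Tuple

class FileGate:
    def __init__(self, base_dir: str):
        self.base = Path(base_dir).resolve()

    def resolve(self, requested: str) -> Optional[Path]:
        """Map a user-supplied relative path to a file inside base, or None."""
        if not requested or requested.startswith(("/", "\\")):
            return None
        if ".." in Path(requested).parts:
            return None
        candidate = (self.base / requested).resolve()
        try:
            candidate.relative_to(self.base)    # ValueError if it escaped base
        except ValueError:
            return None
        return candidate if candidate.is_file() else None

    def serve(self, remote_user: Optional[str], requested: str) -> Tuple[int, str, bytes]:
        """(status, content-type, body), as getImage.cfm would answer."""
        if remote_user is None:
            return 401, "text/plain", b"login required"
        path = self.resolve(requested)
        if path is None:
            return 404, "text/plain", b"not found"
        ctype = mimetypes.guess_type(path.name)[0] or "application/octet-stream"
        return 200, ctype, path.read_bytes()

def demo_store() -> str:
    """Constructed base directory: one image, one PDF, and a file outside it."""
    root = Path(tempfile.mkdtemp(prefix="cf-store-"))
    store = root / "store"
    (store / "storeFront").mkdir(parents=True)
    (store / "storeFront" / "header.gif").write_bytes(b"GIF89a" + bytes(10))
    (store / "report.pdf").write_bytes(b"%PDF-1.4\n")
    (root / "secret.txt").write_bytes(b"must not be reachable")
    return str(store)
```

Unknown and escaped paths both answer 404 rather than distinguishing the two, so the endpoint does not confirm what exists outside the store. The request count is the cost Samuel describes: a page with nine images is ten application requests instead of one.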

RE: Login/Password screen

2002-12-15 Thread Kola Oyedeji
Kevin

Thanks for the explanation. I didn't realise this was so simple. What
advantage (if any) does rolling your own login page in coldfusion have over
this?

Kola

 -Original Message-
 From: Kevin Graeme [mailto:[EMAIL PROTECTED]]
 Sent: 13 December 2002 21:45
 To: CF-Talk
 Subject: RE: Login/Password screen
 
 
 The server sets it when the person authenticates to the server
 login. So you
 just define the directory as restricted in the web server configuration,
 then when a person requests anything in that directory or lower, the web
 server intercepts it before anything else does and asks for a login.
 
 The CF app can then read the #cgi.remote_user# variable and compare that
 against a database of users for personalization if you like.
 
 -Kevin
 
  -Original Message-
  From: Kola Oyedeji [mailto:[EMAIL PROTECTED]]
  Sent: Friday, December 13, 2002 11:19 AM
  To: CF-Talk
  Subject: RE: Login/Password screen
 
 
  Kevin
 
  How is CGi.remote_user set?
 
 
  Kola
 
   -Original Message-
   From: Kevin Graeme [mailto:[EMAIL PROTECTED]]
   Sent: 13 December 2002 16:04
   To: CF-Talk
   Subject: RE: Login/Password screen
  
    It's not a browser issue so much as on the server. The server stores
    a set of cgi.something variables that can be asked for by CF. We used
    to use cgi.auth_user, but when we switched over to Apache, that wasn't
    a valid cgi variable anymore. Now we use cgi.remote_user.
  
   -Kevin
  
-Original Message-
From: Kola Oyedeji [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 13, 2002 9:36 AM
To: CF-Talk
Subject: RE: Login/Password screen
   
   
 That's a good idea, does cgi.remote_user work with all major browsers or
 just IE?
   
Thanks
Kola
   
 -Original Message-
 From: Kevin Graeme [mailto:[EMAIL PROTECTED]]
 Sent: 13 December 2002 14:33
 To: CF-Talk
 Subject: RE: Login/Password screen

  Keep in mind that a CF based authentication system is only checked
  against if the user hits a CFM page. That's fine for certain types of
  projects, but not for actual file security. So if you have a directory
  of images in the secure area, a person could link directly to an image
  and bypass the login altogether because a .gif doesn't reference the
  Application.cfm first.

  We've been using the server level authentication and then using cf to
  check against the cgi.remote_user to see who it is. That means that ANY
  attempt to get in at that protected area has to be authenticated against
  with the server.

  -Kevin

  -Original Message-
  From: FlashGuy [mailto:[EMAIL PROTECTED]]
  Sent: Friday, December 13, 2002 6:43 AM
  To: CF-Talk
  Subject: Login/Password screen
 
 
   Hi,
  
   I know there are a lot of custom tags out there that will do what
   I'm looking for but I want the best one. So this is why I'm asking
   all of you hoping you've had some experience with some of them. I'd
   like everything stored in a database. I know some don't do that.
   Basically, once the user enters in their username/password they are
   redirected to a URL on the server based on the authentication.
  
   I have one called CF_EzPassword but was wondering if there are any
   better ones?
  
   Thanks
  
  
   ---
   Colonel Nathan R. Jessop
   Commanding Officer
   Marine Ground Forces
   Guantanamo Bay, Cuba
   ---



Re: Login/Password screen

2002-12-15 Thread Jann VanOver
Cross platform/cross browser.

If you have people using non-microsoft browsers, server authentication can
be problematic.  

Rolling your own with CF can more easily be made friendly for all
heterogeneous situations.  And could give you one app that could be run on
Windoze, Linux, and MacOSX (if written well, of course)

On 12/15/02 11:55 AM, Kola Oyedeji [EMAIL PROTECTED] wrote:

 Kevin
 
 Thanks for the explanation. I didn't realise this was so simple. What
 advantage (if any) does rolling your own login page in coldfusion have over
 this?
 
 Kola
 



Re: Login/Password screen

2002-12-15 Thread Jochem van Dieten
Jann VanOver wrote:
 Cross platform/cross browser.

No problem.


 If you have people using non-microsoft browsers, server authentication can
 be problematic.  

Just stick to Basic HTTP authentication (RFC 2617), I have yet to see 
the browser that doesn't support it. But if you use NTLM, you are stuck 
to IE.


 Rolling your own with CF can more easily be made friendly for all
 heterogeneous situations.  And could give you one app that could be run on
 Windoze, Linux, and MacOSX (if written well, of course)

That only protects .cfm pages (but if that is the only thing required I 
do indeed prefer to roll my own HTTP authentication with CF).

Jochem




RE: Login/Password screen

2002-12-15 Thread Kola Oyedeji
Samuel

Thanks for pointing that out for me.

Kola


 -Original Message-
 From: Samuel Neff [mailto:[EMAIL PROTECTED]]
 Sent: 15 December 2002 18:39
 To: CF-Talk
 Subject: RE: Login/Password screen
 
 
 It's not the cfcontent is resource intensive, but using it for security
 like I suggested causes 5-10 times as many requests to go through CF
 whereas before they would just go to the web server.
 
 Typical request for CFM page = one request to CF.
 Request for CFM page with all images going through CF = 5-10 requests to
 CF
 
 A lot more requests for CF to handle, albeit short ones.  Might help to
 increase number of simultaneous requests being processed.
 
 Sorry I didn't mention this in my original post.
 
 



Re: Login/Password screen

2002-12-14 Thread Kay Smoljak
  And then in the CFM use CFCONTENT to send back the image.
  Works equally well with PDF, Word, Excel, etc. files.

 This is a good solution, but you need to be careful when using it,
 because it can introduce a significant amount of additional load onto CF.

I found that running entire pages - ie, those containing both html and
graphics - through cfcontent from outside the web root caused images to
randomly not appear (ie, when you hit refresh, some images that were
previously there were now not, and others that weren't there now
appeared). That's probably a bad explanation, but I saw it on both a
production and a dev server, both fairly beefy machines with quite
different specs.

K.

-- 
Kay Smoljak

http://kay.smoljak.com




RE: Login/Password screen

2002-12-14 Thread Dave Watts
 I found that running entire pages - ie, those containing 
 both html and graphics - through cfcontent from outside 
 the web root caused images to randomly not appear (ie, 
 when you hit refresh, some images that were previously 
 there were now not, and others that weren't there now
 appeared). That's probably a bad explanation, but I saw 
 it on both a production and a dev server, both fairly 
 beefy machines with quite different specs.

I've never tried to serve regular HTML pages and their images via CFCONTENT,
so I don't really have any idea why this would happen.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444




RE: Login/Password screen

2002-12-14 Thread Samuel Neff
  I found that running entire pages - ie, those containing
  both html and graphics - through cfcontent from outside 
  the web root caused images to randomly not appear (ie, 
  when you hit refresh, some images that were previously 
  there were now not, and others that weren't there now
  appeared). That's probably a bad explanation, but I saw 
  it on both a production and a dev server, both fairly 
  beefy machines with quite different specs.

The only thing I can think of is that when you use cfcontent to send
back all images, your cf server is now doing quite a bit more work than
it did previously.

In a normal CF app, CF gets called once for each request (to get the CFM
page).  However, if you filter images through CF for security reasons,
then you have 5-10 times as many requests going to CF (one for the main
page plus one for each record).

Since all of the image requests are very light load, you can experiment
with increasing the simultaneous requests in cf admin.

Sam





Re: Login/Password screen

2002-12-13 Thread Jochem van Dieten
Quoting FlashGuy [EMAIL PROTECTED]:
 
 I know there are alot of custom tags out there that will do what I'm
 looking for but I want the best one. So this is why I'm asking all of
 you hoping you've had some experience with some of them. I'd like
 everything stored in a database. I know some don't do that.
 Bascially, once the user enters in their username/password they are
 redirected to a URL on the server based on the authentication.
 
 I have one called CF_EzPassword but was wondering if there are any
 better ones?

Can you post a full list of requirements?

Jochem



RE: Login/Password screen

2002-12-13 Thread Craig Dudley
That's quite simple to code yourself, why don't you give it a try and
post any questions here if you get stuck?

Just pass a username and password from a form into a query; if a
matching record is found, the query's record count will be 1 and you can
authenticate the user. That's quite simplistic but basically all you
need.

Have a go, you know you want to ;-)

-Original Message-
From: FlashGuy [mailto:[EMAIL PROTECTED]] 
Sent: 13 December 2002 12:43
To: CF-Talk
Subject: Login/Password screen

Hi,

I know there are a lot of custom tags out there that will do what I'm
looking for but I want the best one. So this is why I'm asking all of
you hoping you've had some experience with some of them. I'd like
everything stored in a database. I know some don't do that. Basically,
once the user enters in their username/password they are redirected to
a URL on the server based on the authentication.

I have one called CF_EzPassword but was wondering if there are any
better ones?

Thanks





RE: Login/Password screen

2002-12-13 Thread FlashGuy
That part is no problem. It's what I need to put into the application.cfm to
time out or after 2-3 attempts lock the user out.
Also once they log in they might drag a shortcut to their desktop which would
bypass my index.cfm in the root that has the authentication code.
How can I force them to the login screen every time regardless if they dragged
a shortcut?



On Fri, 13 Dec 2002 13:10:45 -, Craig Dudley wrote:

 That's quite simple to code yourself, why don't you give it a try and
 post any questions here if you get stuck?
 
 Just pass a username and password from a from into a query, if a
 matching record is found, the queries record count will be 1 and you can
 authenticate the user, that's quite simplistic but basically all you
 need.
 
 Have a go, you know you want to ;-)
 



Re: Login/Password screen

2002-12-13 Thread FlashGuy
On Fri, 13 Dec 2002 13:48:25 +0100, Jochem van Dieten wrote:

 Quoting FlashGuy [EMAIL PROTECTED]:
  
  I know there are alot of custom tags out there that will do what I'm
  looking for but I want the best one. So this is why I'm asking all of
  you hoping you've had some experience with some of them. I'd like
  everything stored in a database. I know some don't do that.
  Bascially, once the user enters in their username/password they are
  redirected to a URL on the server based on the authentication.
  
  I have one called CF_EzPassword but was wondering if there are any
  better ones?
 
 Can you post a full list of requirements?

- validate users
- database for authentication
- redirection to different URLS on server based on authentication
- username/password/IP/login time/logout time/ logging to database
- force all users to the login screen regardless of shortcut on desktop which points 
to a URL off \inetpub\wwwroot\

 
 Jochem
 



Re: Login/Password screen

2002-12-13 Thread Clint Tredway
What I do is create a file called session.cfm. In there I check for a
specific session variable. If that variable is there, I let the user go on
their way. If that variable is not there, I send them back to the login
screen or whatever screen is needed.

If you need help with this, just let me know.

HTH
Clint

- Original Message -
From: FlashGuy [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, December 13, 2002 7:15 AM
Subject: RE: Login/Password screen


 That part is no problem. It's what I need to put into the application.cfm
 to timeout or after 2-3 attempts lock the user out.
 Also once they log in they might drag a shortcut to their desktop which
 would bypass my index.cfm in the root that has the authentication code.
 How can I force them to the login screen every time regardless if they
 dragged a shortcut?



 On Fri, 13 Dec 2002 13:10:45 -, Craig Dudley wrote:

  That's quite simple to code yourself, why don't you give it a try and
  post any questions here if you get stuck?
 
  Just pass a username and password from a form into a query, if a
  matching record is found, the query's record count will be 1 and you can
  authenticate the user, that's quite simplistic but basically all you
  need.
 
  Have a go, you know you want to ;-)
 
  -Original Message-
  From: FlashGuy [mailto:[EMAIL PROTECTED]]
  Sent: 13 December 2002 12:43
  To: CF-Talk
  Subject: Login/Password screen
 
  Hi,
 
  I know there are a lot of custom tags out there that will do what I'm
  looking for but I want the best one. So this is why I'm asking all of
  you hoping you've had some experience with some of them. I'd like
  everything stored in a database. I know some don't do that. Basically,
  once the user enters in their username/password they are redirected to
  a URL on the server based on the authentication.
 
  I have one called CF_EzPassword but was wondering if there are any
  better ones?
 
  Thanks
 
 
  ---
  Colonel Nathan R. Jessop
  Commanding Officer
  Marine Ground Forces
  Guantanamo Bay, Cuba
  ---
 
 
 
 
 
 
 



RE: Login/Password screen

2002-12-13 Thread Everett, Al
Easy. Assuming you set a Session variable called IsLoggedIn, put the
following code in your Application.cfm:

<cfif NOT (IsDefined("Session.IsLoggedIn") AND Session.IsLoggedIn) AND
      FindNoCase("login.cfm", CGI.PATH_INFO) EQ 0>
    <cflocation url="login.cfm">
</cfif>

In other words, if they are not already logged in, and they are not on the
login page, force them to the login page. (The latter is necessary to
prevent endless loops.)

Adjust as necessary for your application.





 -Original Message-
 From: FlashGuy [mailto:[EMAIL PROTECTED]]
 Sent: Friday, December 13, 2002 8:16 AM
 To: CF-Talk
 Subject: RE: Login/Password screen
 
 
 That part is no problem. It's what I need to put into the
 application.cfm to timeout or after 2-3 attempts lock the user out.
 Also once they log in they might drag a shortcut to their
 desktop which would bypass my index.cfm in the root that has
 the authentication code.
 How can I force them to the login screen every time
 regardless if they dragged a shortcut?
 
 
 



RE: Login/Password screen

2002-12-13 Thread Steve Reich
Here's the basic concept...

You have a login page. The user puts their username and password in and it
submits to an action page that checks to see if they are a user. You then
set a variable (I usually use session variables). Then you check for that
session variable on the pages that are protected. Typically, I have
everything that they need to log into put in a separate folder. Then I have
code in the application.cfm to say that if the path is to the protected
folder, check for the variable otherwise redirect to the login page. Any
shortcut to the secured data will redirect them to the login page if they
are not logged in. As far as locking out... set a variable on each failed
login and increment it by one until they hit 3. Once they hit three, check
that variable in the login page and redirect them or give them a message
that they have been locked out. You can use a cookie to expire in 30 minutes
or however you want to do it. This is just the basic idea to get you
thinking in the right direction. If you just want someone to do it for you,
then just ask and I'll send you the code (and the bill ;-))


HTH,
Steve


-Original Message-
From: FlashGuy [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 13, 2002 8:16 AM
To: CF-Talk
Subject: RE: Login/Password screen


That part is no problem. It's what I need to put into the application.cfm to
timeout or after 2-3 attempts lock the user out.
Also once they log in they might drag a shortcut to their desktop which
would bypass my index.cfm in the root that has the authentication code.
How can I force them to the login screen every time regardless if they
dragged a shortcut?






Re: Login/Password screen

2002-12-13 Thread Jochem van Dieten
Quoting FlashGuy [EMAIL PROTECTED]:
 On Fri, 13 Dec 2002 13:48:25 +0100, Jochem van Dieten wrote:
 
  Can you post a full list of requirements?
 
 - validate users
 - database for authenitcation
 - redirection to different URLS on server based on authentication
 - username/password/IP/login time/logout time/ logging to database
 - force all users to the login screen regardless of shortcut on
 desktop which points to a URL off \inetpub\wwwroot\

- encryption over the wire?
- encryption/hashed in database?
- form or HTTP based?
- multiple simultaneous logins allowed?
- password recovery module?

Jochem



RE: Login/Password screen

2002-12-13 Thread Craig Dudley
That's fairly easy as well.

Create a session variable, set it to 0, and after every failed login
attempt increment it by 1, if it reaches 3, don't show the login screen
but a locked out screen instead. After their session times out, they
will be able to try again however.

Sending users to different places based on a security level is also
pretty simple, just store a security level with the user/password in
your database and pull it out when they log in. It's then just a case of
using a cfswitch statement to redirect them to different places based on
their security level.

Here's an example file structure.

In the root directory create the login/locked out page, create a
directory for each security level, then an application.cfm in each dir,
it will look something like this.

<cfinclude template="../Application.cfm">

<cflock scope="SESSION" timeout="2" type="EXCLUSIVE">
    <cfif NOT IsDefined("request.login") OR request.login NEQ 1>
        <cflocation addtoken="No" url="../login.cfm">
    </cfif>
</cflock>

 Hope that helps.

-Original Message-
From: FlashGuy [mailto:[EMAIL PROTECTED]] 
Sent: 13 December 2002 13:16
To: CF-Talk
Subject: RE: Login/Password screen

That part is no problem. It's what I need to put into the application.cfm
to timeout or after 2-3 attempts lock the user out.
Also once they log in they might drag a shortcut to their desktop which
would bypass my index.cfm in the root that has the authentication code.
How can I force them to the login screen every time regardless if they
dragged a shortcut?




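Putting Al Everett's Application.cfm gate, Craig's security-level redirect and the "hashed in database" item from Jochem's checklist together, as an added example that is not code from any poster: the first part is an Application.cfm that gates every .cfm request, the second is the action half of login.cfm. It assumes a datasource named intranet, a users table with columns username, salt, pwdhash and securitylevel, a loginlog table, and Hash(string, "SHA-256"), which needs ColdFusion MX 7 or later.

```cfml
<!--- Application.cfm (added example, not from the thread). Runs before every
      .cfm request, so a bookmark or desktop shortcut into the app is gated
      too. Assumes datasource "intranet" and the tables named above. --->
<cfapplication name="intranetApp" sessionmanagement="Yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">

<!--- Pages that must stay reachable without a login, or the redirect loops --->
<cfset request.publicPages = "login.cfm,locked.cfm">
<cfset request.thisPage = ListLast(CGI.SCRIPT_NAME, "/")>

<cfif NOT ListFindNoCase(request.publicPages, request.thisPage)>
    <cflock scope="SESSION" type="READONLY" timeout="5">
        <cfset request.loggedIn = StructKeyExists(session, "isLoggedIn")
                                  AND session.isLoggedIn>
    </cflock>
    <cfif NOT request.loggedIn>
        <cflocation url="/login.cfm" addtoken="No">
    </cfif>
</cfif>

<!--- login.cfm, action half: runs only when the form has been posted --->
<cfif IsDefined("form.username") AND IsDefined("form.password")>
    <cfquery name="getUser" datasource="intranet">
        SELECT salt, pwdhash, securitylevel
        FROM   users
        WHERE  username = <cfqueryparam value="#form.username#"
                                        cfsqltype="cf_sql_varchar">
    </cfquery>

    <!--- Only a salted hash is stored; compare hashes, never clear text.
          On ColdFusion 11 or later a slow KDF such as GeneratePBKDFKey()
          is the better choice for the stored value. --->
    <cfset request.ok = false>
    <cfif getUser.recordCount EQ 1>
        <cfset request.candidate = Hash(getUser.salt & form.password, "SHA-256")>
        <cfset request.ok = (CompareNoCase(request.candidate, getUser.pwdhash) EQ 0)>
    </cfif>

    <cfif request.ok>
        <cflock scope="SESSION" type="EXCLUSIVE" timeout="5">
            <cfset session.isLoggedIn = true>
            <cfset session.username = form.username>
            <cfset session.securityLevel = getUser.securitylevel>
        </cflock>
        <!--- Audit record: who, from which address, when --->
        <cfquery datasource="intranet">
            INSERT INTO loginlog (username, remoteaddr, logintime)
            VALUES (<cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">,
                    <cfqueryparam value="#CGI.REMOTE_ADDR#" cfsqltype="cf_sql_varchar">,
                    <cfqueryparam value="#Now()#" cfsqltype="cf_sql_timestamp">)
        </cfquery>
        <!--- Route each security level to its own directory (constructed names) --->
        <cfswitch expression="#getUser.securitylevel#">
            <cfcase value="1"><cflocation url="/staff/index.cfm" addtoken="No"></cfcase>
            <cfcase value="2"><cflocation url="/managers/index.cfm" addtoken="No"></cfcase>
            <cfdefaultcase><cflocation url="/admin/index.cfm" addtoken="No"></cfdefaultcase>
        </cfswitch>
    <cfelse>
        <!--- Same message for an unknown user and a wrong password --->
        <cfset request.loginError = "Invalid username or password">
    </cfif>
</cfif>
```

Each per-level directory can still carry its own Application.cfm as Craig describes, checking session.securityLevel against the level that directory serves.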



Re: Login/Password screen

2002-12-13 Thread FlashGuy
On Fri, 13 Dec 2002 14:30:01 +0100, Jochem van Dieten wrote:

 Quoting FlashGuy [EMAIL PROTECTED]:
  On Fri, 13 Dec 2002 13:48:25 +0100, Jochem van Dieten wrote:
  
   Can you post a full list of requirements?
  
  - validate users
   - database for authentication
   - redirection to different URLs on server based on authentication
  - username/password/IP/login time/logout time/ logging to database
  - force all users to the login screen regardless of shortcut on
  desktop which points to a URL off \inetpub\wwwroot\
 
 - encryption over the wire?
 - encryption/hashed in database?

Sure.

 - form or HTTP based?

Either one.

 - multiple simultaneous logins allowed?

Absolutely.

 - password recovery module?

Not necessary.
 
 Jochem
 



RE: Login/Password screen

2002-12-13 Thread Jochem van Dieten
Quoting Steve Reich [EMAIL PROTECTED]:

 Here's the basic concept...
 
 You have a login page. The user puts their username and password in
 and it submits to an action page that checks to see if they are a
 user.

Why a login page? Why an action page? You can also make every page a 
login page and every page an action page by putting the relevant code 
in the Application.cfm. And if you combine that with HTTP 
authentication even submitted formfields will persist. Also, check the 
manual on cflogin.


 You then set a variable (I usually use session variables). Then you
 check for that session variable on the pages that are protected.
 Typically, I have everything that they need to log into put in a
 separate folder. Then I have code in the application.cfm to say that
 if the path is to the protected folder, check for the variable
 otherwise redirect to the login page.
 Any shortcut to the secured data will redirect them to the login page
 if they are not logged in. As far as locking out... set a variable on
 each failed login and increment it by one until they hit 3. Once they
 hit three, check that variable in the login page and redirect them or
 give them a message that they have been locked out. You can use a
 cookie to expire in 30 minutes or however you want to do it.

Cookies = client-side = insecure

Jochem



Re: Login/Password screen

2002-12-13 Thread FlashGuy
I'll take a stab at it.

Thanks

On Fri, 13 Dec 2002 07:22:51 -0600, Clint Tredway wrote:

 What I do is create a file called session.cfm. In there I check for a
 specific session variable. If that variable is there, I let the user go on
 their way. If that variable is not there, I send them back to the login
 screen or what ever screen is needed.
 
 If you need help with this, just let me know.
 
 HTH
 Clint
 



RE: Login/Password screen

2002-12-13 Thread Jochem van Dieten
Quoting Craig Dudley [EMAIL PROTECTED]:
 
 Create a session variable, set it to 0, and after every failed
 login attempt increment it by 1, if it reaches 3, don't show the login
 screen but a locked out screen instead. After their session times out,
 they will be able to try again however.

Sessions, although stored on the server, are maintained on the client. 
Ergo, insecure. Use an IP address.

Jochem
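
A failed-login counter that does not depend on the client keeping its session cookie, following Jochem's objection and Craig's three-strikes rule, as an added example that is not code from either poster. It keeps the counters in the APPLICATION scope keyed by username and remote address; Application.cfm is assumed to have enabled that scope, and the file is meant to be included from the login action page before the password is checked.

```cfml
<!--- lockout.cfm (added example, not code from the thread). Counters live on
      the server in the APPLICATION scope, so discarding a session cookie
      does not reset them. Keyed by username AND address so one office NAT
      address cannot lock out everybody behind it when one account is hit. --->
<cfset request.maxAttempts = 3>
<cfset request.lockMinutes = 30>

<cffunction name="lockKey" returntype="string" output="no">
    <cfargument name="username" type="string" required="yes">
    <cfargument name="remoteAddr" type="string" required="yes">
    <cfreturn LCase(Trim(arguments.username)) & "@" & arguments.remoteAddr>
</cffunction>

<cffunction name="isLockedOut" returntype="boolean" output="no">
    <cfargument name="username" type="string" required="yes">
    <cfargument name="remoteAddr" type="string" required="yes">
    <cfset var key = lockKey(arguments.username, arguments.remoteAddr)>
    <cfset var entry = "">
    <cflock scope="APPLICATION" type="READONLY" timeout="5">
        <cfif StructKeyExists(application, "failedLogins")
              AND StructKeyExists(application.failedLogins, key)>
            <cfset entry = Duplicate(application.failedLogins[key])>
        </cfif>
    </cflock>
    <cfif NOT IsStruct(entry)>
        <cfreturn false>
    </cfif>
    <!--- A lock expires once lockMinutes have passed since the last failure --->
    <cfif DateDiff("n", entry.lastAttempt, Now()) GTE request.lockMinutes>
        <cfreturn false>
    </cfif>
    <cfreturn entry.count GTE request.maxAttempts>
</cffunction>

<cffunction name="recordFailure" returntype="numeric" output="no">
    <cfargument name="username" type="string" required="yes">
    <cfargument name="remoteAddr" type="string" required="yes">
    <cfset var key = lockKey(arguments.username, arguments.remoteAddr)>
    <cfset var count = 1>
    <cflock scope="APPLICATION" type="EXCLUSIVE" timeout="5">
        <cfif NOT StructKeyExists(application, "failedLogins")>
            <cfset application.failedLogins = StructNew()>
        </cfif>
        <!--- Continue the count only while the previous failure is recent --->
        <cfif StructKeyExists(application.failedLogins, key)
              AND DateDiff("n", application.failedLogins[key].lastAttempt, Now()) LT request.lockMinutes>
            <cfset count = application.failedLogins[key].count + 1>
        </cfif>
        <cfset application.failedLogins[key] = StructNew()>
        <cfset application.failedLogins[key].count = count>
        <cfset application.failedLogins[key].lastAttempt = Now()>
    </cflock>
    <cfreturn count>
</cffunction>

<cffunction name="clearFailures" returntype="void" output="no">
    <cfargument name="username" type="string" required="yes">
    <cfargument name="remoteAddr" type="string" required="yes">
    <cfset var key = lockKey(arguments.username, arguments.remoteAddr)>
    <cflock scope="APPLICATION" type="EXCLUSIVE" timeout="5">
        <cfif StructKeyExists(application, "failedLogins")>
            <cfset StructDelete(application.failedLogins, key)>
        </cfif>
    </cflock>
</cffunction>

<!--- In the login action page: refuse before the password is even checked.
      After the hash comparison, call recordFailure() on a miss and
      clearFailures() on a success. --->
<cfif IsDefined("form.username") AND isLockedOut(form.username, CGI.REMOTE_ADDR)>
    <cflocation url="/locked.cfm" addtoken="No">
</cfif>
```

Entries are never purged here; on a busy server a scheduled task should sweep application.failedLogins for entries older than lockMinutes.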



RE: Login/Password screen

2002-12-13 Thread Steve Reich
Thanks for your insight, Jochem. My rhetoric was describing the basic
concept and was meant to get [FlashGuy] thinking in the right direction.
I didn't realize we were being graded. Ahh.. I sure miss the good old days
when I knew it all!

Steve

-Original Message-
From: Jochem van Dieten [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 13, 2002 8:43 AM
To: CF-Talk
Subject: RE: Login/Password screen


Quoting Steve Reich [EMAIL PROTECTED]:

 Here's the basic concept...

 You have a login page. The user puts their username and password in
 and it submits to an action page that checks to see if they are a
 user.

Why a login page? Why an action page? You can also make every page a
login page and every page an action page by putting the relevant code
in the Application.cfm. And if you combine that with HTTP
authentication even submitted formfields will persist. Also, check the
manual on cflogin.


 You then set a variable (I usually use session variables). Then you
 check for that session variable on the pages that are protected.
 Typically, I have everything that they need to log into put in a
 separate folder. Then I have code in the application.cfm to say that
 if the path is to the protected folder, check for the variable
 otherwise redirect to the login page.
 Any shortcut to the secured data will redirect them to the login page
 if they are not logged in. As far as locking out... set a variable on
 each failed login and increment it by one until they hit 3. Once they
 hit three, check that variable in the login page and redirect them or
 give them a message that they have been locked out. You can use a
 cookie to expire in 30 minutes or however you want to do it.

Cookies = client-side = insecure

Jochem




RE: Login/Password screen

2002-12-13 Thread Kevin Graeme
Keep in mind that a CF based authentication system is only checked against
if the user hits a CFM page. That's fine for certain types of projects, but
not for actual file security. So if you have a directory of images in the
secure area, a person could link directly to an image and bypass the login
altogether because a .gif doesn't reference the Application.cfm first.

We've been using the server level authentication and then using cf to check
against the cgi.remote_user to see who it is. That means that ANY attempt to
get in at that protected area has to be authenticated against with the
server.

-Kevin

 -Original Message-
 From: FlashGuy [mailto:[EMAIL PROTECTED]]
 Sent: Friday, December 13, 2002 6:43 AM
 To: CF-Talk
 Subject: Login/Password screen


 Hi,

 I know there are a lot of custom tags out there that will do what
 I'm looking for but I want the best one. So this is why I'm
 asking all of you hoping you've had some experience with some of
 them. I'd like everything stored in a database. I know some don't
 do that. Basically, once the user enters in their
 username/password they are redirected to a URL on the server
 based on the authentication.

 I have one called CF_EzPassword but was wondering if there are
 any better ones?

 Thanks


 ---
 Colonel Nathan R. Jessop
 Commanding Officer
 Marine Ground Forces
 Guantanamo Bay, Cuba
 ---




 



RE: Login/Password screen

2002-12-13 Thread Samuel R. Neff
At 08:32 AM 12/13/2002, you wrote:
Keep in mind that a CF based authentication system is only checked against
if the user hits a CFM page. That's fine for certain types of projects, but
not for actual file security. So if you have a directory of images in the
secure area, a person could link directly to an image and bypass the login
altogether because a .gif doesn't reference the Application.cfm first.

(snip)

-Kevin

If you are concerned about securing non-ColdFusion files you can still use 
CF to secure them by using a CF page as a gateway.

For example, put all of your images in a folder that is not within the 
wwwroot and request them like this:

<img src="getImage.cfm?imagePath=storeFront/header.gif">

And then in the CFM use CFCONTENT to send back the image.  Works equally 
well with PDF, Word, Excel, etc. files.




RE: Login/Password screen

2002-12-13 Thread FlashGuy
I'm currently using NT authentication for another application. I just don't want to 
create accounts for this application because I don't want to give access 
to our technical support. This login stuff is needed just for an intranet app.

On Fri, 13 Dec 2002 08:32:45 -0600, Kevin Graeme wrote:

 Keep in mind that a CF based authentication system is only checked against
 if the user hits a CFM page. That's fine for certain types of projects, but
 not for actual file security. So if you have a directory of images in the
 secure area, a person could link directly to an image and bypass the login
 altogether because a .gif doesn't reference the Application.cfm first.
 
 We've been using the server level authentication and then using cf to check
 against the cgi.remote_user to see who it is. That means that ANY attempt to
 get in at that protected area has to be authenticated against with the
 server.
 
 -Kevin
 



RE: Login/Password screen

2002-12-13 Thread Earl, George
 Sessions, although stored on the server, are maintained on the client.
 Ergo, insecure. Use an IP address.

 Jochem

Jochem, you make good points. For those of us who would like to research
this in more detail, do you know of a resource outside of the MM CF
documentation? Thanks!

George
[EMAIL PROTECTED]



RE: Login/Password screen

2002-12-13 Thread Kola Oyedeji
That's a good idea, does cgi.remoteuser work with all major browsers or
just IE?

Thanks
Kola

 -Original Message-
 From: Kevin Graeme [mailto:[EMAIL PROTECTED]]
 Sent: 13 December 2002 14:33
 To: CF-Talk
 Subject: RE: Login/Password screen
 
 Keep in mind that a CF based authentication system is only checked against
 if the user hits a CFM page. That's fine for certain types of projects, but
 not for actual file security. So if you have a directory of images in the
 secure area, a person could link directly to an image and bypass the login
 altogether because a .gif doesn't reference the Application.cfm first.
 
 We've been using the server level authentication and then using cf to check
 against the cgi.remote_user to see who it is. That means that ANY attempt to
 get in at that protected area has to be authenticated against with the
 server.
 
 -Kevin
 



RE: Login/Password screen

2002-12-13 Thread Kevin Graeme
It's not a browser issue so much as on the server. The server stores a set
of cgi.something variables that can be asked for by CF. We used to use
cgi.auth_user, but when we switched over to Apache, that wasn't a valid cgi
variable anymore. Now we use cgi.remote_user.

-Kevin

 -Original Message-
 From: Kola Oyedeji [mailto:[EMAIL PROTECTED]]
 Sent: Friday, December 13, 2002 9:36 AM
 To: CF-Talk
 Subject: RE: Login/Password screen


 That's a good idea, does cgi.remoteuser work with all major browsers or
 just i.e.?

 Thanks
 Kola




RE: Login/Password screen

2002-12-13 Thread Dave Watts
 If you are concerned about securing non-ColdFusion 
 files you can still use CF to secure them by using 
 a CF page as a gateway.
 
 For example, put all of your images in a folder that 
 is not within the wwwroot and request them like this:
 
 <img src="getImage.cfm?imagePath=storeFront/header.gif">
 
 And then in the CFM use CFCONTENT to send back the image.  
 Works equally well with PDF, Word, Excel, etc. files.

This is a good solution, but you need to be careful when using it, because
it can introduce a significant amount of additional load onto CF.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444




RE: Login/Password screen

2002-12-13 Thread Kola Oyedeji
Kevin

How is CGI.remote_user set?


Kola

 -Original Message-
 From: Kevin Graeme [mailto:[EMAIL PROTECTED]]
 Sent: 13 December 2002 16:04
 To: CF-Talk
 Subject: RE: Login/Password screen
 
 It's not a browser issue so much as on the server. The server stores a set
 of cgi.something variables that can be asked for by CF. We used to use
 cgi.auth_user, but when we switched over to Apache, that wasn't a valid cgi
 variable anymore. Now we use cgi.remote_user.
 
 -Kevin
 
  -Original Message-
  From: Kola Oyedeji [mailto:[EMAIL PROTECTED]]
  Sent: Friday, December 13, 2002 9:36 AM
  To: CF-Talk
  Subject: RE: Login/Password screen
 
 
  That's a good idea, does cgi.remoteuser work with all major browsers or
  just i.e.?
 
  Thanks
  Kola
 
   -Original Message-
   From: Kevin Graeme [mailto:[EMAIL PROTECTED]]
   Sent: 13 December 2002 14:33
   To: CF-Talk
   Subject: RE: Login/Password screen
  
   Keep in mind that a CF based authentication system is only checked
   against if the user hits a CFM page. That's fine for certain types of
   projects, but not for actual file security. So if you have a directory of
   images in the secure area, a person could link directly to an image and
   bypass the login altogether because a .gif doesn't reference the
   Application.cfm first.
  
   We've been using the server level authentication and then using cf to
   check against the cgi.remote_user to see who it is. That means that ANY
   attempt to get in at that protected area has to be authenticated against
   with the server.
  
   -Kevin
  
-Original Message-
From: FlashGuy [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 13, 2002 6:43 AM
To: CF-Talk
Subject: Login/Password screen
   
   
Hi,
   
I know there are a lot of custom tags out there that will do what
I'm looking for but I want the best one. So this is why I'm asking all of
you hoping you've had some experience with some of them. I'd like
everything stored in a database. I know some don't do that. Basically, once
the user enters in their username/password they are redirected to a URL on
the server based on the authentication.
   
I have one called CF_EzPassword but was wondering if there are
any better ones?
   
Thanks
   
   
---
Colonel Nathan R. Jessop
Commanding Officer
Marine Ground Forces
Guantanamo Bay, Cuba
---
   
   
   
   
   
  
 
 





RE: Login/Password screen

2002-12-13 Thread Kevin Graeme
The server sets it when the person authenticates to the server login. So you
just define the directory as restricted in the web server configuration,
then when a person requests anything in that directory or lower, the web
server intercepts it before anything else does and asks for a login.

The CF app can then read the #cgi.remote_user# variable and compare that
against a database of users for personalization if you like.

-Kevin
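
Putting Dave's CFCONTENT gateway and Kevin's cgi.remote_user check together, as an added example that is not code from anyone in this thread: a getImage.cfm that fails closed unless the web server already authenticated the request, and validates the user-supplied imagePath before streaming the file, so the gateway can only ever hand out files under the intended directory. The base directory, the file-name pattern and the list of allowed extensions are assumptions for the example.

```cfml
<!--- getImage.cfm (added example, not from the thread). Assumes the web server
      authenticates the directory this page sits in (so CGI.REMOTE_USER is set,
      as Kevin describes) and that the files to serve live outside wwwroot in
      an assumed directory, C:/protected/. Requested like:
      <img src="getImage.cfm?imagePath=storeFront/header.gif"> --->
<cfset baseDir = "C:/protected/">
<cfparam name="url.imagePath" default="">

<!--- Fail closed if the web server did not authenticate the request, e.g. if
      the directory restriction is ever dropped from the server configuration --->
<cfif NOT Len(Trim(CGI.REMOTE_USER))>
    <cfheader statuscode="401" statustext="Unauthorized">
    <cfabort>
</cfif>

<!--- imagePath is user supplied. Accept only simple relative names made of
      letters, digits, "_", "-" and "/" with one allowed extension; this rejects
      "..", backslashes, drive letters and anything else that could reach
      outside baseDir. (Pattern and extension list are assumptions.) --->
<cfif NOT REFindNoCase("^[a-z0-9_-]+(/[a-z0-9_-]+)*\.(gif|jpg|png|pdf)$", url.imagePath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<cfset fullPath = baseDir & url.imagePath>
<cfif NOT FileExists(fullPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- MIME type chosen from the already validated extension --->
<cfswitch expression="#LCase(ListLast(url.imagePath, '.'))#">
    <cfcase value="gif"><cfset mimeType = "image/gif"></cfcase>
    <cfcase value="jpg"><cfset mimeType = "image/jpeg"></cfcase>
    <cfcase value="png"><cfset mimeType = "image/png"></cfcase>
    <cfdefaultcase><cfset mimeType = "application/pdf"></cfdefaultcase>
</cfswitch>

<!--- Stream the file; reset="yes" discards any output generated so far --->
<cfcontent type="#mimeType#" file="#fullPath#" deletefile="no" reset="yes">
```

Dave's point about load still applies: every protected file now passes through CF, so route only the files that actually need protection through the gateway.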

 -Original Message-
 From: Kola Oyedeji [mailto:[EMAIL PROTECTED]]
 Sent: Friday, December 13, 2002 11:19 AM
 To: CF-Talk
 Subject: RE: Login/Password screen


 Kevin

 How is CGI.remote_user set?


 Kola

  -Original Message-
  From: Kevin Graeme [mailto:[EMAIL PROTECTED]]
  Sent: 13 December 2002 16:04
  To: CF-Talk
  Subject: RE: Login/Password screen
 
  It's not a browser issue so much as on the server. The server stores a set
  of cgi.something variables that can be asked for by CF. We used to use
  cgi.auth_user, but when we switched over to Apache, that wasn't a valid cgi
  variable anymore. Now we use cgi.remote_user.
 
  -Kevin
 
   -Original Message-
   From: Kola Oyedeji [mailto:[EMAIL PROTECTED]]
   Sent: Friday, December 13, 2002 9:36 AM
   To: CF-Talk
   Subject: RE: Login/Password screen
  
  
   That's a good idea, does cgi.remoteuser work with all major browsers or
   just i.e.?
  
   Thanks
   Kola
  
-Original Message-
From: Kevin Graeme [mailto:[EMAIL PROTECTED]]
Sent: 13 December 2002 14:33
To: CF-Talk
Subject: RE: Login/Password screen
   
Keep in mind that a CF based authentication system is only checked
against if the user hits a CFM page. That's fine for certain types of
projects, but not for actual file security. So if you have a directory of
images in the secure area, a person could link directly to an image and
bypass the login altogether because a .gif doesn't reference the
Application.cfm first.
   
We've been using the server level authentication and then using cf to
check against the cgi.remote_user to see who it is. That means that ANY
attempt to get in at that protected area has to be authenticated against
with the server.
   
-Kevin
   
 -Original Message-
 From: FlashGuy [mailto:[EMAIL PROTECTED]]
 Sent: Friday, December 13, 2002 6:43 AM
 To: CF-Talk
 Subject: Login/Password screen


 Hi,

 I know there are a lot of custom tags out there that will do what
 I'm looking for but I want the best one. So this is why I'm asking all of
 you hoping you've had some experience with some of them. I'd like
 everything stored in a database. I know some don't do that. Basically, once
 the user enters in their username/password they are redirected to a URL on
 the server based on the authentication.
 
 I have one called CF_EzPassword but was wondering if there are
 any better ones?

 Thanks


 ---
 Colonel Nathan R. Jessop
 Commanding Officer
 Marine Ground Forces
 Guantanamo Bay, Cuba
 ---





   
  
  
 

 