10 Replies Latest reply on Jun 25, 2014 9:34 AM by BKBK

    Password Protect all .cfm files in a directory?

    seasonedweb

      Greetings

       

      Can anyone share the code one would put within the application.cfm to password-protect all the files in that directory?

       

      The UN & PW are stored in a DB - of course I could create a session_ID and protect each page individually, which I have been doing for years, but in this case, the pages are being loaded using a half-*ss CMS and the users, other than saving files as .cfm, will not be responsible to leave the code on each page.

       

      In the DB, the user name is subscriber_email, the password is subscriber_password.

       

      Thanks for any help.

        • 1. Re: Password Protect all .cfm files in a directory?
          BKBK Adobe Community Professional & MVP

          It is unclear what you wish to password-protect against. Accessing the directory? Writing a file into it? Opening a file in it? Requesting a CFM file in it by means of the browser?

          • 2. Re: Password Protect all .cfm files in a directory?
            seasonedweb Level 1

            Thank you for your reply.

             

            The administrator will be uploading files to the directory via FTP. His access is controlled at that point.

             

            Users need to sign up via a form and pay a fee. Once they are approved, they should be able to access all the CFM files in that directory via their browser.

             

            Again, I have accomplished this for years by simply creating a session ID, and,  at successful login protected every page individually:

             

            <CFIF NOT IsDefined("Session.user_id")>
                <cflocation url="login.cfm" addtoken="No">
            <cfelse>
                webpage
            </cfif>

             

            but never had admins in control of uploading web pages that are unfortunately poorly coded and could never be responsible to add the above code to each page.

             

            What is your advice?

             

            Thanks again

             

            Norman

            • 3. Re: Password Protect all .cfm files in a directory?
              BKBK Adobe Community Professional & MVP

              You have to add the above code to just one page, namely, Application.cfm. In other words, your approach remains valid.

              • 4. Re: Password Protect all .cfm files in a directory?
                seasonedweb Level 1

                SO then this would be within application.cfm:

                 

                <!--- Bind both values with cfqueryparam: interpolating the form fields straight into the SQL string would allow SQL injection --->
                <CFQUERY name="auth_admin" datasource="#Request.BaseDSN#">
                    SELECT subscriber_ID, subscriber_fname, subscriber_email, subscriber_password
                    FROM main
                    WHERE subscriber_email = <cfqueryparam value="#Trim(form.subscriber_email)#" cfsqltype="CF_SQL_VARCHAR">
                    AND subscriber_password = <cfqueryparam value="#Trim(form.subscriber_password)#" cfsqltype="CF_SQL_VARCHAR">
                </CFQUERY>

                <!--- If user not found send back to login page. --->
                <CFIF auth_admin.RecordCount EQ 0>
                    <cflocation url="login.cfm?msg=1" addtoken="No">
                    <cfabort>
                <cfelse>
                    <!--- Set session vars --->
                    <cflock scope="SESSION" type="EXCLUSIVE" timeout="3">
                        <cfset session.user_id = auth_admin.subscriber_ID>
                        <cfset session.fname = auth_admin.subscriber_fname>
                        <cfset session.logged = true>
                    </cflock>
                    <cflocation url="index.cfm" addtoken="No">
                </cfif>

                 

                and this would protect all cfm pages in the directory?

                 

                It seems as if it would not be necessary to create  a session.user_id?

                • 5. Re: Password Protect all .cfm files in a directory?
                  BKBK Adobe Community Professional & MVP

                  Yes, you could do it without sessions. For example, use the cflogin framework in Application.cfm. You should set, beforehand, loginStorage="session" in the cfapplication tag.

                   

                  <cflogin>
                      <cfif getAuthUser() is "" and NOT isDefined("form.subscriber_email")>
                          <!--- User unauthenticated and not coming from login.cfm --->
                          <!--- cfinclude takes a file path, not a URL, so the message is passed as a variable instead of "?msg=1" --->
                          <cfset url.msg = 1>
                          <cfinclude template="login.cfm">
                          <cfabort>
                      <cfelseif isDefined("form.subscriber_email")>
                          <CFQUERY name="auth_admin" datasource="#Request.BaseDSN#">
                              SELECT subscriber_ID, subscriber_fname, subscriber_email, subscriber_password
                              FROM main
                              WHERE subscriber_email = <cfqueryparam value='#Trim(form.subscriber_email)#' CFSQLTYPE='CF_SQL_VARCHAR'>
                              AND subscriber_password = <cfqueryparam value='#Trim(form.subscriber_password)#' CFSQLTYPE='CF_SQL_VARCHAR'>
                          </CFQUERY>

                          <cfif auth_admin.recordcount gt 0>
                              <cfloginuser name="#auth_admin.subscriber_email#" password="#auth_admin.subscriber_password#" roles="admin,poweruser">
                          <cfelse>
                              <cfset url.msg = 1>
                              <cfinclude template="login.cfm">
                              <cfabort>
                          </cfif>
                      </cfif>
                  </cflogin>

                   

                  Instead of a session variable, the test variable then becomes getAuthUser(). If the user is unauthenticated, getAuthUser() will be an empty string. Also, ColdFusion will only run the cflogin tag if the user is unauthenticated. The cfloginuser tag logs the user in. Once that happens, getAuthUser() assumes the value #auth_admin.subscriber_email#.

                   

                  Some caveats. You will see that I am using cfinclude instead of cflocation. Using cflocation in Application.cfm can be problematic. Since the Application file is included at the beginning of every request, using cflocation in it might result in a request repeating indefinitely.

                  • 6. Re: Password Protect all .cfm files in a directory?
                    seasonedweb Level 1

                    Hello

                    What is happening now is, regardless of whether the username and password are correct, it sends the user back to the login page (there is no application.cfm file in the top directory, nor would this matter because the login form is an HTML file).

                     

                    This is how I set up the application.cfm:

                     

                    <cfapplication name="xxxx"
                        clientmanagement="Yes"
                        loginStorage="session"
                        sessionmanagement="Yes"
                        sessiontimeout="#CreateTimeSpan(0,0,20,0)#"
                        SetClientCookies="Yes">

                    <cfparam name="Request.BaseDSN" default="xxxx">

                    <cflogin>
                        <cfif getAuthUser() is "" and NOT isDefined("form.subscriber_email")>
                            <!--- User unauthenticated and not coming from login.html --->
                            <!--- send user back to an html login page in the top directory with no application.cfm file --->
                            <cfinclude template="../login.html">
                            <cfabort>
                        <!---  User authenticated   --->
                        <cfelseif isDefined("form.subscriber_email")>
                            <CFQUERY name="auth_admin" datasource="#Request.BaseDSN#">
                                SELECT subscriber_ID, subscriber_fname, subscriber_email, subscriber_password
                                FROM main
                                WHERE subscriber_email = <cfqueryparam value='#Trim(form.subscriber_email)#' CFSQLTYPE='CF_SQL_VARCHAR'>
                                AND subscriber_password = <cfqueryparam value='#Trim(form.subscriber_password)#' CFSQLTYPE='CF_SQL_VARCHAR'>
                            </CFQUERY>

                            <cfif auth_admin.recordcount gt 0>
                                <cfloginuser name="#auth_admin.subscriber_email#" password="#auth_admin.subscriber_password#" roles="admin,poweruser">
                                <!--- Authenticated User can now browse .cfm files in this subdirectory  --->
                                <cfinclude template="index.cfm">
                            <cfelse>
                                <!--- ???? did we do this already ??? --->
                                <cfinclude template="../login.html">
                                <cfabort>
                            </cfif>
                        </cfif>
                    </cflogin>

                    <cfcontent type="text/html; charset=utf-8">
                    <cfscript>
                    SetEncoding("form","utf-8");
                    SetEncoding("url","utf-8");
                    </cfscript>

                    • 7. Re: Password Protect all .cfm files in a directory?
                      BKBK Adobe Community Professional & MVP

                      You might later need to add CFML code to the login page to extend its functionality. So, to start with, you should rename the login page to login.cfm. Otherwise, it is not a ColdFusion page. You may rename it from HTML to CFM without changing its content.

                       

                      On to the main business. If you continue to see the login page, then ColdFusion must be running the cflogin tag. It implies that the user is not yet logged in, which in turn implies that the cfloginuser tag has yet to run. This suggests the query's recordcount is 0.

                       

                      To test this hypothesis, temporarily delete the query's where-clause. What happens then?

                       

                      There is another point. The cflogin framework is strictly for authentication. I would therefore put the following code elsewhere:

                       

                      <!--- Authenticated User can now browse .cfm files in this subdirectory  --->          

                      <cfinclude template="index.cfm">

                       

                      In fact, so long as the user is logged in, ColdFusion won't run the tag cflogin. The page index.cfm will therefore not be included. That is actually the opposite of what you want.

                       

                      One solution is to place the following code at a suitable location after the cflogin end-tag:

                       

                      <cfif getAuthUser() is not "">

                      <!--- Authenticated User can now browse .cfm files in this subdirectory  --->         

                      <cfinclude template="index.cfm">

                      </cfif>

                      • 8. Re: Password Protect all .cfm files in a directory?
                        seasonedweb Level 1

                        BKBK: Hello again

                         

                        I was under the impression that this method of protecting everything in the directory from being accessed unless the username and password were correct would also apply to the login.cfm page itself if the file resided in the same directory. That's why I kept it as an HTML file.

                         

                        So I put the login form page back in the directory as login.cfm with application.cfm and this is the code:

                         

                        <cfapplication name="xxxx"
                            clientmanagement="Yes"
                            loginStorage="session"
                            sessionmanagement="Yes"
                            sessiontimeout="#CreateTimeSpan(0,0,20,0)#"
                            SetClientCookies="Yes">

                        <cfparam name="Request.BaseDSN" default="xxxx">

                        <cflogin>
                            <cfif getAuthUser() is "" and NOT isDefined("form.subscriber_email")>
                                <!--- User unauthenticated and not coming from login.cfm --->
                                <!--- send user back to login page --->
                                <cfinclude template="login.cfm">
                                <cfabort>
                            <cfelseif isDefined("form.subscriber_email")>
                                <CFQUERY name="auth_admin" datasource="#Request.BaseDSN#">
                                    SELECT subscriber_ID, subscriber_fname, subscriber_email, subscriber_password
                                    FROM main
                                    WHERE subscriber_email = <cfqueryparam value='#Trim(form.subscriber_email)#' CFSQLTYPE='CF_SQL_VARCHAR'>
                                    AND subscriber_password = <cfqueryparam value='#Trim(form.subscriber_password)#' CFSQLTYPE='CF_SQL_VARCHAR'>
                                </CFQUERY>

                                <cfif auth_admin.recordcount gt 0>
                                    <!--- User authenticated   --->
                                    <cfloginuser name="#auth_admin.subscriber_email#" password="#auth_admin.subscriber_password#" roles="admin,poweruser">
                                    <cfif getAuthUser() is not "">
                                        <!--- Authenticated User can now browse .cfm files in this sub-directory  --->
                                        <cfinclude template="index.cfm">
                                    </cfif>
                                </cfif>
                            </cfif>
                        </cflogin>

                         

                        This does not work; it simply sends me back to the login page regardless.

                         

                        BTW the form is set: <form action="index.cfm" method="POST">

                         

                        Thanks for your continued help with this.

                        • 9. Re: Password Protect all .cfm files in a directory?
                          BKBK Adobe Community Professional & MVP

                          You apparently misunderstood my suggestion to place the last cfinclude code outside the cflogin tag. In any case, it doesn't matter now, given the current information. Since index.cfm is the action page of the login form, it should not be cf-included. If login is successful, the form will post to index.cfm anyway, which is effectively a new request.

                           

                          <cflogin>
                              <cfif getAuthUser() is "" and NOT isDefined("form.subscriber_email")>
                                  <!--- User unauthenticated and not coming from login.cfm --->
                                  <!--- send user back to login page --->
                                  <cfinclude template="login.cfm">
                                  <cfabort>
                              <cfelseif isDefined("form.subscriber_email")>
                                  <CFQUERY name="auth_admin" datasource="#Request.BaseDSN#">
                                      SELECT subscriber_ID, subscriber_fname, subscriber_email, subscriber_password
                                      FROM main
                                      WHERE subscriber_email = <cfqueryparam value='#Trim(form.subscriber_email)#' CFSQLTYPE='CF_SQL_VARCHAR'>
                                      AND subscriber_password = <cfqueryparam value='#Trim(form.subscriber_password)#' CFSQLTYPE='CF_SQL_VARCHAR'>
                                  </CFQUERY>

                                  <cfif auth_admin.recordcount gt 0>
                                      <!--- User authenticated   --->
                                      <cfloginuser name="#auth_admin.subscriber_email#" password="#auth_admin.subscriber_password#" roles="admin,poweruser">
                                  </cfif>
                              </cfif>
                          </cflogin>

                           

                          Now, ensure that there is a text field named subscriber_email in the form. Verify spelling! Also verify that the values of the (subscriber_email, subscriber_password) pair that you use in testing actually exist in the database table.

                          • 10. Re: Password Protect all .cfm files in a directory?
                            BKBK Adobe Community Professional & MVP

                            Oh, and there is also the logout page, to log the logged-in user out. You could include a condition in the application file to place a logout link on every page. For example,

                             

                            <!--- The function is getAuthUser(); it returns "" when nobody is logged in --->
                            <cfif getAuthUser() is not "">
                                <a href="logout.cfm" title="Log out">Log out</a>
                            </cfif>

                             

                            The content of logout.cfm is:

                             

                            <cflogout>
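As an added example, not code from the thread or from BKBK, here is the whole pattern from replies 5, 9 and 10 pulled together: an Application.cfm for the protected directory, the matching logout.cfm, and the signup-side derivation. It assumes a ColdFusion 11 or later server (for GeneratePBKDFKey; SessionRotate and SessionInvalidate need ColdFusion 10), and that the `main` table now carries a per-user random `subscriber_salt` and a PBKDF2 hash in `subscriber_password` instead of the plaintext password; the column contents, the application name `subscriberArea`, the `subscriber` role and `request.loginMsg` are all assumptions. It differs from the thread's code in two ways worth noting: the account is looked up by e-mail only and the password verified in CFML against the salted hash, so the password never appears in a WHERE clause or sits in the database in the clear; and the gate is a single `GetAuthUser()` check placed after cflogin that cfincludes login.cfm and aborts, which covers a first visit, a failed login and a direct request for login.cfm in the same directory, and cannot loop the way a cflocation to a page in that directory would. Two caveats: Application.cfm only runs for .cfm requests, so an .html or .pdf the admin drops in the directory is served by the web server without passing through it, and the login form should be posted over HTTPS.

```cfml
<!--- Application.cfm in the protected directory (added example; assumptions noted inline).
      ColdFusion runs this file before every .cfm request in this directory and below,
      so the uploaded pages need no code of their own. It does NOT run for .html, .pdf
      or image requests, which the web server serves directly. --->
<cfapplication name="subscriberArea"
    sessionmanagement="Yes"
    loginstorage="session"
    sessiontimeout="#CreateTimeSpan(0,0,20,0)#"
    setclientcookies="Yes">

<cfparam name="Request.BaseDSN" default="xxxx">

<!--- cflogin only runs while GetAuthUser() is "" --->
<cflogin>
    <cfif IsDefined("form.subscriber_email") AND IsDefined("form.subscriber_password")>

        <!--- Look the account up by e-mail only; the password never goes into the WHERE clause.
              cfqueryparam binds the value, so quotes or SQL typed into the field cannot change the query. --->
        <cfquery name="auth" datasource="#Request.BaseDSN#">
            SELECT subscriber_ID, subscriber_email, subscriber_salt, subscriber_password
            FROM   main
            WHERE  subscriber_email = <cfqueryparam value="#Trim(form.subscriber_email)#" cfsqltype="CF_SQL_VARCHAR">
        </cfquery>

        <!--- Assumed schema: subscriber_salt is a random per-user string and subscriber_password
              holds the Base64 PBKDF2 output, both written at signup with the same call as below.
              GeneratePBKDFKey needs ColdFusion 11 or later. --->
        <cfset loginOk = false>
        <cfif auth.recordCount EQ 1>
            <cfset candidate = GeneratePBKDFKey("PBKDF2WithHmacSHA1",
                                   form.subscriber_password, auth.subscriber_salt, 10000, 256)>
            <cfif Compare(candidate, auth.subscriber_password) EQ 0>
                <cfset loginOk = true>
            </cfif>
        </cfif>

        <cfif loginOk>
            <!--- Fresh session ID on login, so a session ID planted before authentication is useless. --->
            <cfset SessionRotate()>
            <!--- cfloginuser requires a password attribute; pass the stored hash, not the plaintext. --->
            <cfloginuser name="#auth.subscriber_email#" password="#auth.subscriber_password#" roles="subscriber">
        <cfelse>
            <!--- Same message for unknown e-mail and wrong password: don't confirm which accounts exist.
                  login.cfm can display request.loginMsg when it is defined. --->
            <cfset request.loginMsg = "Invalid e-mail address or password.">
        </cfif>
    </cfif>
</cflogin>

<!--- The gate. Reached on every request; this one check covers a first visit, a failed login
      and a direct request for login.cfm. cfinclude + cfabort never re-enters Application.cfm;
      a cflocation to a page in this directory would, and would then loop. --->
<cfif GetAuthUser() IS "">
    <cfinclude template="login.cfm">
    <cfabort>
</cfif>

<!--- Logout link on every protected page (the function is GetAuthUser, not getUserAuth). --->
<cfoutput><a href="logout.cfm" title="Log out">Log out (#HTMLEditFormat(GetAuthUser())#)</a></cfoutput>


<!--- ---------- logout.cfm, same directory ---------- --->
<cflogout>
<!--- Drop the whole session, not only the login record, so nothing else set during the
      session survives; the redirect then lands on the gate above, which shows login.cfm. --->
<cfset SessionInvalidate()>
<cflocation url="login.cfm" addtoken="No">


<!--- ---------- at signup (assumed; must use the same derivation as the login check) ---------- --->
<cfset newSalt = GenerateSecretKey("AES", 128)>
<cfset newHash = GeneratePBKDFKey("PBKDF2WithHmacSHA1", form.subscriber_password, newSalt, 10000, 256)>
<!--- INSERT newSalt into subscriber_salt and newHash into subscriber_password, both via cfqueryparam --->
```

Because the login form posts to index.cfm (as in reply 8), a successful POST is authenticated inside cflogin and then falls through the gate to index.cfm itself, so nothing has to be cfincluded after cfloginuser; a failed POST sets the message and the gate renders login.cfm in the same response. Pages that need finer control can call IsUserInRole("subscriber") in the usual way.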