11 Replies Latest reply on Dec 29, 2006 7:12 AM by coldfuse228

    Is it common to use cflogin ?

    coldfuse228 Level 1
      Hi, I'm using cflogin for my login/logoff actions inside my application.cfm (sample pasted below). There are basically only a few users on this app. I'm new to ColdFusion so my questions are:

      1. Is this a new common practice to use cflogin?

      2. In firefox, every time I login, I see a cookie generated, but in IE, I don't seem to see a cookie being generated so how come it still works in IE, is cookie hidden?

      Thanks so much for your help,
      C

      My sample cflogin code:
      <cflogin>
      <cfif NOT IsDefined("cflogin")>
      <cfinclude template="loginform.cfm"> <cfabort>
      <cfelse>
      <cfif cflogin.name eq "admin">
      <cfset roles = "user,admin">
      .......
        • 1. Re: Is it wise to use cflogin ?
          Level 7
          1. Is this a new common practice to use cflogin?

          There were some issues with the early implementations of cflogin, but I
          believe they have been patched. Unfortunately, I don't use it much
          because most of my user verifications and validation go beyond the
          capabilities of cflogin and we use our own system.

          2. In firefox, every time I login, I see a cookie generated, but in
          IE, I don't seem to see a cookie being generated so how come it still
          works in IE, is cookie hidden?

          Cookies are created in all browsers or the cfide/cftoken values must be
          passed through the URL, otherwise CF doesn't know what requests belong
          to what user. These can be "memory" cookies that are not going to
          persist beyond the closing of the browser, so they are not written to
          files, so maybe IE doesn't show memory cookies. I do not know.
          • 2. Re: Is it common to use cflogin ?
            Dan Bracuk Level 5
            I have one application where I use cflogin. It works well. My audience is intranet and we don't support Firefox. I use cfcookie to set the cookie.

            In my application, I have a logout page. The reason I mention it, is, where you have this:
            <cfif NOT IsDefined("cflogin")>
            I have this:
            <cfif isDefined( "cflogin" ) and not cgi.SCRIPT_NAME contains "logout">

            It might be relevant.
            • 3. Re: Is it common to use cflogin ?
              coldfuse228 Level 1
              Hi Ian and Dan, thanks so much for answering my question. I'm using cflogin currently, it seems to work well and thanks for telling me your experiences too.

              Thanks so much,
              C
              • 4. Re: Is it common to use cflogin ?
                coldfuse228 Level 1
                Hi, I have a question regarding expanding my use of cflogin:

                1. In the future, I may have to incorporate roles into my login system, I've seen this code before, I was wondering if you had any comments or experiences on this?

                2. Dan, in my cflogin code in application.cfm, I don't set any cookie (not knowingly), but it still seems to work, is this a problem in my code that I have to investigate ?

                Thanks so much,
                C
                • 5. Re: Is it common to use cflogin ?
                  Level 7
                  1. In the future, I may have to incorporate roles into my login system,
                  I've seen this code before, I was wondering if you had any comments or
                  experiences on this?

                  Yes it can, then you use the isUserInRole() function to get a
                  boolean of whether the user is in a given role. This is one of the
                  limitations that prompted us to roll our own system. You can ask if a
                  user is in a given role, but you can not ask, what role(s) is a user in.

                  2. Dan, in my cflogin code in application.cfm, I don't set any cookie
                  (not knowingly), but it still seems to work, is this a problem in my
                  code that I have to investigate ?
                  CF automatically sets the needed cookies, CFIDE/CFTOKEN usually. You
                  only need to worry about this if you want to ensure that these cookies
                  are temporary memory cookies that expire at the closing of the
                  browser. Otherwise they default to being permanent cookies with
                  temporary values in them.
                  • 6. Re: Is it common to use cflogin ?
                    coldfuse228 Level 1
                    Hi Ian,

                    1. Regarding your response to #1, so that means isUserInRole() can only check if a user is in one particular role. Your own version could do something like isUserInRoles(manager, secretary, admin) ?

                    2. If a user was a manager, secretary, and admin, I would have to do some sort of loop using isUserInRole to test for it?

                    Thanks so much,
                    C
                    • 7. Re: Is it common to use cflogin ?
                      Level 7
                      1. Regarding your response to #1, so that means isUserInRole() can only
                      check if a user is in one particular role. Your own version could do
                      something like isUserInRoles(manager, secretary, admin) ?

                      2. If a user was a manager, secretary, and admin, I would have to do
                      some sort of loop using isUserInRole to test for it?

                      Thanks so much,

                      Exactly and I can also do something like whatRolesDoesUserHave(). I'm
                      pretty sure I have a better function name than that, but it describes it
                      well. For tracking and accountability we like to know exactly what
                      roles are assigned to the user when they did something, not just that
                      they had one specific one.

                      Weird, but that is the way we work.
                      • 8. Re: Is it common to use cflogin ?
                        Dan Bracuk Level 5
                        quote:

                        Originally posted by: coldfuse228
                        Hi, I have a question regarding expanding my use of cflogin:

                        2. Dan, in my cflogin code in application.cfm, I don't set any cookie (not knowingly), but it still seems to work, is this a problem in my code that I have to investigate ?
                        C

                        As I alluded to earlier, logging people out may be a problem.
                        • 9. Re: Is it common to use cflogin ?
                          coldfuse228 Level 1
                          Hi Dan, so after your line:
                          <cfif isDefined( "cflogin" ) and not cgi.SCRIPT_NAME contains "logout">
                          you would then display the login.cfm page
                          and you might have:
                          <cfif isDefined( "cflogin" ) and cgi.SCRIPT_NAME contains "logout">
                          you would then display the logout page?

                          So the difference is mainly that on logoff you would display a logoff page ?
                          Thanks so much Dan for replying back,
                          C
                          • 10. Re: Is it common to use cflogin ?
                            Dan Bracuk Level 5
                            quote:

                            Originally posted by: coldfuse228
                            Hi Dan, so after your line:
                            <cfif isDefined( "cflogin" ) and not cgi.SCRIPT_NAME contains "logout">
                            you would then display the login.cfm page
                            and you might have:
                            <cfif isDefined( "cflogin" ) and cgi.SCRIPT_NAME contains "logout">
                            you would then display the logout page?

                            So the difference is mainly that on logoff you would display a logoff page ?
                            Thanks so much Dan for replying back,
                            C


                            Actually, on my logout page, I run whatever cf code is required to log them off, and then cflocate them to our home page.
                            • 11. Re: Is it common to use cflogin ?
                              coldfuse228 Level 1
                              Hi Dan, thank you for your response. I was wondering about your input about my handling on logoff:

                              1. application.cfm: I have code:
                              <cfif IsDefined("Form.logout")><cflogout></cfif>

                              2. On each page I have this:
                              <cfif GetAuthUser() NEQ "">
                              <cfform name="logoutForm" id="logoutForm" action="index.cfm" ... >
                              <cfinput type="submit" name="Logout" value="Logout" /></cfform>
                              </cfif>

                              So when user clicks logoff form is submitted and code in application.cfm kicks in. Do you think this is a good way to logoff or any pitfalls in this?

                              Thanks so much,
                              C
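
The login, role-check and logout flow discussed in this thread, as an added example that is not part of any post or of the posters' applications. The application name, the `rolesFor` helper and its in-memory user store are assumptions made for illustration; `isUserInAnyRole()` and `getUserRoles()` require ColdFusion 8 or later.

```cfml
<!--- Application.cfm: added example; users, passwords and roles below are constructed --->
<cfapplication name="cfloginDemo" sessionmanagement="yes" loginstorage="session">

<!--- Hypothetical helper: returns a comma-delimited role list, or "" on bad credentials.
      The in-memory store stands in for a lookup of salted password hashes. --->
<cffunction name="rolesFor" returntype="string" output="false">
    <cfargument name="user" type="string" required="true">
    <cfargument name="pass" type="string" required="true">
    <cfset var store = structNew()>
    <cfset store["admin"] = "constructed-pw-1|user,admin">
    <cfset store["clerk"] = "constructed-pw-2|user">
    <cfif structKeyExists(store, arguments.user)
          AND compare(listFirst(store[arguments.user], "|"), arguments.pass) EQ 0>
        <cfreturn listLast(store[arguments.user], "|")>
    </cfif>
    <cfreturn "">
</cffunction>

<!--- Log out before cflogin runs, so this same request falls through to the login form --->
<cfif structKeyExists(form, "logout")>
    <cflogout>
</cfif>

<cflogin idletimeout="1800">
    <cfset roles = "">
    <cfif isDefined("cflogin")>
        <cfset roles = rolesFor(cflogin.name, cflogin.password)>
    </cfif>
    <cfif len(roles)>
        <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#roles#">
    <cfelse>
        <!--- loginform.cfm posts j_username and j_password, which populate the cflogin scope --->
        <cfinclude template="loginform.cfm">
        <cfabort>
    </cfif>
</cflogin>

<!--- Role checks for the rest of the request --->
<cfset isAdmin = isUserInRole("admin")>
<!--- A list is an AND test: true only if the user holds every listed role --->
<cfset isBoth = isUserInRole("user,admin")>
<!--- ColdFusion 8 and later: any-of test and the full role list, e.g. for an audit log --->
<cfset isEither = isUserInAnyRole("manager,admin")>
<cflog file="audit" text="user=#getAuthUser()# roles=#getUserRoles()# page=#cgi.script_name#">
```

With `loginstorage="session"` the login lives in the session scope rather than in a separate login cookie, so `<cflogout>` and session expiry both end it.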