Authentication Using ColdFusion MX


Authentication ensures that only valid users can access applications. ColdFusion maintains the user identification information while the user is logged in. Authorization ensures that the valid user who has logged in is allowed to use a page or perform an operation.

While authentication is an individual user-level process, authorization is common for a group of users having a common characteristic. For example, all the members of a department in a company would have similar authorization to use the applications, while each member would have a different username and password for authentication.

Using ColdFusion Authentication Tags and Functions

ColdFusion provides the following tags and functions for authentication:

  • <CFLOGIN>. Acts as a container for the user authentication and login code. The body of the tag runs only if there is no logged-in user. When a new user logs on to an application, <CFLOGIN> checks the user-provided ID and password against a data store of login identification, which can be a data source or an LDAP directory.

  • <CFLOGINUSER>. Identifies the authenticated user to ColdFusion. It's used to specify the user's name, password, and role, and is used inside the <CFLOGIN> tag. The role attribute is a comma-delimited list of identifiers.

  • <CFLOGOUT>. Removes the current user's name and roles from the server. It takes no attributes and has no body.

  • ISUSERINROLE. Returns TRUE if the current user is a member of the specified role.

  • GETAUTHUSER. Returns the identity of the currently logged in user.

Using the <CFLOGIN> and <CFLOGINUSER> Tags

The <CFLOGIN> tag is used in conjunction with the <CFLOGINUSER> tag. The syntax for the <CFLOGIN> tag is as follows:

 <CFLOGIN
     IDLETIMEOUT="value"
     APPLICATIONTOKEN="token"
     COOKIEDOMAIN="domain">
     <CFLOGINUSER
         NAME="name"
         PASSWORD="password-string"
         ROLES="roles">
 </CFLOGIN>

The <CFLOGIN> tag has the following optional attributes that control the characteristics of a ColdFusion login:

  • IDLETIMEOUT. Logs the user out if no page requests occur during the period specified in this attribute. The default value is 1,800 seconds.

  • APPLICATIONTOKEN. Limits the login validity to a specific application, as specified by the <CFAPPLICATION> tag. The default value is the current application name.

  • COOKIEDOMAIN. Serves as the Internet domain for which the ColdFusion security cookie is valid. By default, there are no domain limitations.

The login identification created by the <CFLOGIN> tag is valid only for pages within the directory that contains the page with the tag, and within its subdirectories. If the user requests a page in another directory tree, the current login credentials are invalid there. This feature allows you to use the same usernames and passwords with different sections of your application.

The APPLICATIONTOKEN value generates a unique identifier that enforces this rule. The default value is the current application name, as specified by the <CFAPPLICATION> tag. The COOKIEDOMAIN attribute limits the login capabilities to users from a specific domain.

The <CFLOGIN> tag has a built-in structure that contains two variables: CFLOGIN.NAME and CFLOGIN.PASSWORD. These variables contain the user ID and password when the <CFLOGIN> tag body is executing in response to

  • A user logging on to the browser's basic login page.

  • A user logging on to an application login form that contains the j_username and j_password input fields.

The following example shows a simple authentication using the <CFLOGIN> tag in the Application.cfm page:

 <!--- Application.cfm --->
 <CFLOGIN>
     <!--- The body runs only when no user is logged in yet --->
     <CFLOGINUSER
         NAME="username"
         PASSWORD="userpassword"
         ROLES="control">
 </CFLOGIN>
 <CFOUTPUT>Authorized user: #GetAuthUser()#</CFOUTPUT>

The body of this tag executes only if there's no logged-in user. The body of the <CFLOGIN> tag must use the <CFLOGINUSER> tag to establish the authenticated user's identity in ColdFusion.

When the <CFLOGINUSER> tag is used within a <CFLOGIN> tag, ColdFusion stores a login token in a memory-only browser cookie. If you need to use the <CFLOGIN> tag to check an authenticated user, the user must have enabled memory-only cookies in the browser. The login cookie doesn't last after the user closes the browser. The <CFLOGINUSER> tag can also be used without cookies, but the login information remains in effect only for the current page.

Using the <CFLOGOUT> Tag

The <CFLOGOUT> tag logs out the current user. If you don't use this tag, the user is logged out automatically when the session ends. The <CFLOGOUT> tag is usually executed in response to the user clicking a logout link or button, or when the user closes the browser.

An example of the <CFLOGOUT> tag is as follows:

 <CFLOGIN>
     <CFLOGINUSER
         NAME="username"
         PASSWORD="userpassword"
         ROLES="control">
 </CFLOGIN>
 <CFOUTPUT>Authorized user: #GetAuthUser()#</CFOUTPUT>
 <CFLOGOUT>
 <!--- After CFLOGOUT, GetAuthUser() returns an empty string --->
 <CFOUTPUT>Authorized user: #GetAuthUser()#</CFOUTPUT>

Using the ISUSERINROLE and GETAUTHUSER Functions

ISUSERINROLE determines whether an authenticated user belongs to the specified role. It returns the value TRUE if the authenticated user belongs to the specified role.

The syntax for the ISUSERINROLE function is as follows:

 ISUSERINROLE("role_name") 

The role_name parameter is the name of a security role. For example, the following code checks whether the authenticated user is in the Admin role or in the User role:

 <CFIF ISUSERINROLE("Admin")>
     <CFOUTPUT>Authenticated user is an administrator</CFOUTPUT>
 <CFELSEIF ISUSERINROLE("User")>
     <CFOUTPUT>Authenticated user is a user</CFOUTPUT>
 </CFIF>

The GETAUTHUSER function returns the name of an authenticated user. For example:

 <H3>Example of GETAUTHUSER</H3>
 <P>Authenticated User: <CFOUTPUT>#GETAUTHUSER()#</CFOUTPUT></P>

Basic Authentication and Application Authentication

ColdFusion supports basic and application authentication. Basic authentication requires the user to log on to access pages in a particular directory. In application authentication, the user authentication and authorization happens at the application level itself. These two processes are discussed in this section.

Web Server Basic Authentication

All the major Web servers support basic authentication, also known as basic HTTP authentication. You can use the Web server basic authentication without using any ColdFusion security features. Using the basic authentication process, you can only perform directory-based user authentication.

The process of basic authentication is as follows:

  1. When the user requests a page in the secured directory, the Web server presents the user with a login page.

  2. The user fills in the login page and submits it.

  3. The Web server checks the user's login ID and password.

  4. If the user logs in successfully, the browser caches the authentication information. The information is also sent with every subsequent page request from the user.

  5. The Web server processes the requested page from the browser with the cached login information. It checks the validity of the information for each requested page.

Web server basic authentication can also be combined with the ColdFusion security tags and functions. In this case, you rely on the Web server for user authentication, and your application doesn't have to display a login page.

The process of authentication using ColdFusion security tags and functions is as follows:

  1. When the user requests a page in the secured directory, the Web server presents the user with a login page. The Web server performs the entire user authentication.

  2. The Web server sends the request to ColdFusion.

  3. ColdFusion runs the contents of the Application.cfm page before it runs the requested page. The Application.cfm page contains the <CFLOGIN> tag that gets executed if the user isn't logged on to ColdFusion already.

  4. The <CFLOGIN> tag uses the user information from the browser login. The <CFLOGIN> tag body calls the <CFLOGINUSER> tag to identify the user to ColdFusion. Application.cfm completes the processing.

  5. ColdFusion processes the requested application page. The application pages use the ISUSERINROLE function before they run any protected code meant for users in a particular role.

Application Authentication

In application authentication, the application displays the login page and the user authentication data is matched with the data in the application's database.

The user is logged in using the <CFLOGINUSER> tag, and then the application uses the ISUSERINROLE and GETAUTHUSER functions to check the identity before running a ColdFusion page. The process of authentication is as follows in this case:

  1. When the user requests a page, ColdFusion runs Application.cfm before running the requested page. Then, the same steps are followed as outlined for the basic authentication.

  2. The code in the <CFLOGIN> tag checks the login form data for the user identity and password. If the login information hasn't been received, the login form is again displayed by the code in the <CFLOGIN> tag body.

  3. The <CFLOGIN> tag body validates the user information against an NT domain, an ODBC data source, or a Lightweight Directory Access Protocol (LDAP) directory.

  4. If the user information is valid, the <CFLOGINUSER> tag is executed to identify the user to the ColdFusion session.

  5. ColdFusion processes the requested application page. The application page displays a link to the logout form that uses the <CFLOGOUT> tag to log out the user.

  6. The application uses the <CFLOGOUT> tag to log out the user when the user clicks the logout link. The user then closes the browser.
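The six steps above, assembled into a working Application.cfm with its login form. This is an added example, not code from the book; the data source "appdb", the Users table and its columns, and the URL.logout parameter are assumptions. The same <CFLOGIN> body also serves the Web server basic authentication procedure described earlier, because a browser login fills the same CFLOGIN structure and the form is then never shown.

```cfml
<!--- Application.cfm (constructed example, not from the book).
      Assumes a data source "appdb" with a Users table whose columns are
      Username, PasswordHash and a comma-delimited Roles list. --->
<CFAPPLICATION NAME="projects" SESSIONMANAGEMENT="Yes">

<!--- Logout is handled before CFLOGIN so the next request shows the
      login form again instead of reusing the still-valid login. --->
<CFIF IsDefined("URL.logout")>
    <CFLOGOUT>
</CFIF>

<CFLOGIN IDLETIMEOUT="900" APPLICATIONTOKEN="projects">
    <!--- The cflogin structure exists only when the form posted
          j_username/j_password (or the browser sent basic authentication). --->
    <CFIF NOT IsDefined("cflogin")>
        <CFINCLUDE TEMPLATE="loginform.cfm">
        <CFABORT>
    </CFIF>
    <!--- Look the user up by name only; the value is bound with
          CFQUERYPARAM rather than pasted into the SQL string. --->
    <CFQUERY NAME="getUser" DATASOURCE="appdb">
        SELECT PasswordHash, Roles FROM Users
        WHERE Username = <CFQUERYPARAM VALUE="#cflogin.name#" CFSQLTYPE="CF_SQL_VARCHAR">
    </CFQUERY>
    <!--- Hash() in ColdFusion MX is MD5 (later releases accept stronger
          algorithms); the comparison is done in CFML so the submitted
          password never appears in the query. --->
    <CFIF getUser.RecordCount EQ 1
          AND CompareNoCase(Hash(cflogin.password), getUser.PasswordHash) EQ 0>
        <CFLOGINUSER NAME="#cflogin.name#"
                     PASSWORD="#cflogin.password#"
                     ROLES="#getUser.Roles#">
    <CFELSE>
        <!--- One message for unknown user and wrong password alike. --->
        <CFSET loginError = "Invalid user name or password.">
        <CFINCLUDE TEMPLATE="loginform.cfm">
        <CFABORT>
    </CFIF>
</CFLOGIN>

<!--- loginform.cfm: the field names j_username and j_password are what
      fill CFLOGIN.NAME and CFLOGIN.PASSWORD on the next request. --->
<CFOUTPUT>
<CFIF IsDefined("loginError")><P>#loginError#</P></CFIF>
<FORM ACTION="#CGI.SCRIPT_NAME#" METHOD="post">
    User name: <INPUT TYPE="text" NAME="j_username"><BR>
    Password: <INPUT TYPE="password" NAME="j_password"><BR>
    <INPUT TYPE="submit" VALUE="Log in">
</FORM>
</CFOUTPUT>
```

Protected pages then call ISUSERINROLE before any role-specific code, and a logout link simply requests any application page with ?logout=1.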




Macromedia ColdFusion MX Professional Projects
ISBN: 1592000126
Year: 2002
Pages: 200
