Application security is implemented using three CFML tags: <cflogin>, <cfloginuser>, and <cflogout>.

The <cflogin> Tag

When you implement application security, your application must have code that determines whether a user is logged in and responds or takes action as necessary. Rather than check this manually, you can use the <cflogin> tag to define a block of code that is executed only if no user is logged in. To secure applications safely, the security code must always be executed; as such, it should be placed in an Application file.

The following snippet shows which code is executed depending on whether a user is logged in:

    <cflogin>
        Any code here will be executed only if not logged in
    </cflogin>
    Any code here will be executed for all requests

The <cflogin> tag itself does not log users in or out; it simply marks a block of code that will be executed if no user is logged in (or if a user's login has timed out). Within <cflogin> you can place any code needed, including redirecting to login forms.

The <cfloginuser> Tag

To log a user in to the security system, use the <cfloginuser> tag. <cfloginuser> does not perform authentication; your code should do that using whatever code is necessary (<cfquery> to authenticate against a database, <cfldap> to authenticate against an LDAP server, <cfntauthenticate> to authenticate against NT domains and Active Directory, <cfinvoke> to authenticate with a component or Web Service, and so on). Once your code has determined that a user has been authenticated correctly, use the <cfloginuser> tag to pass the user information (name, password, and roles) to the security framework. The basic code flow is like this:

    <cflogin>
        ... Authentication code goes here ...
        ... Code to find roles goes here ...
        <cfloginuser name="#FORM.login#" password="#FORM.password#" roles="#roles#">
    </cflogin>

It is also possible to rely on the Web server to perform the authentication, in which case the ColdFusion CFLOGIN structure is populated with the login information automatically. The following snippet logs a user in to the application using Web server-provided information (roles are not returned by the Web server, so your code must still look them up):

    <cflogin>
        ... Code to find roles goes here ...
        <cfloginuser name="#CFLOGIN.name#" password="#CFLOGIN.password#" roles="#roles#">
    </cflogin>

NOTE: To force the Web server to generate a login dialog (so that you do not have to create one manually), use the following code:

    <cfsetting enablecfoutputonly="yes" showdebugoutput="no">
    <cfheader statuscode="401">
    <cfheader name="WWW-Authenticate" value="Basic realm=""MyRealm""">
    <cfoutput>Authorization failed</cfoutput>

Replace the realm name with one of your own, and customize the failure message if needed.

ColdFusion also detects the presence of two special form fields, j_username and j_password. If your own login form uses these field names, ColdFusion picks them up automatically and populates CFLOGIN with them. Once a user has been logged in, you can use <cffunction> and IsUserInRole() to implement access control as described below.

The <cflogout> Tag

User logins time out automatically. To force an immediate logout (perhaps in response to a user clicking a Logout option), use the <cflogout> tag.
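As an added example (not code from the original text), the following Application.cfm fragment ties the three tags together: the <cflogin> block authenticates the j_username/j_password values that ColdFusion exposes as CFLOGIN against a database with a parameterized query, loads the user's roles, and calls <cfloginuser>; a separate protected page then enforces access with IsUserInRole(). The file names, the datasource, the users/user_roles tables and the SHA-256 password hashing are assumptions.

```cfml
<!--- Application.cfm (assumed file name): runs before every request, so the
      security code is always executed. --->
<cfapplication name="SecureApp" sessionmanagement="yes">

<!--- Logout link (?logout=1): <cflogout> ends the login immediately. --->
<cfif IsDefined("URL.logout")>
    <cflogout>
</cfif>

<!--- Runs only when no user is logged in or the login has timed out. --->
<cflogin idletimeout="1800">
    <!--- CFLOGIN.name / CFLOGIN.password are set by ColdFusion when the form
          posts j_username and j_password. --->
    <cfif IsDefined("CFLOGIN")>
        <!--- Assumed schema: users(user_id, username, pwhash) and
              user_roles(user_id, role_name); pwhash is SHA-256 of the password.
              <cfqueryparam> keeps the submitted values out of the SQL text. --->
        <cfquery name="auth" datasource="appDSN">
            SELECT user_id FROM users
            WHERE username = <cfqueryparam value="#CFLOGIN.name#" cfsqltype="cf_sql_varchar">
              AND pwhash = <cfqueryparam value="#Hash(CFLOGIN.password, 'SHA-256')#" cfsqltype="cf_sql_varchar">
        </cfquery>
        <cfif auth.recordCount EQ 1>
            <cfquery name="userRoles" datasource="appDSN">
                SELECT role_name FROM user_roles
                WHERE user_id = <cfqueryparam value="#auth.user_id#" cfsqltype="cf_sql_integer">
            </cfquery>
            <!--- roles is a comma-delimited list; hand it to the security framework --->
            <cfloginuser name="#CFLOGIN.name#"
                         password="#CFLOGIN.password#"
                         roles="#ValueList(userRoles.role_name)#">
        <cfelse>
            <!--- Same generic response for an unknown user and a wrong password --->
            <cfinclude template="login.cfm">
            <cfabort>
        </cfif>
    <cfelse>
        <!--- No credentials yet: show the form whose fields are j_username / j_password --->
        <cfinclude template="login.cfm">
        <cfabort>
    </cfif>
</cflogin>

<!--- admin.cfm (assumed), a protected page: role check via IsUserInRole() --->
<cfif NOT IsUserInRole("admin")>
    <cfabort showerror="Access denied">
</cfif>
```

Because the whole <cflogin> block lives in Application.cfm, a request that arrives without a valid login never reaches page content: it either logs the user in on that same request or is aborted at the login form.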