Hey Hollywood. Ok, what you need are a few files. These should get you started. Put them all in the root directory of your website.
I tried to give explanations for all of them, and you'll have to eventually tailor them to your needs, but try putting them up and see how it goes to start. After putting them all up, trying them out, and looking at the code a little, then the explanations might make more sense. The most complex file is probably Application.cfc, but fear not, even that one is short.
If you just go straight to copying and pasting, the username / password are both 'test'.
- Has the settings that enable session management, and takes care of redirecting any "non logged-in" users back to the login page. Session management is needed because we need to keep track of the user's visit to the website. In this case, we want to keep track of if the user is logged in or not.
<cfset this.name = "MyApplication">
<cfset this.applicationTimeout = createTimeSpan( 2, 0, 0, 0 )> <!--- 2 Days --->
<cfset this.sessionManagement = true>
<cfset this.sessionTimeout = createTimeSpan( 0, 0, 20, 0 )> <!--- 20 min --->
<cfset this.setClientCookies = true>
<cfset session.loggedIn = false>
<cfargument name="targetPage" type="string" required="true">
<!--- If the user is not logged in, and they are not on the login or login processing page,
then redirect them back to login.cfm --->
<cfif NOT session.loggedIn AND targetPage neq "/login.cfm" AND targetPage neq "/login_process.cfm">
This component has two functions: onSessionStart
, and onRequestStart
. These are two special "event handler" functions that are recognized by ColdFusion, and are run when those events occur.
runs when a user first visits any page on your website. It won't be run again for that given user until the user's session expires (in 20 minutes), and they re-visit your site. Here, we simply initialize a session variable of loggedIn
to false. This will be set to true once the user has entered valid credentials.
runs right before every request for a web page on your site. This is the best place to put any "security" code. The security code simply checks if the user is logged in or not, and redirects them back to the login page if they are not. (Note that it must also make sure that the user is not already on the login.cfm page. If it doesn't do that, the <cflocation> tag will keep redirecting to login.cfm, and cause a redirect loop.)
- Has the form for the user to enter their username and password. If the user tries to access any other page when they are not logged in, they will be redirected back here (as you wouldn't want the user accessing any "protected" pages until they are logged in).
I also included a little code on this page for if login_process.cfm finds that the username/password is invalid and redirects the user back here, it will give the user a message.
<cfif isDefined( 'url.invalidLogin' )>
<font color="red">You have entered an invalid username/password. Please try again.</font>
<form action="login_process.cfm" method="post">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="submit" value="Login">
- This is the target of the form submission in login.cfm. This file checks the entered username and password against the database, and determines if the user should be let in. For now, I just put in a simple if statement that checks for username 'test' and password 'test'. This is where you would query the database, and determine if the user is in your users table.
If the username and password are invalid, the user is redirected back to login.cfm, with a variable in the url specifying just that.
<cfif form.username eq 'test' AND form.password eq 'test'>
<cfset session.loggedIn = true>
- The page that the user comes to if they have successfully been logged in. This page will not be accessible until the user is logged in. This is enforced by the onRequestStart
function in Application.cfc.
Welcome Member! You would not be able to access this page if you were not logged in.<br><br>
To test this, try logging out, and typing the URL for this page into the address bar. You should
be automatically redirected back to login.cfm in this case.<br><br>
(Optional) - Simply sets session.loggedIn
back to false to log the user out, and redirects him/her back to login.cfm.
<cfset session.loggedIn = false>
Note that you may need an index.cfm
file in your webroot directory too for the initial redirect to work. It can just be blank for now.
Let me know how it goes, and if you need any more help / explanation of how something is working.