coldfusion-mx-securing-your-application

In this article we want to secure what we've created so that only people with the right login, password and security role can log in and interact with the back-end admin section. We will focus our attention on the Application framework, the Application.cfm file, Application variables and how to secure your website with a login and password using , , as well as some related functions: GetAuthUser() and IsUserInRole().

We have our first admin tool, but we don't want the general public to see it!

Here are the topics that we're going to cover in this article:

  1. The Absence of 'State'
  2. Website Application Framework
  3. Adding Logins to your Database
  4. Application.cfm
  5. OnRequestEnd.cfm
  6. Securing Your Application with
  7. Logging Out with
  8. Personalization with GetAuthUser()
  9. Security Roles with IsUserInRole()

By the end of this article you'll have a secured portion of your website requiring a login & password combination, and you will have established a security-role-based management system. Don't forget to grab the source code too; it's all included just for you!

If this is the first article you're reading, you may want to check out all my previous ColdFusion articles, because each one, from the very first article onward, helps build the website that we will be using in this article. Each one builds upon the existing website from the previous article. If you see some code in this website that you are unfamiliar with, there is an article there to help you.

When you download the source code for this article, the zip file contains a 'base' code base you can use to build what we discuss in the article as you read it, and it also includes a 'solution' code base, which is the complete code solution from the article. You'll need to create a ColdFusion Dreamweaver MX 2004 site for one or both of the code bases. I also use a MySQL 4.1 database, for which I always include a mysqldump file in the /db directory. You may want to restore the db and create a datasource named okctravel to make full use of this article.

The Absence of 'State'

The web is considered to be a stateless environment. If you open up your web browser and go to one of your favorite websites and then another page on that same website, you are creating separate HTTP requests to a web server. The web server (by itself) has no way of identifying you. It doesn't know that you were the same person that requested this new page. A web server will treat each HTTP request as an individual request that needs a response.

The web server needs a way to remember who you are as you travel from one page to the next. In our case, we want to secure our website and force users to log into the website. Once they are logged in, we want to remember who they are and not ask them to log in each time they make a new HTTP request. The web server itself is not suited for this job; it requires the use of ColdFusion (or other middleware languages) to do it. The way this is accomplished is through the combined use of cookies or URL variables and the Application framework.

First of all, we need to uniquely identify a user as they come to our website. When using ColdFusion MX, ColdFusion can automatically create unique identifiers for our users through the use of a CFID & CFToken pair or a J2EE session variable, or both. CFID & CFToken are used in combination. Each of these variables holds a unique number, and when the two are matched up internally, ColdFusion can uniquely identify a single user instance. J2EE session variables are a single long integer of about 19 digits.

So ColdFusion will create these unique identifiers for us; we don't have to worry about that part. The trick will be to make sure that the unique identifier we create sticks to the user and that they pass it back to the web server with every HTTP request they make. There are only two ways that we can accomplish that goal. Our users have to be using a web browser that has cookies enabled, and we set that unique identifier as a cookie on the user. When the cookie is set, subsequent page requests to the same domain send back the cookie(s) and their values. The alternative way, if the user is not using a cookie-enabled browser, is that we must pass the unique identifier variables and values as URL variables (or query string) in every hyperlink, form submission, redirect () or even JavaScript that directs the user to a new page.
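As an added example (not the article's own source code) of the state-keeping described above: an Application.cfm that turns on session management so the CFID/CFToken pair identifies the user, guards the admin section with the ColdFusion login tags, and a fragment of an admin page that personalizes, checks a role, and keeps links working for cookieless browsers. The application name, the /admin/ path, and the users table with its username, password_hash and roles columns are assumptions; only the okctravel datasource comes from the article.

```cfml
<!--- Application.cfm (added example; the table "users" and its columns
      are hypothetical, the datasource "okctravel" is the article's) --->
<cfapplication name="okctravel"
               sessionmanagement="yes"
               setclientcookies="yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">

<!--- Only the back-end admin section requires a login --->
<cfif FindNoCase("/admin/", CGI.SCRIPT_NAME)>
  <cflogin>
    <!--- The cflogin structure (cflogin.name / cflogin.password) exists only
          when a j_username / j_password form (or HTTP Basic auth) was sent;
          on the first visit it is undefined, so show the form and stop. --->
    <cfif NOT IsDefined("cflogin")>
      <cfinclude template="/admin/loginform.cfm">
      <cfabort>
    </cfif>

    <!--- Look the user up by name and hashed password; cfqueryparam keeps the
          submitted values out of the SQL text. Hash(string, algorithm) needs
          ColdFusion 7 or later (MX 6.1 Hash() is MD5 only); a salted, slow
          password hash is preferable on current servers. --->
    <cfquery name="qUser" datasource="okctravel">
      SELECT username, roles
      FROM   users
      WHERE  username      = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
      AND    password_hash = <cfqueryparam value="#Hash(cflogin.password, 'SHA-256')#"
                                           cfsqltype="cf_sql_varchar">
    </cfquery>

    <cfif qUser.recordCount EQ 1>
      <!--- cfloginuser binds the name and comma-separated roles to this session --->
      <cfloginuser name="#qUser.username#" password="#cflogin.password#"
                   roles="#qUser.roles#">
    <cfelse>
      <cfinclude template="/admin/loginform.cfm">
      <cfabort>
    </cfif>
  </cflogin>
</cfif>

<!--- Fragment of a page under /admin/: GetAuthUser() and IsUserInRole()
      read what cfloginuser stored; URLSessionFormat() appends CFID/CFTOKEN
      to the link only when the client did not accept the session cookie. --->
<cfoutput>
  <p>Welcome, #GetAuthUser()#</p>
  <cfif IsUserInRole("admin")>
    <a href="#URLSessionFormat('delete.cfm')#">Delete record</a>
  </cfif>
</cfoutput>
```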
