Getting the user ID and password

The cflogin tag has a built-in cflogin structure that contains two variables, cflogin.username and cflogin.password, if the page is executing in response to any of the following:

  • Submission of a login form that contains input fields with the names j_username and j_password.

  • A request that uses HTTP Basic authentication and, therefore, includes an Authorization header with the user name and password.

  • A message from the Flash Remoting gatewayConnection object that has the setCredentials method set.

  • A request that uses NTLM or Digest authentication. In this case, the user name and password are hashed using a one-way algorithm before they are placed in the Authorization header; ColdFusion gets the user name from the web server and sets the cflogin.password value to the empty string.

You use the first three techniques with application authentication, and the last technique with web server authentication. The cflogin structure provides a consistent interface for determining the user’s login ID and password, independent of the technique that you use for displaying the login form.

Important: Login forms send the user name and password without encryption. Basic HTTP authentication sends the user name and password in a base64-encoded string with each request; this format can easily be converted back to plain text. Use these techniques only with HTTPS requests, or when you are not concerned about password security.
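The following added example (Python, not ColdFusion code and not part of the original documentation) models the cases listed above to show which of them put a recoverable password on the wire. The function name extract_login, its parameters, the returned keys and the sample header are constructed for illustration.

```python
import base64
import binascii


def extract_login(form=None, headers=None, web_server_user="", is_https=False):
    """Return the credentials a request carries, per the cases above, or None.

    Constructed model for illustration; this is not how ColdFusion is implemented.
    """
    form = form or {}
    headers = {k.lower(): v for k, v in (headers or {}).items()}

    if "j_username" in form and "j_password" in form:
        # Login form: both fields arrive exactly as the user typed them.
        source, user, password = "form", form["j_username"], form["j_password"]
    else:
        scheme, _, value = headers.get("authorization", "").strip().partition(" ")
        scheme = scheme.lower()
        if scheme == "basic":
            try:
                decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                return None  # malformed header: treat as no credentials
            if ":" not in decoded:
                return None
            # Split on the first colon only; the password may contain colons.
            user, password = decoded.split(":", 1)
            source = "basic"
        elif scheme in ("digest", "ntlm"):
            # Only a one-way hash is sent; the user name comes from the web
            # server and the password is the empty string.
            source, user, password = "webserver", web_server_user, ""
        else:
            return None

    # Form and Basic credentials are readable by anyone who can see the
    # request unless the transport is HTTPS.
    exposed = source in ("form", "basic") and not is_https
    return {"source": source, "username": user, "password": password,
            "plaintext_on_wire": exposed}


# Constructed sample header (not captured traffic).
BASIC_HEADER = {"Authorization": "Basic " + base64.b64encode(b"alice:pa:ss").decode()}
```
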

Provide login information to your application for authentication as follows: