Use a browser dialog box to get user information

Application authentication does not require a login form; you can rely on the browser to display its standard login dialog box instead. To do so, your cflogin tag body returns HTTP status 401 to the browser when the user is not logged in or the login fails, that is, when the request carries no valid cflogin structure. The browser then displays its login dialog box. When the user clicks the login button, the browser sends the credentials to ColdFusion in an HTTP Authorization header, and ColdFusion places them in the cflogin tag's cflogin structure.

This technique has the advantage of simplicity: you do not need a login form, and the user gets a familiar-looking login prompt. Be careful of the security implications, however. The browser sends the user name and password as a base64-encoded string, which is an encoding rather than encryption and is trivially reversible, and it does so not just when the user logs in but with every subsequent request. Use SSL (Secure Sockets Layer) for all page transactions to protect the user ID and password from unauthorized access.

Note: Ensure that your web server is configured so that this browser-based login reaches ColdFusion rather than being handled by the web server itself. For example, in IIS 5, enable anonymous access and disable Basic authentication and Integrated Windows authentication.

The following cflogin tag tells the browser to display a login form if the user has not logged in:

<cflogin>
    <cfif NOT IsDefined("cflogin")>
        <!--- No credentials on this request: send the 401 challenge so the
            browser shows its login dialog box, then stop processing. --->
        <cfheader statuscode="401">
        <cfheader name="WWW-Authenticate" value="Basic realm=""MM Wizard #args.authtype# Authentication""">
        <cfabort>
    <cfelse>
        <!--- code to authenticate the user based on the cflogin.user and
            cflogin.password values goes here. --->
    </cfif>
</cflogin>
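The exchange described above, modelled in Python as an added example that is not ColdFusion or Adobe code: the 401 challenge the cflogin body sends, the Authorization header the browser then attaches to every request, and the decoding that yields the values ColdFusion exposes as cflogin.user and cflogin.password. The realm string and user names are constructed sample values; parsing rejects non-Basic schemes and undecodable payloads instead of guessing.

```python
"""Model of the HTTP Basic exchange behind the browser-login cflogin pattern."""
import base64
import binascii

REALM = "MM Wizard Basic Authentication"   # constructed sample realm


def challenge(realm=REALM):
    """Response for a request with no credentials.

    Corresponds to the <cfif NOT IsDefined("cflogin")> branch: status 401
    plus a WWW-Authenticate header, which makes the browser show its dialog.
    """
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}


def browser_reply(user, password):
    """Authorization header the browser sends with *every* request after login.

    Base64 is reversible encoding, not encryption: anyone who can read the
    request can recover the credentials, hence the page's SSL requirement.
    """
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header_value):
    """Return (user, password) from an Authorization header, or None.

    Mirrors how the browser's reply populates the cflogin structure.
    Splits on the first colon only, so passwords may themselves contain colons.
    """
    if header_value is None:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


if __name__ == "__main__":
    print(challenge())                                  # first request: 401 + challenge
    hdr = browser_reply("alice", "s3:cret")             # what the browser sends back
    print(hdr, "->", parse_basic_authorization(hdr))    # what cflogin.user/password hold
```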