Using the Dreamweaver Login Wizard
ColdFusion installs a Login Wizard
command in the Dreamweaver Commands menu that generates a skeleton
set of pages for managing user authentication and authorization.
The wizard asks you to select how to authenticate the login information.
Select one of the following options:
- Simple: Specify a single user ID and password in the wizard. All users must enter this information to log in. Use this option for testing, or use the generated files as a template where you can replace the authentication code with more complex code, for example, code that verifies the ID and password against a database.
- NT domain: Specify an NT domain in the wizard, and the wizard generates code that queries the domain.
- LDAP: Specify the LDAP server and port, the user name and password required to access the login data, and the distinguished name to use to start the search for the user name. The wizard generates the code to query the LDAP server with the user ID and password.
The wizard asks you to select one of the following options for displaying the request for login information:
- Browser Dialog Box
- ColdFusion Login Form
Structure code generated by the Login Wizard
The wizard generates or modifies the following files in the directory or site that you specify:
- Application.cfc
- If this file does not exist, the wizard
creates it with a single onRequestStart method;
it does not specify an application name or any other methods. If
the file exists, but does not have an onRequestStart method,
it adds the method. If Application.cfc and the onRequestStart method
exist, the wizard inserts the required code at the beginning of
the method. The resulting onRequestStart method
has a cfinclude tag that specifies mm_wizard_application_include.cfm;
it also has a simple form with a logout button, which appears at
the top of each page in the application.
- mm_wizard_application_include.cfm
- The
Login Wizard uses the information specified in the wizard fields
to set several CFC method arguments. It then uses them to invoke
the performlogin method of the master login CFC, mm_wizard.authenticate.
- mm_wizard_authenticate.cfc
- This
CFC contains all of the user authentication and login logic. The
CFC consists of the following methods:
- The ntauth, ldapauth, and simpleauth authentication methods check the user’s name and ID against the valid login information, and return information about whether the user is authenticated. For the details of how they authenticate the user and the specific return values, see the methods.
- The performLogin method is the master login method. It contains the cflogin tag, which displays the login form and calls the required authentication method. If the authentication method’s return argument indicates a valid user, the method logs the user in.
- The logout method logs out a user. If you specified Browser Dialog Box as the login page type, it also calls the closeBrowser method to close the browser window. This behavior is necessary because the browser continues to send the old login credentials after the user logs out, and the cflogin tag will automatically use them and log the user in again.
- The closeBrowser method closes the browser window or tells the user to close the browser window to complete the logout, depending on the browser type.
- mm_wizard_login.cfm
- This
file contains a ColdFusion login form. The wizard generates this
file for all options, but does not use it if you specify Browser
Dialog login.
- index.cfm or mm_wizard_index.cfm
- The
wizard generates an index.cfm page if the directory does not have
one; otherwise, it creates an mm_wizard_index.cfm page. These pages
let you test the generated login code before you implement your
application, or without using any of your standard application pages.
To test your login, open the index.cfm page in your browser.
Modifying the login code for your application
The Login Wizard creates a basic framework for authenticating a user. Customize this framework to meet the needs of your application. Typical security-related changes include the following:
Providing user-specific role information
The Login Wizard sets all users in a single role. In mm_wizard_authenticate.cfc, the performlogin method is hard-coded to set the role to “user.” The authentication routines handle roles differently. (For the details, see the mm_wizard_authenticate.cfc code.) If your application uses roles for authorization, change the authentication method to get and return valid role information, and change the performlogin method to use the information in the roles attribute of its cfloginuser tag.
Authenticating users against a database
If you use a database to maintain user IDs and passwords, create your login framework by specifying simple authentication, and modify the code to use the database. The following instructions describe a simple way to change the code to use a database. They do not include all the cleanup work (particularly, removing the hard-coded user name and password) needed for a well-formatted application.
Replace the following code:
```cfml
<cfif sUserName eq uUserName AND sPassword eq uPassword>
<cfset retargs.authenticated="YES">
<cfelse>
<cfset retargs.authenticated="NO">
</cfif>
<cfreturn retargs>
```
With code like the following:
```cfml
<!--- cfqueryparam binds the submitted values as query parameters --->
<cfquery name="loginQuery" dataSource="#Application.DB#">
SELECT *
FROM Users
WHERE UserName = <cfqueryparam value="#uUserName#" CFSQLType="CF_SQL_VARCHAR">
AND password = <cfqueryparam value="#uPassword#" CFSQLType="CF_SQL_VARCHAR">
</cfquery>
<cfif loginQuery.recordcount gt 0>
<cfset retargs.authenticated="YES">
<cfset retargs.roles=loginQuery.roles>
<cfelse>
<cfset retargs.authenticated="NO">
</cfif>
<cfreturn retargs>
```
Note: For greater security, consider using a hashed password. Do not store the password directly in the database; instead, use the Hash function to create a secure password fingerprint, and store it in the database. When the user provides a password, use the Hash function on the submitted string and compare it with the value in the database.
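The following is an added example, not code generated by the wizard, that combines the two customizations above: a database authentication method for mm_wizard_authenticate.cfc that compares a salted hash instead of the clear-text password and returns the user’s roles, plus the matching cfloginuser call for performLogin. It assumes a Users table with UserName, Salt, PasswordHash, and Roles columns, the Application.DB datasource, and the wizard’s retargs naming.

```cfml
<!--- Added example (not the wizard's generated code). Assumed schema:
      Users(UserName, Salt, PasswordHash, Roles); Roles is a comma-delimited list. --->
<cffunction name="dbauth" access="private" returntype="struct" output="false">
    <cfargument name="uUserName" type="string" required="true">
    <cfargument name="uPassword" type="string" required="true">
    <cfset var retargs = structNew()>
    <cfset var loginQuery = "">
    <cfset var submittedHash = "">
    <cfset retargs.authenticated = "NO">
    <cfset retargs.roles = "">

    <!--- Look up the account by user name only: the submitted password is
          never sent to the database, and cfqueryparam binds the value. --->
    <cfquery name="loginQuery" datasource="#Application.DB#">
        SELECT Salt, PasswordHash, Roles
        FROM Users
        WHERE UserName = <cfqueryparam value="#arguments.uUserName#" cfsqltype="CF_SQL_VARCHAR">
    </cfquery>

    <cfif loginQuery.recordCount eq 1>
        <!--- Recompute the fingerprint with the stored per-user salt. Hash()
              defaults to MD5, so the algorithm is named explicitly. --->
        <cfset submittedHash = Hash(loginQuery.Salt & arguments.uPassword, "SHA-512")>
        <!--- Compare() is case-sensitive and returns 0 when the strings match --->
        <cfif Compare(submittedHash, loginQuery.PasswordHash) eq 0>
            <cfset retargs.authenticated = "YES">
            <cfset retargs.roles = loginQuery.Roles>
        </cfif>
    </cfif>
    <cfreturn retargs>
</cffunction>

<!--- In performLogin, inside the cflogin tag: replace the hard-coded "user"
      role with the list returned by the authentication method. --->
<cfif retargs.authenticated eq "YES">
    <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#retargs.roles#">
</cfif>
```

The stored PasswordHash must be created with the same salt concatenation and algorithm when the account is added, otherwise every login fails.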