User Guide

Chapter 17: Application Security 271
If a user passes the authentication test, ColdFusion sets a cookie that carries the user's authentication state to subsequent application pages governed by this Application.cfm page. Because that cookie is all a later request needs in order to be treated as the authenticated user, the login form and every page governed by it should be served over HTTPS so that neither the credentials nor the cookie travel in the clear.
Only authenticated users can then reach the requested application page, which selects and updates customer orders in a database. That page in turn checks which resources the authenticated user is authorized to see and use; authentication alone establishes who the user is, not what the user may do.
Authenticating users in Application.cfm
This example code for an Application.cfm page first checks whether the current user is already authenticated. If not, it checks whether a login form was submitted. If the submitted username and password authenticate against the current security context, the user passes through and the requested page is served.

If the Application.cfm page does not receive the user's login information from the previous page, it prompts the user for a username and password. The user's response is checked against the list of valid users defined for the current security context.

If the user passes the authentication step, the requested page appears. The CGI variables CGI.script_name and CGI.query_string are used to keep track of the page originally requested: the login form posts back to that URL, so once the user is authenticated the same request serves the page the user originally asked for.
All pages governed by this Application.cfm page (those in the same directory as Application.cfm and in its sub-tree) invoke this authentication test. Note that ColdFusion runs only the nearest Application.cfm it finds when walking up from the requested page's directory, so a subdirectory that contains its own Application.cfm bypasses this test unless that file explicitly includes this one.
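The complete flow described above, from the authentication check through the login prompt that posts back to the originally requested page, as an added example. It is not the guide's own listing; it assumes an application and a security context both named "Orders", as in the guide, while the form field names, the error message and the returnTo variable are this example's own choices.

```cfml
<!--- Application.cfm: added example, not the guide's own listing.
      Assumes an application and security context both named "Orders".
      Field names, error message and the returnTo variable are this
      example's own choices. --->
<CFAPPLICATION NAME="Orders">

<CFIF not IsAuthenticated()>
  <!--- Default: no login prompt needed yet --->
  <CFSET showLogin = "No">

  <CFIF IsDefined("form.username") and IsDefined("form.password")>
    <!--- A login form was submitted: validate the credentials against
          the security context and set the authentication cookie --->
    <CFTRY>
      <CFAUTHENTICATE SecurityContext="Orders"
                      username="#form.username#"
                      password="#form.password#"
                      setCookie="YES">
      <CFCATCH TYPE="security">
        <!--- Bad username or password: re-prompt, with one generic
              message that does not say which of the two was wrong --->
        <CFSET showLogin = "Yes">
        <CFSET loginError = "Login failed. Please try again.">
      </CFCATCH>
    </CFTRY>
  <CFELSE>
    <!--- No credentials were submitted: prompt for them --->
    <CFSET showLogin = "Yes">
  </CFIF>

  <CFIF showLogin>
    <!--- Post the form back to the page the user asked for, so the same
          request serves that page once authentication succeeds.
          CGI.query_string is caller-controlled, so it is HTML-encoded
          before being reflected into the ACTION attribute. --->
    <CFSET returnTo = CGI.script_name>
    <CFIF Len(CGI.query_string)>
      <CFSET returnTo = returnTo & "?" & CGI.query_string>
    </CFIF>
    <CFOUTPUT>
      <HTML><BODY>
      <CFIF IsDefined("loginError")><P>#loginError#</P></CFIF>
      <FORM ACTION="#HTMLEditFormat(returnTo)#" METHOD="POST">
        Username: <INPUT TYPE="text" NAME="username"><BR>
        Password: <INPUT TYPE="password" NAME="password"><BR>
        <INPUT TYPE="submit" VALUE="Log in">
      </FORM>
      </BODY></HTML>
    </CFOUTPUT>
    <!--- Stop here: the requested page must not run for an
          unauthenticated user --->
    <CFABORT>
  </CFIF>
</CFIF>
```

The CFABORT after the login form is the part that actually enforces the check: without it, ColdFusion would go on to process the requested page for a user who has not authenticated. Because the form posts to the current script with its original query string, a user who asked for orders.cfm?id=42 is shown orders.cfm?id=42 immediately after a successful login.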
Note To use this code in your own Application.cfm page, change the application name and security context name to match your application and security names.
Example: Application.cfm
<CFAPPLICATION NAME="Orders">
<CFIF not IsAuthenticated()>
  <!--- The user is not authenticated --->
  <CFSET showLogin = "No">
  <CFIF IsDefined("form.username") and IsDefined("form.password")>
    <!--- The login form was submitted --->
    <CFTRY>
      <CFAUTHENTICATE SecurityContext="Orders"
        username="#form.username#"
        password="#form.password#"
        setCookie="YES">
      <CFCATCH TYPE="security">