Using Coldfusion Security Tags And Functions - MACROMEDIA COLDFUSION MX 61-DEVELOPING COLDFUSION MX Develop Manual


If you do not enable the Session scope, the authentication information is not kept in a persistent
scope. Instead, the detailed login information is put in a memory-only cookie
(CFAUTHORIZATION_applicationName) with a base64-encoded string that contains the user
name, password, and application name. The client sends this cookie to the web server each time it
makes a page request while the user is logged in. If you do not use SSL for all page transactions,
the user ID and password are not protected from unauthorized access.
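
The following Python audit is an added example, not part of the manual: it flags requests that carry the CFAUTHORIZATION_applicationName cookie over plain HTTP, where the base64 value gives no confidentiality. The request tuples, application names, and cookie values are constructed, and the check deliberately never outputs the decoded contents.

```python
import base64
import binascii
from urllib.parse import unquote

COOKIE_PREFIX = "CFAUTHORIZATION_"

# Constructed sample data: (scheme, raw Cookie header). Values are made up.
_SAMPLE_VALUE = base64.b64encode(b"constructed-login-material").decode()
SAMPLE_REQUESTS = [
    ("http", "CFID=101; CFAUTHORIZATION_Orders=" + _SAMPLE_VALUE),
    ("https", "CFID=101; CFAUTHORIZATION_Orders=" + _SAMPLE_VALUE),
    ("http", "CFID=102; CFTOKEN=555"),
    ("http", "CFAUTHORIZATION_Wiki=%%%not-base64"),
]


def login_cookies(cookie_header):
    """Yield (application_name, value) for each ColdFusion login cookie."""
    for part in cookie_header.split(";"):
        # Split on the first "=" only, so base64 padding stays in the value.
        name, sep, value = part.strip().partition("=")
        if sep and name.upper().startswith(COOKIE_PREFIX):
            yield name[len(COOKIE_PREFIX):], unquote(value)


def decodes_as_base64(value):
    """True if the value is plain base64, i.e. readable without any key."""
    try:
        padded = value + "=" * (-len(value) % 4)
        return len(base64.b64decode(padded, validate=True)) > 0
    except (binascii.Error, ValueError):
        return False


def audit(requests):
    """Return one finding per login cookie that travelled without SSL."""
    findings = []
    for index, (scheme, header) in enumerate(requests):
        for application, value in login_cookies(header):
            if scheme.lower() != "https" and decodes_as_base64(value):
                findings.append({"request": index,
                                 "application": application,
                                 "issue": "login cookie sent without SSL"})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS):
        print(finding)
```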
Using ColdFusion security without cookies
You can implement a limited-lifetime form of ColdFusion security if the user's browser does not
support cookies. In this case you do not use the cflogin tag, only the cfloginuser tag. It is the
only time you should use the cfloginuser tag outside a cflogin tag.
Without browser cookies, the effect of the cfloginuser tag is limited to a single HTTP request.
You must provide your own authentication mechanism and call cfloginuser on each page on
which you use ColdFusion login identification.

Using ColdFusion security tags and functions

ColdFusion provides the following tags and functions for user security:

| Tag or function | Purpose |
| --- | --- |
| cflogin | A container for user authentication and login code. The body of the tag runs only if there is no logged-in user. When using application-based security, you put code in the body of the cflogin tag to check the user-provided ID and password against a data source, LDAP directory, or other repository of login identification. The body of the tag includes a cfloginuser tag (or a ColdFusion page that contains a cfloginuser tag) to establish the authenticated user's identity in ColdFusion. |
| cfloginuser | Identifies (logs in) a user to ColdFusion. Specifies the user's ID, password, and roles. This tag is typically used inside a cflogin tag. The cfloginuser tag requires three attributes, name, password, and roles, and does not have a body. The roles attribute is a comma-delimited list of role identifiers to which the logged-in user belongs. All spaces in the list are treated as part of the role names, so you should not follow commas with spaces. While the user is logged in to ColdFusion, security functions can access the user ID and role information. |
| cflogout | Logs out the current user. Removes knowledge of the user ID and roles from the server. If you do not use this tag, the user is automatically logged out as described in "Logging users out" on page 354. The cflogout tag does not take any attributes, and does not have a body. |
| cffunction | If you include a roles attribute, the function executes only when there is a logged-in user who belongs to one of the specified roles. |
| IsUserInRole | Returns True if the current user is a member of the specified role. |
| GetAuthUser | Returns the ID of the currently logged-in user. This function first checks for a login made with the cfloginuser tag. If none exists, it checks for a web server login (cgi.remote_user). |

Chapter 16: Securing Applications