Finally, in both this example and the one in the following section, adding JavaScript validation to ensure that the user provides a username and password would certainly prove helpful. See the discussions in 20 on how to use CFFORM and CFINPUT to achieve that goal. Using JavaScript to place the cursor focus on the username field as the form loads may also be helpful. (See the article Getting Focus(ed) And a Quick JavaScript Overview, by Charlie Arehart, in the June 2000 issue of the ColdFusion Developer s Journal for more information on that technique. It s available at cfm id=122.)
Caution As you work with forms to perform login processing, be aware whenever you re testing to observe timeout issues that, if you simply refresh a page that s just been logged in to by using a form, the refresh causes the form data to be reposted. Even if the timeout time passed while you looked at the page, the refresh with the reposting presents the form fields necessary to reauthenticate. The code in Application.cfm detects this as a form submission, and you never actually see the form presented. It may lead you to think that no timeout is occurring. This is just a side effect of trying to run simple tests. The problem doesn t occur (nor would it matter if it did) in the real world. A good work-around for this problem in simple testing is to add a hyperlink to your test.cfm page that calls itself. You use that link to test calling the page over and over to see what happens if is a timeout occurs.
Using special form variables: j_username and j_password
You may see examples in the ColdFusion documentation that use a form with the field names j_username and j_password. These are actually special names, and they are tied to the underlying J2EE server heritage in CF MX. If a form with these fields is presented, it causes creation of a special structure called cflogin, with the keys name and password (it is not cflogin.username.). You don t need to use that structure. (You see its value in the section, Using programmatic basic authentication. ) You can just use the form fields as you do in the example in Prompting by using a simple form. But if you want to use the special cflogin structure, you can use the following code in your Application.cfm file. It presumes that the login_form.cfm that you re including is using j_username and j_password as its form fields:
<cflogin> <cfif not isdefined( )> <cfinclude template= login_form.cfm > <cfabort> <cfelse> <!--- would validate username/password here ---> <cfloginuser name= #form.j_username# Password= #form.j_password# roles= > </cfif> </cflogin>
Notice that the difference in the second line of this example (compared to that in Prompting by using a simple form ) is that you re not referring to the form fields form.j_username (or even form.login) to test for the form submission, although you could. Instead, you re referring to This (and cflogin.password) is a special variable that is created only by this type of username/password prompting (as well as in the next two types that we discuss).
40 Integrating Security
The variable is accessible only within the processing of CFLOGIN tags. If you attempt to refer to the structure outside the tags (or by using the earlier simple form example), the cflogin structure seems not to exist. We ve noticed a quirk in using this j_username approach, however. This cflogin structure is not removed after the login process times out. If you use code such as that of the preceding example, the user never seems to be logged out after a timeout. That is, you never see a request to log in again. This has been identified as a bug. A work-around is available for the following test: <cfif not isdefined( )> You must replace that line with the following: <cfif GetAuthUser() is and not isdefined( form.login )> This code indeed causes the login page to appear after a timeout (as well as after a CFLOGOUT or on the first visit in a new browser session). Another challenge that flows from this unexpected behavior is that, because the cflogin structure doesn t get erased on a timeout, it also continues to hold the previous login values even after a new login takes place, at least until the CFLOGINUSER takes place. This is important to note when you perform testing of the input values against a database or such. You should use form.j_username and form.j_password, just as the code in the previous listing does for the CFLOGINUSER tag to get around this problem. We can only hope for now that these bugs get addressed in future updates.
