login password problems
When a user logs in that has the same password as another user, the details of the latest person to register with that password are revealed. I'm struggling to make it check that the username and password are connected, and only if the username and password match should that user's details be accessible. The code's here (although I may not have explained my problem too well):
```coldfusion
<!-- If statement to show login form if not logged in -->
<cfif Session.Logged EQ "false">
    <cfform action="your.cfm" method="post" name="user_loginform">
        <b>Username </b><br />
        <cfinput name="username" type="text" class="normal" required="yes" message="Username Required" /><br /><br />
        <b>Password</b><br />
        <cfinput name="password" type="password" class="normal" required="yes" message="Password Required" /><br />
        <input name="Submit" type="submit" value="Login" class="button_blue" />
    </cfform>
    <p class="link">Click to register:<a href="register.cfm">Register</a></p>
    <!-- Compares details to database and lets user log in if match found -->
    <cfif isdefined("form.Password")>
        <cflock timeout="5">
            <cfset Encrypted = encrypt(Form.Password, Request.PasswordKey)>
            <cfquery name="user_login" datasource="#Request.DSN#">
                select email, username, password, name
                from users
                where password = <cfqueryparam cfsqltype="cf_sql_varchar" value="#Encrypted#">
            </cfquery>
            <cfif user_login.recordcount>
                <!-- If username and password match, user is logged and session is set to logged -->
                <cfset Session.Logged = "true">
                <cfset Session.emailname = "#user_login.email#">
                <cfset Session.userName = "#user_login.username#">
                <cfset Session.password = "#user_login.password#">
                <cfset Session.name = "#user_login.name#">
                <cflocation url="your.cfm">
            <cfelse>
```
Last edited by peter_budo; Jul 8th, 2009 at 7:32 am. Reason: Keep It Organized - For easy readability, always wrap programming code within posts in [code] (code blocks) and [icode] (inline code) tags.
In addition to what thesaintbug said, there is another thing you might need to change. Rather than 'Encrypting' passwords, the better option would be to Hash them. Hashing is a one-way process - which means no one will be able to guess what a user's password is even if they got their hands on the HASHed password. Encryption on the other hand has the risk of your user info being compromised if someone got to know what the PasswordKey is.
Just something for you to think about!
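An added example, not code from either poster: the login check with the account selected by username and the password verified against a salted one-way hash instead of being matched in the WHERE clause. The `salt` and `password_hash` columns are assumptions (the original table only shows `password`), both filled at registration with the same settings, and `generatePBKDF2Key()` requires ColdFusion 11 or later.

```coldfusion
<!--- Added example. Assumed columns (not in the original post):
      users.salt and users.password_hash, written at registration. --->
<cfif structKeyExists(form, "username") AND structKeyExists(form, "password")>

    <!--- 1. Look the account up by username only. The password is never part
             of the WHERE clause, so users who share a password stay distinct. --->
    <cfquery name="user_login" datasource="#Request.DSN#">
        select email, username, name, salt, password_hash
        from users
        where username = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.username#">
    </cfquery>

    <cfset loginOk = false>
    <cfif user_login.recordcount EQ 1>
        <!--- 2. Recompute the one-way hash with this user's stored salt. --->
        <cfset candidate = generatePBKDF2Key("PBKDF2WithHmacSHA1", form.password,
                                             user_login.salt, 100000, 256)>
        <!--- 3. Compare in constant time using the JVM's MessageDigest.isEqual. --->
        <cfset digest = createObject("java", "java.security.MessageDigest")>
        <cfset loginOk = digest.isEqual(charsetDecode(candidate, "utf-8"),
                                        charsetDecode(user_login.password_hash, "utf-8"))>
    </cfif>

    <cfif loginOk>
        <!--- 4. Store identity only; the password or its hash never goes in the session. --->
        <cflock scope="session" type="exclusive" timeout="5">
            <cfset Session.Logged = "true">
            <cfset Session.emailname = user_login.email>
            <cfset Session.userName = user_login.username>
            <cfset Session.name = user_login.name>
        </cflock>
        <cflocation url="your.cfm" addtoken="no">
    <cfelse>
        <!--- Same message for unknown user and wrong password. --->
        <p class="normal">Invalid username or password.</p>
    </cfif>
</cfif>
```

Because the stored value cannot be reversed, there is no `Request.PasswordKey` whose disclosure would expose every password at once.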





