When a user logs in who has the same password as another user, the details of the latest person to register with that password are revealed. I'm struggling to make it check that the username and password are connected, and only if the username and password match should that user's details be accessible. The code's here (although I may not have explained my problem too well):

<!-- If statement to show login form if not logged in -->
<cfif Session.Logged EQ "false">

    <cfform action="your.cfm" method="post" name="user_loginform">
        <b>Username </b><br />
        <cfinput name="username" type="text" class="normal" required="yes" message="Username Required" /><br /><br />
        <b>Password</b><br />
        <cfinput name="password" type="password" class="normal" required="yes" message="Password Required" /><br />
        <input name="Submit" type="submit" value="Login" class="button_blue" />
        <p class="link">Click to register:<a href="register.cfm">Register</a></p>
    </cfform>

    <!-- Compares details to database and lets user log in if match found -->
    <cfif isdefined("form.Password")>
        <!-- cflock needs a name or scope attribute; this one writes session variables -->
        <cflock scope="session" timeout="5">
            <cfset Encrypted = encrypt(Form.Password, Request.PasswordKey)>
            <!-- NB: this is the query the question is about: it matches on password only,
                 so any user with the same password is returned -->
            <cfquery name="user_login" datasource="#Request.DSN#">
                select email, username, password, name from users
                where password = <cfqueryparam cfsqltype="cf_sql_varchar" value="#Encrypted#">
            </cfquery>

            <cfif user_login.recordcount>
                <!-- If username and password match, user is logged and session is set to logged -->
                <cfset Session.Logged = "true">
                <cfset Session.emailname = "#user_login.email#">
                <cfset Session.userName = "#user_login.username#">
                <cfset Session.password = "#user_login.password#">
                <cfset Session.name = "#user_login.name#">
                <cflocation url="your.cfm">
            </cfif>
        </cflock>
    </cfif>
</cfif>

I think the problem occurs when the select statement takes place; I need to make sure that the username matches the username entered in the login form and the password matches the password stored in the database.

Any help would be much appreciated !


I think you should also include the "username" in the where clause of the query, so that both username and password get matched in the database. That way no other user with the same password would be able to get logged in under some other user name.

Hope this is what you are looking for.


In addition to what thesaintbug said, there is another thing you might need to change. Rather than 'encrypting' passwords, the better option would be to hash them. Hashing is a one-way process, which means no one will be able to guess what a user's password is even if they got their hands on the hashed password. Encryption, on the other hand, carries the risk of your user info being compromised if someone got to know what the PasswordKey is.

Just something for you to think about!
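Putting the two replies together, here is an added example (not code from the original post or from the thread's author) of what the register and login pages could look like: the row is looked up by username only, so the password never decides which user's record is returned, and the password is stored as a salted, iterated hash rather than `encrypt()` output. It assumes a `users` table with `username`, `email`, `name`, `password_salt` and `password_hash` columns, form fields `form.email` and `form.name` on the registration page, and `Request.DSN` as in the thread; the helper names `hashPassword` and `secureEquals` are this example's own. The fourth (iteration count) argument to `hash()` exists in ColdFusion 10+ and Lucee. Both pages' pieces are shown in one block; the two helpers would normally live in a shared include.

```cfml
<!--- Added example, not the original poster's code. Assumed schema:
      users(username, email, name, password_salt, password_hash) --->

<!--- Shared helper: salted, iterated SHA-512. The same function is used at
      registration and login time so the two can never drift apart. --->
<cffunction name="hashPassword" returntype="string" output="false">
    <cfargument name="password" type="string" required="true">
    <cfargument name="salt" type="string" required="true">
    <!--- 4th argument (iteration count) requires ColdFusion 10+ or Lucee --->
    <cfreturn hash(arguments.salt & arguments.password, "SHA-512", "UTF-8", 100000)>
</cffunction>

<!--- Constant-time comparison via java.security.MessageDigest.isEqual, so a wrong
      guess takes the same time however many leading characters happen to match. --->
<cffunction name="secureEquals" returntype="boolean" output="false">
    <cfargument name="a" type="string" required="true">
    <cfargument name="b" type="string" required="true">
    <cfset var md = createObject("java", "java.security.MessageDigest")>
    <cfreturn md.isEqual(charsetDecode(arguments.a, "UTF-8"),
                         charsetDecode(arguments.b, "UTF-8"))>
</cffunction>

<!--- ===== register.cfm: store a per-user salt and the hash, never the password ===== --->
<cfif structKeyExists(form, "username") AND structKeyExists(form, "password")>
    <!--- generateSecretKey is backed by a cryptographically secure generator; it is
          used here only as a convenient source of 32 random salt bytes (base64). --->
    <cfset salt = generateSecretKey("AES", 256)>
    <cfset storedHash = hashPassword(form.password, salt)>

    <cfquery datasource="#Request.DSN#">
        INSERT INTO users (username, email, name, password_salt, password_hash)
        VALUES (<cfqueryparam cfsqltype="cf_sql_varchar" value="#form.username#">,
                <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.email#">,
                <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.name#">,
                <cfqueryparam cfsqltype="cf_sql_varchar" value="#salt#">,
                <cfqueryparam cfsqltype="cf_sql_varchar" value="#storedHash#">)
    </cfquery>
</cfif>

<!--- ===== your.cfm: the login check ===== --->
<cfif structKeyExists(form, "username") AND structKeyExists(form, "password")>
    <!--- 1. Look the account up by username ONLY. The password is never part of the
          WHERE clause, so two users sharing a password can never hit each other's row. --->
    <cfquery name="user_login" datasource="#Request.DSN#">
        SELECT email, username, name, password_salt, password_hash
        FROM   users
        WHERE  username = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.username#">
    </cfquery>

    <!--- 2. Recompute the hash with that user's salt and compare in constant time.
          Exactly one row must come back; zero rows means unknown user. --->
    <cfset loginOk = false>
    <cfif user_login.recordCount EQ 1>
        <cfset loginOk = secureEquals(hashPassword(form.password, user_login.password_salt),
                                      user_login.password_hash)>
    </cfif>

    <cfif loginOk>
        <!--- 3. Only identity data goes into the session: never the password,
              its hash, or the salt. --->
        <cfset Session.Logged = "true">
        <cfset Session.userName = user_login.username>
        <cfset Session.emailname = user_login.email>
        <cfset Session.name = user_login.name>
        <cflocation url="your.cfm" addtoken="false">
    <cfelse>
        <!--- Same message whether the username or the password was wrong, so the
              login form does not confirm which usernames exist. --->
        <p>Invalid username or password.</p>
    </cfif>
</cfif>
```

Two points worth checking when adopting this: existing rows hold `encrypt()` output, so they need a one-off migration (decrypt with `Request.PasswordKey`, re-hash, then drop the key and the old column); and the iterated SHA-512 is the portable stand-in available in plain CFML, so where a dedicated password KDF such as bcrypt or PBKDF2 is reachable through Java, use that inside `hashPassword` instead and keep the rest of the flow unchanged.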
