A container for user login and authentication code. ColdFusion runs the code in this tag only if a user is not already logged in. You put code in the tag body that authenticates the user and identifies the user with a set of roles. Used with the cfloginuser tag.
```cfml
<cflogin
    applicationToken = "token"
    cookieDomain = "domain"
    idletimeout = "value"
    allowconcurrent = "true|false"
    usebasicauth = "true|false">
    ...
    <cfloginuser name = "name" password = "password" roles = "roles">
</cflogin>
```
See also: cfloginuser, cflogout, GetAuthUser, GetUserRoles, IsUserInAnyRole, IsUserInRole, IsUserLoggedIn, and "Securing Applications" in Developing ColdFusion Applications.
ColdFusion 11: Added two new attributes, allowconcurrent and usebasicauth.
ColdFusion 8: The applicationtoken attribute lets you specify a unique application identifier for each application, or the same value for multiple applications.
ColdFusion MX 6.1: Changed behavior: the cflogin variable exists when ColdFusion receives a request with NTLM or Digest (HTTP Negotiated header) authentication information.
ColdFusion MX: Added this tag.
| Attribute | Req/Opt | Default | Description |
|---|---|---|---|
| applicationtoken | Optional | The current application name | The login that applies to the application. To let users log in to only one application, specify a unique value for that application. To let users log in to multiple applications, specify the same value for those applications. If you do not set a value for the applicationtoken attribute, the default value is CFAUTHORIZATION_applicationname. |
| cookiedomain | Optional | | Domain of the cookie that is used to mark a user as logged in. Use this attribute to enable a user login cookie to work with multiple clustered servers in the same domain. |
| idletimeout | Optional | 1800 | Time interval, in seconds, after which ColdFusion logs off the user. |
| allowconcurrent | Optional | true | Whether concurrent login sessions should be allowed. |
| usebasicauth | Optional | true | Whether basic authentication should be used to validate the login. |
The body of this tag executes only if there is no logged-in user. When using application-based security, you put code in the body of the cflogin tag to check the user-provided ID and password against a data source, LDAP directory, or other repository of login identification. The body must include a cfloginuser tag to establish the authenticated user's identity in ColdFusion.
You control the data source and are responsible for coding the SQL within the cflogin tag; make sure that the associated database has user, password, and role information.
The cflogin tag has a built-in cflogin structure that contains two variables, cflogin.name and cflogin.password, if the page is executing in response to any of the following:
The following example shows a simple authentication. This code is typically placed in the Application.cfc onRequestStart method or in the Application.cfm page.
```cfml
<cflogin>
    <cfif NOT IsDefined("cflogin")>
        <cfinclude template="loginform.cfm">
        <cfabort>
    <cfelse>
        <cfif cflogin.name eq "admin">
            <cfset roles = "user,admin">
        <cfelse>
            <cfset roles = "user">
        </cfif>
        <cfloginuser name = "#cflogin.name#" password = "#cflogin.password#" roles = "#roles#"/>
    </cfif>
</cflogin>
```
The following view-only example checks the user ID and password against a data source:
```cfml
<!--- Both cfqueryparam tags were missing their closing ">" in the original listing --->
<cfquery name="qSecurity" datasource="UserRolesDb">
    SELECT Roles
    FROM SecurityRoles
    WHERE username = <cfqueryparam value="#cflogin.name#" cfsqltype="CF_SQL_VARCHAR">
      AND password = <cfqueryparam value="#cflogin.password#" cfsqltype="CF_SQL_VARCHAR">
</cfquery>
<cfif qSecurity.recordcount gt 0>
    <cfloginuser name = "#cflogin.name#" password = "#cflogin.password#" roles = "#trim(qSecurity.Roles)#">
</cfif>
```
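A fuller Application.cfc login flow built from the same tags, added here as an illustration and not part of the Adobe documentation; the data source UserRolesDb, a Users table with username, passwordhash, salt and roles columns, the loginform.cfm template and the "/admin/" path are all assumptions. It verifies a stored salted digest instead of comparing the plaintext password in SQL, and shows cflogout and a role check alongside cflogin:

```cfml
<!--- Application.cfc (assumed data source "UserRolesDb", table Users(username, passwordhash, salt, roles)) --->
<cfcomponent>
  <cfset this.name = "exampleApp">
  <cfset this.sessionManagement = true>

  <cffunction name="onRequestStart" returnType="boolean" output="false">
    <cfargument name="targetPage" type="string" required="true">

    <!--- Handle an explicit logout request before the login check runs --->
    <cfif structKeyExists(url, "logout")>
      <cflogout>
    </cfif>

    <!--- The body runs only while no user is logged in; idle sessions expire after 15 minutes --->
    <cflogin applicationToken="exampleApp" idletimeout="900" usebasicauth="false">
      <cfif NOT isDefined("cflogin")>
        <cfinclude template="loginform.cfm">
        <cfabort>
      <cfelse>
        <!--- Look up the stored salt and digest by username only; user input goes through cfqueryparam --->
        <cfquery name="qUser" datasource="UserRolesDb" maxrows="1">
          SELECT passwordhash, salt, roles
          FROM Users
          WHERE username = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
        </cfquery>
        <cfset loginOk = false>
        <cfif qUser.recordCount eq 1>
          <!--- Stored passwordhash is assumed to be hash(salt & password, "SHA-256") in the same hex case --->
          <cfset submittedHash = hash(qUser.salt & cflogin.password, "SHA-256")>
          <cfset loginOk = (compare(submittedHash, qUser.passwordhash) eq 0)>
        </cfif>
        <cfif loginOk>
          <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#trim(qUser.roles)#">
        <cfelse>
          <!--- Same response for an unknown user and a wrong password --->
          <cfset request.loginError = "Invalid username or password.">
          <cfinclude template="loginform.cfm">
          <cfabort>
        </cfif>
      </cfif>
    </cflogin>

    <!--- Once a user is logged in, gate the admin area on the role set by cfloginuser --->
    <cfif findNoCase("/admin/", arguments.targetPage) AND NOT isUserInRole("admin")>
      <cfthrow type="AccessDenied" message="Admin role required">
    </cfif>
    <cfreturn true>
  </cffunction>
</cfcomponent>
```

The salted SHA-256 digest only stands in for whatever scheme the assumed passwordhash column actually uses; a deliberately slow password hashing function is the better choice for a new user store.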