
I have a login in my new application that checks on each request if the user is logged in. If the user is not logged in, they will automatically be redirected to the login page. I have a situation where the user clicks on Forgot Password. In that case I generate a temporary link that will direct the user to the reset.cfm page. However, the problem is that the user is not logged in, and if I try to click on the link that should direct me to reset.cfm, my code will direct me instead to login.cfm. Here is the logic that I use in Application.cfc:

public boolean function onRequestStart(required string thePage) output="false" {
    // Keep only the file name of the requested template, e.g. "Login.cfm"
    local.page = listLast(arguments.thePage,"/");
    //onApplicationStart();

    // Every page except the login page and the auth component requires a session
    if(!listFindNoCase("Login.cfm,Authentication.cfc",local.page)){
        // Only sessions that have been explicitly marked as logged out are redirected
        if(structKeyExists(SESSION, "loggedin") AND SESSION.loggedin EQ false){
           location(url="https://example.com", addToken="false");
        }
    }

    return true;
}

As you can see in the example above, on each request I check the flag loggedin. I'm wondering how I can let the user access the Reset.cfm?token=94129873129 link? I would like to keep my logic working the same for users that are not logged in. At the same time I need to give them access to Reset.cfm. If anyone has suggestions on how this can be achieved, or a better way to handle this, please let me know. One solution I was thinking about was this, in Main.cfm:

<cfif structKeyExists(url,"token")>
    <cfinclude template="Reset.cfm">
<cfelse>
    <cfinclude template="Login.cfm">
</cfif>

If the url parameter token exists, then direct the user to Reset.cfm; if not, to Login.cfm.

espresso_coffee
    Can you just add "Reset.cfm" to your list of pages? `if(!listFindNoCase("Login.cfm,Authentication.cfc, Reset.cfm",page)){...` – Shawn Sep 18 '18 at 18:30
  • @Shawn Next statement inside of that `if` will redirect to the main page if user is not logged in. – espresso_coffee Sep 18 '18 at 18:32
  • @espresso_coffee reread your if statements. In your question, if the first statement is true, the second isn't evaluated, and the user cannot be redirected. Unless the logic in your question doesn't match your application, Shawn's comment should work. – Twillen Sep 18 '18 at 19:35

1 Answer


Hello, you can write conditions like below. Please add a whitelist concept. In that whitelist you can add the file list (the files you can access without login; here I gave the example of reset.cfm and register.cfm, both of which we can access without login). Then put a condition on these like below.

public any function onRequestStart(required string thePage) output="false" {
    // File name of the requested template, taken from the CGI scope
    local.page = listLast(CGI.SCRIPT_NAME,"/");
    // Here you can add the pages you want to be accessible without login.
    local.whiteList = ['reset.cfm','register.cfm'];

    // Redirect when the page is not the login page, no login flag exists,
    // and the page is not on the whitelist (the name comparison ignores case)
    if( local.page NEQ 'login.cfm' AND !StructKeyExists( session, "loggedin" ) && !arrayFindNoCase(local.whiteList,local.page ) ) {
        location( url="login.cfm", addtoken='false' );
    }

    // Returning true lets the request continue to the requested page
    return true;
}

I hope it will be helpful to you. Please let me know your thoughts on this.

Kannan.P
    Hello, I just tried adding `Reset.cfm` like @Shawn suggested in the comments and that worked just fine. I still haven't tested your solution. Not sure if that would be necessary since adding the page in the list seems enough. – espresso_coffee Sep 19 '18 at 11:07
  • Hopefully you will have to add a number of files in the future if your application is a big and famous one. At that time you will need to move to this kind of solution, which is a good one, like adding a whitelist and a block list. Thanks. – Kannan.P Sep 19 '18 at 11:18
  • One more thing that I want to check is what is the purpose of `thePage` argument? I do not see that argument used anywhere in the function. My guess is that you instead use `CGI.SCRIPT_NAME` to pull all the pages from the directory, correct? – espresso_coffee Sep 19 '18 at 12:09
  • You don't need CGI.SCRIPT_NAME. That is the purpose of `thePage` variable. https://helpx.adobe.com/coldfusion/cfml-reference/application-cfc-reference/onrequeststart.html. – SOS Sep 19 '18 at 13:06
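Putting the asker's page list and the answer's allow-list together, as an added example that is not code from either poster: an Application.cfc that also initialises session.loggedin in onSessionStart, so a brand-new session that never had the key is treated as logged out instead of passing the structKeyExists test in the question. The application name and the login.cfm redirect target are assumptions; the page names come from the question and the comments.

```cfml
component {

    // Constructed application name for this example
    this.name = "ResetAllowListDemo";
    this.sessionManagement = true;

    public boolean function onSessionStart() {
        // Every new session starts logged out, so a missing key can never
        // slip past the check in onRequestStart.
        session.loggedin = false;
        return true;
    }

    public boolean function onRequestStart(required string thePage) {
        // Templates reachable without a login, matched on file name only
        // and case-insensitively (Reset.cfm and reset.cfm are the same page).
        local.publicPages = ["login.cfm", "authentication.cfc", "reset.cfm"];
        local.page = listLast(arguments.thePage, "/");

        // Not a public page and not logged in: send the visitor to login.cfm.
        // reset.cfm itself must still validate the token it receives before
        // it changes any password; the allow-list only lets the page render.
        if (arrayFindNoCase(local.publicPages, local.page) == 0
            && (!structKeyExists(session, "loggedin") || !session.loggedin)) {
            location(url = "login.cfm", addToken = false);
        }

        return true;
    }

}
```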