3

I am very new to ColdFusion (started yesterday). I am trying to create a session variable in checklogin.cfm that equals the username input from the form, so I can display the username on the result page. Is it possible to do so? Or is there any better way to do this?

application.cfm

<cfset this.name = "Name of your application">
<cfset this.sessionManagement = true>

check_login.cfm

<!--- If username equals user1 and password equals password1, take user to home page. ---> 
<cfif form.userName eq "user1" AND form.password eq "password1">
  <cfset session.userName = form.userName/>
  <cflocation url="home.cfm" ADDTOKEN="Yes">
  <!--- If username doesn't equal user1 and/or password doesn't 
    equal password1, take user back to login page. ---> 
<cfelse>
  <cflocation url="login.cfm" ADDTOKEN="Yes">  
</cfif>

home.cfm

<cfoutput>
    <br>
     <b><font size="6">Enter the numbers you want to add:</font></b>
</cfoutput>

<!--- Add numbers form ---> 

<cfform action="result.cfm" method="post"> 
    <!--- Get numbers from user ---> 
    <p> 
        Enter first number: 
        <cfinput type="Text" name="number1" required="Yes" size="20"
          maxlength="100" message="You must enter a number.">
        <br> 

        Enter second number: 
        <cfinput type="Text" name="number2" required="Yes" size="20"
          maxlength="100" message="You must enter a second number.">
        <br>
    </p> 

    <!--- submit button ---> 
    <cfinput type="Submit" name="submitForm" value="Submit"> 
</cfform> 

login.cfm

<cfform action="check_login.cfm" method="post"> 
    <!--- Get login info from user ---> 
    <p> 
        UserName: 
        <cfinput type="Text" name="userName" required="Yes" size="20" maxlength="25" 
          message="Username is required and must be less than 25 characters.">
        <br> 

        Password: 
        <cfinput type="password" name="password" required="Yes" size="20" maxlength="20" 
          message="Password is required and must be less than 20 characters.">
        <br>
    </p> 

    <!--- submit button ---> 
    <cfinput type="Submit" name="submitForm" value="Submit"> 
   </cfform> 

result.cfm

<cfset result = form.number1 + form.number2 >
<cfoutput>
     <b><font size="6">Hi #session.userName#! </font></b><br> 
     <br>
    <!-- Display result to user. -->
    <font size="5">Your result is: #result#</font>
</cfoutput>

The problem is with the result page, where it says `Element USERNAME is undefined in SESSION`, pointing to the line `<b><font size="6">Hi #session.userName#! </font></b>`

Shawn
  • What exactly isn't working? If you enter the correct username and password does it redirect you to home.cfm? If it does, what happens when you use `cfdump` to view the value of `session.userName`? – Seanvm Dec 03 '18 at 06:29
  • @Seanvm It does redirect to home page. The problem is with the result page, where it says 'Element USERNAME is undefined in SESSION' pointing to line 'Hi #session.userName#!' – user8968494 Dec 03 '18 at 16:34
  • Using cfdump gives the same error, pointing to cfdump line. – user8968494 Dec 03 '18 at 16:35
  • 4
    @user8968494 since you're new to CF, I feel a need to advise you to avoid using CF elements, like cfform and cfinput, otherwise your code will be forever dependent on these elements working correctly, and you have limited ability to customize them. Better to use straight html and then code up your own functionality as needed. – Redtopia Dec 03 '18 at 19:26
  • 1
    I would echo Redtopia, and I would also add that any time you pass user variables around, you should do some good validation on them. https://www.owasp.org/index.php/Injection_Prevention_Cheat_Sheet – Shawn Dec 03 '18 at 21:08
  • 1
    And I would also suggest that you look at cfscript syntax instead of tag syntax. Especially if you are familiar with Javascript. – Shawn Dec 03 '18 at 21:09
  • What version of ColdFusion are you using? – Shawn Dec 03 '18 at 21:14
  • Can you check whether you have session management turned on in your Application.cfc? – Keshav jha Dec 04 '18 at 00:39
  • 2
    Why did you remove the details from your question? Those are needed for us to help you. If you have changed your code from the initial post, that's okay, but you should add those new details to your original question so the context of these comments and answers remains. – Miguel-F Dec 04 '18 at 12:52
  • 1
    @Miguel-F I added those contents back. The question kinda needs those details. – Shawn Dec 04 '18 at 19:10
  • Thanks @Shawn, I agree – Miguel-F Dec 04 '18 at 19:41
  • Nothing to do with the question, but passwords should be hashed, not stored in plain text. That is a totally separate topic, but do a search and you'll find plenty of threads. – SOS Dec 04 '18 at 22:10

1 Answer

5

To fix the error mentioned you need to move the setting of the session variable above the <cflocation> tag in your check_login.cfm file.

From this:

<!--- If username equals user1 and password equals password1, take user to home page. ---> 
<cfif form.userName eq "user1" AND form.password eq "password1">
    <cflocation url="home.cfm">
<!--- If username doesn't equal user1 and/or password doesn't equal password1, take user back to login page. ---> 
<cfelse>
    <cflocation url="login.cfm">  
</cfif>
<cfset session.userName = form.userName/>

To something like this:

<!--- If username equals user1 and password equals password1, take user to home page. ---> 
<cfif form.userName eq "user1" AND form.password eq "password1">
    <cfset session.userName = form.userName/>
    <cflocation url="home.cfm">
<!--- If username doesn't equal user1 and/or password doesn't equal password1, take user back to login page. ---> 
<cfelse>
    <cflocation url="login.cfm">  
</cfif>

The reason for this is because ColdFusion will stop processing the rest of your file when it encounters the <cflocation> tag. When it processes that tag it will immediately send a redirect back to the user. So your code to set the session variable was never running.

Updated example using CFLOCK around the setting of the session variable

<!--- If username equals user1 and password equals password1, take user to home page. ---> 
<cfif form.userName eq "user1" AND form.password eq "password1">
    <cflock scope="session" type="exclusive" timeout="10">
        <cfset session.userName = form.userName/>
    </cflock>
    <cflocation url="home.cfm">
<!--- If username doesn't equal user1 and/or password doesn't equal password1, take user back to login page. ---> 
<cfelse>
    <cflocation url="login.cfm">  
</cfif>
Miguel-F
  • I moved it like you said, but it's still giving the same error on result page. – user8968494 Dec 03 '18 at 19:49
  • Then something else is wrong. Based on what you have provided so far that should fix the issue. Update your question with the latest code and error message. – Miguel-F Dec 03 '18 at 20:50
  • @user8968494 Your cookies may not be getting set to pass the session through. https://helpx.adobe.com/coldfusion/kb/missing-session-variables-using-cflocation.html – Shawn Dec 03 '18 at 21:14
  • @Shawn I added ADDTOKEN="Yes" in cflocation after going through that article. No change in error though. It says not to set session variable in same template as cflocation. Where should I set it then? – user8968494 Dec 03 '18 at 22:18
  • 2
    You do not need (and should not use) the `addtoken="yes"` attribute. That will expose your cookies in the URL. That is bad. Try adding a `cflock` around the setting of your session variables. I have updated my answer with an example of what I mean. I use this with `cflocation` on the same page and it works for me. – Miguel-F Dec 04 '18 at 12:56
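
A hardened version of the two templates this thread turns on, written as an added example rather than code from the question or the answer: check_login.cfm sets the session variable before redirecting and keeps session tokens out of the URL, and result.cfm handles a missing session and non-numeric input. It assumes ColdFusion 10 or later (for `sessionRotate` and `encodeForHTML`), standard ColdFusion sessions rather than J2EE sessions, and that session management is enabled for the application.

```cfml
<!--- ===== check_login.cfm (added example, not the original poster's code) ===== --->
<cfparam name="form.userName" default="">
<cfparam name="form.password" default="">

<!--- Demo credentials copied from the question; a real application checks a salted password hash.
      "eq" compares case-insensitively, so the password uses compare(), which is case-sensitive. --->
<cfif form.userName eq "user1" AND compare(form.password, "password1") eq 0>
    <!--- Issue a fresh session identifier at login so a pre-login ID cannot be reused. --->
    <cfset sessionRotate()>
    <!--- Set the session variable BEFORE cflocation: nothing after the redirect tag runs. --->
    <cflock scope="session" type="exclusive" timeout="10">
        <cfset session.userName = form.userName>
    </cflock>
    <!--- addtoken="no" keeps CFID/CFTOKEN out of the URL; the session travels in cookies only. --->
    <cflocation url="home.cfm" addtoken="no">
<cfelse>
    <cflocation url="login.cfm" addtoken="no">
</cfif>

<!--- ===== result.cfm (added example) ===== --->
<!--- No logged-in session: go back to the login form instead of failing with
      "Element USERNAME is undefined in SESSION". cflocation stops the request here. --->
<cfif NOT structKeyExists(session, "userName")>
    <cflocation url="login.cfm" addtoken="no">
</cfif>

<!--- Treat missing form fields as empty so the numeric check below rejects them. --->
<cfparam name="form.number1" default="">
<cfparam name="form.number2" default="">

<cfoutput>
<cfif isNumeric(form.number1) AND isNumeric(form.number2)>
    <cfset result = form.number1 + form.number2>
    <!--- The user name came from a form field, so encode it before writing it into HTML. --->
    <b>Hi #encodeForHTML(session.userName)#!</b><br>
    Your result is: #result#
<cfelse>
    <b>Both values must be numbers.</b>
</cfif>
</cfoutput>
```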