cflogin

A container for user login and authentication code. ColdFusion runs the code in this tag if a user is not already logged in. You put code in the tag that authenticates the user and identifies the user with a set of roles. Used with cfloginuser tag.

ColdFusion MX 6.1: Changed behavior: the cflogin variable exists when ColdFusion receives a request with NTLM or Digest (CFHTTP Negotiated header) authentication information.

Attribute	Req/Opt	Default	Description
idletimout	Optional	1800	Time interval with no keyboard activity after which ColdFusion logs the user off. Seconds.
applicationtoken	Optional	The current application name	Unique application identifier. Limits the login validity to one application, as specified by the `cfapplication` tag.
cookiedomain	Optional		Domain of the cookie that is used to mark a user as logged in. Use this attribute to enable a user login cookie to work with multiple clustered servers in the same domain.

The body of this tag executes only if there is no logged-in user. When using application-based security, you put code in the body of the cflogin tag to check the user-provided ID and password against a data source, LDAP directory, or other repository of login identification. The body must include a cfloginuser tag to establish the authenticated user's identity in ColdFusion.

The cflogin tag has a built-in cflogin structure that contains two variables, cflogin.name and cflogin.password, if the page is executing in response to any of the following:

You can use these values in the cflogin tag body to authenticate the user, and, in the cfloginuser tag, to log the user in. The structure is only available in the cflogin tag body.

The following example shows a simple authentication. This code is typically in the application.cfm page.

Comments are no longer accepted for ColdFusion MX 6.1. ColdFusion 8 is the current version.

Comments

areeves said on Mar 3, 2004 at 8:01 AM :

How does it use a data source? I don't see any documentation on how to use cfloinuser to a data souce?

No screen name said on Mar 4, 2004 at 7:19 PM :

Yea, I have been looking all around for how the data source is accessed and cannot find it. Hopefully the roles will be located in the same datasource, and the logged in user's role can be accessed anywhere in the session.. Can someone tell us how to use the data source??

jrunrandy said on Mar 5, 2004 at 5:43 AM :

You are responsible for coding the SQL within the CFLOGIN. So the data source is something you control,
and you need to make sure that the associated database has user, password, and role information.

Something like:

<CFQUERY NAME="qSecurity"
DATASOURCE="UserRolesDb">
SELECT Roles FROM SecurityRoles
WHERE username='#cflogin.name#'
and password='#cflogin.password#'
</CFQUERY>

<CFIF qSecurity.recordcount gt 0>
<CFLOGINUSER NAME = "#cflogin.name#"
PASSWORD = "#cflogin.password#"
ROLES = "#trim(qSecurity.Roles)#" >
</CFIF>

fribble said on May 17, 2004 at 6:33 AM :

Have there been compatability issues with Mac Netscape? My implementation works on Mac IE, PC IE, PC Netscape but wont allow login on Mac Netscpe.

cfoli said on Jul 26, 2004 at 2:13 AM :

What is exactly cflogin in >> IsDefined("cflogin") << ?
Is CFLOGINUSER supposed to create some kind of struct ?

I have implemented a quick application using CFLOGIN & CFLOGINUSER , and tested that it is working fine with GetAuthUser() and IsUserInRole(), and it works fine.

However, when I try to CDFUMP #cflogin#, the variable doesn't exist... Also when trying to IsDefined("cflogin") after successfully authenticating, the IsDefined is FALSE...

So back to the very first line of this message... What is exactly cflogin in >> IsDefined("cflogin") << ?

Thanks!! :)

jrunrandy said on Jul 27, 2004 at 5:34 AM :

I believe that the page explains that the cflogin tag has a built-in cflogin structure.

If your application continues to have problems, I suggest posting your code to the online forums: http://webforums.macromedia.com/coldfusion/

snow811 said on Aug 16, 2004 at 11:24 AM :

after one uses cfloginuser, and then logsout using cflogout, when click the back button and refreshing the page, the user is still logged in. Then the user may navigate to pages within the application.

Mike Rolfes said on Oct 16, 2004 at 4:33 PM :

I seem to have found a quirk with the CFLOGOUT tag and the GetAuthUser function. When I used it from a customized CFC, the logout deleted the session.cfauthorization variable which seems to be the variable responsible for keeping track of logins, but the GetAuthUser function after logging out returns my Windows OS login ID instead of a blank string. Am I reading missing something?

No screen name said on Oct 29, 2004 at 9:47 AM :

It is worth noting here that if you <cflocation> out of the <cflogin> block, even after the <cfloginuser> call, the user will not be logged in.

CFspider said on Nov 17, 2004 at 3:31 PM :

getAuthUser needs CFLOGIN

The getAuthUser and isUserInRole functions will only work if the CFLOGIN tag was encountered previously within the scope of the same request. In other words, if your CFLOGIN tag is not in your Application.cfm file, and you try to call getAuthUser or isUserInRole during the scope of a request where no CFLOGIN tag was encountered, you get an empty string and false respectively. This is not usually noticed because the CFLOGIN tag is in my Application.cfm file where it was clearly intended to go. Fortunately, a quick <cflogin/> tag before you call getAuthUser or isUserInRole fixes the issue by making the necessary variable scope available.

Is there anyway you see this workaround causing a problem?

Thanks

GreyLurk said on Nov 25, 2004 at 1:06 AM :

How does the information from HTTP basic and/or digest come in? Is cflogin always defined if the web server requires HTTP basic and/or digest?

-r- said on Dec 10, 2004 at 6:52 PM :

IdleTimeout description: "Time interval with no keyboard activity after which ColdFusion logs the user off."

How can this be? You can have TONs of keyboard activity without causing a round trip to the server. How does the ColdFusion server know I am typing, say, an email message to someone? Is there a Psychic ColdFusion server out there somewhere? <kidding!!!>

MikerRoo said on Dec 19, 2004 at 12:18 AM :

idletimeout is misspelled in the legend.

mikesnp said on May 2, 2005 at 1:57 PM :

I encountering a problem with <cflogin> authentication in some cases. After login when the users accesses any page the following error occurs:

Can not decode string "ODA2Oic MEI1QllXLVYgICAKOkdFU0FVQ1RJT05T". The input string is not base64-encoded.

The string is variable.

I found the solution is to specify a "loginStorage" attribute in the CFAPPLICATION tag. In our case I set this to loginStorage="session".

Without the attribute, cfauthorization="ODA2Oic MEI1QllXLVYgICAKOkdFU0FVQ1RJT05T"
NOTICE THE WHITESPACE.

With the attribute, cfauthorization="ODA2Oic+MEI1QllXLVYgICAKOkdFU0FVQ1RJT05T" . Notice the + sign where the whitespace had been.

No screen name said on Sep 22, 2005 at 3:29 AM :

thanks

Rob 98765 said on Nov 13, 2005 at 12:13 PM :

Regarding what CFspider said on Nov 17, 2004 at 3:31 PM: Thanks for your insight and solution. This only seems to happen when you use session variables for the login, my application worked fine until I added loginstorage="session" at which point only your <cflogin/> trick got it working again.