
Login Password Security 1

Status
Not open for further replies.

jasonkeller

Programmer
May 23, 2001
16
US
I have created a user administration in ColdFusion and Access, and I was curious as to whether there is a way to secure a password so that the password given to the user can only be used by that user from a certain computer. That way that user cannot give it out to another person to view without permission. Like our competitors.
 
There are some semi-secure methods.

Such as dropping a cookie on the computer when they sign up that must be present when logging in. Which won't work if cookies are turned off or if the same person tries to log in from their laptop. You can check the IP address of the user (but it will change if they are on a dial-up and disconnect).

I can't think of any other ways right now... Anybody else?

Hope it helps.


 
The cookie method is probably the best method and what I would use. If you really wanted to ensure it would work without cookies though, you could password protect each session and require the visitor to receive a new password via e-mail for each new session. This is more of a nuisance but will make it harder to share passwords. The original user would have to send the cfid, cftoken, & new password (if they even knew how) to the competitor within the session timeout for them to be able to get in. Just a matter of whether nuisance factor is worth the assurance that it will work without cookies.

GJ

 

I would set a cookie (with <CFCOOKIE... ) with the value of the ID that corresponds with the UserName and Password.

Then when you verify the UserName and Password Login also check to make sure there is a Cookie with the value of the ID.

You would write your Cookie like this:
<CFCOOKIE name="VerifyLogin" value="#ID#">

When you insert the UserName and Password into the database there are a few ways that you can get the ID. What I usually do when it is login info is check to be sure the UserName and Password are not already in the database, then simply query for them after inserting them.

Then when you verify login add

<CFIF Cookie.VerifyLogin eq #ID#>

If you have trouble with any part of it let us know.


 
I am not sure how to incorporate the verifylogin into what I have. I am new at the ColdFusion thing. Anyway, below is my login page. When the user submits his login and password, it is then posted to display.cfm, where I have used
<CFINCLUDE TEMPLATE="smileauthenticateusers.cfm">
for security of the display.cfm.


<FORM ACTION="display.cfm" METHOD=POST>

Username:<INPUT TYPE="text" NAME="UserName"
<CFIF #ParameterExists(Cookie.Username)# IS "Yes">VALUE="<CFOUTPUT>#Cookie.Username#</CFOUTPUT>"</CFIF>>

Password:</B><INPUT TYPE="password" NAME="Password"
<CFIF #ParameterExists(Cookie.Password)# IS "Yes" >VALUE="<CFOUTPUT>#Cookie.Password#</CFOUTPUT>"</CFIF>>



<INPUT TYPE="submit" VALUE=" Login Now " >&nbsp;
<INPUT TYPE="reset" VALUE=" Restart " >

</form>
 
Hi again JasonKeller,

It would probably work something like this:

<CFIF #ParameterExists(Cookie.VerifyLogin)# is "Yes">
<CFQUERY name="GetUser" datasource="#DSN#">
<!--- Bind the cookie value as a typed parameter rather than splicing it into the SQL --->
Select *
From EmployeeTable
Where EmployeeID = <CFQUERYPARAM VALUE="#Cookie.VerifyLogin#" CFSQLTYPE="CF_SQL_INTEGER">
</CFQUERY>
</CFIF>
<FORM ACTION="display.cfm" METHOD=POST>

Username:<INPUT TYPE="text" NAME="UserName"
<CFIF #ParameterExists(GetUser.Username)# IS "Yes">VALUE="<CFOUTPUT>#GetUser.Username#</CFOUTPUT>"</CFIF>>

Password:</B><INPUT TYPE="password" NAME="Password"
<CFIF #ParameterExists(GetUser.Password)# IS "Yes" >VALUE="<CFOUTPUT>#GetUser.Password#</CFOUTPUT>"</CFIF>>



<INPUT TYPE="submit" VALUE=" Login Now " >
<INPUT TYPE="reset" VALUE=" Restart " >

</form>

Remember the point is to have something in the cookie that they cannot easily tell is their username and password. That is why you drop the ID from the database instead of the username and password itself. This then looks for the ID in the cookie; if it is there, then it searches the database for the username and password that go along with it.

In order to get that ID into the cookie you would do something like this: When they first sign up they fill out a form where they choose a username and a password and fill in whatever other info you need, then they submit that. When they submit it you check to be sure that there is not already that combination of username and password in the database, and if there isn't then you insert it into the database. Immediately after that, query the database like this:

<CFQUERY name="getID" datasource="#DSN#">
<!--- Bind the form values as string parameters rather than splicing them into the SQL --->
Select *
From EmployeeTable
Where Username = <CFQUERYPARAM VALUE="#Form.Username#" CFSQLTYPE="CF_SQL_VARCHAR">
AND Password = <CFQUERYPARAM VALUE="#Form.Password#" CFSQLTYPE="CF_SQL_VARCHAR">
</CFQUERY>

<CFCOOKIE name="VerifyLogin" value="#GetID.EmployeeID#">

That should do it. If you can't tell where that code goes then post your page for inserting new people into the database and I'll see if I can figure it out.

Hope it helps.
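
An added sketch (not code from the thread, and not ColdFusion) of the cookie check discussed above, written in Python with an in-memory SQLite table standing in for the Access `admin` table: the cookie carries a random token instead of the row ID, only the token's hash is stored, and login requires both the password and the token. The columns `pw_salt`, `pw_hash` and `device_hash`, the function names and the PBKDF2 work factor are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def make_db():
    """In-memory stand-in for the thread's Access 'admin' table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE admin (persons_id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " username TEXT UNIQUE, pw_salt BLOB, pw_hash BLOB, device_hash TEXT)"
    )
    return db


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def register(db, username, password):
    """Create the user; return the value to place in the VerifyLogin cookie."""
    salt = secrets.token_bytes(16)
    token = secrets.token_urlsafe(32)  # random, unlike a sequential persons_id
    db.execute(
        "INSERT INTO admin (username, pw_salt, pw_hash, device_hash)"
        " VALUES (?, ?, ?, ?)",  # bound parameters, never string splicing
        (username, salt, _pw_hash(password, salt), _token_hash(token)),
    )
    return token


def login(db, username, password, cookie_value):
    """Succeed only if the password AND the enrolled browser's cookie match."""
    row = db.execute(
        "SELECT pw_salt, pw_hash, device_hash FROM admin WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return False
    salt, pw_hash, device_hash = row
    pw_ok = hmac.compare_digest(_pw_hash(password, salt), pw_hash)
    dev_ok = hmac.compare_digest(_token_hash(cookie_value or ""), device_hash)
    return pw_ok and dev_ok
```

A user who wants to share access can still copy the cookie along with the password, so this raises the effort of sharing rather than preventing it.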
 

So the following information - - - goes on my insert page?

<CFQUERY name="getID" datasource="#DSN#">
Select *
From EmployeeTable
Where Username = <CFQUERYPARAM VALUE="#Form.Username#" CFSQLTYPE="CF_SQL_VARCHAR">
AND Password = <CFQUERYPARAM VALUE="#Form.Password#" CFSQLTYPE="CF_SQL_VARCHAR">
</CFQUERY>

<CFCOOKIE name="VerifyLogin" value="#GetID.EmployeeID#">

After the Admin enters the info, this is my insert page.
I have tried it (I think I did it right), but I am getting a duplicate index, or primary key duplicate error. Do I need to set up a new record for a different id indexed with no duplicates?


<CFINSERT Datasource="smile" Tablename="admin" FormFields="name,email,username,password">
<HTML>
<HEAD>
<TITLE>Adding New User . . . Please Wait</TITLE>
<meta http-equiv="refresh" content="1;url=useradmin.cfm">
</HEAD>

<BODY>
<CENTER><FONT COLOR=black FACE="Arial" size=4><b>Adding New User . . . Please Wait</b></FONT></CENTER>

</BODY>
</HTML>

 
I'm not positive but I think you might be doing this in the wrong order.

Try it like this. This is your insert page:

Code:
<CFINSERT Datasource="smile" Tablename="admin" FormFields="name,email,username,password">
<CFQUERY name="getID" datasource="#DSN#">
  <!--- Bind the form values as string parameters rather than splicing them into the SQL --->
  Select *
  From admin
  Where username = <CFQUERYPARAM VALUE="#Form.Username#" CFSQLTYPE="CF_SQL_VARCHAR">
  AND password = <CFQUERYPARAM VALUE="#Form.Password#" CFSQLTYPE="CF_SQL_VARCHAR">
</CFQUERY>

<CFCOOKIE name="VerifyLogin" value="#GetID.ID#">

<HTML>
<HEAD>
    <TITLE>Adding New User . . . Please Wait</TITLE>
<meta http-equiv="refresh" content="1;url=useradmin.cfm">
</HEAD>

<BODY>
<CENTER><FONT COLOR=black FACE="Arial" size=4><b>Adding New User . . . Please Wait</b></FONT></CENTER>

</BODY>
</HTML>


I tried to adjust this for your table names and your field names. I'm not positive what your primary key field is named but whatever it is named make sure that is what you put in the red part.

<CFCOOKIE name="VerifyLogin" value="#GetID.ID#">

Otherwise, if that doesn't help, the error sounds like you are trying to do an insert with a primary key field filled in. If one of these fields "name,email,username,password" is the primary key, that won't work. You will need to add another field. Most people call it ID or User_ID or something like that. Make sure it is the primary key and that it is set to AutoNumber. Then when you insert just ignore it. Don't put it in the Formfields part. The database will take care of it.

If it still isn't working E-mail me both pages (or post them if you want) and I'll see what I can do.
 
By #DSN# do you mean my "smile" datasource, or is that a reserved tag or something?
<CFQUERY name="getID" datasource="#DSN#">
 
I believe I have it setup right. Here is the error I am getting. My primary key is persons_id and it is set up as an auto number.
------------------------------------------------------------
ODBC Error Code = 23000 (Integrity constraint violation)
[Microsoft][ODBC Microsoft Access Driver] The changes you requested to the table were not successful because they would create duplicate values in the index, primary key, or relationship. Change the data in the field or fields that contain duplicate data, remove the index, or redefine the index to permit duplicate entries and try again.

The error occurred while processing an element with a general identifier of (CFINSERT), occupying document position (1:1) to (1:89).
------------------------------------------------------------
User Login form:
----------------
<CFIF #ParameterExists(Cookie.VerifyLogin)# is "Yes">
<CFQUERY name="GetUser" datasource="smile">
Select *
From Admin
Where persons_id = <CFQUERYPARAM VALUE="#Cookie.VerifyLogin#" CFSQLTYPE="CF_SQL_INTEGER">
</CFQUERY>
</CFIF>
<HTML>
<HEAD>
<TITLE>MJ Grant Company</TITLE>

</HEAD>
<BODY leftMargin=0 topMargin=0 MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR=#93989B VLINK=BLACK ALINK=BLACK LINK=BLACK>
<TABLE CELLPADDING="0" CELLSPACING="0" BORDER="0" Align=center>
<TR>
<TD ALIGN=CENTER><BR>
<FONT SIZE=2 COLOR=black FACE="Arial"><FONT SIZE=4 COLOR=Black FACE="Arial"><B><IMG SRC="../images/smileheader.jpg" WIDTH=333 HEIGHT=77><BR></B>
<CENTER><FONT SIZE=2 COLOR=white FACE="Arial">For a secure account number,<BR>please contact us at: <BR><B>(480) 736-8646 #205 or <A HREF="mailto:gstousland@mjgrant.com?subject=Requesting Secure Account">email us.</A></B></FONT></FONT></CENTER><br><BR>
<FONT SIZE=2 COLOR=black FACE="Arial">If you already have secure account,<br>Please enter your<B> Username</B> and <B>Password</B>:</FONT><BR><BR></TD>
</TR>
</TABLE>
<TABLE BORDER=0 align=center>
<TR>
<TD ALIGN=CENTER>
<FORM ACTION="display.cfm" METHOD=POST>
<FONT FACE="Arial" SIZE=2 color=black><B>Username:</B></FONT>&nbsp;&nbsp;&nbsp;&nbsp;<INPUT TYPE="text" NAME="UserName"
<CFIF #ParameterExists(GetUser.UserName)# IS "Yes">VALUE="<CFOUTPUT>#GetUser.UserName#</CFOUTPUT>"</CFIF>> </TD>
</TR>
<TR>
<TD ALIGN=CENTER><FONT FACE="Arial" SIZE=2 color=black><B>Password:</B></FONT>&nbsp;&nbsp;&nbsp;&nbsp;<INPUT TYPE="password" NAME="Password"
<CFIF #ParameterExists(GetUser.Password)# IS "Yes" >VALUE="<CFOUTPUT>#GetUser.Password#</CFOUTPUT>"</CFIF>>



</TD>
</TR>
</TABLE>
<TABLE BORDER=0 ALIGN=CENTER>
<TR>
<TD ALIGN=CENTER><BR>&nbsp;&nbsp;&nbsp;&nbsp;<INPUT TYPE="submit" VALUE=" Login Now " style="background-color:#93989B; color:#000000; alpha(opacity=90)">&nbsp;<INPUT TYPE="reset" VALUE=" Restart " style="background-color:#93989B; color:#000000; alpha(opacity=90)"></TD>
</TR>
</TABLE>
</form>


</BODY>
</HTML>
------------------------------------------------------------
Admin Form to add new user:
---------------------------
<HTML>
<HEAD>
<TITLE>Smile.MJGrant.com Add New User Account</TITLE>

</HEAD>
<BODY leftMargin=0 topMargin=0 MARGINHEIGHT="0" MARGINWIDTH="0" VLINK=Red ALINK=Red LINK=Red><BR>
<CENTER><FONT SIZE=4 FACE="Arial"><B>Smile.MJGrant.com Add New User Account</B><BR></CENTER>
<CENTER><FONT SIZE=3 COLOR=Black FACE="Arial"><A HREF="smile.cfm">Back To Admin Page</A>&nbsp;&nbsp;
<A HREF="smilelogin.cfm">Logout</A></FONT></CENTER><BR>
<FORM METHOD=POST ACTION="processuser.cfm"><BR>
<TABLE BORDER=0 align=center>
<TR>
<TD><FONT FACE="Arial" COLOR="black" size=2>Users Name:</FONT></TD>
<TD><INPUT TYPE=text NAME="name" SIZE=25 MAXLENGTH=45></TD>
</TR>
<TR>
<TD><FONT FACE="Arial" COLOR=black size=2>Email Address:</FONT></TD>
<TD><INPUT TYPE=text NAME="email" SIZE=45 MAXLENGTH=45></TD>
</TR>
<tr><td><p>&nbsp;</p></td></tr>
<TR>
<TD><FONT FACE="Arial" COLOR="black" size=2>Users Login:</FONT></TD>
<TD><INPUT TYPE=text NAME="username" SIZE=25 MAXLENGTH=25></TD>
</TR>
<TR>
<TD><FONT FACE="Arial" COLOR="black" size=2>Users Password:</FONT></TD>
<TD><INPUT TYPE=text NAME="password" SIZE=25 MAXLENGTH=25></TD>
</TR>
<TR>
<TD></TD>
<TD><INPUT NAME="Submit" type="submit" VALUE="Add New User" ALIGN=top><INPUT NAME="reset" type="reset" value="Reset" ALIGN=absbottom></TD>
</TR>
</TABLE><BR>
<CENTER>


</CENTER>
</FORM>
</BODY>
</HTML>
------------------------------------------------------------
Processing Page/Insert Page:
----------------------------
<CFINSERT Datasource="smile" Tablename="admin" FormFields="name,email,username,password">
<CFQUERY name="getID" datasource="smile">
Select *
From admin
Where UserName = <CFQUERYPARAM VALUE="#Form.UserName#" CFSQLTYPE="CF_SQL_VARCHAR">
AND Password = <CFQUERYPARAM VALUE="#Form.Password#" CFSQLTYPE="CF_SQL_VARCHAR">
</CFQUERY>

<CFCOOKIE name="VerifyLogin" value="#GetID.persons_id#">
<HTML>
<HEAD>
<TITLE>Adding New User . . . Please Wait</TITLE>
<meta http-equiv="refresh" content="1;url=useradmin.cfm">
</HEAD>

<BODY>
<CENTER><FONT COLOR=black FACE="Arial" size=4><b>Adding New User . . . Please Wait</b></FONT></CENTER>

</BODY>
</HTML>

I really appreciate this help!


 
Well isn't that just a kick in the pants.
Sorry it took so long to get back, I was out of town.

That Insert code looks OK. I am assuming that the problem you're having is when you try to register a user from the admin page, it calls the Insert page and throws that error. I would check to see if any of your other fields are set to not allow duplicates, or if you have relationships set that aren't working out. More likely you have another field set to not allow duplicates. Make sure that the only field that cannot allow duplicates is the primary key.

Starting to sound like a database problem. We'll get it though.
 