I am using the following code to allow users to log in to a site. Some users have been getting bumped. Is there a problem with the way I set up my session variables? Do I need to make the variables more specific to a client? If so, how?
Code:
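<!---
    Login handler.
    Reads form.email, form.password and the optional form.fl flag, looks the
    user up in stuser, and then either redirects back to index.cfm with a
    failure code (nm=1: no matching row, nm=2: matching row with active = 0)
    or stores the user's details in the Session scope and sends the browser
    to main.cfm?pgid=1.
--->

<!--- Default the credentials so a request without these fields fails as a normal bad login instead of throwing. --->
<cfparam name="form.email" default="">
<cfparam name="form.password" default="">

<!--- Get user's details from the database --->
<!---
    NOTE(review): the submitted password is compared directly with the pwd
    column, which suggests passwords are stored unhashed. Confirm, and if so
    store a salted password hash and verify against that instead.
--->
<cfquery name="GetUser" ... >
SELECT *
FROM stuser
WHERE email = <cfqueryparam value="#form.email#" cfsqltype="cf_sql_varchar">
AND pwd = <cfqueryparam value="#form.password#" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- Classify the outcome: 0 = success, 1 = no matching user, 2 = account not active. --->
<cfif GetUser.RecordCount eq 0>
    <cfset failureCode = 1>
<cfelseif GetUser.active eq 0>
    <cfset failureCode = 2>
<cfelse>
    <cfset failureCode = 0>
</cfif>

<cfif failureCode gt 0>
    <!--- Pass the failure code, the optional fl flag and the entered e-mail back in the URL. --->
    <cfset loginpage = "index.cfm?nm=" & failureCode>
    <!---
        The original placed a <cfif> tag inside the string literal, where it is
        not evaluated as a tag. The flag is appended with a real conditional,
        and form.fl is checked for existence because it is optional.
    --->
    <cfif structKeyExists(form, "fl") and val(form.fl) gt 0>
        <cfset loginpage = loginpage & "&fl=1">
    </cfif>
    <!--- NOTE(review): the e-mail address ends up in the query string, so it will appear in browser history and server logs. --->
    <cfset loginpage = loginpage & "&Name=" & URLEncodedFormat(form.email)>
    <!---
        addtoken="no" keeps session identifiers (CFID/CFTOKEN) out of the
        redirect URL on engines where cflocation appends them by default; a URL
        carrying those values can be bookmarked, cached or shared, and whoever
        opens it would then present the same session identifiers.
    --->
    <cflocation url="#loginpage#" addtoken="no">
<cfelse>
    <!---
        NOTE(review): consider issuing a fresh session identifier at this point
        so that an identifier known before login is not carried into the
        authenticated session (e.g. SessionRotate() in ColdFusion 10 and later).
    --->
    <!--- Store the user's details in session variables. --->
    <cflock scope="Session" timeout="20" type="exclusive">
        <cfif structKeyExists(form, "fl")><cfset Session.fl = form.fl></cfif>
        <cfset Session.districtid = GetUser.districtid>
        <cfset Session.parentid = GetUser.parentid>
        <cfset Session.email = GetUser.email>
        <cfset Session.sfirst = GetUser.sfirst>
        <cfset Session.slast = GetUser.slast>
        <!---
            NOTE(review): keeping the password in the session is not needed to
            stay logged in and widens its exposure. It is retained here only
            because other pages may read Session.password; remove it once that
            is confirmed not to be the case.
        --->
        <cfset Session.password = GetUser.pwd>
    </cflock>
    <META HTTP-EQUIV=REFRESH CONTENT="0; URL=main.cfm?pgid=1">
</cfif>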