How to create a login only for the members area

2016-04-27

I am creating an e-commerce website for my project. I created an application.cfm page following this tutorial, using this code:

    <!--- Create the application --->
    <cfapplication name="MyApp"
        clientmanagement="Yes"
        sessionmanagement="Yes"
        sessiontimeout="#CreateTimeSpan(0,0,0,10)#"
        applicationtimeout="#CreateTimeSpan(0,0,0,10)#" />

    <!--- Now define that this user is logged out by default --->
    <CFPARAM NAME="session.allowin" DEFAULT="false" />

    <!--- Now define this user id to zero by default; this will be used later on to access specific information about this user. --->
    <CFPARAM NAME="session.user_id" DEFAULT="0" />

    <!--- Now if the variable "session.allowin" does not equal true, send the user to the login page --->
    <!--- The other thing you must check for is whether the page calling this Application.cfm is the "login.cfm" page or the "Login_process.cfm" page, since Application.cfm is always called; if this is not checked the application will simply loop over and over. To check that, you do the following: --->

    <cfif session.allowin neq "true">
        <cfif ListLast(CGI.SCRIPT_NAME, "/") EQ "loginn.cfm">
        <cfelseif ListLast(CGI.SCRIPT_NAME, "/") EQ "login_process.cfm">
        <cfelse>
            <!--- this user is not logged in, alert the user and redirect to the login page --->
            <script>
                alert("You must login to access this area!");
                self.location="loginn.cfm";
            </script>
        </cfif>
    </cfif>

Here is the Login_process.cfm page:

    <!--- Get all records from the database that match this user's credentials --->
    <cfquery name="qVerify" datasource="cfdb2">
        SELECT User_name, User_pass
        FROM uid_pass
        WHERE User_name = '#name#'
        and User_pass = '#pass#'
    </cfquery>

    <cfif qVerify.RecordCount>
        <!--- This user has logged in correctly, change the value of session.allowin --->
        <cfset session.allowin = "True" />

        <cfset session.User_name = qVerify.User_name />

        <!--- Now welcome the user and redirect to "<strong>members_only.cfm</strong>" --->
        <script>
            alert("Welcome user, you have been successfully logged in!");
            self.location="index.cfm";
        </script>
    <cfelse>
        <!--- this user did not log in correctly, alert and go back to the login page --->
        <script>
            alert("Your credentials could not be verified, please try again!!!");
            history.go(-1);
        </script>
    </cfif>

The problem I am facing with my code is that when I open the index page it asks me to log in. Without logging in I cannot proceed. The same happens if I open the registration.cfm page directly. How do I structure the code so that a guest can browse things, but must log in when using the "Add to cart" option?

Comment: Stop using Application.cfm and start using Application.cfc.

Answer

So you need to "whitelist" any pages that can be accessed without being logged in, something like:

    <cfif session.allowin neq "true">
        <!--- check if this is a page that doesn't require authentication --->
        <cfset currentScript = ListLast(CGI.SCRIPT_NAME, "/")>
        <cfif listFindNoCase("login.cfm,registration.cfm,login_process.cfm", currentScript) eq 0>
            <!--- redirect to the login.cfm page (cflocation's attribute is url, not href) --->
            <cflocation addtoken="false" url="login.cfm">
        </cfif>
    </cfif>

I notice you are using Application.cfm; you really should be using Application.cfc. Then you can hook into the application lifecycle. Your security check can go in the onRequestStart method, you can set up the session in the onSessionStart method, and so on.

Always use cfqueryparam in your queries to protect yourself from SQL injection attacks. Something like:

    <cfquery name="qVerify" datasource="cfdb2">
        SELECT User_name, User_pass
        FROM uid_pass
        WHERE User_name = <cfqueryparam value="#name#" cfsqltype="cf_sql_varchar">
        and User_pass = <cfqueryparam value="#pass#" cfsqltype="cf_sql_varchar">
    </cfquery>

I would also recommend you read up on storing passwords; from your code it looks like you are storing passwords in the database in plain text, which is bad. You want to look at using one-way password encryption.
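As an added example (not the asker's or the answerer's code) that pulls the three recommendations together: an Application.cfc that initialises the session in onSessionStart and enforces the guest whitelist in onRequestStart, plus a login_process.cfm that uses cfqueryparam and checks a salted PBKDF2 hash instead of a plain-text password. It assumes ColdFusion 11 or later (for generatePBKDFKey and sessionRotate), the datasource cfdb2, and that uid_pass also has user_id and User_salt columns with the hash stored in User_pass; the public page names are placeholders.

```cfml
<!--- ===== Application.cfc ===== --->
<cfcomponent output="false">
    <cfset this.name = "MyApp">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- every new visitor starts out logged out --->
        <cfset session.allowin = false>
        <cfset session.user_id = 0>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- pages a guest may view (assumed names); everything else needs a login --->
        <cfset var publicPages = "index.cfm,login.cfm,login_process.cfm,registration.cfm,product.cfm">
        <cfset var currentScript = listLast(arguments.targetPage, "/")>
        <cfif NOT session.allowin AND listFindNoCase(publicPages, currentScript) EQ 0>
            <!--- server-side redirect ends the request; a client-side alert would not --->
            <cflocation url="login.cfm" addtoken="false">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- ===== login_process.cfm (assumes uid_pass also has user_id and User_salt columns,
      and that User_pass holds a PBKDF2 hash made the same way at registration) ===== --->
<cfquery name="qUser" datasource="cfdb2">
    SELECT user_id, User_pass, User_salt
    FROM uid_pass
    WHERE User_name = <cfqueryparam value="#form.name#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfset loggedIn = false>
<cfif qUser.recordCount EQ 1>
    <!--- re-derive the hash from the submitted password and the stored salt; never query on the password itself --->
    <cfset submittedHash = generatePBKDFKey("PBKDF2WithHmacSHA256", form.pass, qUser.User_salt, 100000, 256)>
    <cfset loggedIn = (compare(submittedHash, qUser.User_pass) EQ 0)>
</cfif>

<cfif loggedIn>
    <cfset sessionRotate()>   <!--- fresh session id after login, so a pre-login id cannot be reused --->
    <cfset session.allowin = true>
    <cfset session.user_id = qUser.user_id>
    <cflocation url="index.cfm" addtoken="false">
<cfelse>
    <cflocation url="login.cfm?failed=1" addtoken="false">
</cfif>
```

The registration page has to store User_salt (for example from generateSecretKey("AES")) and a hash produced with the same generatePBKDFKey parameters, otherwise the comparison above can never succeed.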