I am creating an e-commerce website for my project work. I created an application.cfm page using the code from this tutorial:
<!--- Create the application --->
<cfapplication name="MyApp"
clientmanagement="Yes"
sessionmanagement="Yes"
sessiontimeout="#CreateTimeSpan(0,0,0,10)#"
applicationtimeout="#CreateTimeSpan(0,0,0,10)#" />
<!--- Now define that this user is logged out by default --->
<CFPARAM NAME="session.allowin" DEFAULT="false" />
<!--- Now define this user id to zero by default, this will be used later on to access specific information about this user. --->
<CFPARAM NAME="session.user_id" DEFAULT="0" />
<!--- Now if the variable "session.allowin" does not equal true, send user to the login page --->
<!--- The other thing you must check is whether the page calling this Application.cfm is the "login.cfm" page or the "Login_process.cfm" page, since Application.cfm is always called; if this is not checked, the application will simply loop over and over. To check that, you do the following: --->
<cfif session.allowin neq "true">
<cfif ListLast(CGI.SCRIPT_NAME, "/") EQ "loginn.cfm">
<cfelseif ListLast(CGI.SCRIPT_NAME, "/") EQ "login_process.cfm">
<cfelse>
<!--- this user is not logged in, alert user and redirect to the login.cfm page --->
<script>
alert("You must login to access this area!");
self.location="loginn.cfm";
</script>
</cfif>
</cfif>
This is the Login_process.cfm page:
<!--- Get all records from the database that match this users credentials --->
<cfquery name="qVerify" datasource="cfdb2">
SELECT User_name, User_pass
FROM uid_pass
WHERE User_name = '#name#'
and User_pass='#pass#'
</cfquery>
<cfif qVerify.RecordCount>
<!--- This user has logged in correctly, change the value of the session.allowin value --->
<cfset session.allowin = "True" />
<cfset session.User_name = qVerify.User_name />
<!--- Now welcome user and redirect to "<strong>members_only.cfm</strong>" --->
<script>
alert("Welcome user, you have been successfully logged in!");
self.location="index.cfm";
</script>
<cfelse>
<!--- this user did not log in correctly, alert and redirect to the login page --->
<script>
alert("Your credentials could not be verified, please try again!!!");
history.go(-1);
</script>
</cfif>
The problem I have with this code is that when I open the index page it asks me to log in. Without logging in, I cannot continue. The same thing happens if I open the registration.cfm page directly. How do I structure the code so that visitors can access the content, but must log in to use the "Add to cart" option?
Answer 0: (score: 1)
So you need to 'whitelist' any pages that can be accessed without logging in. For example:
<cfif session.allowin neq "true">
<!--- check if this is a page that doesn't require authentication --->
<cfset currentScript = ListLast(CGI.SCRIPT_NAME, "/")>
<cfif listFindNoCase("login.cfm,registration.cfm,login_process.cfm", currentScript) eq 0>
<!--- redirect to login.cfm page --->
<cflocation addtoken="false" url="login.cfm">
</cfif>
</cfif>
I notice you are using Application.cfm; you should really be using Application.cfc. Then you can hook into the application lifecycle: your security check can go in the onRequestStart method, and you can set up the session in the onSessionStart method, and so on.
Always use cfqueryparam in your queries to protect yourself from SQL injection attacks. Something like:
<cfquery name="qVerify" datasource="cfdb2">
SELECT User_name, User_pass
FROM uid_pass
WHERE User_name = <cfqueryparam value="#name#" cfsqltype="cf_sql_varchar">
and User_pass = <cfqueryparam value="#pass#" cfsqltype="cf_sql_varchar">
</cfquery>
I would also recommend you read up on storing passwords, because your code looks like it stores them in plain text in the database, which is bad. You want to look at using one-way password encryption.
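A fuller version of the Application.cfc approach the answer recommends, as an added example rather than code from the question or the answer: session defaults are set once in onSessionStart, and the whitelist check runs in onRequestStart, so a visitor can browse index.cfm or registration.cfm freely while a page such as cart.cfm (an assumed name) still forces a login. The page names in the whitelist, the timeouts and the session.returnTo variable are assumptions.

```cfml
<!--- Application.cfc (added example, assumed page names and timeouts) --->
<cfcomponent output="false">
    <cfset this.name = "MyApp">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
    <cfset this.applicationTimeout = createTimeSpan(1, 0, 0, 0)>

    <!--- Pages any visitor may open without logging in. Everything else
          (for example an assumed cart.cfm) requires session.allowin = true. --->
    <cfset this.publicPages = "index.cfm,registration.cfm,login.cfm,login_process.cfm,product.cfm">

    <!--- Runs once per new session: a visitor starts logged out --->
    <cffunction name="onSessionStart" returntype="void" output="false">
        <cfset session.allowin = false>
        <cfset session.user_id = 0>
    </cffunction>

    <!--- Runs before every request; targetPage is the path of the requested .cfm --->
    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var currentScript = listLast(arguments.targetPage, "/")>

        <cfif NOT session.allowin AND listFindNoCase(this.publicPages, currentScript) EQ 0>
            <!--- remember the protected page so login.cfm can send the user back (assumed variable) --->
            <cfset session.returnTo = currentScript>
            <cflocation url="login.cfm" addtoken="false">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Any page that receives the login form (login_process.cfm here) must itself be in the whitelist, otherwise the redirect loop the question's comments warn about comes back. The comparison against the file name only (listLast on the path) means a subdirectory layout still works as long as the whitelist names are unique.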
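Putting the answer's last two points together, as an added example that is not the answer's own code: a single auth_process.cfm (assumed name) that on registration stores a per-user salt and an iterated SHA-512 hash instead of the plain password, and on login looks the user up with cfqueryparam by name only and compares hashes in CFML, so the password never appears in the SQL at all. The column names user_id, pass_salt and pass_hash, the form field names and the hashPassword function are assumptions; the table name uid_pass and the datasource cfdb2 come from the question.

```cfml
<!--- auth_process.cfm (added example). Assumed columns: user_id, User_name, pass_salt, pass_hash --->

<!--- Salted, iterated one-way hash; hash() with an iteration count needs ColdFusion 10+ or Lucee --->
<cffunction name="hashPassword" returntype="string" output="false">
    <cfargument name="plain" type="string" required="true">
    <cfargument name="salt" type="string" required="true">
    <cfreturn hash(arguments.salt & arguments.plain, "SHA-512", "UTF-8", 10000)>
</cffunction>

<cfparam name="form.name" type="string" default="">
<cfparam name="form.pass" type="string" default="">

<!--- ===== registration branch (form has a "register" button) ===== --->
<cfif isDefined("form.register")>
    <!--- per-user random salt, so two users with the same password get different hashes --->
    <cfset newSalt = hash(createUUID() & getTickCount(), "SHA-256")>
    <cfquery datasource="cfdb2">
        INSERT INTO uid_pass (User_name, pass_salt, pass_hash)
        VALUES (
            <cfqueryparam value="#form.name#" cfsqltype="cf_sql_varchar" maxlength="64">,
            <cfqueryparam value="#newSalt#" cfsqltype="cf_sql_varchar">,
            <cfqueryparam value="#hashPassword(form.pass, newSalt)#" cfsqltype="cf_sql_varchar">
        )
    </cfquery>
    <cflocation url="login.cfm" addtoken="false">
</cfif>

<!--- ===== login branch (form has a "login" button) ===== --->
<cfif isDefined("form.login")>
    <!--- look the user up by name only; the submitted password is never part of the SQL --->
    <cfquery name="qUser" datasource="cfdb2">
        SELECT user_id, User_name, pass_salt, pass_hash
        FROM uid_pass
        WHERE User_name = <cfqueryparam value="#form.name#" cfsqltype="cf_sql_varchar" maxlength="64">
    </cfquery>

    <cfset loginOk = false>
    <cfif qUser.recordCount EQ 1>
        <!--- recompute the hash with the stored salt and compare; compare() returns 0 when equal --->
        <cfset loginOk = compare(hashPassword(form.pass, qUser.pass_salt), qUser.pass_hash) EQ 0>
    </cfif>

    <cfif loginOk>
        <!--- fresh session id after a privilege change (ColdFusion 10+/Lucee), then mark as logged in --->
        <cfset sessionRotate()>
        <cfset session.allowin = true>
        <cfset session.user_id = qUser.user_id>
        <cfset session.user_name = qUser.User_name>
        <cflocation url="index.cfm" addtoken="false">
    <cfelse>
        <!--- one generic failure path whether the name or the password was wrong --->
        <cflocation url="login.cfm?error=1" addtoken="false">
    </cfif>
</cfif>
```

Because the stored value is a one-way hash, a leaked uid_pass table no longer exposes the passwords themselves, and the login query can never be satisfied by crafted input in the password field, since that field is only ever compared in CFML after the row has been fetched.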