我正在尝试用 ColdFusion 创建一个安全的登录区域：用户名、密码和 user_id（可能通过 CFParam URL.user_id 传入）共同决定登录后显示哪些信息——有点像在线账户。目标是：用户用自己的凭据登录后，只能登录并访问自己的信息。而目前的问题是：页面要么默认显示数据库中的第一个用户，要么只要在浏览器地址栏里改一下 user_id 就能看到另一个用户的信息（也许可以通过加密 URL 变量来解决？）。下面是我过去一直用于安全登录的代码（可以正常工作），它还包含 3 次登录失败后锁定账户以及会话超时：
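<!---
    NOTE(review): URL.user_id is attacker-controlled. Anyone can change it in the
    browser bar, so it must never decide whose data is shown or where a login is
    redirected. The only trustworthy user id is the one written to the Session
    scope after a successful credential check (Session.MM_UserAuthorization);
    the landing page should read that and ignore any user_id in the URL.

    This query is kept only so that existing references to rs_user keep resolving.
    It is guarded so that a plain visit to the login page (no user_id supplied)
    no longer errors on the undefined URL variable, and so that a non-integer
    value cannot make the cf_sql_integer parameter throw.
--->
<cfif StructKeyExists(URL, "user_id") AND IsValid("integer", URL.user_id)>
    <cfquery name="rs_user" datasource="source">
    SELECT user_id
    FROM table
    WHERE user_id = <cfqueryparam value="#URL.user_id#" cfsqltype="cf_sql_integer">
    </cfquery>
<cfelse>
    <!--- Empty result set with the same column, so rs_user.user_id reads as "" instead of raising an error. --->
    <cfset rs_user = QueryNew("user_id", "integer")>
</cfif>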
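<cfif IsDefined("URL.MM_logout") AND URL.MM_logout EQ "1">
    <!---
        Log the user out and send them to index.cfm.

        Every session variable is removed, not just MM_Username and
        MM_UserAuthorization, so nothing stored during the session (and possibly
        read by other pages as "logged in" state) survives into the next login.
        NOTE(review): on ColdFusion 10+ SessionInvalidate() here, and SessionRotate()
        at login, are the stronger choice; not used because the server version is
        not known from this file.
    --->
    <cflock scope="Session" type="Exclusive" timeout="30" throwontimeout="no">
        <cfset StructClear(Session)>
    </cflock>

    <!--- Fixed, relative target: no user input can choose where the logout redirects. --->
    <cfset MM_logoutRedirectPage = "index.cfm">

    <!---
        Carry the current query string across, minus the MM_logout parameter itself.
        Parameters are matched by name, element by element; the previous substring
        search (ListContainsNoCase on "MM_logout=") also matched any parameter that
        merely contained that text, and ListDeleteAt errors on index 0 if ever
        nothing matches.
    --->
    <cfset variables.keptParams = "">
    <cfloop list="#CGI.QUERY_STRING#" index="variables.param" delimiters="&">
        <cfif CompareNoCase(ListFirst(variables.param, "="), "MM_logout") NEQ 0>
            <cfset variables.keptParams = ListAppend(variables.keptParams, variables.param, "&")>
        </cfif>
    </cfloop>
    <cfif Len(variables.keptParams)>
        <cfif Find("?", MM_logoutRedirectPage) EQ 0>
            <cfset MM_logoutRedirectPage = MM_logoutRedirectPage & "?" & variables.keptParams>
        <cfelse>
            <cfset MM_logoutRedirectPage = MM_logoutRedirectPage & "&" & variables.keptParams>
        </cfif>
    </cfif>
    <cflocation url="#MM_logoutRedirectPage#" addtoken="no">
</cfif>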
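<cfset CurrentPage = GetFileFromPath(GetBaseTemplatePath())>
<cfif IsDefined("FORM.loginfield")>
    <!---
        Process a submitted login form.

        Flow: read the lockout state for the submitted username; if the account is
        locked, bounce back with accountlocked=true; otherwise check the credentials.
        On success populate the Session scope and reset the failure counter; on
        failure bump the counter, locking the account once it reaches the limit.

        Security notes:
        - The id sent to the landing page is the id of the row that matched the
          credentials (MM_rsUser), never URL.user_id. A value typed into the browser
          bar is attacker-controlled; using it here redirected any visitor to
          landing_page.cfm?user_id=<whatever they typed>. The landing page must still
          treat its user_id parameter as untrusted: compare it with
          Session.MM_UserAuthorization, or ignore it and use the session value only.
        - The username is URL-encoded before being placed in the redirect so that
          '&', '?' or '#' in the input cannot add or alter query parameters.
        - The failure count is no longer echoed in the redirect: this page never read
          it, and an empty value for unknown usernames versus a number for known ones
          told an attacker which usernames exist.
        - NOTE(review): the credential query compares the submitted password with the
          stored column directly, which only works if the column holds plaintext
          passwords. Store salted password hashes and verify in CFML after fetching
          the row by username instead; that needs a schema migration and is not done
          here.
        - NOTE(review): on ColdFusion 10+ call SessionRotate() before writing the
          login keys to defeat session fixation; left out because the server version
          is not known from this file.
    --->
    <!--- Failures allowed before the account locks, and how long (minutes) the lock lasts. --->
    <cfset variables.maxFailedAttempts = 3>
    <cfset variables.lockoutMinutes = 5>
    <cfset MM_redirectLoginFailed = "#CurrentPage#?loginfailed=True&loginfield=#URLEncodedFormat(FORM.loginfield)#">
    <cfset variables.blnAllowLogin = false>
    <cfset variables.isLocked = false>
    <!---
        True when a previous lock has run out. The failure counter is then restarted
        from 1 rather than continued; previously it stayed at 3 after the lock expired,
        so a single new failure re-locked the account immediately.
    --->
    <cfset variables.lockExpired = false>

    <!--- Current lockout state for the submitted username (no rows if the username is unknown). --->
    <cfquery name="qryUserAttempts" datasource="source">
    SELECT
        user_id,
        dateLocked,
        failedLoginAttempt
    FROM
        table
    WHERE
        username = <cfqueryparam value="#FORM.loginfield#" cfsqltype="cf_sql_varchar" maxlength="255">
    </cfquery>

    <cfif qryUserAttempts.recordcount AND IsDate(qryUserAttempts.dateLocked)>
        <cfset variables.intMinSinceLocked = DateDiff("n", qryUserAttempts.dateLocked, Now())>
        <cfif variables.intMinSinceLocked GT variables.lockoutMinutes>
            <cfset variables.blnAllowLogin = true>
            <cfset variables.lockExpired = true>
        <cfelse>
            <cfset variables.isLocked = true>
        </cfif>
    <cfelse>
        <!--- Not locked, or unknown username: fall through to the credential check, which fails an unknown name with the same generic message as a wrong password. --->
        <cfset variables.blnAllowLogin = true>
    </cfif>

    <cfif variables.blnAllowLogin>
        <cfquery name="MM_rsUser" datasource="source">
        SELECT user_id, username, password
        FROM table
        WHERE username = <cfqueryparam value="#FORM.loginfield#" cfsqltype="cf_sql_varchar" maxlength="255">
        AND password = <cfqueryparam value="#FORM.password#" cfsqltype="cf_sql_varchar" maxlength="255">
        </cfquery>

        <cfif MM_rsUser.RecordCount>
            <!--- Authenticated: record the user in the session (the username as stored, not as typed). --->
            <cflock scope="Session" timeout="30" type="Exclusive">
                <cfset Session.MM_Username = MM_rsUser.username[1]>
                <cfset Session.MM_UserAuthorization = MM_rsUser.user_id[1]>
            </cflock>
            <!--- Clear the failure history of the authenticated row. --->
            <cfquery name="qryResetAttempts" datasource="source">
            UPDATE table
            SET
                failedLoginAttempt = 0
                ,dateLocked = NULL
            WHERE
                user_id = <cfqueryparam value="#MM_rsUser.user_id[1]#" cfsqltype="cf_sql_integer">
            </cfquery>
            <!--- user_id is the authenticated row's own id; the landing page must still verify it against the session. --->
            <cfset MM_redirectLoginSuccess = "table/landing_page.cfm?user_id=#MM_rsUser.user_id[1]#">
            <cflocation url="#MM_redirectLoginSuccess#" addtoken="no">
        <cfelse>
            <!--- Wrong password, or an unknown username (then there is no row to update). --->
            <cfif qryUserAttempts.recordcount>
                <cfif variables.lockExpired OR NOT IsNumeric(qryUserAttempts.failedLoginAttempt)>
                    <cfset variables.failedLoginAttempt = 1>
                <cfelse>
                    <cfset variables.failedLoginAttempt = qryUserAttempts.failedLoginAttempt + 1>
                </cfif>
                <cfquery name="qryRecordFailure" datasource="source">
                UPDATE table SET
                    failedLoginAttempt = <cfqueryparam value="#variables.failedLoginAttempt#" cfsqltype="cf_sql_integer">
                    <cfif variables.failedLoginAttempt GTE variables.maxFailedAttempts>
                    ,dateLocked = <cfqueryparam value="#Now()#" cfsqltype="cf_sql_timestamp">
                    <cfelseif variables.lockExpired>
                    ,dateLocked = NULL
                    </cfif>
                WHERE
                    user_id = <cfqueryparam value="#qryUserAttempts.user_id#" cfsqltype="cf_sql_integer">
                </cfquery>
            </cfif>
            <cflocation url="#MM_redirectLoginFailed#" addtoken="no">
        </cfif>
    <cfelse>
        <cflocation url="#MM_redirectLoginFailed#&accountlocked=true" addtoken="no">
    </cfif>
</cfif>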
<!---
    The login form posts back to this same template. Any query string on the
    current request is carried along, escaped with XMLFormat so it can be placed
    inside the form's action attribute.
--->
<cfset MM_LoginAction = CGI.SCRIPT_NAME>
<cfif Len(CGI.QUERY_STRING)>
    <cfset MM_LoginAction = MM_LoginAction & "?" & XMLFormat(CGI.QUERY_STRING)>
</cfif>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Microdata markup added by Google Structured Data Markup Helper. -->
<html xmlns="http://www.w3.org/1999/xhtml" prefix="og: http://ogp.me/ns#">
<head>
<title>login</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style>
#target-content {
position: fixed;
top: 0;
right: 0;
bottom: 0;
left: 0;
pointer-events: none;
opacity: 0;
-webkit-transition: opacity 200ms;
transition: opacity 200ms;
z-index:3000;
}
#target-content:target {
pointer-events: all;
opacity: 1;
}
#target-content #target-inner {
position: absolute;
display: block;
padding-left: 30px;
padding-right:48px;
padding-top:30px;
padding-bottom:48px;
line-height: 1.8;
width: 45%;
top: 50%;
left: 50%;
-webkit-transform: translateX(-50%) translateY(-50%);
-ms-transform: translateX(-50%) translateY(-50%);
transform: translateX(-50%) translateY(-50%);
box-shadow: 0px 12px 24px rgba(0, 0, 0, 0.2);
background: white;
color: #34495E;
}
#target-content #target-inner h2 { margin-top: 0; }
#target-content #target-inner code { font-weight: bold; }
#target-content a.close {
content: "";
position: absolute;
top: 0;
right: 0;
bottom: 0;
left: 0;
background-color: #000;
opacity: 0.7;
-webkit-transition: opacity 200ms;
transition: opacity 200ms;
}
#target-content a.close:hover { opacity: 0.7; }
input[type=submit] {
-webkit-appearance: none;
}
.button_login {
font: 16px/22px "Open Sans", Arial, sans-serif;
display: inline-block;
color: #FFF;
text-transform: uppercase;
display:inline-block;
padding:12px 20px 12px 23px;
font-weight:500;
text-decoration:none;
border:none;
position:relative;
z-index:1;
background-color: #77bc1f;
}
.button_login:hover {
text-decoration:none;
background-color: #7d868c;
color:#fff;
}
</style>
</head>
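<body>
<h2 style="text-align:left;">LOGIN</h2>
<!--- One generic message for both an unknown username and a wrong password, so the page does not reveal which usernames exist. --->
<cfif IsDefined("URL.loginfailed")>
<h5 style="text-align:left;">Authentication failed. <br />Please try again.</h5>
</cfif>
<!--- NOTE(review): this message does confirm that the username exists (only a known account can be locked). Usually acceptable; fold it into the generic message if username enumeration matters for this site. --->
<cfif StructKeyExists(URL,"accountlocked")><h5 style="text-align:left;">You've exceeded your login attempts.<br />Please try again later.</h5></cfif>
<!---
    MM_loginAction is CGI.SCRIPT_NAME plus the current query string escaped with
    XMLFormat, which is what makes it usable inside the action attribute.
    NOTE(review): serve this page over HTTPS only; the POST body carries the
    password in clear text otherwise.
--->
<form id="loginform" name="loginform" method="POST" action="<cfoutput>#MM_loginAction#</cfoutput>">
<h5 style="margin-top:20px; color:#686868; margin-bottom:5px;" >Username: </h5>
<input name="loginfield" type="text" id="loginfield" autocomplete="username" style="font-size:18px; font-weight: 300; width:100%; height:30%; border:none; padding-right:10px; padding-left:10px; padding-top:5px; padding-bottom:5px; position:relative; z-index:1; font-family: Tahoma, sans-serif; background: #f5f6f6; color:#7d868c; text-align:left; border-radius:0; -webkit-appearance: none;" />
<h5 style="margin-top:20px; color:#686868; margin-bottom:5px;" >Password:</h5>
<!--- type="password" (was type="text"): the previous field showed the password on screen and let browsers keep it in plain form-field history. The stray closing </h4> that followed it is dropped. --->
<input name="password" type="password" id="password" autocomplete="current-password" style="font-size:18px; font-weight: 300; width:100%; height:30%; border:none; padding-left:10px; padding-right:10px; padding-top:5px; padding-bottom:5px; position:relative; z-index:1; font-family: Tahoma, sans-serif; background: #f5f6f6; color:#7d868c; text-align:left; margin:0; -webkit-appearance: none; border-radius:0;"/>
<input name="login" type="submit" id="login" value="LOGIN" />
</form>
</body>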
</html>