A lot of users ask me how they can create an area on their web site that is only allowed to be used by registered users. This is called "User Authentication (Member's Only)" and can be created easily with ColdFusion.

The first thing that you must do is to create a table in your database called "tblAdmins".

Create the following fields in the database table:

Field Name    Type
user_id       AutoNumber
user_name     text
user_pass     text

This is where your users' login data will be stored by default; it gives you a "location" to verify against.

You will need to create an ODBC connection for this database. To create an ODBC data source, simply open up your ColdFusion administrator or contact your ISP. Call the ODBC "userLogin".

This tutorial will require 4 pages to be created.

  • Application.cfm
  • login.cfm
  • login_process.cfm
  • members_only.cfm

The first page that will need to be created is titled "Application.cfm". One thing you must keep in mind with this file is that it will always be executed before any ColdFusion (.cfm) file. Think of this as the page where you can define things and/or check for things. This will always run before any page, so this is a great place to check to see if a user is logged in. So naturally, this is the place we're putting the following code :)

Within this page you will create the following code:

	<!--- Create the application and enable session management (required for the session variables below) --->
    <cfapplication name="MyApp"
        sessionmanagement="Yes"
        sessiontimeout="#CreateTimeSpan(0,0,15,0)#"
        applicationtimeout="#CreateTimeSpan(0,2,0,0)#" />
    <!--- Now define that this user is logged out by default --->
    <CFPARAM NAME="session.allowin" DEFAULT="false" />
    <!--- Now define this user id to zero by default, this will be used later on to access specific information about this user. --->
    <CFPARAM NAME="session.user_id" DEFAULT="0" />
    <!--- Now if the variable "session.allowin" does not equal true, send user to the login page --->
    <!--- the other thing you must check for is if the page calling this application.cfm is the "login.cfm" page and the "Login_process.cfm" page since the Application.cfm is always called, if this is not checked the application will simply Loop over and over. To check that, you do the following call --->
    <cfif session.allowin neq "true">
    	<cfif ListLast(CGI.SCRIPT_NAME, "/") EQ "login.cfm">
        	<!--- the login form itself must stay reachable --->
        <cfelseif ListLast(CGI.SCRIPT_NAME, "/") EQ "login_process.cfm">
        	<!--- so must the page that processes the login --->
        <cfelse>
        	<!--- this user is not logged in, alert user and redirect to the login.cfm page --->
            <script>
            	alert("You must login to access this area!");
                window.location.href = "login.cfm";
            </script>
            <!--- stop here so the requested page is never executed or sent to the browser --->
            <cfabort>
        </cfif>
    </cfif>

That is all you need in the Application.cfm page. I'll explain the items as best as possible:

The first thing you created was the "cfapplication". This tag creates the ability to track users, create session variables and much more. This is needed to keep order within the application. One crucial section of this tag is the value you specify on "sessiontimeout". This is the time that specifies how long the user will stay logged in before having to log in again. This time is only counted if the user does nothing. If your pages are small and do not require large amounts of reading, then 15 minutes should be enough time. However, if your pages contain a lot of text and require lots of reading, then you might have to increase the time specified. The CreateTimeSpan values are as follows:


The next thing you created was a <cfparam>.

What the <cfparam> does is to define a value for a variable if (and only if) that variable doesn't already exist. If that variable does exist, it simply does nothing.

The last thing you created was a way to check on every page that the user is correctly logged in. It simply checks for a session variable called "session.allowin". If this variable has a value of "TRUE", then that user is logged in. If that variable has a value other than "TRUE" (i.e. "FALSE"), then this user is not logged in and is sent to the login page.

The next step in this tutorial is the "login.cfm" page.

This page is simply HTML, it doesn't really require any ColdFusion code. Here is what it must have:

      <form action="login_process.cfm" method="post">
      		Username: <input type="text" name="user_name" value=""><BR />
            Password: <input type="password" name="user_pass" value=""><BR />
            <input type="submit" name="login_user" value="Log In"><BR />
      </form>

The login page will submit the form to the "login_process.cfm" page. That page, however, is where the magic takes place. I'll create the entire page, and then come back and explain it.

	<!--- Get all records from the database that match this users credentials --->
    <!--- The form values are bound with cfqueryparam so they are never interpreted as SQL --->
    <cfquery name="qVerify" datasource="userLogin">
    	SELECT	user_id, user_name, user_pass
        FROM	tblAdmins
        WHERE user_name = <cfqueryparam value="#form.user_name#" cfsqltype="CF_SQL_VARCHAR">
        AND	 user_pass = <cfqueryparam value="#form.user_pass#" cfsqltype="CF_SQL_VARCHAR">
    </cfquery>

	<cfif qVerify.RecordCount>
    	<!--- This user has logged in correctly, change the value of the session.allowin value --->
        <cfset session.allowin = "True" />
        <cfset session.user_id = qVerify.user_id />
        <!--- Now welcome user and redirect to "members_only.cfm" --->
        <script>
        	alert("Welcome user, you have been successfully logged in!");
            window.location.href = "members_only.cfm";
        </script>
    <cfelse>
    	<!--- this user did not log in correctly, alert and redirect to the login page --->
        <script>
        	alert("Your credentials could not be verified, please try again!!!");
            window.location.href = "login.cfm";
        </script>
    </cfif>

That is all that I needed on this page. What you're basically doing is as follows:
First you are making a connection to the database with the username/password the user typed in on the "login.cfm" page. You are making a call to the database to look in the "tblAdmins" table for a user with this combination of username/password. If a match is found, then you have a record; if no matches are found, then there are no records.

The next step is to do a <cfif> to see if any records were found. If a record was found, then this user is good, go ahead and log them in. If there are no matches, then this user is no good, keep him out of the members only section.

If the user was good, then you overwrite the existing value of the "session.allowin" variable to "TRUE". Remember that the "Application.cfm" is checking for this value to be anything other than true to make the user log in. Since this now has a value of "TRUE", the user is logged in and therefore does not need to log in again.
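
The query above compares the submitted password with a plain-text "user_pass" column, so anyone who can read the table can read every password. The following is an added example, not part of the original tutorial, of a login_process.cfm that verifies a salted PBKDF2 hash instead and issues a new session ID on login. It assumes two hypothetical text columns, "user_salt" and "user_hash", filled in by the same GeneratePBKDFKey call when the account is created; the iteration count is an illustrative value, and the built-in functions used need ColdFusion 10/11 or later.

```cfml
<!--- Added example: user_salt and user_hash are hypothetical columns that
      replace the plain-text user_pass column in tblAdmins.
      GeneratePBKDFKey() requires ColdFusion 11+, SessionRotate() ColdFusion 10+. --->
<cfset pbkdfIterations = 100000>

<!--- Look the user up by name only; the password never goes into the SQL --->
<cfquery name="qUser" datasource="userLogin">
    SELECT user_id, user_salt, user_hash
    FROM   tblAdmins
    WHERE  user_name = <cfqueryparam value="#form.user_name#" cfsqltype="CF_SQL_VARCHAR">
</cfquery>

<cfset loginOk = false>
<cfif qUser.RecordCount EQ 1>
    <!--- Re-derive the key from the submitted password and the stored salt --->
    <cfset candidate = GeneratePBKDFKey("PBKDF2WithHmacSHA1", form.user_pass,
                                        qUser.user_salt, pbkdfIterations, 256)>
    <!--- Compare the two Base64 strings byte by byte in constant time --->
    <cfset loginOk = CreateObject("java", "java.security.MessageDigest").isEqual(
                        CharsetDecode(candidate, "utf-8"),
                        CharsetDecode(qUser.user_hash, "utf-8"))>
</cfif>

<cfif loginOk>
    <!--- Issue a fresh session ID at login so a pre-login ID cannot be reused --->
    <cfset SessionRotate()>
    <cfset session.allowin = "True">
    <cfset session.user_id = qUser.user_id>
    <cflocation url="members_only.cfm" addtoken="no">
<cfelse>
    <!--- Same response whether the user name or the password was wrong --->
    <cflocation url="login.cfm" addtoken="no">
</cfif>
```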

The last page you must create is the "members_only.cfm". This can be anything you want, this is the content that the user is logging in for, so make it good :)

That's it, you now know how to make a user authentication system!
Remember that if you have any questions or problems with this tutorial, you can always contact me directly.

About This Tutorial
Author: Pablo Varando
Skill Level: Intermediate 
Platforms Tested: CF5
Submission Date: August 19, 2002
Last Update Date: August 25, 2011
Discuss This Tutorial
  • If you have a need of differentiating users that log in (like an end-user or an administrator) please read this forum thread: http://www.easycfm.com/forums/viewmessages.cfm?Forum=12&Topic=4264

  • That was a great tutorial. I am creating a text based game and was wondering how you would suggest creating the members only page. Like, having another table and using the cfquery/output or just adding on to the current table, but I would imagine that would get to be quite a large table. :-p

  • Does anybody know how to code an error message after timeout is expired on the application.cfm? Currently, under my application.cfm I have set the cfapplication tag to include the sessiontimeout variable. Thanks, Samantha

  • That is what the Application.cfm page does. If the user is NOT logged in, then the member_only.cfm page will not load and the user will be redirected to log in. Please follow the tutorial for more details.

  • Hi, how do I prevent somebody from directly typing the member_only.cfm page?

  • You need to enable the Application in your Application.cfm page. If you need further help, please start a thread on the forums.

  • Hi, I used the code but found the page just gives me an error page once the name and password match those on the database.

    Error Occurred While Processing Request
    Error Diagnostic Information
    An error occurred while evaluating the expression: session.allowin = "True"
    Error near line 11, column 11.
    Attempt to access a Session variable when session management is not enabled. Use the CFAPPLICATION tag to enable session management. Note: This feature may have been disabled by the site administrator.
    The error occurred while processing an element with a general identifier of (CFSET), occupying document position (11:5) to (11:36).
    Date/Time: 05/31/04 00:29:05
    Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Remote Address:
    HTTP Referrer: http://localhost/login/login.cfm

  • Dear all, how do I write a script to detect the last IP or last login of a client in login.cfm?

  • Hi, how would I make a registration page using CF? I can do it in ASP but my server doesn't support it so I've got to use CF to do it. Cheers for any response.

  • To logout, simply create a page called "logout.cfm" and in that page do this: <cfset StructClear(session)> That's it! You now have a logout mechanism on your site! :)

