I found an interesting security bug today in some code at a client's site. (And unlike some other security holes, this one is real.) The problem was that the logon system was letting people in if they had an invalid logon. Users were correctly blocked at first, but as soon as they had an invalid logon, and then reloaded, they were let in. Why? Consider this code and make a guess before I show the answer:

<CFIF NOT ISDefined("Session.ProLoginOK")>
    <CFLOCATION URL="login/login.cfm" ADDTOKEN="No">
<CFELSEIF Session.ProLoginOK IS "">
    <CFLOCATION URL="login/login.cfm" ADDTOKEN="No">
</CFIF>

Figured it out? On an invalid login, the code set Session.ProLoginOK to "No". Since "No" defined the variable and wasn't "", neither branch of the check matched, so the user was never redirected to the login template.
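
A fail-closed version of the same check, as an added example (not the client's code): it lets a request through only when the flag holds one known-good value and redirects on everything else. The success value "Yes" and the variable `credentialsValid` are assumptions; the original post does not show the login handler.

```cfml
<!--- Added example. Page guard: default to "not logged in" and require an
      exact match on the success value instead of testing for "defined and
      not empty". Assumption: the login handler stores "Yes" on success. --->
<CFSET loginOK = false>
<CFIF StructKeyExists(Session, "ProLoginOK")
      AND IsSimpleValue(Session.ProLoginOK)
      AND Session.ProLoginOK IS "Yes">
    <CFSET loginOK = true>
</CFIF>

<!--- Anything other than the success value ("No", "", a missing key, or
      an unexpected type) ends up here. CFLOCATION stops processing of the
      current page, so nothing below the guard runs for these requests. --->
<CFIF NOT loginOK>
    <CFLOCATION URL="login/login.cfm" ADDTOKEN="No">
</CFIF>

<!--- Login handler side. credentialsValid is a hypothetical boolean set by
      the credential check. On failure the flag is removed rather than set
      to "No", so a failed attempt leaves no value for a guard to misread. --->
<CFIF credentialsValid>
    <CFSET Session.ProLoginOK = "Yes">
<CFELSE>
    <CFSET StructDelete(Session, "ProLoginOK")>
</CFIF>
```

The original guard listed the states that should be rejected and missed one; this one names the single state that is accepted.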

Something to watch out for in your own code!