Using CFLOGIN for Authentication of REST Based Queries

A reader sent me an interesting question today. He was building a REST-based service and wanted to add authentication. He didn't want to use web-server-based security. He just wanted to know what username/password the remote person was passing in with their HTTP request.

The first thing he tried was getHTTPRequestData(). This is an interesting, although probably rarely used, function that returns the raw data of the current request: its headers, method, protocol, and body.

If you run this function on a request that carried authentication information, you can see the Authorization header in the returned headers structure, but its value is not directly readable: for HTTP Basic authentication it is the string "Basic " followed by the Base64 encoding of username:password.

So on a whim I tried something. On the page getting the request I added:

<cflogin> <cfdump var="#cflogin#"> </cflogin>

This was wrapped inside a cfsavecontent that was being stored to an HTML file so I could see the result. (Remember, I'm testing the result of someone POSTing, so I was firing the page that did the post.) Lo and behold, the username and password were there!

I didn't expect it to work, as I thought it would only work when the web server explicitly prompted for a username and password, but CFLOGIN populates the cflogin structure whenever credentials arrive with the request, whether or not anything prompted for them. (It also works if you pass in URL or form variables named j_username and j_password.) Two things to keep in mind: the cflogin structure only exists inside the cflogin tag body, and that body only runs when no user is already logged in for the request; and HTTP Basic credentials are merely Base64 encoded, not encrypted, so a service that relies on them should only be exposed over HTTPS.
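The following is an added example, not code from the original post, showing how a REST endpoint can use this behaviour end to end: cflogin reads the Basic Authorization header (or j_username/j_password), the credentials are checked against a user store, and unauthenticated requests get a 401 with a Basic challenge. It also includes the by-hand decoding of the raw header from getHTTPRequestData() that the comments below describe. The file name api.cfm, the user store and its password, and the helper names parseBasicAuth and reject are all assumptions made for this example.

```cfml
<!--- api.cfm (hypothetical name). Added example, not from the original post:
      authenticate a REST request from its HTTP Basic credentials with cflogin. --->

<!--- Constructed user store for the example: username => SHA-256 of the password.
      A real service would look this up in a database and use a salted, slow
      password hash rather than a bare SHA-256. --->
<cfset userStore = structNew()>
<cfset userStore["apiuser"] = hash("s3cret", "SHA-256")>

<!--- Send a 401 with a Basic challenge so an HTTP client knows to retry with
      credentials, then stop processing the request. --->
<cffunction name="reject" returntype="void" output="false">
    <cfheader statuscode="401" statustext="Unauthorized">
    <cfheader name="WWW-Authenticate" value='Basic realm="REST API"'>
    <cfabort>
</cffunction>

<!--- Decode an Authorization header by hand, as the comments below describe:
      the value is "Basic " followed by Base64("username:password").
      Returns a struct with name and password, or an empty struct if the
      header is missing, not Basic, or not valid Base64. --->
<cffunction name="parseBasicAuth" returntype="struct" output="false">
    <cfargument name="authHeader" type="string" required="true">
    <cfset var creds = structNew()>
    <cfset var decoded = "">
    <cfset var sep = 0>
    <cfif left(arguments.authHeader, 6) NEQ "Basic ">
        <cfreturn creds>
    </cfif>
    <cftry>
        <cfset decoded = toString(toBinary(trim(removeChars(arguments.authHeader, 1, 6))))>
        <cfcatch type="any">
            <cfreturn creds>
        </cfcatch>
    </cftry>
    <!--- Split on the first colon only: the password itself may contain colons --->
    <cfset sep = find(":", decoded)>
    <cfif sep GT 1>
        <cfset creds.name = left(decoded, sep - 1)>
        <cfset creds.password = removeChars(decoded, 1, sep)>
    </cfif>
    <cfreturn creds>
</cffunction>

<!--- cflogin runs its body only when no user is logged in for this request.
      A REST client that keeps no cookies is never "logged in", so the body
      runs on every call, which is what a stateless API wants. Inside the body
      the cflogin structure exists only if the request carried credentials
      (Authorization header, or j_username/j_password form or URL variables). --->
<cflogin>
    <cfif NOT isDefined("cflogin")>
        <cfset reject()>
    </cfif>
    <!--- Hash the presented password the same way the store was built and compare
          case-sensitively; unknown users and wrong passwords get the same 401 --->
    <cfif NOT structKeyExists(userStore, cflogin.name)
          OR compare(userStore[cflogin.name], hash(cflogin.password, "SHA-256")) NEQ 0>
        <cfset reject()>
    </cfif>
    <!--- Credentials are valid: establish the login for the rest of the request --->
    <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="apiuser">
</cflogin>

<!--- Past this point the request is authenticated. For comparison, recover the
      same username by hand from the raw header that getHTTPRequestData() exposes. --->
<cfset rawHeaders = getHTTPRequestData().headers>
<cfset manualUser = "">
<cfif structKeyExists(rawHeaders, "Authorization")>
    <cfset manual = parseBasicAuth(rawHeaders["Authorization"])>
    <cfif structKeyExists(manual, "name")>
        <cfset manualUser = manual.name>
    </cfif>
</cfif>

<!--- Usernames are assumed to be plain alphanumerics here, so no JSON escaping is done --->
<cfcontent type="application/json" reset="true">
<cfoutput>{"user":"#getAuthUser()#","manual_user":"#manualUser#"}</cfoutput>
```

Call it with `curl -u apiuser:s3cret https://yourhost/api.cfm` and curl builds the Base64 Authorization header for you; a call with no credentials, or with the wrong ones, gets the 401 challenge instead of the JSON body. Because Basic credentials are only Base64 encoded, this endpoint belongs behind HTTPS. Note also that ColdFusion struct keys are case-insensitive, so the username lookup in userStore is too, while compare() keeps the hash comparison case-sensitive.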

So - maybe CFLOGIN isn't as bad as I said. This is a pretty nice use for it.

Archived Comments

Comment 1 by Patrick Correia posted on 12/14/2006 at 9:30 PM

I didn't know that CFLOGIN would parse the authentication headers like that -- pretty neat.

I might also humbly suggest that an article I wrote for CFDJ has a code sample showing how to parse the authentication information directly out of the header. It's base64 encoded, so you can decode it using a combination of ToBinary() and ToString(). (Thanks Adobe, that's totally obvious.) I guess if CFLOGIN does this automatically, that's probably easiest, unless you care where the authentication info came from.

The article is here:
http://coldfusion.sys-con.c...

And the code sample is here:
http://res.sys-con.com/stor...

Comment 2 by Dave Dugdale posted on 2/12/2009 at 4:10 AM

<cfsavecontent variable="dumpage">
<cfoutput>
<cflogin>
<cfdump var="#cflogin#">
</cflogin>
</cfoutput>
</cfsavecontent>

<cfoutput>
#dumpage#
</cfoutput>

I am trying to troubleshoot why I am getting logged out in my application. I would like to cfdump the cflogin vars to help me find where I am screwing up. But this code doesn't display anything. What other ways can I troubleshoot the cflogin vars?

Comment 3 by Raymond Camden posted on 2/13/2009 at 8:30 PM

It depends on what context you are running the code.

Comment 4 by Dave Dugdale posted on 2/13/2009 at 8:53 PM

Context:

Within my application I am currently logged in and I am running that code above by itself on test.cfm.

Thanks!

Comment 5 by Raymond Camden posted on 2/15/2009 at 8:30 PM

If you are logged in, then you will get nothing. CF only runs code INSIDE cflogin pairs when you aren't logged in.

Comment 6 by Dave Dugdale posted on 2/16/2009 at 4:45 AM

Oh yeah, I forgot about that.