cfloginuser

Identifies an authenticated user to ColdFusion. Specifies the user ID and roles. Used within a cflogin tag.

ColdFusion MX 6.1: Changed behavior: if the Session scope is enabled, and the cfapplication tag loginStorage attribute is set to Session, the login remains in effect until the session expires or the user is logged out by the cflogin tag.

Attribute	Req/Opt	Description
name	Required	A username.
password	Required	A user password.
roles	Required	A comma-delimited list of role identifiers. ColdFusion processes spaces in a list element as part of the element.

Used inside the cflogin tag to identify the authenticated user to ColdFusion. After you call this function, the GetAuthUser and IsUserInRoles return the user name and role information.

Note: By default, the user information is stored as memory-only cookies. The cfapplication tag can specify that login information be stored in the Session scope.

Comments are no longer accepted for ColdFusion MX 6.1. ColdFusion 8 is the current version.

Comments

andremoh said on Sep 26, 2003 at 2:27 AM :

"the login remains in effect until the session expires or the user is logged out by the cflogin tag"

I am confused how the user is logged out by the cflogin tag? is it supposed to be the cflogout tag?

jrunrandy said on Sep 26, 2003 at 5:37 AM :

You are correct. It should say cflogout.

fstrevisan said on Feb 17, 2004 at 4:30 PM :

Where is the example? It should be great to have some example, particularly cause this is a new tag...

halL said on Feb 18, 2004 at 6:52 AM :

The example is on the cflogin page.
To see it, click the left-arrow at the top or bottom of the page, or the text link near the bottom of the text on this page.

toniu27 said on May 19, 2004 at 8:47 PM :

can <cfloginuser> be used outside of <cflogin> block?

If browser does not enable memory-only cookie, <cflogin> get work or not? (before and after mx6.1)?

jrunrandy said on May 20, 2004 at 5:46 AM :

Yes, you can use cfloginuser outside of cflogin, but it it only applies for the life of the request: See http://livedocs.macromedia.com/coldfusion/6.1/htmldocs/appsec11.htm#wp1139097 for more information

You can use cookie scope or session scope to maintain login information. See http://livedocs.macromedia.com/coldfusion/6.1/htmldocs/appsec10.htm for more information.

ViLi said on Aug 16, 2004 at 10:10 AM :

I can use the getAuthUser() and IsUserInRole(roles) to get the username and to check whether the user is a member of a particular role.

But.. I need to get the entire list of roles that a logged in user is a member of. There ought to have been a function called getAuthUserRoles() for this, but there isn't. The list of roles is stored in server memory - how can I retrieve that list??

DSole said on Sep 16, 2004 at 11:35 PM :

Its worth mentioning that when checking for multiple roles,
isUserInRole checks for role1 AND role2 AND role3 etc, not OR

-ian said on Sep 23, 2004 at 12:49 PM :

It should also be noted, the basics:
1) getAuthUser() requires the cflogin.
Calls: <cflogin><cfoutput>#GetAuthUser()#</cfoutput>

2) Roles: Does not require <cflogin>. (Below is just a summary of Space sensitive already mentioned). Different roles are seporated by commas, but should not have spaces after the commas; otherwise, the space is required for testing it, for the space is included in that role name.
Calls: <cfif IsUserInRole("[role,role...]")> or <cffunction name="ex" roles="[role,role...]">
Ex: <cfif IsUserInRole("admin,webdept")>do something...</cfif>

?- My question is if by default its in the session scope should calls to be it use the cflock (Readonly for verification tests, and Exclusive for setting)?

-ian said on Sep 23, 2004 at 1:43 PM :

sorry, both require the <cflogin> tag...

samihoda2 said on Sep 27, 2004 at 11:58 AM :

What is the max length of the roles parameter? It seems to fails if there are too many roles...

cf_Amir said on Nov 25, 2004 at 1:23 PM :

what is the password attribute for ?!!

I user the user name and password to validate the user by a database, If it was valid then I run cfloginuser tag to login the user. What does cfloginuser need the password for?

halL said on Dec 2, 2004 at 1:54 PM :

The ColdFusion uses the cfloginuser password attribute to generate a unique ID for the user.
The password attribute value does not have to be the user's true password, but must be a string that is unique among all users.

-r- said on Dec 10, 2004 at 7:11 PM :

halL said on Dec 2, 2004 at 1:54 PM :

"The ColdFusion uses the cfloginuser password attribute to generate a unique ID for the user.
The password attribute value does not have to be the user's true password, but must be a string that is unique among all users."

which contradicts the documentation for cflogin:

"A request that uses NTLM or Digest authentication. In this case, the username and password are hashed using a one-way algorithm in the Authorization header; ColdFusion gets the username from the web server and sets the cflogin.password value to the empty string."

So how can an empty string password be unique among all users?

halL said on Dec 16, 2004 at 10:58 AM :

I was incorrect in saying that the password attribute must be a unique string.
The password and name attributes are used together to generate a unique ID.
Therefore, if all name attributes are unique, you can use a value such as the empty string as the cflogin password attribute.

Soetji said on Jun 2, 2005 at 11:40 AM :

It seems that GetAuthUser() and IsUserInRoles() work only outside <cflogin>...</cflogin>. You can't use them right after <cfloginuser> before </cflogin>. Is this correct?

jrunrandy said on Jun 28, 2005 at 12:35 PM :

Correct. I think the reason for this is that the code within cflogin only executes the first time. That is, once the user is logged in, ColdFusion doesn't go into the cflogin block.