I would like to only protect personal pages on my website (managemypage.cfm, myfavorites.cfm). All other pages will be accessible by whoever, and WILL NOT prompt a login. I know I can include a session variable in my application.cfc file that prompts people to login, but I only want it for two specific pages. What do you suggest... placing the application.cfc in a subdirectory of my site so it only affects those within its directory (managemypage.cfm, myfavorites.cfm)? If I solely use a login validation for specific pages, and ignore the application.cfc code, then it will not start a session for the user, i.e., once the user leaves the page, their personalized info is gone until they re-visit that page and login again.

In a nutshell, this is what I want:

1. An application.cfc that uses sessions, but ONLY prompts users to LOGIN when they try accessing managemypage.cfm and myfavorites.cfm. At this point, their login is validated, and their personal information is returned.

2. Once logged in, every page displays "Welcome #SESSION.user_name#!" in the upper right hand corner.

Very important, I do not want a user to be prompted for a login UNLESS he/she is trying to access managemypage.cfm or myfavorites.cfm!
Make sure you put the application file in the root directory. That way your whole site remains secure. To protect only certain pages you just add this code to the ones you want to protect. It goes right at the top of the page so that ColdFusion checks it out first.

    <!--- user_name is the session variable set at login; use whatever name your login page sets --->
    <cfif structKeyExists(session, "user_name") AND session.user_name NEQ "">
        <!--- logged in: let the page render --->
    <cfelse>
        <cflocation url="../index.cfm">
    </cfif>

This will check to see if the user has logged in and that their session variable still contains data. If not, then it won't let the page load and sends the user back to your home page.
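The same check can live once in Application.cfc instead of being pasted into each protected page, so the site-wide session still starts for public pages and only the two named files demand a login. The following is an added example, not code from either poster; the application name, the login.cfm path, the session.returnTo variable and the 30-minute timeout are assumptions, and session.user_name is the variable the question refers to.

```cfml
<!--- Application.cfc (added example): sessions everywhere, login only on two pages --->
component {
    this.name = "MySite";                                 // assumed application name
    this.sessionManagement = true;                        // start a session for every visitor
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);    // assumed 30-minute idle timeout

    // Only these files require a logged-in user; every other page stays public.
    variables.protectedPages = ["managemypage.cfm", "myfavorites.cfm"];

    // Runs before every request; targetPage is the server-side path of the requested template.
    public boolean function onRequestStart(required string targetPage) {
        var page = listLast(arguments.targetPage, "/");
        if (arrayFindNoCase(variables.protectedPages, page) && !isLoggedIn()) {
            // Remember the server-side path so login.cfm can send the user back afterwards.
            // targetPage comes from ColdFusion, not from the query string, so it is safe to reuse.
            session.returnTo = arguments.targetPage;
            // addToken=false keeps CFID/CFTOKEN out of the redirect URL (and out of logs/history).
            location(url = "/login.cfm", addToken = false);   // assumed login page path
        }
        return true;   // public pages and logged-in users proceed normally
    }

    // Logged in means the login page stored a non-empty user_name in the session.
    private boolean function isLoggedIn() {
        return structKeyExists(session, "user_name") && len(trim(session.user_name)) > 0;
    }
}
```

In login.cfm, after the credentials are validated, set session.user_name and redirect to session.returnTo (defaulting to the home page); the "Welcome #session.user_name#!" header can then be rendered on any page inside a structKeyExists(session, "user_name") check, with the name HTML-encoded before output.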
I recommend that you use some type of application framework such as Mach-II, Model Glue, Fusebox or Coldbox (although I am quite biased toward Mach-II). When you use an MVC event-driven framework such as any of these, then tasks such as the one you are describing are no-brainers by applying filters to specific events. The side benefit is that you will end up with an application that is far more manageable and scalable in the long run.