The reason you find no simple examples, well… except for that blasphemous code Adobe still has lying around… is that proper security requires more complex handling.
I will first refer you to ColdFusion Security Guide CFML Documentation, where if you scroll down you’ll find two topics… authentication and session management. That’s about as drop dead simple as secure auth gets, really.
Much of that example code (and more) is implemented in GitHub - ddspringle/framework-one-secure-auth: An example fw/1 application with secure single and two-factor (2FA) authentication and session management functions which could be a jumping off point for a secure authentication system.
That said, there are insecure ways to implement protecting your cfm files. You didn’t really elaborate on what ‘directory’ means… if you mean protecting cfm files within that directory from being executed without logging in, then there are several insecure ways to handle this.
First, your login form can process your login using static user/pass. If you enter the proper user/pass, as defined and compared against in the login processing code, then you get access. For example:
if( form.username eq 'alice' && form.password eq 'bob' ) {
    // they have access, set some session var or cookie
    session.isLoggedIn = true;
    // OR
    cookie.isLoggedIn = true;
}
For session management, it could be as simple as putting the following in onRequestStart() in your Application.cfc in the directory you wish to protect:
// check that the isLoggedIn session var exists, and is true
if( !structKeyExists( session, 'isLoggedIn' ) || !session.isLoggedIn ) {
    // it does not or it is not, force a login
    location( 'login.cfm', false );
}
OR
// check that the isLoggedIn cookie exists and is true
if( !structKeyExists( cookie, 'isLoggedIn' ) || !cookie.isLoggedIn ) {
    // it does not or it is not, force a login
    location( 'login.cfm', false );
}
This is entirely insecure and would be easily hackable. But, if you’re ok with that risk, then the above combination of poor techniques will get you going in the right direction.
That said, I implore you to read the security guide’s auth and session management tutorials, and look over the relevant code in the fw/1 example, to better understand how to go from this insecure solution to the layered approach demonstrated in those places.
If you mean actually protecting a directory of files of any type, then you’re looking at either Basic Auth or NTLM (Windows) auth depending on if you’re serving over Apache or IIS. NTLM auth requires you to auth with a user either in AD or on the system itself (depending on how you configure it) and there are tons of articles on how to do this online already so I won’t go into the gory details here. Both of those have their drawbacks as well and neither is considered very secure.
There is also the <cflogin> and <cfloginuser> stuff which I don’t personally use and cannot speak to, but more blasphemous Adobe code on this can be found at cflogin.
HTH
Denny
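For contrast with the static user/pass and client-side cookie approach above, here is an added example of the same onRequestStart() gate done the server-side way (example code written for this page; it is not Denny’s code, not the security guide’s, and not taken from the fw/1 repo). It assumes a single Application.cfc protecting the directory, a login.cfm that POSTs form.username and form.password to itself, and a constructed in-memory user record standing in for a database row. The authorization flag lives only in the session scope (a cookie the browser controls is never consulted), the password is checked against a salted, iterated hash instead of a literal, and the session id is rotated after a successful login.

```cfml
component {

    this.name = "secureAuthExample";          // assumed application name
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan( 0, 0, 30, 0 );
    // session cookie not readable by script and only sent over HTTPS
    this.sessionCookie = { httpOnly = true, secure = true };

    public boolean function onApplicationStart() {
        // Constructed user store standing in for a users table. No plaintext
        // password is kept: only a per-user random salt and the salted,
        // iterated SHA-512 hash of the password "correct horse battery staple".
        application.users = {};
        var salt = hash( generateSecretKey( "AES" ), "SHA-512" );
        application.users[ "alice" ] = {
            salt = salt,
            passwordHash = hash( salt & "correct horse battery staple", "SHA-512", "UTF-8", 10000 )
        };
        return true;
    }

    public boolean function onRequestStart( required string targetPage ) {
        var page = listLast( arguments.targetPage, "/" );

        // login.cfm is the only page reachable without a session; when it is
        // POSTed to, process the credentials here and bounce on success
        if ( page eq "login.cfm" ) {
            if ( structKeyExists( form, "username" ) && structKeyExists( form, "password" ) ) {
                if ( authenticate( form.username, form.password ) ) {
                    location( "index.cfm", false );   // assumed landing page
                }
            }
            return true;
        }

        // Authorization state is read from the server-side session only
        if ( !structKeyExists( session, "isLoggedIn" ) || !session.isLoggedIn ) {
            location( "login.cfm", false );
        }
        return true;
    }

    /**
     * Verify a submitted username/password against the stored salted hash.
     * Establishes the session on success; returns false on any failure.
     */
    private boolean function authenticate( required string username, required string password ) {
        var iterations = 10000;

        if ( !structKeyExists( application.users, arguments.username ) ) {
            // Hash anyway so an unknown user costs the same time as a wrong password
            hash( "no-such-user" & arguments.password, "SHA-512", "UTF-8", iterations );
            return false;
        }

        var user = application.users[ arguments.username ];
        var candidate = hash( user.salt & arguments.password, "SHA-512", "UTF-8", iterations );

        // Constant-time comparison via java.security.MessageDigest.isEqual
        var md = createObject( "java", "java.security.MessageDigest" );
        var matches = md.isEqual(
            charsetDecode( candidate, "UTF-8" ),
            charsetDecode( user.passwordHash, "UTF-8" )
        );
        if ( !matches ) {
            return false;
        }

        // Fresh session id after the privilege change, so a session id handed
        // to the browser before login cannot be reused (session fixation)
        sessionRotate();
        session.isLoggedIn = true;
        session.username = arguments.username;
        return true;
    }
}
```

The two things worth noticing against the snippets above: the check in onRequestStart() reads only the session scope, so a visitor cannot grant themselves access by setting a cookie, and the comparison in authenticate() never touches a literal password, so a leaked Application.cfc does not leak credentials. hash() with an iteration count, sessionRotate() and charsetDecode() are standard CFML functions; the in-memory application.users struct is the constructed stand-in for whatever store a real application uses.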