Setting up a login form / session authentication and directory protection in Lucee

Hello, friends,

I am delighted to be working with Lucee. I am in the process of moving several CFML web sites from ACF to Lucee. I have a very basic question regarding which I hope someone here can give me advice.

I need to set up a simple login form for Lucee, that includes session authentication and directory protection. (For example, I want to protect the /admin/ directory, allowing only authorized logins to access files in that directory.)

The login form that I use with ACF is about ten years old, and does not seem to work with Lucee. I would like to create a new one, using methods that work with Lucee.

Can someone point me at a HOWTO, or a good example, or give me any examples?

Thank you for any advice.

best from Eric

ColdFusion Security Guide on CFDocs has information on code security, including Authentication and Session Management which you may find helpful in pursuit of your goal.

If you’re looking for a head start on it using the fw/1 framework then please have a look at the Framework One Secure Auth GitHub project which has all the same basic code I outlined in those guides (and then some) wrapped up and ready to go. If you’re using CommandBox you can also just use box install fw1-sa to install it.

HTH

– Denny


Dear Denny,

That is a really helpful reply. Thank you for that; I will take a look now into the resources you have recommended. I am going to do as much of this as I can on my own; I might come back with specific questions, if that is OK. =)

Wishing you a great day.

Eric

Hey Eric,

Absolutely, if you have any questions feel free to give me a shout. I’m happy to help!

– Denny

Dear Denny,

Wow! The Framework 1 framework looks very useful, and really impressive. I don’t have CommandBox on my server, and at this point I am afraid I will not have time to install and configure a framework. I’m a full-time dad these days. =) Mostly I am trying to get an old login form that works well on Adobe ColdFusion 11, to work in Lucee 5.1. I’ve been staring at this code for a while now, and reviewing Lucee documentation, and doing a lot of searching for clues. I don’t get an error when I process the login form; the login form, instead, simply refreshes itself on the page.

It seems like pretty simple code; it’s based on the CF 9 WACK.

If you have a minute to consider this problem: Do you see anything here that will not work in Lucee?

LoginForm.cfm:


<form name="LoginForm" method="post" class="ebwebworkForm">

<ul>
 <li>
  <label for="UserEmail">Username:</label>
 
 <input autofocus required
 type="text"
 name="UserEmail"
 id="UserEmail"
 size="30"
 value=""
 maxlength="256"
 tabindex="1" />
        <span class="form_hint">Enter your username.</span> 
               
</li> 

 <li>
  <label for="UserPassword">Password:</label>


 <input required
 type="password"
 name="UserPassword"
 id="UserPassword"
 size="30"
 value=""
 maxlength="256"
 tabindex="2" />

        <span class="form_hint">Enter your password.</span> 
               
</li> 


    <li>
   <button name="doLogin" type="submit" class="green" tabindex="3">Click to log in.</button>

</li>
    
    
    </ul>
    </form>

application.cfc:

<!--- Filename: Application.cfc --->

<cfcomponent output="false">

  <!--- Name the application. --->
  <cfset this.name="OSM/VISTA Rural Volunteers">
  
<cfset this.scriptProtect = "No">
  
  <cfset this.applicationTimeout = CreateTimeSpan(0,0,360,0)>
  
  <!--- Turn on session management. --->
  <cfset this.sessionManagement="true">
  
  <!--- Set session timeout period --->
  <cfset this.sessionTimeout = CreateTimeSpan(0,0,360,0)>

  <cfset this.clientManagement = "false">
  
<!--- function: onApplicationStart --->
<cffunction name="onApplicationStart" output="false" returnType="void">

<!--- set datasource in Lucee --->   
<cfset this.datasources["ruralvolunteer"] = {
	  class: 'com.microsoft.sqlserver.jdbc.SQLServerDriver'
	, bundleName: 'mssqljdbc4'
	, bundleVersion: '6.0.7728.100'
	, connectionString: '[redacted]:1433;DATABASENAME=rural-volunteers;sendStringParametersAsUnicode=true;SelectMethod=direct'
	, username: [redacted]
	, password: "encrypted:4a42baff878f3a385ec931754af63edc772fe636023553b73e7780c5610b3dd000d4b1efb0c088fb141dd5759b1f78c2bf34cec3f12f3b89"
	
	// optional settings
	, blob:true // default: false
	, clob:true // default: false
	, connectionLimit:10 // default:-1
	, timezone:'US/Eastern'
};>
    
    
<!--- Set up Application variables. Locking the Application scope is not necessary in this method. --->
		<cfset Application.configured = 1>
		<cfset Application.datetimeConfigured = TimeFormat(Now(), "hh:mm tt") & "  " & DateFormat(Now(), "mm.dd.yyyy")>
		<cfset Application.currentSessions = 0>
  
  </cffunction> 
  
   
    <cffunction name="clearSessionVariables" returntype="void">
      <!--- defined all session variables, so they will always exist ---->
      <cfset session.auth = structNew()>
      <cfset session.auth.isLoggedIn  = false>
      <cfset session.auth.UserID  = "">
      <cfset session.auth.Title   = "">
      <cfset session.auth.FirstName   = "">
      <cfset session.auth.MiddleInitial   = "">
      <cfset session.auth.LastName    = "">
      <cfset session.auth.Address    = "">
      <cfset session.auth.City    = "">
      <cfset session.auth.State    = "">
      <cfset session.auth.ZIP    = "">
      <cfset session.auth.Telephone   = "">
      <cfset session.auth.UserEmail    = "">
      <cfset session.auth.UserPassword    = "">
      <cfset session.auth.UserRoleID  = "">
      <cfset session.auth.lastError  = "">
  </cffunction>
  
  <cffunction name="onSessionStart" returntype="void">
 <!--- define all session variables, so they will always exist ---->
      <cfset clearSessionVariables()>
  </cffunction>
  

<!--- function: onRequestStart ---> 

<cffunction name="onRequestStart">
<cfargument type="String" name="targetPage" required="true" /> 

<!--- All of these folders/top level files require a login, specific roles are addressed below ---->  

<cfset var securefolders = "admin">  

<cfset var currentFolder = listFirst(cgi.script_name,"/")>
<cfif currentFolder contains ".">
    <cfset currentFolder = "root">
</cfif> <!--- the user's current location ---->  


<!--- process login credentials --->

 <!--- begin cfif isDefined("form.UserEmail") and isDefined("form.UserPassword") ---> 
    <cfif isDefined("form.UserEmail") and isDefined("form.UserPassword") and isDefined("form.doLogin")>
     
   
         <!--- if the check box to remember UserEmail was checked, then make a cookie for it ---> 
                <cfif isDefined("form.SaveUserEmail") and form.SaveUserEmail is "Yes"> 
          <cfcookie name="SaveUserEmail" value="#form.UserEmail#" expires="7"> 
        </cfif> 
         
        <!--- user is attempting to log in, so process the login request ----> 
        <cfif NOT checkLogin(form.UserEmail, form.UserPassword)> 
           <cfinclude template="LoginError.cfm"> <!--- login failed, so show login error form ----> 
           <cfreturn false>  
           <!--- close cfif NOT checkLogin(form.UserEmail, form.UserPassword) ---> 
        </cfif> 
    <!--- close cfif isDefined("form.UserEmail") and isDefined("form.UserPassword") and isDefined("form.doLogin") ---> 
    </cfif> 
 
<!--- /process login credentials --->


<cftry>

<!--- test for access to secureFolders --->

<cfif listFindNoCase(secureFolders, currentFolder)>  <!---- are we in a secure area? ---> 
     
    <cfif session.auth.isLoggedIn is False> <!--- This is a secure area, if the user is not logged in, go to login page ---->  
           <cfinclude template="LoginForm.cfm">
            <cfthrow message="Please log in with proper credentials to access this area.">
           <cfabort>  
       <cfelse> <!--- the user is logged in, then check roles ---->  
           <cfswitch expression="#currentFolder#">  
              <cfcase value="root">  
                  <cfif listFind("1",session.auth.UserRoleID) eq 0> <!---- role 1 has access to root --->  
                      <cfinclude template="LoginError.cfm">
                      <cfabort>  
                  </cfif>  
              </cfcase>  
              <cfcase value="admin">  
                  <cfif listFind("1,3",session.auth.UserRoleID) eq 0>  <!---- roles 1, 3 have access to admin --->  
                      <cfinclude template="LoginError.cfm">
                      <cfabort>  
                  </cfif>  
              </cfcase>  
              <cfdefaultcase> <!---- all other secure folders ---->  
              </cfdefaultcase>  
           </cfswitch>  
       </cfif> <!---- end if user is logged in or not ---->  
    </cfif>  <!---- end if user is in a secure area or not ---->  
    
    <!--- /test for access to secureFolders --->
         
      <cfcatch>
      <cfset clearSessionVariables()>
      <cfset SESSION.auth.lastError  = cfcatch.message>
      <cfreturn false>
  </cfcatch>
  </cftry>

    
    
<!--- a couple of database protections --->         
         
<!--- if query_string contains cast(, then abort! --->
    <cfif cgi.query_string contains "cast(">
      <cfabort>
    </cfif>
    
<!--- if query_string contains replace(, then abort! --->                                              
    <cfif cgi.query_string contains "replace(">
      <cfabort>
    </cfif>

   </cffunction>
  <!--- close function: onRequestStart --->
 
 
 <!--- begin cfif isDefined("form.doLogin") --->
    <cfif isDefined("form.doLogin")>
    
     
<!--- begin function checkLogin --->
<cffunction name="checkLogin">

  <cfargument name="p_UserEmail" required=false default="" />
  <cfargument name="p_password" required=false default="" />

  <cfset var UserPassword = trim(arguments.p_password)>
  <cfset var UserEmail     = trim(arguments.p_UserEmail)>
  <cfset var getUser = "">

  <cftry>
      <cfif len(UserPassword) eq 0 or len(UserEmail) eq 0>
         <cfthrow message="Please enter Email and Password">
      </cfif> 
    
      <cfquery name="getUser" datasource="ruralvolunteer">
       SELECT UserID, FirstName, UserRoleID, UserEmail, UserPassword
        FROM ruralUsers
       WHERE UserEmail = <cfqueryparam cfsqltype="cf_sql_varchar" value="#UserEmail#" maxlength="255"> 
      </cfquery>
      <cfif getuser.recordCount eq 0>
        <cfthrow message="Incorrect email address and/or password. Be sure to enter the correct, original email address with which you registered. Please type your password carefully.">
      <cfelseif getUser.UserPassword is not UserPassword>
        <cfthrow message="Invalid Password.">
       </cfif>
    
      <cfset clearSessionVariables()>
      <cfset SESSION.auth.isLoggedIn = "Yes">
      <cfset SESSION.auth.UserID     = getUser.UserID>
      <cfset SESSION.auth.FirstName  = getUser.firstName>
      <cfset SESSION.auth.UserRoleID = getUser.UserRoleID>
      <cfset SESSION.auth.UserEmail  = getUser.UserEmail>
      <cfset SESSION.auth.lastError  = "">
      

 <!--- Now that user is logged in, send her to web root --->

 <cflocation url="/admin/managePages.cfm">

      
      <cfreturn true>
      
      
  <cfcatch>
      <cfset clearSessionVariables()>
      <cfset SESSION.auth.lastError  = cfcatch.message>
      <cfreturn false>
  </cfcatch>
  </cftry>
    
</cffunction>
<!--- close function checkLogin --->

      <!--- close cfif isDefined("form.doLogin") --->
    </cfif>


</cfcomponent>

Thank you again for any ideas or insight. I really appreciate your time. All best,

Eric

Based on your description of the problem, I’d assume that session.auth.isLoggedIn is false here:

<cfif listFindNoCase(secureFolders, currentFolder)>  <!---- are we in a secure area? ---> 
    <cfif session.auth.isLoggedIn is False> <!--- LIKELY FALSE HERE ---->  
           <cfinclude template="LoginForm.cfm"> <!--- SO SHOWS THE LOGIN FORM AGAIN --->
            <cfthrow message="Please log in with proper credentials to access this area.">
           <cfabort>  
       <cfelse> 

Without diagnosing and resolving the issue for you (wink) I’d suggest a few things…

First, remove the cfif around the checkLogin() function - it’s pointless to wrap a function definition in a cfif and, largely, what I suspect could be an issue in Lucee (ACF is more forgiving of such things)…

Second, make sure you’re locking the session scope anytime you want to clear or set a session variable. Might not be the problem, but you should always lock shared scopes when writing to them to prevent race conditions.

Third, instead of re-including the login form in the code above, dump out session.auth and see if it’s being set properly in the checkLogin() function.

If it’s not, then start dumping out variables as you process a login to make sure that each step of the process is doing what you expect it to do. For instance, break down each function and each cfif and isolate where the problem occurs.

From there you can better figure out next steps. As of right now you’re just staring at the code expecting it to work I’m guessing. We’ve all been there and done that… next step is to start breaking the code down into smaller and smaller pieces until you find the culprit.

HTH

– Denny


Dear Denny,

This makes a lot of sense to me. I proceeded as you suggested:

First, remove the cfif around the checkLogin() function - it’s pointless to wrap a function definition in a cfif and, largely, what I suspect could be an issue in Lucee (ACF is more forgiving of such things)

Got it. I will need to research this some more, for my own education, but I did as you suggested. However, thinking about it, what you said makes intuitive sense, though I am not quite sure how to express it here.

Second, make sure you’re locking the session scope anytime you want to clear or set a session variable.

Got it. I did some research on CFLOCK at https://cfdocs.org/cflock – and that makes sense to me, and I applied the correct tag syntax (I believe).

I’d assume that session.auth.isLoggedIn is false here

Hmmm. That sounds right. To test it, I did this:


<cfif listFindNoCase(secureFolders, currentFolder)>  <!---- are we in a secure area? ---> 
     
    <cfif session.auth.isLoggedIn is False> <!--- This is a secure area, if the user is not logged in, go to login page ---->  
           <cfinclude template="hello.cfm">
            <cfthrow message="Please log in with proper credentials to access this area.">
           <cfabort>

So, when I process the login form, I am guessing I should be sent to hello.cfm. I will upload the new application.cfc, and a file called hello.cfm, and try it now …

Hmm, no – I am still sent back to loginform.cfm when I try to log in.

Third, instead of re-including the login form in the code above, dump out session.auth and see if it’s being set properly in the checkLogin() function.

I think this is my next step. I think I need to use CFDUMP to examine the variable session.auth. Doing some review of CFDUMP … https://cfdocs.org/cfdump … I believe the tag syntax to use is:

<cfdump var="#session.auth#" label="Session.Auth output" expand="yes">

I will try this, and I am very curious to see the output. I have a silly question, though – if you have time. =) Where should I put <cfdump var="#session.auth#" label="Session.Auth output" expand="yes"> ?

At the end of loginform.cfm?

Thank you again for your kind help. I’m really grateful, and I am pretty excited about working with Lucee. Hope you are great.

Eric

Dear Denny,

Good morning. =)

I’ve been working on this task. I have refined my CFDUMP tag as follows:

<!--- testing with cfdump ---> 
<cfdump var="#session.auth#"
output = "browser"
format = "html"
abort = "true"
label = "test session.auth"
metainfo = "yes"
expand = "yes"
showUDFs = "yes">
<!--- /testing with cfdump --->

I also see that this CFDUMP tag does not work in loginform.cfm, but must (I think?) be placed in application.cfc itself.

I have placed this CFDUMP in various places in application.cfc, but I get no visible result. I process the login form, and I still see just the login form.

I’m confused, and doing more research. Is CFDUMP the correct tool to use, at this point? Is the CFDUMP tag syntax set up correctly? Where should this tag be placed? And so on. I am searching in Lucee Docs and on CFDocs for more clues. =)

Also, I know you must be very busy. I feel like I have already made a lot of progress, but I have also used up a lot of your time. I really appreciate your expertise, time, and generous help.

best from Eric

@Eric_Bourland, you should be able to place the CFDUMP tag pretty much anywhere you like and all you really need is the “var” attribute and it will give you a dump of the contents of the variable at that point in time during the script process, so just place:

<cfdump var="#session.auth#">

wherever you want to see the value contained within that variable at that point in time. Also, I would normally, depending on requirements, then stop the script from processing further by adding a <cfabort> right after it. So:

<cfdump var="#session.auth#">
<cfabort>

You can also do <cfdump var="#session#"> to see the entire contents of the session structure, which might be helpful.

Kind regards,

Andrew.


Dear Andrew,

Thank you for your note! After some experimenting, I found that I could just put this:

<cfdump var="#session#">
<cfabort>

into loginform.cfm. I found that when I placed this CFDUMP into application.cfc, then I could not see any output.

I also found that var="#session.auth#" threw an error, because Lucee said there is no key named “auth”.

I’m learning a lot. =)

The output of the CFDUMP is a little cryptic:

Session Scope (Memory)
cfid: string efbb5317-0537-41b2-9d5a-6751f984fd85
cftoken: string 0
lastvisit: Date Time (America/New_York) {ts ‘2017-04-09 15:39:44’}
sessionid: string _efbb5317-0537-41b2-9d5a-6751f984fd85_0
timecreated: Date Time (America/New_York) {ts ‘2017-04-09 15:35:56’}
urltoken: string CFID=efbb5317-0537-41b2-9d5a-6751f984fd85&CFTOKEN=0

And I am not quite sure what to make of this, or what changes I should make in application.cfc as a result of this output.

Is there anything else I can do to diagnose this weird problem with my login form?

I am very grateful for any advice you have time to give me. All best,

Eric

The above is the reason you get no output when placed in Application.cfc :)

With regards to why it is not working, it is hard to say without spending some time trying it out, which I will see if I can find time to do later, but the code looks pretty messy, I’m thinking it is probably an error within the try/catch blocks but that is just a guess from a quick look.

Kind regards,

Andrew.


Dear Andrew,

Good morning! That was a very helpful note. This morning I have been doing a lot of reading – about cfcomponent and cffunction, for starters. I realize it has been a few years since I looked at this code. Yes, it is messy code, and I hope I have imposed some order.

I have a few thoughts and some questions – if you have a moment to consider them. =)

  1. Do I need this cfargument:
    <cfargument type="String" name="targetPage" required="yes" />
    I am not sure what purpose that serves, and I do not see any other reference to string “targetPage”.

  2. I am not sure what the repetition of cfreturns is doing: cfreturn false, and so on; I wonder if this repetition is confusing Lucee. I am reading up on cfreturn: https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-tags/tags-r-s/cfreturn.html… but I think I do not understand exactly what cfreturn is doing, here.

  3. I added the cfcomponent output="yes" … but still I do not see output from CFDUMP. I must be doing something fundamentally wrong here.

I append the latest version of my application.cfc. I’m working hard to make this work. I am very grateful for your time. I am sure you have got a bunch of other things to do today. In the meantime I am continuing to do research on my own. Thank you so much.

best from Eric

<!--- Filename: Application.cfc --->
<!--- based on Application.cfc in CFWACK by R. Camden and N. Weiss --->
<!--- modified December 2010 by Eric B, gdemaria, _agx_ --->
<!--- modified April 2017 by Eric B and patient developers on Lucee Dev forum to work with Lucee --->

<cfcomponent output="true">

<cfset this.name="OSM/VISTA Rural Volunteers">
<cfset this.applicationTimeout = CreateTimeSpan(0,0,360,0)>
<cfset this.sessionTimeout = CreateTimeSpan(0,0,360,0)>
<cfset this.sessionManagement="true">
<cfset this.clientManagement = "false">
  
<!--- begin function: onApplicationStart --->
<cffunction name="onApplicationStart" output="no" returntype="void">

<!--- set datasource in Lucee --->   
<cfset this.datasources["ruralvolunteer"] = {datasource connection parameters};>
 
      
<!--- Set up Application variables. Locking the Application scope is not necessary in this method. --->
		<cfset Application.configured = 1>
		<cfset Application.datetimeConfigured = TimeFormat(Now(), "hh:mm tt") & "  " & DateFormat(Now(), "mm.dd.yyyy")>
		<cfset Application.currentSessions = 0>
  
  </cffunction> 
  
   
    <cffunction name="clearSessionVariables" returntype="void">
      <!--- define all session variables, so they will always exist ---->
      <cfset session.auth = structNew()>
      <cfset session.auth.isLoggedIn  = false>
      <cfset session.auth.FirstName   = "">
      <cfset session.auth.UserEmail    = "">
      <cfset session.auth.UserPassword    = "">
      <cfset session.auth.UserRoleID  = "">
      <cfset session.auth.lastError  = "">
  </cffunction>
  
  <cffunction name="onSessionStart" returntype="void">
      <!--- define all session variables, so they will always exist ---->
      <cfset clearSessionVariables()>
  </cffunction>
  

<!--- function: onRequestStart ---> 

<cffunction name="onRequestStart">
<cfargument type="String" name="targetPage" required="true" /> 

    <!--- All these folders/top level files require a login, specific roles are addressed below ---->  
    <cfset var securefolders = "admin,manage">  
    <cfset var currentFolder = listFirst(cgi.script_name,"/")> <!--- the user's current location ---->  

    <cfif isDefined("form.userEmail") and isDefined("form.userPassword") and isDefined("form.doLogin")>
        <cfif NOT checkLogin(form.userEmail, form.userPassword)> 
           <cfinclude template="LoginForm.cfm"> <!--- login failed, so show login form ----> 
           <cfreturn false>  
        </cfif> 
    </cfif> 
 
<cftry>

     <cfif listFindNoCase(secureFolders, currentFolder)>  <!---- are we in a secure area? --->  
       <cfif session.auth.isLoggedIn is False> <!--- This is a secure area, if the user is not logged in, go to login page ---->  
           <cfinclude template="LoginForm.cfm">
            <cfthrow message="Please log in with proper credentials to access this area.">
           <cfabort>  
       <cfelse> <!--- the user is logged in, then check roles ---->  
           <cfswitch expression="#currentFolder#">  
              <cfcase value="admin">  
                  <cfif listFind("1",session.auth.UserRoleID) eq 0> <!---- role 1 has access to admin --->  
                      <cfinclude template="LoginError.cfm">
                      <cfabort>  
                  </cfif>  
              </cfcase>  
              <cfcase value="manage">  
                  <cfif listFind("1,7",session.auth.UserRoleID) eq 0>  <!---- roles 1, 7 have access to manage --->  
                      <cfinclude template="LoginError.cfm">
                      <cfabort>  
                  </cfif>  
              </cfcase>  
              <cfdefaultcase> <!---- all other secure folders ---->  
              </cfdefaultcase>  
           </cfswitch>  
       </cfif> <!---- end if user is logged in or not ---->  
    </cfif>  <!---- end if user is in a secure area or not ---->  
         
      <cfcatch>
      <cfset clearSessionVariables()>
      <cfset SESSION.auth.lastError  = cfcatch.message>
      <cfreturn false>
  </cfcatch>
  </cftry>
    
<cfinclude template="blockFunctions.cfm"> <!--- include some database protections ---> 

   </cffunction>
  <!--- close function: onRequestStart --->
 
 <cfif isDefined("form.doLogin")> <!--- begin cfif isDefined("form.doLogin") --->

<!--- begin function checkLogin --->
<cffunction name="checkLogin">

  <cfargument name="p_UserEmail" required=false default="" />
  <cfargument name="p_password" required=false default="" />

  <cfset var UserPassword = trim(arguments.p_password)>
  <cfset var UserEmail = trim(arguments.p_UserEmail)>
  <cfset var getUser = "">

  <cftry>
      <cfif len(UserPassword) eq 0 or len(UserEmail) eq 0>
         <cfthrow message="Please enter UserEmail and password">
      </cfif> 
    
<cfquery name="getUser" datasource="ruralvolunteer">
	SELECT UserID, FirstName, UserRoleID, UserEmail, UserPassword
	FROM ruralUsers
	WHERE UserEmail = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.UserEmail#" maxlength="255"> 
</cfquery>
      <cfif getuser.recordCount eq 0>
        <cfthrow message="Incorrect email address and/or password. Be sure to enter the correct email address with which you registered.">
      <cfelseif getUser.UserPassword is not UserPassword>
        <cfthrow message="Invalid Password.">
       </cfif>
    
      <cfset clearSessionVariables()>
      <cfset SESSION.auth.isLoggedIn = "Yes">
      <cfset SESSION.auth.FirstName  = getUser.firstName>
      <cfset SESSION.auth.UserRoleID = getUser.UserRoleID>
      <cfset SESSION.auth.UserEmail  = getUser.UserEmail>
      <cfset SESSION.auth.lastError  = "">
      
<cflocation url="/admin/managePages.cfm"> <!--- Now that user is logged in, send her or him to web root --->

      <cfreturn true>

  <cfcatch>
      <cfset clearSessionVariables()>
      <cfset SESSION.auth.lastError  = cfcatch.message>
      <cfreturn false>
  </cfcatch>
  </cftry>
    
</cffunction><!--- close function checkLogin --->
</cfif><!--- close cfif isDefined("form.doLogin") --->

</cfcomponent>

p.s. I am making progress with this. For one thing, I learned that, on a linux host, the file must be named Application.cfc, not application.cfc. =) I will keep you posted as I make progress. Thank you again for your help.

Dear friends, this is working now. The solutions:

  1. Change application.cfc to Application.cfc.

  2. Clean up code a little.

This was a great opportunity to learn a lot about Lucee; review some CFML basics; and tidy up code in an application.

Thank you all again for your patient help. I gave you some credit in the template development comments at the top. =)

Wishing you all a really great day.

Eric

@Eric_Bourland Glad to hear you have it fixed, I was just about to take another look for you :)


@Eric_Bourland Also glad you got it figured out! Sorry I fell off the map on this one, but got bogged down in client work this weekend. Thanks @andrew as well for picking up where I left off!


Denny, a fellow on Facebook reminded me that Linux is case-sensitive. =) After I changed application.cfc to Application.cfc, suddenly things began to make sense. Thank you again for your help. Hope you are great. Eric
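
Added example, not code from the thread or from any project mentioned in it: one way to lay out Application.cfc so that it applies Denny's suggestions (checkLogin() defined unconditionally, session writes under an exclusive lock) together with Eric's fix (the file name with a capital "A"). The constructed demo user, findUser(), resetAuth(), folderRoles and request.authGateRan are assumptions made for illustration; LoginForm.cfm, LoginError.cfm and /admin/managePages.cfm are the names used in the thread.

```cfml
<!--- Filename: Application.cfc (capital "A"; the thread found application.cfc is not used on Linux) --->
<!--- Added example. The demo user is constructed and stands in for the ruralUsers query. --->
<cfcomponent output="false">

  <cfset this.name = "LoginGateExample">
  <cfset this.sessionManagement = true>
  <cfset this.sessionTimeout = createTimeSpan(0,0,30,0)>

  <!--- Hypothetical map: first path segment -> role IDs allowed to enter it --->
  <cfset variables.folderRoles = { "admin" = "1,3" }>

  <cffunction name="onSessionStart" returntype="void" output="false">
    <cfset resetAuth()>
  </cffunction>

  <!--- Every write to session.auth happens inside an exclusive session lock --->
  <cffunction name="resetAuth" returntype="void" output="false" access="private">
    <cfargument name="lastError" type="string" default="">
    <cflock scope="session" type="exclusive" timeout="5">
      <cfset session.auth = { isLoggedIn = false, UserEmail = "", UserRoleID = "",
                              lastError = arguments.lastError }>
    </cflock>
  </cffunction>

  <!--- Constructed record; SHA-256 only keeps the demo dependency-free,
        a deployment would store a slow password hash (assumption) --->
  <cffunction name="findUser" returntype="struct" output="false" access="private">
    <cfargument name="email" type="string" required="true">
    <cfset var salt = "constructed-salt">
    <cfset var users = { "admin@example.test" = { UserRoleID = 1, salt = salt,
                         pwHash = hash(salt & "constructed-password", "SHA-256") } }>
    <cfif structKeyExists(users, arguments.email)>
      <cfreturn users[arguments.email]>
    </cfif>
    <cfreturn {}>
  </cffunction>

  <!--- Defined at component level, never inside a cfif --->
  <cffunction name="checkLogin" returntype="boolean" output="false" access="private">
    <cfargument name="email" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <cfset var user = findUser(trim(arguments.email))>
    <!--- Same message for unknown user and wrong password --->
    <cfif structIsEmpty(user)
          or compare(hash(user.salt & arguments.password, "SHA-256"), user.pwHash) neq 0>
      <cfset resetAuth("Incorrect email address and/or password.")>
      <cfreturn false>
    </cfif>
    <cfset sessionRotate()> <!--- issue a new session ID once the login succeeds --->
    <cflock scope="session" type="exclusive" timeout="5">
      <cfset session.auth = { isLoggedIn = true, UserEmail = trim(arguments.email),
                              UserRoleID = user.UserRoleID, lastError = "" }>
    </cflock>
    <cfreturn true>
  </cffunction>

  <cffunction name="onRequestStart" returntype="boolean" output="true">
    <cfargument name="targetPage" type="string" required="true">
    <cfset var folder = listFirst(cgi.script_name, "/")>
    <cfset request.authGateRan = true> <!--- marker that this gate executed --->

    <cfif structKeyExists(form, "doLogin")>
      <cfparam name="form.UserEmail" default="">
      <cfparam name="form.UserPassword" default="">
      <cfif checkLogin(form.UserEmail, form.UserPassword)>
        <cflocation url="/admin/managePages.cfm" addtoken="false">
      </cfif>
    </cfif>

    <cfif structKeyExists(variables.folderRoles, folder)>
      <!--- Fail closed: a missing session.auth counts as not logged in --->
      <cfif not structKeyExists(session, "auth") or not session.auth.isLoggedIn>
        <cfinclude template="LoginForm.cfm">
        <cfreturn false> <!--- the requested page is not processed --->
      </cfif>
      <cfif listFind(variables.folderRoles[folder], session.auth.UserRoleID) eq 0>
        <cfheader statuscode="403" statustext="Forbidden">
        <cfinclude template="LoginError.cfm">
        <cfreturn false>
      </cfif>
    </cfif>
    <cfreturn true>
  </cffunction>
</cfcomponent>
```

A template under /admin/ can refuse to render unless request.authGateRan exists, so a gate that never loaded fails closed instead of leaving the directory unprotected.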