Building a User‑Friendly Remember‑Me Feature
When visitors log into a ColdFusion‑based website, the experience can be made smoother by letting them choose to stay logged in between visits. The trick behind that convenience is a browser cookie that remembers the user’s credentials or a session key. Cookies are simple key/value pairs that the browser stores locally. Think of them as a small storage box in the user’s computer. When the site is revisited, the box is opened and the values inside are retrieved, allowing the site to identify the user without forcing them to type their username and password again. ColdFusion makes it easy to work with cookies. To create a cookie you assign a value tocfset cookie. = value inside a <cfset> block. The framework automatically writes a Set‑Cookie header to the browser, and on subsequent requests the same cookie is sent back as part of the cfCookie scope. Reading a cookie is just a matter of accessing cfCookie.. The syntax is straightforward, but there are several options that give you control over how long the cookie lives, where it can be read, and whether it’s secure.
One of the most important options is expires. The value you give it determines how long the cookie should stay in the browser. If you set it to a future date, the cookie will remain until that date is reached. If you set it to never, the cookie will never expire as long as the user doesn’t manually delete it. For a “Remember me” feature you typically want the cookie to persist across sessions, so you’ll set expires="never". However, for other cases you might choose a more restrictive time frame.
Another option is httpOnly. When true, the cookie cannot be accessed by client‑side scripts, reducing the risk of cross‑site scripting attacks. Setting httpOnly="true" is a best practice for any cookie that contains sensitive data, like a password or a session identifier.
You can also add path and domain attributes. path limits the cookie to a specific URL path on your domain, while domain allows the cookie to be shared across subdomains. For a simple “Remember me” checkbox you usually don’t need to tweak these, but keep them in mind if you are building a larger application that spans several subdomains.
Below is a concise example of creating a cookie in ColdFusion that stores a username and a flag indicating whether the user wants to be remembered. Notice how the code is wrapped in a <cfif> block that checks whether the user checked the checkbox:
<cfif form.rememberMe>
<cfset cookie.username = form.username</p>
<p>
expires = "never"</p>
<p>
httpOnly = "true"</p>
<p>
path = "/">
</cfif>
<cfif structKeyExists(cookie, "username')>
value attribute of the username input field is automatically filled. Users who have previously opted to stay logged in will see their username pre‑entered, making the login process feel almost instantaneous.
While the code above focuses on the username, many developers store a session ID or a hashed token instead of a plain password. Storing a password in a cookie, even if it’s hashed, is risky. If an attacker gains access to the cookie, they could impersonate the user. The safest approach is to generate a random token when the user checks “Remember me”, store that token in a server‑side database along with the user’s ID, and then set a cookie that holds only the token. On each request you verify the token against the database and, if it matches, you log the user in automatically. This technique adds a layer of security while still delivering a smooth experience.
The “Remember me” feature not only saves time but also encourages repeat visits. By keeping users logged in, you reduce friction and the likelihood that they’ll abandon the site after a single session. Implementing it with ColdFusion’s built‑in cookie handling is a breeze, and the approach scales well from small blogs to large enterprise applications.
Managing Login and Cookie Persistence
Once the groundwork for cookie creation and retrieval is set, the next step is to weave it into the login workflow. The core of this workflow lives in two files:login.cfm, which presents the form to the user, and login_process.cfm, which authenticates the credentials and decides whether to create or clear the cookie.
At the very top of login.cfm you should check whether the user’s browser already holds a cookie that signals an existing session. If the cookie exists, you can skip the form entirely or pre‑populate it, as shown earlier. If the cookie contains a token, you’ll validate it against your database. A quick lookup ensures the token is still valid and associated with an active user account. If the validation succeeds, you can set a server‑side session and redirect the visitor to the protected area of the site immediately.
Here is an illustrative snippet that demonstrates how to perform the pre‑authentication check:
<cfif structKeyExists(cookie, "authToken')>
<cfquery name="qToken" datasource="myDSN'>
SELECT userId, isActive</p>
<p>
FROM UserTokens</p>
<p>
WHERE token =
<cfif qToken.recordCount EQ 1 AND qToken.isActive>
<cfset session.userId = qToken.userId>
rememberMe. When the user submits the form, login_process.cfm receives the data and performs authentication against your user table.
Once the credentials are verified, you create a server‑side session and optionally issue a new token that will be stored as a cookie. The token is a random string of sufficient length (at least 32 characters) to prevent brute‑force guessing. After generating the token, you insert it into the UserTokens table together with the user’s ID, an expiration timestamp, and a flag indicating whether the token is still active.
Below is a compact example of the login processing logic:
<cfif structKeyExists(form, "username") AND structKeyExists(form, "password')>
<cfquery name="qAuth" datasource="myDSN'>
SELECT userId, passwordHash</p>
<p>
FROM Users</p>
<p>
WHERE username =
<cfif qAuth.recordCount EQ 1>
<cfif validatePassword(form.password, qAuth.passwordHash)>
<cfset session.userId = qAuth.userId>
<cfif structKeyExists(form, "rememberMe") AND form.rememberMe EQ "yes'>
<cfset token = generateUUID()>
<cfquery datasource="myDSN'>
INSERT INTO UserTokens (token, userId, createdOn, expiresOn, isActive)</p>
<p>
VALUES (</p><cfqueryparam value="#token#" cfsqltype="cf_sql_varchar'>,</p></p><cfqueryparam value="#qAuth.userId#" cfsqltype="cf_sql_integer'>,</p></p><cfqueryparam value="#now()#" cfsqltype="cf_sql_timestamp'>,</p></p><cfqueryparam value="#dateAdd('d', 365, now())#" cfsqltype="cf_sql_timestamp'>,</p></p><cfqueryparam value="1" cfsqltype="cf_sql_bit'>
)</p></p></cfquery>
<cfset cookie.authToken = token</p>
<p>
expires = "never"</p>
<p>
httpOnly = "true"</p>
<p>
path = "/">
</cfif>
<cflocation url="dashboard.cfm" addtoken="no'>
<cfelse>
<cfelse>
validatePassword function, which should compare the submitted password against the stored hash using a secure algorithm such as PBKDF2, bcrypt, or Argon2. Never store plain text passwords.
If the user does not check the “Remember me” box, the code simply sets the server‑side session and does not create or store a cookie. As soon as the browser is closed, the session is cleared and the next visit will prompt the user for credentials again.
For users who have chosen to be remembered, the cookie is present on every subsequent request. The pre‑authentication check in login.cfm reads the cookie, verifies the token, and logs the user in automatically. If the token is found to be expired or invalid, the cookie is deleted and the user is taken back to the login form.
A clean implementation of the “Remember me” feature in ColdFusion combines the simplicity of cookie handling with the robustness of token‑based authentication. By using a server‑side token that is verified on each request, you keep the user’s experience frictionless while protecting sensitive data. The same code can be adapted for mobile web apps, single‑page applications, or any other context where persistent login is desired.
For more resources on ColdFusion development, visit Colony One On‑Line 
No comments yet. Be the first to comment!