Monday, August 07, 2006

cflogin strangeness

I had an issue about a month ago with cflogin on a site where the cflogin structure (the authentication state ColdFusion keeps for a logged-in user) was outliving the session. After the session died, I wanted the user to be logged out as well, so they would land back on the login screen and re-establish the session.

The answer seemed to be to set the loginstorage attribute of the cfapplication tag to "session", so that the authentication credentials live in the session scope and disappear whenever the session times out. It seemed to work great.

Except for one thing. Because I'm using J2EE sessions, the session is identified by a non-persistent JSESSIONID cookie, so closing the last browser window discards it and the next visit starts a fresh session. That works as expected. The problem is that unless a cflogout was executed before the last browser window was closed, the authentication credentials seem to survive.

The next time the user opens the application, no cflogin structure is detected, so the application shows the login screen (as expected). But when the user submits credentials, they appear to be authenticated without any of the code inside the cflogin block executing. Very strange.
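One way to make sure the cflogin body always runs for a fresh credential submission, as an added example that is not code from the original post or from the fix linked in the comments: call cflogout on any request that carries login form fields, so no stale authentication state survives into the cflogin block. cflogin only executes its body when no user is currently logged in, which is exactly why leftover state from a browser closed without cflogout causes the block to be skipped. The form field names j_username and j_password are the ones cflogin reads by default; the cmsSecurity component, its authenticateUser method (assumed to return a role list on success and an empty string on failure) and the /login/form.cfm template are hypothetical.

```cfml
<!--- Application.cfc (added example, not the original post's code).
      Authentication state is kept server-side (loginstorage="session") so that
      it dies with the session instead of living in a CFAUTHORIZATION cookie. --->
<cfcomponent output="false">
    <cfset this.name = "loginExample">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 15, 0)>
    <cfset this.loginStorage = "session">

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- explicit logout link --->
        <cfif structKeyExists(url, "logout")>
            <cflogout>
        </cfif>

        <!--- A fresh credential submission must always be evaluated. cflogin only
              runs its body when no user is logged in, so stale state left over from
              a browser that was closed without cflogout would otherwise skip it.
              j_username / j_password are the field names cflogin reads by default. --->
        <cfif structKeyExists(form, "j_username") and structKeyExists(form, "j_password")>
            <cflogout>
        </cfif>

        <cflogin idletimeout="900">
            <cfif not isDefined("cflogin")>
                <!--- no credentials on this request: show the form and stop --->
                <cfinclude template="/login/form.cfm">
                <cfabort>
            </cfif>

            <!--- cmsSecurity / authenticateUser are assumed (hypothetical); they
                  return the user's roles as a list on success, "" on failure --->
            <cfset local.auth = createObject("component", "cmsSecurity")>
            <cfset local.roles = local.auth.authenticateUser(cflogin.name, cflogin.password)>

            <cfif len(local.roles)>
                <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#local.roles#">
            <cfelse>
                <cfset request.loginMessage = "Invalid username or password.">
                <cfinclude template="/login/form.cfm">
                <cfabort>
            </cfif>
        </cflogin>

        <!--- belt and braces: never serve a page to a request that is not logged in --->
        <cfif not isUserLoggedIn()>
            <cfabort>
        </cfif>
        <cfreturn true>
    </cffunction>

    <cffunction name="onSessionEnd" output="false">
        <cfargument name="sessionScope" required="true">
        <cfargument name="applicationScope" required="true">
        <!--- the session scope is not directly addressable here; clear it via the argument --->
        <cfset structClear(arguments.sessionScope)>
    </cffunction>
</cfcomponent>
```

The cflogout before cflogin is the whole point of the example: it runs in the same request as the login, so the block is guaranteed to see no logged-in user and to run its body, whatever was left behind by a previous browser session. Keeping loginstorage="session" also means the credentials never leave the server, which the default cookie storage does not guarantee. To confirm the behaviour, enable debugging and check that session.cfauthorization is present after login and gone after onSessionEnd fires.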

9 comments:

  1. Hi Mike
    Have exactly the same issue. I have the cflogin context in my Application.cfc with loginstorage set to session.

    If a user closes their browser without logging out (which would call cflogout), when they establish a new session they are thrown to the login page. After entering username and password, they are logged in again but it totally bypasses the cflogin context. Hence any other session variables I set within the cflogin tags are not established.

    If you turn on debugging, after the login is established, you will see the cfauthorization variable under session variables.

    I have attached my Application.cfc for you below (without tags enclosed because of the limitations of this blog). The authenticateUser method of the cmsSecurity component validates the login credentials and returns an array of user parameters (including names, roles etc.)

    If you have found a workaround to this issue since your post, please let me know.

    John Uebel

    Application.cfc
    <cfcomponent>
    <cfscript>
    this.name = "imraptAdmin";
    this.applicationTimeout = createTimeSpan(1,0,0,0);
    this.clientmanagement = "no";
    this.loginstorage = "session";
    this.sessionmanagement = "yes";
    this.sessiontimeout = createTimeSpan(0,0,15,0);
    this.setClientCookies = "no";
    this.setDomainCookies = "no";
    this.scriptProtect = "all";
    </cfscript>

    <cffunction name="onRequestStart">
    <cfargument name="requestname" required="true">
    <cfscript>
    request.dsn = "RaptDEV";
    request.webroot = "/imraptAdmin";
    </cfscript>
    <cfif isDefined("url.logout")>
    <cflogout>
    </cfif>
    <cflogin idletimeout="900">
    <!--- the cflogin struct only exists when credentials were submitted --->
    <cfif not isDefined("cflogin")>
    <cfinclude template="#request.webroot#/login/admin.cfm">
    <cfabort>
    <cfelse>
    <cfscript>
    auth = createObject("component", "cmsSecurity");
    userdetail = auth.authenticateUser(username=cflogin.name, password=cflogin.password);
    </cfscript>
    <cfif not arrayIsEmpty(userdetail)>
    <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#userdetail[5]#">
    <cfelse>
    <cfset loginmessage = "Invalid Username and/or Password. Please re-enter.">
    <cfinclude template="#request.webroot#/login/admin.cfm">
    <cfabort>
    </cfif>
    </cfif>
    </cflogin>
    <cfinclude template="parameters.cfm">
    </cffunction>

    <cffunction name="onRequestEnd">
    <cfargument name="requestname" required="true">
    </cffunction>

    <cffunction name="onSessionEnd">
    <cfargument name="sessionScope" required="true">
    <cfargument name="applicationScope" required="true">
    <!--- the session scope cannot be addressed directly in onSessionEnd; clearing it
          through the argument also removes session.cfauthorization (loginstorage="session") --->
    <cfset structClear(arguments.sessionScope)>
    </cffunction>
    </cfcomponent>

  2. Have you observed this issue with version 8?

    Thank you

    Ron Jewell

  3. hmmmm. same problem here...

  4. Same problem... No solution???

  5. I seem to be running into the same problem. I'm running the latest CF 8.0.1. Has anybody found a solution or workaround?

  6. I've also got the same issue with the latest version of CF. This is an existing app that's been in place since 2006; the problems started a couple of months ago. If anyone does have a fix, please yell!

  7. For those who have this problem, this is the fix that worked for me:

    http://www.petefreitag.com/item/735.cfm

  8. For those that have this problem, this is what worked for me:

    http://www.petefreitag.com/item/735.cfm

  9. I am so grateful that I have found this. I have been tearing my hair out for weeks trying to resolve this. I have put this fix in place and am keeping my fingers crossed that all is now well.
