Question

ColdFusion Authentication Cache Problem After Browser Closes

Asked by: sphay

I'm having this problem with my browser caching login information, even after the browser is closed and reopened.  I have checked the box to use J2EE sessions (a setting in CF Admin) so I thought that should take care of the problem, but it has not.  Also, I've waited until the session timeout period is over inside the CFAPPLICATION tag (5 minutes) (with all browsers closed) and it is still cached. It does lose it when the session timeout period is over from CF ADMIN (20 min).  However, I thought the sessiontimeout period in the tag overrides the timeout period in ColdFusion Administrator?   Please help!

Scenario:  I am authenticating users using their Oracle username and password.  I also have a form that allows them to change their password.  I am able to successfully change my password.  I close my browser.  Then I try to log in and I am able to use my username and BOTH passwords work (original and new).  Where is this being cached?  If you look at my logout code below, you'll see I've tried to delete every session variable.

Please be kind, I've tried many suggestions and can't get it to work.

ColdFusion MX (using standalone on pc for development right now, will move to CFMX on IIS in a couple months)
Windows 2000
Internet Explorer 6

I have tried to use the CFLOGIN framework but that doesn't work either.  

The four primary pages are listed here.  Note: all code is attached for each page.

1.  application.cfm
2.  loginform.cfm
3.  logincheck.cfm
4.  logout.cfm

application.cfm
_______________________________________________________

<!--- Set application to no-cache allowed --->
<cfheader name="Expires" value="-1">
<cfheader name="Pragma" value="no-cache">
<cfheader name="cache-control" value="no-cache, no-store, must-revalidate">

<!--- Name the application, enable application variables --->
<CFAPPLICATION Name="Main"
      applicationtimeout="#createtimespan(0,0,5,0)#"
      sessiontimeout="#createtimespan(0,0,5,0)#"
      clientmanagement="no"
      sessionmanagement="yes"
      setclientcookies="yes">
      
<cfsetting showDebugOutput="Yes">
<cfset Main_DataSource = "prod" >

<cfif not isdefined("session.auth.isloggedin")>
<cfif isdefined("form.userlogin")>
<cfinclude template="logincheck.cfm">
</cfif>
<cfinclude template="loginform.cfm">
<cfabort>
</cfif>
__________________________________________________
loginform.cfm:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Login Form</title>
</head>

<!--- Place cursor in "User Name" field when page loads --->
<body onLoad="document.UserLoginForm.UserLogin.focus();">
<h1>Login form</h1>
<!--- Start Login Form --->
<cfform action="#CGI.SCRIPT_NAME#" name="UserLoginForm" method="post">
<!--- make the username and password fields required --->
<p>
  <input type="hidden" name="UserLogin_required">
  <input type="hidden" name="UserPassword_required">
 
</p>
<p>Please enter your username and password to access your account. </p>
<table width="600" border="0">
  <tr>
    <td width="328" height="146"><table width="100%" border="0" background="../../gifs/loginbox.gif">
        <tr>
          <td height="142" valign="top"><br>
            <table width="283" border="0">
              <tr>
                <td width="119"><div align="right">User Name</div></td>
                <td width="154"><cfinput
      type="text"
      name="UserLogin"
      value=""
      maxlength="100"
      required="Yes"
      message="Please type your username first"></td>
              </tr>
              <tr>
                <td><div align="right">Password</div></td>
                <td><cfinput
      type="Password"
      name="UserPassword"
      value=""
      maxlength="100"
      required="Yes"
      message="Please type your password"></td>
              </tr>
          </table>
            <div align="center"><br>
                <input type="submit" value="Log In">
            </div></td>
        </tr>
    </table></td>
    <td width="262" valign="top"><br>
      <ul><li>forgot your password?</li>
      <li>new account</li>
      </ul></td></tr>
</table>
<p>&nbsp;</p>
</cfform>
</body>
</html>
________________________________________________
Logincheck.cfm:

<!--- <cfparam name="form.userlogin" type="string">
<cfparam name="form.userpassword" type="string">--->

<cfquery name="GetUser" datasource="#Main_Datasource#" username="#Form.userlogin#" password="#Form.userpassword#">
Select sysdate
From dual
</cfquery>

<!--- If the GetUser query is processed, Oracle username and password are correct --->
<CFIF GetUser.RecordCount EQ 1>

<cfquery name="EnableRoles" datasource="#Main_Datasource#" username="#Form.UserLogin#" password="#Form.UserPassword#">
Set Role All
</cfquery>

<cfquery name="GetUserRoles" datasource="#Main_Datasource#" username="#Form.UserLogin#" password="#Form.UserPassword#">
Select Granted_Role
From USER_ROLE_PRIVS
</cfquery>

<!--- Retrieve employee id number that matches to user login name, used to set emp_id session variable below --->
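<!--- The login name is bound as a query parameter rather than interpolated into the SQL text --->
<cfquery name="GetUserID" datasource="#Main_Datasource#" username="#Form.UserLogin#" password="#Form.UserPassword#">
Select userid, emp_id, system_id
From employee_accounts
Where system_id = 'ORACLE' AND
userid = <cfqueryparam value="#UCase(Form.UserLogin)#" cfsqltype="cf_sql_varchar">
</cfquery>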

<!--- Consider the user "logged in" --->
<cflock scope="session" type="Exclusive" timeout="20">
<cfset session.auth = structnew()>
<cfset session.auth.isloggedin = "yes">
<cfset session.auth.userlogin = "#GetUserID.userid#">
<cfset session.auth.userpassword = "#Form.UserPassword#">
<cfset session.auth.emp_id = "#GetUserID.emp_id#">
<cfset session.auth.roles = "#ValueList(GetUserRoles.Granted_Role)#">
<cfset session.auth.cfid = "#Cookie.CFID#">
<cfset session.auth.cftoken = "#Cookie.CFTOKEN#">
</cflock>

<cflocation url="#cgi.SCRIPT_NAME#">

</cfif>
_________________________________________________
Logout.cfm:

<!--- Disable roles for current session only--->

<cfquery name="DisableRoles" datasource="#Main_Datasource#" username="#Session.auth.UserLogin#" password="#Session.auth.UserPassword#">
Set Role None
</cfquery>

<cflogout>
<cfif IsDefined("COOKIE.CFAUTHORIZATION_Main")>
<CFCOOKIE name="CFAUTHORIZATION_Main" EXPIRES="NOW">
</cfif>
<cfif IsDefined("COOKIE.CFID")>
<CFCOOKIE name="CFID" EXPIRES="NOW">
</cfif>
<cfif IsDefined("COOKIE.CFTOKEN")>
<CFCOOKIE name="CFTOKEN" EXPIRES="NOW">
</cfif>

<cfset session.auth.UserLogin = "">
<cfset session.auth.UserPassword = "">

<!--- Terminate the user's session by deleting all session variables --->

<cflock timeout=20 scope="Session" type="Exclusive">
      <CFSCRIPT>StructClear(Session.Auth);</CFSCRIPT>
      <cfset StructDelete(session.auth, "isloggedin")>
      <cfset StructDelete(session.auth, "CFID")>
      <cfset StructDelete(session.auth, "CFTOKEN")>
      <cfset StructDelete(session.auth, "UserLogin")>
      <cfset StructDelete(session.auth, "UserPassword")>
      <cfset StructDelete(session.auth, "emp_id")>
      <cfset StructDelete(session, "CFID")>
      <cfset StructDelete(session, "CFTOKEN")>
      <cfset StructDelete(session, "URLToken")>
      <cfset StructDelete(session, "SessionID")>
</cflock>

<CFAPPLICATION Name="AIS_Main"
      applicationtimeout="#createtimespan(0,0,0,0)#"
      sessiontimeout="#createtimespan(0,0,0,0)#"
      clientmanagement="no"
      sessionmanagement="yes"
      setclientcookies="yes">
      
<cflocation url="/test/index.htm">

___________________________________________________




This question has been solved and asker verified.

Asked on: 2004-10-15 at 08:16:50, ID: 21169944
Tags: coldfusion
Topics: ColdFusion Application Server, ColdFusion Studio

Answers

 

by: pinaldave, posted on 2004-10-15 at 13:37:35, ID: 12323510

Hi sphay,

    Try this; this is from my application.cfc and it will help you, as this is working successfully.

        <cfset StructClear(application)>
        <cfset StructDelete(application, "yoursession")>
        <cfset StructClear(session)>
        <cfset session.cfid = cfid>
        <cfset session.cftoken = cftoken>
        <cfset session.urltoken = "cfid=#session.cfid#&cftoken=#session.cftoken#">
   


Regards,
---Pinal

 

by: sphay, posted on 2004-10-18 at 12:41:20, ID: 12341412

Pinal,

The .cfc is new to me - Will I need to create a lot more than what you're showing here?  So, my application.cfm isn't going to work the way I have it now?

sphay

 

by: pinaldave, posted on 2004-10-18 at 12:48:12, ID: 12341468

Please ignore the word CFC; that has nothing to do with this.
I am sorry if I am ambiguous.
Just use the structclear and structdelete like I did; they should work. That is what I mean.

 

by: sphay, posted on 2004-10-18 at 13:06:02, ID: 12341629

Can you suggest where to specifically put the structclear and  structdelete?  If you look at the bottom of the first message, under the logout.cfm code, you can see that I've tried to clear and delete all structures.  Still doesn't seem to work.  I thought that was the place to put it.

 

by: hart, posted on 2004-10-19 at 00:19:00, ID: 12345164

Your being able to use both the passwords indicates that it's not a session or cookie deletion hassle.

Now, in some projects where people use LDAP for authentication, the change of password gets updated only after 40 min or so.
Till then both new and old can be used...

Now I don't know if there are any issues like that in Oracle... From your code I can see that you are creating Oracle DB users rather than creating users in a table...

Regards
Hart


 

by: sphay, posted on 2004-10-19 at 12:40:46, ID: 12351199

I don't believe this is the case with Oracle.  Immediately following the password change, I test with SQLPlus and am only allowed to use the "new" password.  I've been working on this all day and caching is still a problem.

 

by: pinaldave, posted on 2004-11-03 at 20:45:58, ID: 12490097

Please put this in application.CFM

        <cfset StructClear(application)>
        <cfset StructClear(session)>

This should do the job.
       

 

by: sphay, posted on 2004-11-04 at 05:11:44, ID: 12493115

I've actually found the solution to this, thanks to http://www.orafusion.com.  In case anyone else comes across this problem, it happened to be caused by a setting in the ColdFusion Administrator.  Uncheck the 'Maintain Connections' box.
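
An added example, not part of the original thread: a small Python model of why the old password kept working while 'Maintain Connections' was checked. All class and function names are hypothetical, and it assumes that kept-open connections are looked up by the username and password passed to the query and that a password change does not close sessions that are already open.

```python
"""Toy model (constructed) of a datasource that keeps per-user connections open."""

class AuthError(Exception):
    pass

class Session:
    def __init__(self, user):
        self.user = user

    def query(self, sql):
        return f"{sql} as {self.user}"

class Database:
    """Stand-in for the database server: the password is checked only at connect time."""
    def __init__(self, users):
        self.users = dict(users)              # username -> current password

    def connect(self, user, password):
        if self.users.get(user) != password:
            raise AuthError("invalid username/password")
        return Session(user)                  # remains usable after a later password change

    def change_password(self, user, new_password):
        self.users[user] = new_password       # sessions already open are left alone

class Datasource:
    """Assumed pool behaviour: open sessions are kept and keyed by (user, password)."""
    def __init__(self, db, maintain_connections):
        self.db = db
        self.maintain_connections = maintain_connections
        self._pool = {}

    def login_check(self, user, password):
        """Same idea as logincheck.cfm: the login succeeds if a query can be run."""
        key = (user, password)
        session = self._pool.get(key) if self.maintain_connections else None
        if session is None:
            try:
                session = self.db.connect(user, password)   # real credential check
            except AuthError:
                return False
            if self.maintain_connections:
                self._pool[key] = session
        session.query("select sysdate from dual")           # pooled hit skips the check
        return True

def replay(maintain_connections):
    """Log in, change the password, then try the old, the new and a wrong password."""
    db = Database({"SCOTT": "old-pw"})        # constructed sample account
    ds = Datasource(db, maintain_connections)
    assert ds.login_check("SCOTT", "old-pw")
    db.change_password("SCOTT", "new-pw")
    return {pw: ds.login_check("SCOTT", pw) for pw in ("old-pw", "new-pw", "bad-pw")}
```

With connections maintained, the old password is accepted because the login test runs on a session opened before the change; with the setting off, every login opens a fresh connection and only the new password passes.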

 

by: ee_ai_construct, posted on 2004-11-08 at 12:51:39, ID: 12527334

Question answered by asker or dialog valuable.
Closed, 500 points refunded.
ee_ai_construct (replacement part #xm34)
Community Support Admin
