Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

CFLOGIN Cache Problem with User Roles

Posted on 2004-09-30
8
Medium Priority
?
539 Views
Last Modified: 2013-12-24
I've built a login framework using CFLOGIN.  I'm having a problem (as are many people I've seen) where even though the user has logged out <CFLOGOUT>, they're roles seem to be cached the next time even though they're prompted to log back in.  I've been researching this for 3 days and have tried every combination.  Could someone look at my cfapplication tag and logout.cfm code and give me feedback?  I think I'm confident in what is in the CFLOGIN, pretty basic, and I didn't want to take up too much space by entering everything here but if you need more information please let me know.

How do you test what information is cached in HTTP Header?
Is it true that CFLOGOUT only clears what is entered in CFLOGINUSER?  

cfapplication.cfm

<!--- used 2 minutes here for testing purposes only --->

<CFAPPLICATION Name="xxx"
      applicationtimeout="#createtimespan(0,0,2,0)#"
      sessiontimeout="#createtimespan(0,0,2,0)#"
      sessionmanagement="yes"
      clientmanagement="yes"
      setclientcookies="yes"
      Clientstorage="Cookie">

<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
    <cfset localCFID=Cookie.CFID>
    <cfset localCFTOKEN=Cookie.CFTOKEN>
    <cfcookie name="CFID" value="#localCFID#">
    <cfcookie name="CFTOKEN" value="#localCFTOKEN#">
</cfif>

logout.cfm

<cflock timeout=20 scope="Session" type="Exclusive">
      <cfset structclear(cookie)>
                <cfset session.isloggedin = "no">
      <cfset StructDelete(session, "CFID")>
      <cfset StructDelete(session, "CFTOKEN")>
      <cfset StructDelete(session, "URLToken")>
      <cfset StructDelete(session, "SessionID")>
      <cfset StructDelete(session, "UserLogin")>
      <cfset StructDelete(session, "UserPassword")>
      <cfset StructDelete(session, "emp_id")>
</cflock>

<CFLOGOUT>

<cflocation url="index.cfm">

0
Comment
Question by:sphay
  • 4
  • 4
8 Comments
 
LVL 35

Expert Comment

by:mrichmon
ID: 12195178
One probelm.  Your file should be Application.cfm NOT cfapplication.cfm
0
 

Author Comment

by:sphay
ID: 12198997
thanks, it was a typo here only - just to show cfapplication tag
0
 
LVL 35

Expert Comment

by:mrichmon
ID: 12200776
And then what is the point of this code:

<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
    <cfset localCFID=Cookie.CFID>
    <cfset localCFTOKEN=Cookie.CFTOKEN>
    <cfcookie name="CFID" value="#localCFID#">
    <cfcookie name="CFTOKEN" value="#localCFTOKEN#">
</cfif>

Basically if both of the cookies are defined then you go ahead and copy to a local variable and then copy back to the same cookie...

Why not just use the cookies that you know exisst?

Also I do not see anywhere where you are using cflogin

Since that is where the problem is coming from where is that code?
0
Ask an Anonymous Question!

Don't feel intimidated by what you don't know. Ask your question anonymously. It's easy! Learn more and upgrade.

 

Author Comment

by:sphay
ID: 12202212

I apologize if it seems as if I haven’t provided enough information, I didn’t want to overload the page with code.  I thought that the cflogin was solid, however everything is now attached below.  1.  application.cfm, 2.  onrequestend.cfm, 3. logout.cfm

I deleted the cfcookie code in application.cfm.  Original idea was a last attempt at trying to delete cookies – if that was the problem behind user’s roles being cached.  

application.cfm:

<!--- DEFINE THE FOLLOWING VARIABLES WHEN SETTING UP THE APPLICATION:--->
<cfsetting showDebugOutput="Yes">
<cfset DataSource = "xxx">

<!--- Name the application, enable application variables --->
<CFAPPLICATION Name="Main"
      applicationtimeout="#createtimespan(0,0,2,0)#"
      sessiontimeout="#createtimespan(0,0,2,0)#"
      sessionmanagement="yes"
      clientmanagement="yes"
      setclientcookies="yes"
      Clientstorage="Cookie">

<cflogin idletimeout="120">

<CFIF NOT (IsDefined("Form.UserLogin") AND IsDefined("Form.UserPassword"))>
<cfinclude template="userloginform.cfm">
      <cflock timeout=20 scope="Session" type="Exclusive">
      <cfset session.isloggedin = "no">
      </cflock>
      <cfabort>
</cfif>

<cfquery name="GetUser" datasource="#xxx#" username="#Form.UserLogin#" password="#Form.UserPassword#">
Select sysdate
From dual
</cfquery>

<CFIF GetUser.RecordCount EQ 1>
<cflock scope="session" type="Exclusive" timeout="10">
<cfset session.isloggedin = "yes">
</cflock>

<!--- Enable roles for current user's session Only--->
<cfquery name="EnableRoles" datasource="#xxx#" username="#Form.UserLogin#" password="#Form.UserPassword#">
Set Role All
</cfquery>

<cfquery name="GetUserRoles" datasource="#xxx#" username="#Form.UserLogin#" password="#Form.UserPassword#">
Select Granted_Role
From USER_ROLE_PRIVS
</cfquery>

<!--- Retrieve employee id number --->
<cfquery name="GetUserID" datasource="#xxx#" username="#Form.UserLogin#" password="#Form.UserPassword#">
Select userid, emp_id, system_id
From accounts
Where userid = '#UCase(FORM.UserLogin)#'
</cfquery>

<!--- set session variables --->
<cflock scope="session" type="Exclusive" timeout="20">
<cfset session.UserLogin = Form.UserLogin>
<cfset session.UserPassword = Form.UserPassword>
<cfset session.emp_id = GetUserID.emp_id>
<cfset session.roles = ValueList(GetUserRoles.Granted_Role)>
</cflock>

<CFLOGINUSER name="#Session.UserLogin#,#Session.emp_id#" password="#Session.UserPassword#" roles="#Session.roles#">
 
<!--- Otherwise, re-prompt for a valid username and password --->
<CFELSE>
Sorry, the username and/or password is not recognized.  <cfoutput><A HREF="#CGI.SCRIPT_NAME#">Please try again</A></cfoutput>
<cfabort>
</CFIF>
</CFLOGIN>

<!--- end of application.cfm --->

Onrequestend.cfm

<cfoutput>
<cfif #session.isloggedin# IS "yes">
<p>You are currently logged in, <a href="logout.cfm">log out</a></p>
<cfelse>
<p>You are currently logged out, <a href="../index.cfm">log back in</a></p>
</cfif>
</cfoutput>

<!--- end of Onrequestend.cfm --->

Logout.cfm:

<cflock timeout=20 scope="Session" type="Exclusive">
      <cfset StructClear(Cookie)>
      <cfset session.isloggedin = "no">
      <cfset StructDelete(session, "CFID")>
      <cfset StructDelete(session, "CFTOKEN")>
      <cfset StructDelete(session, "URLToken")>
      <cfset StructDelete(session, "SessionID")>
      <cfset StructDelete(session, "UserLogin")>
      <cfset StructDelete(session, "UserPassword")>
      <cfset StructDelete(session, "emp_id")>
</cflock>

<CFLOGOUT>

<cflocation url="../index.cfm">

<!--- end of logout.cfm --->
0
 
LVL 35

Expert Comment

by:mrichmon
ID: 12202865
The cfloginuser needs to be enclosed in cflogin tags.

http://livedocs.macromedia.com/coldfusion/6/CFML_Reference/Tags-pt169.htm


Or since you are writing most of it yourself anyway you may want to manually write the login/logout code

See this tutorial:

http://cfhub.com/examples/secure/
0
 

Author Comment

by:sphay
ID: 12203020
The cfloginuser is enclosed in cflogin tags - the opening tag begins with <cflogin idletimeout="120"> right after cfapplication tag and the closing cflogin tag is right before <!--- end of Onrequestend.cfm --->.

are you suggesting to not go with the <cflogin> security framework?
0
 
LVL 35

Accepted Solution

by:
mrichmon earned 250 total points
ID: 12204163
Well I personally don't use the cflogin framework - I write my own as it is easy to do and you have done most of that already from your code.

BUT it is very hard to find any problems in your code when you are only posting portions of it each time.
0
 

Author Comment

by:sphay
ID: 12221214
thank you for your time.  I avoided cflogin and went with homegrown session-style security, and it seems to be working.  
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a guide to setting up a new WHM/cPanel Server to be used for web hosting accounts. It is intended for web hosting company administrators and dedicated server owners. For under $99 per month (considering normal rate of Big Data Cetnters like …
A web service (http://en.wikipedia.org/wiki/Web_service) is a software related technology that facilitates machine-to-machine interaction over a network. This article helps beginners in creating and consuming a web service using the ColdFusion Ma…
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
this video summaries big data hadoop online training demo (http://onlineitguru.com/big-data-hadoop-online-training-placement.html) , and covers basics in big data hadoop .
Suggested Courses
Course of the Month9 days, 22 hours left to enroll

926 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question