Solved

CFLOGIN Cache Problem with User Roles

Posted on 2004-09-30
8
536 Views
Last Modified: 2013-12-24
I've built a login framework using CFLOGIN.  I'm having a problem (as are many people I've seen) where even though the user has logged out <CFLOGOUT>, they're roles seem to be cached the next time even though they're prompted to log back in.  I've been researching this for 3 days and have tried every combination.  Could someone look at my cfapplication tag and logout.cfm code and give me feedback?  I think I'm confident in what is in the CFLOGIN, pretty basic, and I didn't want to take up too much space by entering everything here but if you need more information please let me know.

How do you test what information is cached in HTTP Header?
Is it true that CFLOGOUT only clears what is entered in CFLOGINUSER?  

cfapplication.cfm

<!--- used 2 minutes here for testing purposes only --->

<CFAPPLICATION Name="xxx"
      applicationtimeout="#createtimespan(0,0,2,0)#"
      sessiontimeout="#createtimespan(0,0,2,0)#"
      sessionmanagement="yes"
      clientmanagement="yes"
      setclientcookies="yes"
      Clientstorage="Cookie">

<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
    <cfset localCFID=Cookie.CFID>
    <cfset localCFTOKEN=Cookie.CFTOKEN>
    <cfcookie name="CFID" value="#localCFID#">
    <cfcookie name="CFTOKEN" value="#localCFTOKEN#">
</cfif>

logout.cfm

<cflock timeout=20 scope="Session" type="Exclusive">
      <cfset structclear(cookie)>
                <cfset session.isloggedin = "no">
      <cfset StructDelete(session, "CFID")>
      <cfset StructDelete(session, "CFTOKEN")>
      <cfset StructDelete(session, "URLToken")>
      <cfset StructDelete(session, "SessionID")>
      <cfset StructDelete(session, "UserLogin")>
      <cfset StructDelete(session, "UserPassword")>
      <cfset StructDelete(session, "emp_id")>
</cflock>

<CFLOGOUT>

<cflocation url="index.cfm">

0
Comment
Question by:sphay
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 35

Expert Comment

by:mrichmon
ID: 12195178
One probelm.  Your file should be Application.cfm NOT cfapplication.cfm
0
 

Author Comment

by:sphay
ID: 12198997
thanks, it was a typo here only - just to show cfapplication tag
0
 
LVL 35

Expert Comment

by:mrichmon
ID: 12200776
And then what is the point of this code:

<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
    <cfset localCFID=Cookie.CFID>
    <cfset localCFTOKEN=Cookie.CFTOKEN>
    <cfcookie name="CFID" value="#localCFID#">
    <cfcookie name="CFTOKEN" value="#localCFTOKEN#">
</cfif>

Basically if both of the cookies are defined then you go ahead and copy to a local variable and then copy back to the same cookie...

Why not just use the cookies that you know exisst?

Also I do not see anywhere where you are using cflogin

Since that is where the problem is coming from where is that code?
0
Learn how to optimize MySQL for your business need

With the increasing importance of apps & networks in both business & personal interconnections, perfor. has become one of the key metrics of successful communication. This ebook is a hands-on business-case-driven guide to understanding MySQL query parameter tuning & database perf

 

Author Comment

by:sphay
ID: 12202212

I apologize if it seems as if I haven’t provided enough information, I didn’t want to overload the page with code.  I thought that the cflogin was solid, however everything is now attached below.  1.  application.cfm, 2.  onrequestend.cfm, 3. logout.cfm

I deleted the cfcookie code in application.cfm.  Original idea was a last attempt at trying to delete cookies – if that was the problem behind user’s roles being cached.  

application.cfm:

<!--- DEFINE THE FOLLOWING VARIABLES WHEN SETTING UP THE APPLICATION:--->
<cfsetting showDebugOutput="Yes">
<cfset DataSource = "xxx">

<!--- Name the application, enable application variables --->
<CFAPPLICATION Name="Main"
      applicationtimeout="#createtimespan(0,0,2,0)#"
      sessiontimeout="#createtimespan(0,0,2,0)#"
      sessionmanagement="yes"
      clientmanagement="yes"
      setclientcookies="yes"
      Clientstorage="Cookie">

<cflogin idletimeout="120">

<CFIF NOT (IsDefined("Form.UserLogin") AND IsDefined("Form.UserPassword"))>
<cfinclude template="userloginform.cfm">
      <cflock timeout=20 scope="Session" type="Exclusive">
      <cfset session.isloggedin = "no">
      </cflock>
      <cfabort>
</cfif>

<cfquery name="GetUser" datasource="#xxx#" username="#Form.UserLogin#" password="#Form.UserPassword#">
Select sysdate
From dual
</cfquery>

<CFIF GetUser.RecordCount EQ 1>
<cflock scope="session" type="Exclusive" timeout="10">
<cfset session.isloggedin = "yes">
</cflock>

<!--- Enable roles for current user's session Only--->
<cfquery name="EnableRoles" datasource="#xxx#" username="#Form.UserLogin#" password="#Form.UserPassword#">
Set Role All
</cfquery>

<cfquery name="GetUserRoles" datasource="#xxx#" username="#Form.UserLogin#" password="#Form.UserPassword#">
Select Granted_Role
From USER_ROLE_PRIVS
</cfquery>

<!--- Retrieve employee id number --->
<cfquery name="GetUserID" datasource="#xxx#" username="#Form.UserLogin#" password="#Form.UserPassword#">
Select userid, emp_id, system_id
From accounts
Where userid = '#UCase(FORM.UserLogin)#'
</cfquery>

<!--- set session variables --->
<cflock scope="session" type="Exclusive" timeout="20">
<cfset session.UserLogin = Form.UserLogin>
<cfset session.UserPassword = Form.UserPassword>
<cfset session.emp_id = GetUserID.emp_id>
<cfset session.roles = ValueList(GetUserRoles.Granted_Role)>
</cflock>

<CFLOGINUSER name="#Session.UserLogin#,#Session.emp_id#" password="#Session.UserPassword#" roles="#Session.roles#">
 
<!--- Otherwise, re-prompt for a valid username and password --->
<CFELSE>
Sorry, the username and/or password is not recognized.  <cfoutput><A HREF="#CGI.SCRIPT_NAME#">Please try again</A></cfoutput>
<cfabort>
</CFIF>
</CFLOGIN>

<!--- end of application.cfm --->

Onrequestend.cfm

<cfoutput>
<cfif #session.isloggedin# IS "yes">
<p>You are currently logged in, <a href="logout.cfm">log out</a></p>
<cfelse>
<p>You are currently logged out, <a href="../index.cfm">log back in</a></p>
</cfif>
</cfoutput>

<!--- end of Onrequestend.cfm --->

Logout.cfm:

<cflock timeout=20 scope="Session" type="Exclusive">
      <cfset StructClear(Cookie)>
      <cfset session.isloggedin = "no">
      <cfset StructDelete(session, "CFID")>
      <cfset StructDelete(session, "CFTOKEN")>
      <cfset StructDelete(session, "URLToken")>
      <cfset StructDelete(session, "SessionID")>
      <cfset StructDelete(session, "UserLogin")>
      <cfset StructDelete(session, "UserPassword")>
      <cfset StructDelete(session, "emp_id")>
</cflock>

<CFLOGOUT>

<cflocation url="../index.cfm">

<!--- end of logout.cfm --->
0
 
LVL 35

Expert Comment

by:mrichmon
ID: 12202865
The cfloginuser needs to be enclosed in cflogin tags.

http://livedocs.macromedia.com/coldfusion/6/CFML_Reference/Tags-pt169.htm


Or since you are writing most of it yourself anyway you may want to manually write the login/logout code

See this tutorial:

http://cfhub.com/examples/secure/
0
 

Author Comment

by:sphay
ID: 12203020
The cfloginuser is enclosed in cflogin tags - the opening tag begins with <cflogin idletimeout="120"> right after cfapplication tag and the closing cflogin tag is right before <!--- end of Onrequestend.cfm --->.

are you suggesting to not go with the <cflogin> security framework?
0
 
LVL 35

Accepted Solution

by:
mrichmon earned 125 total points
ID: 12204163
Well I personally don't use the cflogin framework - I write my own as it is easy to do and you have done most of that already from your code.

BUT it is very hard to find any problems in your code when you are only posting portions of it each time.
0
 

Author Comment

by:sphay
ID: 12221214
thank you for your time.  I avoided cflogin and went with homegrown session-style security, and it seems to be working.  
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: kevp75
Hey folks, 'bout time for me to come around with a little tip. Thanks to IIS 7.5 Extensions and Microsoft (well... really Windows 8, and IIS 8 I guess...), we can now prime our Application Pools, when IIS starts. Now, though it would be nice t…
If you don't have the right permissions set for your WordPress location in IIS, you won't be able to perform automatic updates. Here's how to fix the problem.
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question