• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 542
  • Last Modified:

CFLOGIN Cache Problem with User Roles

I've built a login framework using CFLOGIN.  I'm having a problem (as are many people I've seen) where even though the user has logged out <CFLOGOUT>, they're roles seem to be cached the next time even though they're prompted to log back in.  I've been researching this for 3 days and have tried every combination.  Could someone look at my cfapplication tag and logout.cfm code and give me feedback?  I think I'm confident in what is in the CFLOGIN, pretty basic, and I didn't want to take up too much space by entering everything here but if you need more information please let me know.

How do you test what information is cached in HTTP Header?
Is it true that CFLOGOUT only clears what is entered in CFLOGINUSER?  

cfapplication.cfm

<!--- used 2 minutes here for testing purposes only --->

<CFAPPLICATION Name="xxx"
      applicationtimeout="#createtimespan(0,0,2,0)#"
      sessiontimeout="#createtimespan(0,0,2,0)#"
      sessionmanagement="yes"
      clientmanagement="yes"
      setclientcookies="yes"
      Clientstorage="Cookie">

<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
    <cfset localCFID=Cookie.CFID>
    <cfset localCFTOKEN=Cookie.CFTOKEN>
    <cfcookie name="CFID" value="#localCFID#">
    <cfcookie name="CFTOKEN" value="#localCFTOKEN#">
</cfif>

logout.cfm

<cflock timeout=20 scope="Session" type="Exclusive">
      <cfset structclear(cookie)>
                <cfset session.isloggedin = "no">
      <cfset StructDelete(session, "CFID")>
      <cfset StructDelete(session, "CFTOKEN")>
      <cfset StructDelete(session, "URLToken")>
      <cfset StructDelete(session, "SessionID")>
      <cfset StructDelete(session, "UserLogin")>
      <cfset StructDelete(session, "UserPassword")>
      <cfset StructDelete(session, "emp_id")>
</cflock>

<CFLOGOUT>

<cflocation url="index.cfm">

0
sphay
Asked:
sphay
  • 4
  • 4
1 Solution
 
mrichmonCommented:
One probelm.  Your file should be Application.cfm NOT cfapplication.cfm
0
 
sphayAuthor Commented:
thanks, it was a typo here only - just to show cfapplication tag
0
 
mrichmonCommented:
And then what is the point of this code:

<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
    <cfset localCFID=Cookie.CFID>
    <cfset localCFTOKEN=Cookie.CFTOKEN>
    <cfcookie name="CFID" value="#localCFID#">
    <cfcookie name="CFTOKEN" value="#localCFTOKEN#">
</cfif>

Basically if both of the cookies are defined then you go ahead and copy to a local variable and then copy back to the same cookie...

Why not just use the cookies that you know exisst?

Also I do not see anywhere where you are using cflogin

Since that is where the problem is coming from where is that code?
0
Get 10% Off Your First Squarespace Website

Ready to showcase your work, publish content or promote your business online? With Squarespace’s award-winning templates and 24/7 customer service, getting started is simple. Head to Squarespace.com and use offer code ‘EXPERTS’ to get 10% off your first purchase.

 
sphayAuthor Commented:

I apologize if it seems as if I haven’t provided enough information, I didn’t want to overload the page with code.  I thought that the cflogin was solid, however everything is now attached below.  1.  application.cfm, 2.  onrequestend.cfm, 3. logout.cfm

I deleted the cfcookie code in application.cfm.  Original idea was a last attempt at trying to delete cookies – if that was the problem behind user’s roles being cached.  

application.cfm:

<!--- DEFINE THE FOLLOWING VARIABLES WHEN SETTING UP THE APPLICATION:--->
<cfsetting showDebugOutput="Yes">
<cfset DataSource = "xxx">

<!--- Name the application, enable application variables --->
<CFAPPLICATION Name="Main"
      applicationtimeout="#createtimespan(0,0,2,0)#"
      sessiontimeout="#createtimespan(0,0,2,0)#"
      sessionmanagement="yes"
      clientmanagement="yes"
      setclientcookies="yes"
      Clientstorage="Cookie">

<cflogin idletimeout="120">

<CFIF NOT (IsDefined("Form.UserLogin") AND IsDefined("Form.UserPassword"))>
<cfinclude template="userloginform.cfm">
      <cflock timeout=20 scope="Session" type="Exclusive">
      <cfset session.isloggedin = "no">
      </cflock>
      <cfabort>
</cfif>

<cfquery name="GetUser" datasource="#xxx#" username="#Form.UserLogin#" password="#Form.UserPassword#">
Select sysdate
From dual
</cfquery>

<CFIF GetUser.RecordCount EQ 1>
<cflock scope="session" type="Exclusive" timeout="10">
<cfset session.isloggedin = "yes">
</cflock>

<!--- Enable roles for current user's session Only--->
<cfquery name="EnableRoles" datasource="#xxx#" username="#Form.UserLogin#" password="#Form.UserPassword#">
Set Role All
</cfquery>

<cfquery name="GetUserRoles" datasource="#xxx#" username="#Form.UserLogin#" password="#Form.UserPassword#">
Select Granted_Role
From USER_ROLE_PRIVS
</cfquery>

<!--- Retrieve employee id number --->
<cfquery name="GetUserID" datasource="#xxx#" username="#Form.UserLogin#" password="#Form.UserPassword#">
Select userid, emp_id, system_id
From accounts
Where userid = '#UCase(FORM.UserLogin)#'
</cfquery>

<!--- set session variables --->
<cflock scope="session" type="Exclusive" timeout="20">
<cfset session.UserLogin = Form.UserLogin>
<cfset session.UserPassword = Form.UserPassword>
<cfset session.emp_id = GetUserID.emp_id>
<cfset session.roles = ValueList(GetUserRoles.Granted_Role)>
</cflock>

<CFLOGINUSER name="#Session.UserLogin#,#Session.emp_id#" password="#Session.UserPassword#" roles="#Session.roles#">
 
<!--- Otherwise, re-prompt for a valid username and password --->
<CFELSE>
Sorry, the username and/or password is not recognized.  <cfoutput><A HREF="#CGI.SCRIPT_NAME#">Please try again</A></cfoutput>
<cfabort>
</CFIF>
</CFLOGIN>

<!--- end of application.cfm --->

Onrequestend.cfm

<cfoutput>
<cfif #session.isloggedin# IS "yes">
<p>You are currently logged in, <a href="logout.cfm">log out</a></p>
<cfelse>
<p>You are currently logged out, <a href="../index.cfm">log back in</a></p>
</cfif>
</cfoutput>

<!--- end of Onrequestend.cfm --->

Logout.cfm:

<cflock timeout=20 scope="Session" type="Exclusive">
      <cfset StructClear(Cookie)>
      <cfset session.isloggedin = "no">
      <cfset StructDelete(session, "CFID")>
      <cfset StructDelete(session, "CFTOKEN")>
      <cfset StructDelete(session, "URLToken")>
      <cfset StructDelete(session, "SessionID")>
      <cfset StructDelete(session, "UserLogin")>
      <cfset StructDelete(session, "UserPassword")>
      <cfset StructDelete(session, "emp_id")>
</cflock>

<CFLOGOUT>

<cflocation url="../index.cfm">

<!--- end of logout.cfm --->
0
 
mrichmonCommented:
The cfloginuser needs to be enclosed in cflogin tags.

http://livedocs.macromedia.com/coldfusion/6/CFML_Reference/Tags-pt169.htm


Or since you are writing most of it yourself anyway you may want to manually write the login/logout code

See this tutorial:

http://cfhub.com/examples/secure/
0
 
sphayAuthor Commented:
The cfloginuser is enclosed in cflogin tags - the opening tag begins with <cflogin idletimeout="120"> right after cfapplication tag and the closing cflogin tag is right before <!--- end of Onrequestend.cfm --->.

are you suggesting to not go with the <cflogin> security framework?
0
 
mrichmonCommented:
Well I personally don't use the cflogin framework - I write my own as it is easy to do and you have done most of that already from your code.

BUT it is very hard to find any problems in your code when you are only posting portions of it each time.
0
 
sphayAuthor Commented:
thank you for your time.  I avoided cflogin and went with homegrown session-style security, and it seems to be working.  
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get 10% Off Your First Squarespace Website

Ready to showcase your work, publish content or promote your business online? With Squarespace’s award-winning templates and 24/7 customer service, getting started is simple. Head to Squarespace.com and use offer code ‘EXPERTS’ to get 10% off your first purchase.

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now