Solved

CFLOGIN Cache Problem with User Roles

Posted on 2004-09-30
8
527 Views
Last Modified: 2013-12-24
I've built a login framework using CFLOGIN.  I'm having a problem (as are many people I've seen) where even though the user has logged out <CFLOGOUT>, they're roles seem to be cached the next time even though they're prompted to log back in.  I've been researching this for 3 days and have tried every combination.  Could someone look at my cfapplication tag and logout.cfm code and give me feedback?  I think I'm confident in what is in the CFLOGIN, pretty basic, and I didn't want to take up too much space by entering everything here but if you need more information please let me know.

How do you test what information is cached in HTTP Header?
Is it true that CFLOGOUT only clears what is entered in CFLOGINUSER?  

cfapplication.cfm

<!--- used 2 minutes here for testing purposes only --->

<CFAPPLICATION Name="xxx"
      applicationtimeout="#createtimespan(0,0,2,0)#"
      sessiontimeout="#createtimespan(0,0,2,0)#"
      sessionmanagement="yes"
      clientmanagement="yes"
      setclientcookies="yes"
      Clientstorage="Cookie">

<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
    <cfset localCFID=Cookie.CFID>
    <cfset localCFTOKEN=Cookie.CFTOKEN>
    <cfcookie name="CFID" value="#localCFID#">
    <cfcookie name="CFTOKEN" value="#localCFTOKEN#">
</cfif>

logout.cfm

<cflock timeout=20 scope="Session" type="Exclusive">
      <cfset structclear(cookie)>
                <cfset session.isloggedin = "no">
      <cfset StructDelete(session, "CFID")>
      <cfset StructDelete(session, "CFTOKEN")>
      <cfset StructDelete(session, "URLToken")>
      <cfset StructDelete(session, "SessionID")>
      <cfset StructDelete(session, "UserLogin")>
      <cfset StructDelete(session, "UserPassword")>
      <cfset StructDelete(session, "emp_id")>
</cflock>

<CFLOGOUT>

<cflocation url="index.cfm">

0
Comment
Question by:sphay
  • 4
  • 4
8 Comments
 
LVL 35

Expert Comment

by:mrichmon
ID: 12195178
One probelm.  Your file should be Application.cfm NOT cfapplication.cfm
0
 

Author Comment

by:sphay
ID: 12198997
thanks, it was a typo here only - just to show cfapplication tag
0
 
LVL 35

Expert Comment

by:mrichmon
ID: 12200776
And then what is the point of this code:

<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
    <cfset localCFID=Cookie.CFID>
    <cfset localCFTOKEN=Cookie.CFTOKEN>
    <cfcookie name="CFID" value="#localCFID#">
    <cfcookie name="CFTOKEN" value="#localCFTOKEN#">
</cfif>

Basically if both of the cookies are defined then you go ahead and copy to a local variable and then copy back to the same cookie...

Why not just use the cookies that you know exisst?

Also I do not see anywhere where you are using cflogin

Since that is where the problem is coming from where is that code?
0
 

Author Comment

by:sphay
ID: 12202212

I apologize if it seems as if I haven’t provided enough information, I didn’t want to overload the page with code.  I thought that the cflogin was solid, however everything is now attached below.  1.  application.cfm, 2.  onrequestend.cfm, 3. logout.cfm

I deleted the cfcookie code in application.cfm.  Original idea was a last attempt at trying to delete cookies – if that was the problem behind user’s roles being cached.  

application.cfm:

<!--- DEFINE THE FOLLOWING VARIABLES WHEN SETTING UP THE APPLICATION:--->
<cfsetting showDebugOutput="Yes">
<cfset DataSource = "xxx">

<!--- Name the application, enable application variables --->
<CFAPPLICATION Name="Main"
      applicationtimeout="#createtimespan(0,0,2,0)#"
      sessiontimeout="#createtimespan(0,0,2,0)#"
      sessionmanagement="yes"
      clientmanagement="yes"
      setclientcookies="yes"
      Clientstorage="Cookie">

<cflogin idletimeout="120">

<CFIF NOT (IsDefined("Form.UserLogin") AND IsDefined("Form.UserPassword"))>
<cfinclude template="userloginform.cfm">
      <cflock timeout=20 scope="Session" type="Exclusive">
      <cfset session.isloggedin = "no">
      </cflock>
      <cfabort>
</cfif>

<cfquery name="GetUser" datasource="#xxx#" username="#Form.UserLogin#" password="#Form.UserPassword#">
Select sysdate
From dual
</cfquery>

<CFIF GetUser.RecordCount EQ 1>
<cflock scope="session" type="Exclusive" timeout="10">
<cfset session.isloggedin = "yes">
</cflock>

<!--- Enable roles for current user's session Only--->
<cfquery name="EnableRoles" datasource="#xxx#" username="#Form.UserLogin#" password="#Form.UserPassword#">
Set Role All
</cfquery>

<cfquery name="GetUserRoles" datasource="#xxx#" username="#Form.UserLogin#" password="#Form.UserPassword#">
Select Granted_Role
From USER_ROLE_PRIVS
</cfquery>

<!--- Retrieve employee id number --->
<cfquery name="GetUserID" datasource="#xxx#" username="#Form.UserLogin#" password="#Form.UserPassword#">
Select userid, emp_id, system_id
From accounts
Where userid = '#UCase(FORM.UserLogin)#'
</cfquery>

<!--- set session variables --->
<cflock scope="session" type="Exclusive" timeout="20">
<cfset session.UserLogin = Form.UserLogin>
<cfset session.UserPassword = Form.UserPassword>
<cfset session.emp_id = GetUserID.emp_id>
<cfset session.roles = ValueList(GetUserRoles.Granted_Role)>
</cflock>

<CFLOGINUSER name="#Session.UserLogin#,#Session.emp_id#" password="#Session.UserPassword#" roles="#Session.roles#">
 
<!--- Otherwise, re-prompt for a valid username and password --->
<CFELSE>
Sorry, the username and/or password is not recognized.  <cfoutput><A HREF="#CGI.SCRIPT_NAME#">Please try again</A></cfoutput>
<cfabort>
</CFIF>
</CFLOGIN>

<!--- end of application.cfm --->

Onrequestend.cfm

<cfoutput>
<cfif #session.isloggedin# IS "yes">
<p>You are currently logged in, <a href="logout.cfm">log out</a></p>
<cfelse>
<p>You are currently logged out, <a href="../index.cfm">log back in</a></p>
</cfif>
</cfoutput>

<!--- end of Onrequestend.cfm --->

Logout.cfm:

<cflock timeout=20 scope="Session" type="Exclusive">
      <cfset StructClear(Cookie)>
      <cfset session.isloggedin = "no">
      <cfset StructDelete(session, "CFID")>
      <cfset StructDelete(session, "CFTOKEN")>
      <cfset StructDelete(session, "URLToken")>
      <cfset StructDelete(session, "SessionID")>
      <cfset StructDelete(session, "UserLogin")>
      <cfset StructDelete(session, "UserPassword")>
      <cfset StructDelete(session, "emp_id")>
</cflock>

<CFLOGOUT>

<cflocation url="../index.cfm">

<!--- end of logout.cfm --->
0
Give your grad a cloud of their own!

With up to 8TB of storage, give your favorite graduate their own personal cloud to centralize all their photos, videos and music in one safe place. They can save, sync and share all their stuff, and automatic photo backup helps free up space on their smartphone and tablet.

 
LVL 35

Expert Comment

by:mrichmon
ID: 12202865
The cfloginuser needs to be enclosed in cflogin tags.

http://livedocs.macromedia.com/coldfusion/6/CFML_Reference/Tags-pt169.htm


Or since you are writing most of it yourself anyway you may want to manually write the login/logout code

See this tutorial:

http://cfhub.com/examples/secure/
0
 

Author Comment

by:sphay
ID: 12203020
The cfloginuser is enclosed in cflogin tags - the opening tag begins with <cflogin idletimeout="120"> right after cfapplication tag and the closing cflogin tag is right before <!--- end of Onrequestend.cfm --->.

are you suggesting to not go with the <cflogin> security framework?
0
 
LVL 35

Accepted Solution

by:
mrichmon earned 125 total points
ID: 12204163
Well I personally don't use the cflogin framework - I write my own as it is easy to do and you have done most of that already from your code.

BUT it is very hard to find any problems in your code when you are only posting portions of it each time.
0
 

Author Comment

by:sphay
ID: 12221214
thank you for your time.  I avoided cflogin and went with homegrown session-style security, and it seems to be working.  
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This is a guide to setting up a new WHM/cPanel Server to be used for web hosting accounts. It is intended for web hosting company administrators and dedicated server owners. For under $99 per month (considering normal rate of Big Data Cetnters like …
Have you ever sent email via ColdFusion and thought of tracking this mail to capture the exact date and time when the message was opened ?  If yes, then this article is for you ! First we need a table user_email with columns user_id , email , sub…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Concerto provides fully managed cloud services and the expertise to provide an easy and reliable route to the cloud. Our best-in-class solutions help you address the toughest IT challenges, find new efficiencies and deliver the best application expe…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now