sphay
asked on
ColdFusion Authentication Cache Problem After Browser Closes
I'm having this problem with my browser caching login information, even after the browser is closed and reopened. I have checked the box to use J2EE sessions ( a setting in CF Admin) so I thought that should take care of the problem, but it has not. Also, I’ve waited until the session timeout period is over inside the CFAPPLICATION tag (5 minutes) (with all browers closed) and it is still cached. It does loose it when session timeout period is over from CF ADMIN 20 min. However, I thought the sessiontimeout period in the tag overrides the timeout period in ColdFusion Administrator? Please help!
Scenario: I am authenticating users using their Oracle username and password. I also have a form that allows them to change their password. I am able to successfullly change my password. I close my browser. Then I try to log in and I am able to use my username and BOTH passwords work (original and new). Where is this being cached? If you look at my logout code below, you'll see I've tried to delete every session variable.
Please be kind, I've tried many suggestions and can't get it to work.
ColdFusion MX (using standalone on pc for development right now, will move to CFMX on IIS in a couple months)
Windows 2000
Internet Explorer 6
I have tried to use the CFLOGIN framework but that doesn't work either.
The four primary pages are listed here. Note: all code is attached for each page.
1. application.cfm
2. loginform.cfm
3. logincheck.cfm
4. logout.cfm
application.cfm
__________________________
<!--- Set application to no-cache allowed --->
<cfheader name="Expires" value="-1">
<cfheader name="Pragma" value="no-cache">
<cfheader name="cache-control" value="no-cache, no-store, must-revalidate">
<!--- Name the application, enable application variables --->
<CFAPPLICATION Name="Main"
applicationtimeout="#creat
sessiontimeout="#createtim
clientmanagement="no"
sessionmanagement="yes"
setclientcookies="yes">
<cfsetting showDebugOutput="Yes">
<cfset Main_DataSource = "prod" >
<cfif not isdefined("session.auth.is
<cfif isdefined("form.userlogin"
<cfinclude template="logincheck.cfm">
</cfif>
<cfinclude template="loginform.cfm">
<cfabort>
</cfif>
__________________________
loginform.cfm:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Login Form</title>
</head>
<!--- Place cursor in "User Name" field when page loads --->
<body onLoad="document.UserLogin
<h1>Login form</h1>
<!--- Start Login Form --->
<cfform action="#CGI.SCRIPT_NAME#"
<!--- make the username and password fields required --->
<p>
<input type="hidden" name="UserLogin_required">
<input type="hidden" name="UserPassword_require
</p>
<p>Please enter your username and password to access your account. </p>
<table width="600" border="0">
<tr>
<td width="328" height="146"><table width="100%" border="0" background="../../gifs/log
<tr>
<td height="142" valign="top"><br>
<table width="283" border="0">
<tr>
<td width="119"><div align="right">User Name</div></td>
<td width="154"><cfinput
type="text"
name="UserLogin"
value=""
maxlength="100"
required="Yes"
message="Please type your username first"></td>
</tr>
<tr>
<td><div align="right">Password</di
<td><cfinput
type="Password"
name="UserPassword"
value=""
maxlength="100"
required="Yes"
message="Please type your password"></td>
</tr>
</table>
<div align="center"><br>
<input type="submit" value="Log In">
</div></td>
</tr>
</table></td>
<td width="262" valign="top"><br>
<ul><li>forgot your password?</li>
<li>new account</li>
</ul></td></tr>
</table>
<p> </p>
</cfform>
</body>
</html>
__________________________
Logincheck.cfm:
<!--- <cfparam name="form.userlogin" type="string">
<cfparam name="form.userpassword" type="string">--->
<cfquery name="GetUser" datasource="#Main_Datasour
Select sysdate
From dual
</cfquery>
<!--- If the GetUser query is processed, Oracle username and password are correct --->
<CFIF GetUser.RecordCount EQ 1>
<cfquery name="EnableRoles" datasource="#Main_Datasour
Set Role All
</cfquery>
<cfquery name="GetUserRoles" datasource="#Main_Datasour
Select Granted_Role
From USER_ROLE_PRIVS
</cfquery>
<!--- Retrieve employee id number that matches to user login name, used to set emp_id session variable below --->
<cfquery name="GetUserID" datasource="#Main_Datasour
Select userid, emp_id, system_id
From employee_accounts
Where system_id = 'ORACLE' AND
userid = '#UCase(FORM.UserLogin)#'
</cfquery>
<!--- Consider the user "logged in" --->
<cflock scope="session" type="Exclusive" timeout="20">
<cfset session.auth = structnew()>
<cfset session.auth.isloggedin = "yes">
<cfset session.auth.userlogin = "#GetUserID.userid#">
<cfset session.auth.userpassword = "#Form.UserPassword#">
<cfset session.auth.emp_id = "#GetUserID.emp_id#">
<cfset session.auth.roles = "#ValueList(GetUserRoles.G
<cfset session.auth.cfid = "#Cookie.CFID#">
<cfset session.auth.cftoken = "#Cookie.CFTOKEN#">
</cflock>
<cflocation url="#cgi.SCRIPT_NAME#">
</cfif>
__________________________
Logout.cfm:
<!--- Disable roles for current session only--->
<cfquery name="DisableRoles" datasource="#Main_Datasour
Set Role None
</cfquery>
<cflogout>
<cfif IsDefined("COOKIE.CFAUTHOR
<CFCOOKIE name="CFAUTHORIZATION_Main
</cfif>
<cfif IsDefined("COOKIE.CFID")>
<CFCOOKIE name="CFID" EXPIRES="NOW">
</cfif>
<cfif IsDefined("COOKIE.CFTOKEN"
<CFCOOKIE name="CFTOKEN" EXPIRES="NOW">
</cfif>
<cfset session.auth.UserLogin = "">
<cfset session.auth.UserPassword = "">
<!--- Terminate the user's session by deleting all session variables --->
<cflock timeout=20 scope="Session" type="Exclusive">
<CFSCRIPT>StructClear(Sess
<cfset StructDelete(session.auth,
<cfset StructDelete(session.auth,
<cfset StructDelete(session.auth,
<cfset StructDelete(session.auth,
<cfset StructDelete(session.auth,
<cfset StructDelete(session.auth,
<cfset StructDelete(session, "CFID")>
<cfset StructDelete(session, "CFTOKEN")>
<cfset StructDelete(session, "URLToken")>
<cfset StructDelete(session, "SessionID")>
</cflock>
<CFAPPLICATION Name="AIS_Main"
applicationtimeout="#creat
sessiontimeout="#createtim
clientmanagement="no"
sessionmanagement="yes"
setclientcookies="yes">
<cflocation url="/test/index.htm">
__________________________
Scenario: I am authenticating users using their Oracle username and password. I also have a form that allows them to change their password. I am able to successfullly change my password. I close my browser. Then I try to log in and I am able to use my username and BOTH passwords work (original and new). Where is this being cached? If you look at my logout code below, you'll see I've tried to delete every session variable.
Please be kind, I've tried many suggestions and can't get it to work.
ColdFusion MX (using standalone on pc for development right now, will move to CFMX on IIS in a couple months)
Windows 2000
Internet Explorer 6
I have tried to use the CFLOGIN framework but that doesn't work either.
The four primary pages are listed here. Note: all code is attached for each page.
1. application.cfm
2. loginform.cfm
3. logincheck.cfm
4. logout.cfm
application.cfm
__________________________
<!--- Set application to no-cache allowed --->
<cfheader name="Expires" value="-1">
<cfheader name="Pragma" value="no-cache">
<cfheader name="cache-control" value="no-cache, no-store, must-revalidate">
<!--- Name the application, enable application variables --->
<CFAPPLICATION Name="Main"
applicationtimeout="#creat
sessiontimeout="#createtim
clientmanagement="no"
sessionmanagement="yes"
setclientcookies="yes">
<cfsetting showDebugOutput="Yes">
<cfset Main_DataSource = "prod" >
<cfif not isdefined("session.auth.is
<cfif isdefined("form.userlogin"
<cfinclude template="logincheck.cfm">
</cfif>
<cfinclude template="loginform.cfm">
<cfabort>
</cfif>
__________________________
loginform.cfm:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Login Form</title>
</head>
<!--- Place cursor in "User Name" field when page loads --->
<body onLoad="document.UserLogin
<h1>Login form</h1>
<!--- Start Login Form --->
<cfform action="#CGI.SCRIPT_NAME#"
<!--- make the username and password fields required --->
<p>
<input type="hidden" name="UserLogin_required">
<input type="hidden" name="UserPassword_require
</p>
<p>Please enter your username and password to access your account. </p>
<table width="600" border="0">
<tr>
<td width="328" height="146"><table width="100%" border="0" background="../../gifs/log
<tr>
<td height="142" valign="top"><br>
<table width="283" border="0">
<tr>
<td width="119"><div align="right">User Name</div></td>
<td width="154"><cfinput
type="text"
name="UserLogin"
value=""
maxlength="100"
required="Yes"
message="Please type your username first"></td>
</tr>
<tr>
<td><div align="right">Password</di
<td><cfinput
type="Password"
name="UserPassword"
value=""
maxlength="100"
required="Yes"
message="Please type your password"></td>
</tr>
</table>
<div align="center"><br>
<input type="submit" value="Log In">
</div></td>
</tr>
</table></td>
<td width="262" valign="top"><br>
<ul><li>forgot your password?</li>
<li>new account</li>
</ul></td></tr>
</table>
<p> </p>
</cfform>
</body>
</html>
__________________________
Logincheck.cfm:
<!--- <cfparam name="form.userlogin" type="string">
<cfparam name="form.userpassword" type="string">--->
<cfquery name="GetUser" datasource="#Main_Datasour
Select sysdate
From dual
</cfquery>
<!--- If the GetUser query is processed, Oracle username and password are correct --->
<CFIF GetUser.RecordCount EQ 1>
<cfquery name="EnableRoles" datasource="#Main_Datasour
Set Role All
</cfquery>
<cfquery name="GetUserRoles" datasource="#Main_Datasour
Select Granted_Role
From USER_ROLE_PRIVS
</cfquery>
<!--- Retrieve employee id number that matches to user login name, used to set emp_id session variable below --->
<cfquery name="GetUserID" datasource="#Main_Datasour
Select userid, emp_id, system_id
From employee_accounts
Where system_id = 'ORACLE' AND
userid = '#UCase(FORM.UserLogin)#'
</cfquery>
<!--- Consider the user "logged in" --->
<cflock scope="session" type="Exclusive" timeout="20">
<cfset session.auth = structnew()>
<cfset session.auth.isloggedin = "yes">
<cfset session.auth.userlogin = "#GetUserID.userid#">
<cfset session.auth.userpassword = "#Form.UserPassword#">
<cfset session.auth.emp_id = "#GetUserID.emp_id#">
<cfset session.auth.roles = "#ValueList(GetUserRoles.G
<cfset session.auth.cfid = "#Cookie.CFID#">
<cfset session.auth.cftoken = "#Cookie.CFTOKEN#">
</cflock>
<cflocation url="#cgi.SCRIPT_NAME#">
</cfif>
__________________________
Logout.cfm:
<!--- Disable roles for current session only--->
<cfquery name="DisableRoles" datasource="#Main_Datasour
Set Role None
</cfquery>
<cflogout>
<cfif IsDefined("COOKIE.CFAUTHOR
<CFCOOKIE name="CFAUTHORIZATION_Main
</cfif>
<cfif IsDefined("COOKIE.CFID")>
<CFCOOKIE name="CFID" EXPIRES="NOW">
</cfif>
<cfif IsDefined("COOKIE.CFTOKEN"
<CFCOOKIE name="CFTOKEN" EXPIRES="NOW">
</cfif>
<cfset session.auth.UserLogin = "">
<cfset session.auth.UserPassword = "">
<!--- Terminate the user's session by deleting all session variables --->
<cflock timeout=20 scope="Session" type="Exclusive">
<CFSCRIPT>StructClear(Sess
<cfset StructDelete(session.auth,
<cfset StructDelete(session.auth,
<cfset StructDelete(session.auth,
<cfset StructDelete(session.auth,
<cfset StructDelete(session.auth,
<cfset StructDelete(session.auth,
<cfset StructDelete(session, "CFID")>
<cfset StructDelete(session, "CFTOKEN")>
<cfset StructDelete(session, "URLToken")>
<cfset StructDelete(session, "SessionID")>
</cflock>
<CFAPPLICATION Name="AIS_Main"
applicationtimeout="#creat
sessiontimeout="#createtim
clientmanagement="no"
sessionmanagement="yes"
setclientcookies="yes">
<cflocation url="/test/index.htm">
__________________________
ASKER
Pinal,
The .cfc is new to me - Will I need to create alot more than what you're showing here? So, my application.cfm isn't going to work the way I have it now?
sphay
The .cfc is new to me - Will I need to create alot more than what you're showing here? So, my application.cfm isn't going to work the way I have it now?
sphay
Please ignore the word CFC that has nothing to do with this.
I am sorry if i am ambigous.
Just use ths structclear and structdelete like I did they should work that is what I mean.
I am sorry if i am ambigous.
Just use ths structclear and structdelete like I did they should work that is what I mean.
ASKER
Can you suggest where to specifically put the structclear and structdelete? If you look at the bottom of the first message, under the logout.cfm code, you can see that I've tried to clear and delete all structures. Still doesn't seem to work. I thought that was the place to put it.
you able to use both the passwords indicates that its not a session or cookie deletion hassle.
Now in some projects where people use LDAP for authentication, the change of password gets updated only after 40 min or so..
Till then both new and old can be used...
Now i don't know if there are any issues like that in oracle... As from ur code i can see that u r creating oracle db users rather than creating users in a table....
Regards
Hart
Now in some projects where people use LDAP for authentication, the change of password gets updated only after 40 min or so..
Till then both new and old can be used...
Now i don't know if there are any issues like that in oracle... As from ur code i can see that u r creating oracle db users rather than creating users in a table....
Regards
Hart
ASKER
I don't believe this is the case with Oracle. Immediately following the password change, I test with SQLPlus and am only allowed to use the "new" password. I've been working on this all day and caching is still a problem.
Please put this in application.CFM
<cfset StructClear(application)>
<cfset StructClear(session)>
This should do the job.
<cfset StructClear(application)>
<cfset StructClear(session)>
This should do the job.
ASKER
I've actually found the solution to this, thanks to http://www.orafusion.com. In case anyone else comes across this problem, it happened to be caused by a setting in the ColdFusion Administrator. Uncheck the 'Maintain Connections' box.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Try this this is from my application.cfc and it will help you. As this is working sucessufully.
<cfset StructClear(application)>
<cfset StructDelete(application, "yoursession")>
<cfset StructClear(session)>
<cfset session.cfid = cfid>
<cfset session.cftoken = cftoken>
<cfset session.urltoken = "cfid=#session.cfid#&cftok
Regards,
---Pinal