Problem with URL redirection when logging in

I am in the process of creating an authorization system for the site I have created a table in the database that contains roles for users that are created. Some of the roles need to have URLs to redirect to. However, not all roles have these URLs.

The problem I am having is when I login with a browser that has not been to the page before (or if the cookies are deleted relating to ColdFusion) then the page does not redirect, it simply goes back to the page they logged from. Going back to the refer page is part of the script but only if a URL is defined. The thing is, if they logout and log back in the redirect URL from the db does work. The code for the page can be found at .

Thanks in advance!
Who is Participating?
PAQed with points refunded (125)

Community Support Moderator
I think the problem you are encountering is due to a problem that CF has had forever (or at least when I started with it when version 2.0 was released).  You cannot set session variables or cookies on a page then do a CFLOCATION on the same page.  The work around to this is to create a CF_LOCATION tag.  Place the below code in LOCATION.CFM and place in your Custom Tags directory under the CF install directory.  The usage is exactly the same as the CFLOCATION tag, just that you need to call it as CF_LOCATION.  Because of the way that it sets the headers directly to activate the redirect it allows for cookies and such to be set.  Hope it helps!

<!--- --------- BEGIN LOCATION.CFM CODE ------------- --->
<CFPARAM NAME="Attributes.URL" TYPE="string">
<CFPARAM NAME="Attributes.ADDTOKEN" TYPE="boolean" DEFAULT="No">
<CFIF Attributes.ADDTOKEN>
            <CFPARAM NAME="Client.CFID">
            <CFPARAM NAME="Client.CFTOKEN">
            <CFCATCH TYPE="Any">
                  <CFABORT SHOWERROR="You must have <b>CLIENTMANAGEMENT=""Yes""</b> in your CFAPPLICATION tag (usually in Application.cfm) if you choose to specify <b>ADDTOKEN=""Yes""</b> in your CF_LOCATION tag.">
      <CFIF Find("?", Attributes.URL)>
            <CFSET theRest = "&">
            <CFSET theRest = "?">
<CFSET theRest = theRest & "CFID=#Client.CFID#&CFTOKEN=#Client.CFTOKEN#">
      <CFSET theRest = "">
<CFSET theURL = Attributes.URL & theRest>
<CFHEADER STATUSCODE="302" STATUSTEXT="Object Temporarily Moved">
<CFHEADER NAME="location" VALUE="#theURL#">
<!--- --------- END LOCATION.CFM CODE ------------- --->

remmuhAuthor Commented:
I sent the file to my host, so I will let you know if it works!
Cloud Class® Course: C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

remmuhAuthor Commented:
Ok, I added the file to my custom tags directory. And it still doesn't seem to work. If you decide to try it, be sure you don't have any cookies for or depending on how you access the page.
Did you change your CFLOCATION tags to CF_LOCATION?  To try it, do I need to login?  If so, do you have a username and password I can test with?
remmuhAuthor Commented:
I did change the tags to cf_location. You may login with user: homerun and pass: homerun
Thank you.
I have had similar problems to what you are describing when I have used the <cflogin> tag.  There are some issues that I was never able to overcome with that tag - so I moved to using my own login management by maintaining a "session.isloggedin" variable.

A little more details here:

Let me know if you want me to describle more fully.

Hmmmm... I see what you're talking about.  Very odd indeed!  First time I logged in, I was brought right back to the home page and the only change was that it gave me the welcome message where the login box was.  And like you said, after logging out and logging back in the redirect worked.

If you have this site on a test server where we can change a few things just to see what the results are, I'd say the processing page (that you supplied the code for) comment out all of the CF_LOCATION tags for now, and put in some text that will display to show where the script ends up.  Such as change the bottom CFIF section to be something like:

<cfif isDefined('getRole.url')>
     <!--- <cf_location url="#getRole.url#"> --->
     Get role is defined.
     <!--- <cf_location url="#session.loginRefer#"> --->
     Get role is NOT defined.

Another thing, try and turn on debugging for your IP.  I have a feeling that maybe your getRole query is not returning any records the first time around.  Also, the CFLOGINUSER tag is supposed to be within a CFLOGIN tag, not sure if this would cause any issues, but you never know...  Feel free to have the page display values of other variables just to see the status of them at different points.

Let me know what happens!

remmuhAuthor Commented:
Ok, I made those changes. Btw, CFLOGINUSER was in CFLOGIN. Anyway, weird stuff is happening. It seems to be bypassing the CFLOGIN tagged area altogether if the cookies are not defined. However, in IE on the PC, this does not seem to make a difference, in every other browser, same problem.

I updated the code and you can see these updates here:

Thank you so much for helping.
remmuhAuthor Commented:
Alright, I think I figured out what my problem was, kind of. I wanted to use the cflogin variable scope so that is why I defined my login form as j_username and j_password. But I think, using that scope was what was messing me up, because now, I am using the form name login_user and login_pass and everything seems to work fine. Check it out at, login with homerun and homerun.

Thanks for your help anyway. I think this will suffice. Although, I will be interested to know if anybody does come up with a solution for the cflogin scope. Anyway, thanks!

Looks great!!!  I just noticed that my really long post that I submitted last night right before I left work never went through because my session must have timed out.  I bascially said in the post that maybe you should go with Ben's suggestion above.  But now it seems that you got the CFLOGIN to work after all!  Congrats!  If you do come across more CFLOGIN issues in the future you may think about just using your own session variables to contain all of the needed authentication info.  You can even make it into a custom tag that you can use for various situations.  I'm currently contracting at a law enforcement agency, and since security is a big thing, I created a custom tag that I can pass different attributes to it to make it authenticate against different databases and different tables, or for low security applications it just authenticates against LDAP and allows any agency personnell access to the app.

Anyway, Good work at figuring it out!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.