We help IT Professionals succeed at work.

CFLOCK malfunction. Sessions being shared between Firefox and IE

348 Views
Last Modified: 2013-12-24
Hi, I have a member_admin area on my site derived from a tutorial I purchased and altered for use with my DB. This is where members can edit their content such as member profile, service area and logo. The way it works is the member logs into the directory "admin_member" with it's own Application.cfm where, upon login, their memberID becomes session.admin which is passed between the pages in this dir. For developmental purposes I put a cfdump on the index.cfm so that the usernames and passwords from dbo.members (which is still full of test data) would print on the screen so that  I could choose which set I want to login with. As it turns out, the only thing that printed was the last row of the table so I kept using those credentials. All of this was done in my default browser, FireFox. All of the sudden they stopped working but all other credentials worked fine. Then I remembered that I also had an IE browser going with those "default" credentials, good! But, when I refreshed one browser it would come up with the credentials of the other and vice versa. This tells me that my cflock is not working right.
You can try it yourself using joe@electriciansnet.com and joe for the password. Here is the Application.cfm:


<cfapplication
   name = "EnetAdmin"
   applicationtimeout = "#CreateTimeSpan(0,0,30,0)#"
   clientmanagement = "yes"
   sessionmanagement = "yes"
   sessiontimeout="#CreateTimeSpan(0,0,10,0)#"
   setclientcookies = "no"
   >
   <cfset enet="enetdb1sql">
 <!---  <cfparam name="form.username" default="">
   <cfparam name="form.password" default="">--->
<cflock scope="session" throwontimeout="yes" timeout="30" type="exclusive">  
   <cfquery name="session.loginMember" datasource="#enet#">
 SELECT    members.memberID, members.contact_Email, members.PassWord
 FROM dbo.members

<!--- WHERE members.contact_Email = '#form.username#'
 AND members.PassWord = '#form.password#'--->
 </cfquery>
</cflock>
<cfloop query="session.loginMember">
<cfset username="#session.loginMember.Contact_Email#">
<cfset password="#session.loginMember.PassWord#">

<cfif not isdefined ("session.Admin") and Isdefined ("form.UserName") and form.UserName EQ "#username#" and IsDefined ("form.Password") and form.Password EQ "#password#">
<cflock scope="session" throwontimeout="yes" timeout="10" type="exclusive">
<cfset Session.Admin = #session.loginMember.memberID#>
</cflock>
</cfif>
</cfloop>
<cfparam name="session.serverfile" default="">
<cfif not IsDefined ("Session.Admin")>
<!---<cfdump var="#username#"><br />
<cfdump var="#password#">--->

<cfinclude template="includes/login.cfm">
<cfabort>
</cfif>

Comment
Watch Question

CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
I think there are a number of things wrong with the code sample.  But more importantly, I don't really understand what the code is supposed doing. A basic login usually queries the database for a specific #form.userName# and #form.password#.  If a matching record is found, the code sets a few session variables and moves on.  

No offense but I think you're really messing yourself up by

- putting the query in the session scope
- removing the WHERE clause
- looping through every record in the table
- while mixing local and session variables

... and based on the code above, I'm not at all surprised you're getting strange  results.

Unless you're using an old version of CF, you don't need locking. In MX locking is only required to prevent race conditions and, in most cases, you don't want to use it around a cfquery. Also, unless you have a specific reason for doing so, try not to put queries in the session scope. If you're not reusing the query elsewhere putting it in the session scope serves no purpose.
CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
> supposed doing.

supposed to be doing.

Author

Commented:
None taken- how do I fix it?
The whole design was ripped off a tutorial on the net. It was titled something like "Simple CF Admin Area within a single directory".  I just added the query. The login works perfectly but I asked for help so I'm willing to take it.

No offense but I think you're really messing yourself up by

- putting the query in the session scope  

Every page in the admin_member directory uses the WHERE = #session.admin# and as far as I know that is the only session scope I'm relying on from within the admin area.

Basically what I'm looking for is a place that the member can pull their data and only theirs for editing and no one else's. The area is of course, off the main area and has never been used by anyone but me since the site has not been promoted yet. Please, tell me exactly what to change.
CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
Okay. It may have been an old tutorial.  In older versions of CF you had to use cflock on session variables or bad things would happen.  Then MX came along and it wasn't needed anymore (except for race conditions, which are not a factor here).

What version of CF are you using 6, 7 or 8?  




Author

Commented:
7.2
CERTIFIED EXPERT
Most Valuable Expert 2015
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
It seems to work good. Thanks You! I just had to go through and change #enet# to #request.dsn# and I know I should probably do the same for the main site because I know its considered "Good Coding Practices". Also, when making that change I found this query on index.cfm and login.cfm:

<cfset form.compName = ""><a href="grid2.cfm">Admin Grid Form</a>
<cfset form.memID = "">
<cfdump var="#session.admin#">--->
<!---<cfset admin = session.admin>
<cfquery name="getMemberData" datasource="#request.dsn#">
   SELECT  members.memberID, members.companyName, members.streetNumber, members.City, members.State, members.Contact_First, members.Contact_Last, members.Contact_title, members.Contact_Phone, members.Contact_Email, members.PassWord, members.Contact_URL, members.License, members.CellNumber, members.Slogan, members.member_Since, networkID.networkID, networkID.networkMethod                            
            FROM             members
                        INNER JOIN networkID ON members.networkID = networkID.networkID
            WHERE          members.memberID = #admin#
                  
</cfquery>

I should have known better and have no idea why I put it there but I bet it helped screw everything up.
Thanks again, Andy
CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
Glad to help.

Author

Commented:
Thanks again but I do have one last question: My error logs are piling up from not having the proper switches in place. Is there an ultra generic cfif tag that will prevent a page frome being processed unless it is called? <cfif isDefined("form.submit")> ?? But what about the pages that run code that are not form action pages?
CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
You shouldn't be getting errors.  What is the error message in your log files?

> Is there an ultra generic cfif tag that will prevent a page frome being processed unless it is called?
> <cfif isDefined("form.submit")> ??

I'm not sure what you mean.

Author

Commented:
I won't trouble you with any more Qs. I was just saying that my error logs are showing that action pages and the pages that feed loadVars for the movie on contact.cfm and my monthly mailer page are trying to process without being called. i.e. page processes with #form.name# but the page has not been submitted by anyone so #form.name# throws error. I had no idea that would happen but  I got those switches(cfif) in place.
However, I'm still getting errors from 30daysmail.cfm and cft3.cfm(movie script page) so I was looking for a cfif tag like: <cfif not cfschedule> and <cfif not called by SwishMax  loadVars> etc... This may be worthy of it's own question. Thanks again, Andy
CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
Oh, I see what you're saying.  

There are a few ways to do it, but since the problem seems to involve different pages/code than what is posted above, I think its worthy of its own question.  
CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
Also, a new question is more likely to draw responses from other experts than a closed question.  

Author

Commented:
Okay agx, thats what I'll do but first I'm going to post a question called "Converting Application.cfm to Application.cfc" where I will post my main Application.cfm. I have tried it twice with LiveDocs and one other example but I got errors, errors, errors. And since you did the admin area's cfc with such ease I thought you may want the points. If not, thats ok too. Thanks again, Andy
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.