• Status: Solved
  • Priority: Medium
  • Security: Public

CFLOCK malfunction. Sessions being shared between Firefox and IE

Hi, I have a member_admin area on my site derived from a tutorial I purchased and altered for use with my DB. This is where members can edit their content such as member profile, service area and logo. The way it works is the member logs into the directory "admin_member" with its own Application.cfm where, upon login, their memberID becomes session.admin which is passed between the pages in this dir. For developmental purposes I put a cfdump on the index.cfm so that the usernames and passwords from dbo.members (which is still full of test data) would print on the screen so that I could choose which set I want to login with. As it turns out, the only thing that printed was the last row of the table so I kept using those credentials. All of this was done in my default browser, Firefox. All of a sudden they stopped working but all other credentials worked fine. Then I remembered that I also had an IE browser going with those "default" credentials, good! But, when I refreshed one browser it would come up with the credentials of the other and vice versa. This tells me that my cflock is not working right.
You can try it yourself using joe@electriciansnet.com and joe for the password. Here is the Application.cfm:


<cfapplication
   name = "EnetAdmin"
   applicationtimeout = "#CreateTimeSpan(0,0,30,0)#"
   clientmanagement = "yes"
   sessionmanagement = "yes"
   sessiontimeout="#CreateTimeSpan(0,0,10,0)#"
   setclientcookies = "no"
   >
   <cfset enet="enetdb1sql">
 <!---  <cfparam name="form.username" default="">
   <cfparam name="form.password" default="">--->
<cflock scope="session" throwontimeout="yes" timeout="30" type="exclusive">  
   <cfquery name="session.loginMember" datasource="#enet#">
 SELECT    members.memberID, members.contact_Email, members.PassWord
 FROM dbo.members

<!--- WHERE members.contact_Email = '#form.username#'
 AND members.PassWord = '#form.password#'--->
 </cfquery>
</cflock>
<cfloop query="session.loginMember">
<cfset username="#session.loginMember.Contact_Email#">
<cfset password="#session.loginMember.PassWord#">

<cfif not isdefined ("session.Admin") and Isdefined ("form.UserName") and form.UserName EQ "#username#" and IsDefined ("form.Password") and form.Password EQ "#password#">
<cflock scope="session" throwontimeout="yes" timeout="10" type="exclusive">
<cfset Session.Admin = #session.loginMember.memberID#>
</cflock>
</cfif>
</cfloop>
<cfparam name="session.serverfile" default="">
<cfif not IsDefined ("Session.Admin")>
<!---<cfdump var="#username#"><br />
<cfdump var="#password#">--->

<cfinclude template="includes/login.cfm">
<cfabort>
</cfif>

Asked by: Electriciansnet
1 Solution
 
_agx_Commented:
I think there are a number of things wrong with the code sample.  But more importantly, I don't really understand what the code is supposed doing. A basic login usually queries the database for a specific #form.userName# and #form.password#.  If a matching record is found, the code sets a few session variables and moves on.  

No offense but I think you're really messing yourself up by

- putting the query in the session scope
- removing the WHERE clause
- looping through every record in the table
- while mixing local and session variables

... and based on the code above, I'm not at all surprised you're getting strange  results.

Unless you're using an old version of CF, you don't need locking. In MX locking is only required to prevent race conditions and, in most cases, you don't want to use it around a cfquery. Also, unless you have a specific reason for doing so, try not to put queries in the session scope. If you're not reusing the query elsewhere putting it in the session scope serves no purpose.
0
 
_agx_Commented:
> supposed doing.

supposed to be doing.
0
 
ElectriciansnetAuthor Commented:
None taken - how do I fix it?
The whole design was ripped off a tutorial on the net. It was titled something like "Simple CF Admin Area within a single directory".  I just added the query. The login works perfectly but I asked for help so I'm willing to take it.

> No offense but I think you're really messing yourself up by
>
> - putting the query in the session scope

Every page in the admin_member directory uses the WHERE = #session.admin# and as far as I know that is the only session scope I'm relying on from within the admin area.

Basically what I'm looking for is a place that the member can pull their data and only theirs for editing and no one else's. The area is of course, off the main area and has never been used by anyone but me since the site has not been promoted yet. Please, tell me exactly what to change.
0
 
_agx_Commented:
Okay. It may have been an old tutorial.  In older versions of CF you had to use cflock on session variables or bad things would happen.  Then MX came along and it wasn't needed anymore (except for race conditions, which are not a factor here).

What version of CF are you using: 6, 7 or 8?
0
 
ElectriciansnetAuthor Commented:
7.2
0
 
_agx_Commented:
Then use an Application.cfc file instead.  This is a simplified example using the code above.  

There are also other options for handling logins, like cflogin.  
http://livedocs.adobe.com/coldfusion/7/htmldocs/00001191.htm

Application.cfc
=========================================
<cfcomponent>
   <!--- these are the application settings --->
   <cfset this.name = "EnetAdmin">
   <cfset this.applicationTimeout = CreateTimeSpan(0,0,30,0)>
   <cfset this.clientmanagement = true>
   <cfset this.sessionmanagement = true>
   <cfset this.sessiontimeout = CreateTimeSpan(0,0,10,0)>
   <cfset this.setClientCookies = false>

   <cffunction name="onRequestStart">
      <cfargument name="targetPage" required="true"/>
      <cfset var checkMember = "" />
      <cfset request.dsn = "enetdb1sql">

      <cfif NOT StructKeyExists(session, "Admin")>
         <!--- if a login form was submitted.. --->
         <cfif StructKeyExists(form, "UserName") AND StructKeyExists(form, "Password")>
            <!--- verify the supplied username and password --->
            <cfquery name="checkMember" datasource="#request.dsn#">
               SELECT    members.memberID
               FROM      dbo.members
               <!--- note, should use cfqueryparam for form variables --->
               WHERE     members.contact_Email = '#form.username#'
               AND       members.PassWord = '#form.password#'
            </cfquery>
            <!--- user was validated, set the session variable --->
            <cfif checkMember.recordCount eq 1>
               <cfset Session.Admin = checkMember.memberId />
            </cfif>
         </cfif>
      </cfif>
      <!--- otherwise, the user was not validated or has not --->
      <!--- logged in, so display the login screen --->
      <cfif NOT StructKeyExists(session, "Admin")>
         <cfinclude template="includes/login.cfm">
         <cfabort>
      </cfif>
   </cffunction>
</cfcomponent>
0
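
The comment inside the query above notes that the form variables should go through cfqueryparam. As an added example (not the answerer's code), here is the same login check with bound parameters, moved into a helper; the name verifyMember, the cf_sql_varchar types and the numeric memberID are assumptions, and the application settings are trimmed to the session ones.

```cfml
<cfcomponent>
   <cfset this.name = "EnetAdmin">
   <cfset this.sessionmanagement = true>
   <cfset this.sessiontimeout = CreateTimeSpan(0,0,10,0)>
   <!--- verifyMember is a hypothetical helper, not part of the original answer.
         Returns the memberID for a matching row, or 0 when there is no single match. --->
   <cffunction name="verifyMember" access="private" returntype="numeric" output="false">
      <cfargument name="userName" type="string" required="true">
      <cfargument name="password" type="string" required="true">
      <cfset var checkMember = "">
      <!--- empty credentials never reach the database --->
      <cfif Len(Trim(arguments.userName)) EQ 0 OR Len(arguments.password) EQ 0>
         <cfreturn 0>
      </cfif>
      <!--- cfqueryparam sends each value as a bound parameter, so a quote or
            other SQL syntax typed into the form field is compared as data only.
            cf_sql_varchar is an assumption about the column types. --->
      <cfquery name="checkMember" datasource="#request.dsn#">
         SELECT members.memberID
         FROM   dbo.members
         WHERE  members.contact_Email = <cfqueryparam value="#arguments.userName#" cfsqltype="cf_sql_varchar">
         AND    members.PassWord = <cfqueryparam value="#arguments.password#" cfsqltype="cf_sql_varchar">
      </cfquery>

      <cfif checkMember.recordCount EQ 1>
         <cfreturn checkMember.memberID>
      </cfif>
      <cfreturn 0>
   </cffunction>

   <cffunction name="onRequestStart">
      <cfargument name="targetPage" required="true">
      <cfset var memberId = 0>
      <cfset request.dsn = "enetdb1sql">

      <cfif NOT StructKeyExists(session, "Admin") AND StructKeyExists(form, "UserName") AND StructKeyExists(form, "Password")>
         <cfset memberId = verifyMember(form.UserName, form.Password)>
         <cfif memberId GT 0>
            <cfset session.Admin = memberId>
         </cfif>
      </cfif>
      <!--- not validated or not logged in: show the login screen --->
      <cfif NOT StructKeyExists(session, "Admin")>
         <cfinclude template="includes/login.cfm">
         <cfabort>
      </cfif>
   </cffunction>
</cfcomponent>
```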
 
ElectriciansnetAuthor Commented:
It seems to work good. Thank You! I just had to go through and change #enet# to #request.dsn# and I know I should probably do the same for the main site because I know it's considered "Good Coding Practices". Also, when making that change I found this query on index.cfm and login.cfm:

<cfset form.compName = ""><a href="grid2.cfm">Admin Grid Form</a>
<cfset form.memID = "">
<cfdump var="#session.admin#">--->
<!---<cfset admin = session.admin>
<cfquery name="getMemberData" datasource="#request.dsn#">
   SELECT  members.memberID, members.companyName, members.streetNumber, members.City, members.State, members.Contact_First, members.Contact_Last, members.Contact_title, members.Contact_Phone, members.Contact_Email, members.PassWord, members.Contact_URL, members.License, members.CellNumber, members.Slogan, members.member_Since, networkID.networkID, networkID.networkMethod                            
            FROM             members
                        INNER JOIN networkID ON members.networkID = networkID.networkID
            WHERE          members.memberID = #admin#
                  
</cfquery>

I should have known better and have no idea why I put it there but I bet it helped screw everything up.
Thanks again, Andy
0
 
_agx_Commented:
Glad to help.
0
 
ElectriciansnetAuthor Commented:
Thanks again but I do have one last question: My error logs are piling up from not having the proper switches in place. Is there an ultra generic cfif tag that will prevent a page from being processed unless it is called? <cfif isDefined("form.submit")> ?? But what about the pages that run code that are not form action pages?
0
 
_agx_Commented:
You shouldn't be getting errors.  What is the error message in your log files?

> Is there an ultra generic cfif tag that will prevent a page from being processed unless it is called?
> <cfif isDefined("form.submit")> ??

I'm not sure what you mean.
0
 
ElectriciansnetAuthor Commented:
I won't trouble you with any more Qs. I was just saying that my error logs are showing that action pages and the pages that feed loadVars for the movie on contact.cfm and my monthly mailer page are trying to process without being called. i.e. page processes with #form.name# but the page has not been submitted by anyone so #form.name# throws error. I had no idea that would happen but I got those switches (cfif) in place.
However, I'm still getting errors from 30daysmail.cfm and cft3.cfm (movie script page) so I was looking for a cfif tag like: <cfif not cfschedule> and <cfif not called by SwishMax loadVars> etc... This may be worthy of its own question. Thanks again, Andy
0
 
_agx_Commented:
Oh, I see what you're saying.  

There are a few ways to do it, but since the problem seems to involve different pages/code than what is posted above, I think it's worthy of its own question.
0
 
_agx_Commented:
Also, a new question is more likely to draw responses from other experts than a closed question.  
0
 
ElectriciansnetAuthor Commented:
Okay agx, that's what I'll do but first I'm going to post a question called "Converting Application.cfm to Application.cfc" where I will post my main Application.cfm. I have tried it twice with LiveDocs and one other example but I got errors, errors, errors. And since you did the admin area's cfc with such ease I thought you may want the points. If not, that's ok too. Thanks again, Andy
0
