CFLogin explained

I am integrating a third-party tool into my website. This tool still uses application.cfm and it uses CFLogin. When I initially invoke this tool the user is logged in correctly. CFLogin resides in the application.cfm so I am assuming that each time a new page is displayed application.cfm is executed. My problem occurs the first time I try to navigate to a new page in the tool. I am getting the error that I am not logged in. Subsequent times when I try to navigate to a new page everything works fine and I am logged in.

What is the test for CFLogin to determine whether or not the user is logged in?
WestCoast_BC Asked:
WestCoast_BC (Author) Commented:
Can anyone please tell me what CFLogin uses or tests to determine whether or not a user is logged in?

Thank you
WestCoast_BC (Author) Commented:
I am hoping someone can help me with this. I really need to get this solved.

I forgot to mention that I am using ColdFusion 11.
LajuanTaylor Commented:
@WestCoast_BC - Here's an example of cflogin found in Adobe's documentation. It's for CF9, but there haven't been any major changes to how it functions.
http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7db9.html

Did you make sure that the Application.cfm is setting session variables properly?
LajuanTaylor Commented:
@WestCoast_BC - Please note that ColdFusion runs the code that’s surrounded by the cflogin tag if a user is not already logged in. It allows you to authenticate the user and identify the user with a set of roles.

The cflogin framework can sometimes be unpredictable, but if you must use it here's some additional info that might be useful:
<cflogin> - Indicates that a page requires users to log in before proceeding.
<cfloginuser> - Once the user has provided a valid login, use this tag to tell ColdFusion the user is logged in.
GetAuthUser() - Once the user has logged in, you can use this tag to retrieve the user's information.
IsUserInRole() - If you want different users to have different rights, you can use this function to determine what the user can access.
<cflogout> - If you want to provide a way for users to log out, use this tag. (Always make sure to clear the user session structure as well)

This code is typically in the Application.cfc onRequestStart method or in the Application.cfm page.

<cflogin> 
    <cfif NOT IsDefined("cflogin")> 
        <cfinclude template="loginform.cfm"> 
        <cfabort> 
    <cfelse> 
        <cfif cflogin.name eq "admin"> 
            <cfset roles = "user,admin"> 
        <cfelse> 
            <cfset roles = "user"> 
        </cfif> 
        <cfloginuser name = "#cflogin.name#" password = "#cflogin.password#" 
            roles = "#roles#"/> 
    </cfif> 
</cflogin>


The login action page would check the user ID and encrypted password against a data source...
<!--- Look up the submitted credentials; both values are bound as parameters --->
<cfquery name="qSecurity" 
    datasource="UserRolesDb"> 
    SELECT Roles FROM SecurityRoles 
    WHERE username = <cfqueryparam value="#cflogin.name#" cfsqltype="CF_SQL_VARCHAR"> 
    AND password = <cfqueryparam value="#cflogin.password#" cfsqltype="CF_SQL_VARCHAR"> 
</cfquery> 
 
<!--- Log the user in only when a matching row was found --->
<cfif qSecurity.recordcount gt 0> 
<cfloginuser name = "#cflogin.name#" 
    password = "#cflogin.password#" 
    roles = "#trim(qSecurity.Roles)#" > 
<cfset session.securitycheck = "blah,blah,blah">
</cfif>

WestCoast_BC (Author) Commented:
Thank you for all of your help. So, if the login succeeds the first time then the next time it encounters the <cflogin>...</cflogin> code I am assuming then the code is skipped.

I am confused because my code is similar to what you describe. The first time the page is displayed the user is logged in automatically by the software. The second time a page is displayed it doesn't think the user is logged in and an error message is displayed.

I suspect that maybe I am not logging the user in correctly. I will check this.
LajuanTaylor Commented:
@WestCoast_BC - Correct. If your application session management is working correctly, <cflogin> should run once for the user session until the user signs out of the application.

Yes, the Application.cfm or Application.cfc is called with every page request. ColdFusion finds an Application.cfm or .cfc (based on traversing rules). The .cfc version takes precedence.

Typically, a CF Application contains only one Application.cfm or .cfc in the root folder of any given Application.

BTW, is this a public facing web site or internal intranet?
LajuanTaylor Commented:
@WestCoast_BC - The following link is to Adobe's documentation that explains how ColdFusion uses rules to locate and process the Application.cfc and Application.cfm.
http://help.adobe.com/en_US/ColdFusion/9.0/Developing/WSc3ff6d0ea77859461172e0811cbec22c24-7d6f.html

I've missed settings before in the Application.cfm, .cfc, which caused my login sessions to go haywire... It's always good to double check these settings too.
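
An added example, not code from this thread or from the attached sample: an Application.cfm that sets the session options the cflogin framework depends on and writes one log line per request showing whether the cflogin body ran. The application name, the log file name, the PasswordHash and Salt columns and the salted SHA-512 scheme are assumptions made for the illustration.

```cfml
<!--- Application.cfm (added example; names and table columns are assumptions) --->
<cfapplication name="ToolDemo"
    sessionmanagement="yes"
    sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#"
    loginstorage="session"
    setclientcookies="yes">

<!--- Capture state before cflogin so consecutive requests can be compared --->
<cfset authBefore = GetAuthUser()>
<cfset ranLoginBody = false>

<cflogin>
    <!--- This body executes only when ColdFusion finds no logged-in user --->
    <cfset ranLoginBody = true>
    <cfset loginOk = false>
    <cfif IsDefined("cflogin")>
        <cfquery name="qUser" datasource="UserRolesDb">
            SELECT Roles, PasswordHash, Salt FROM SecurityRoles
            WHERE username = <cfqueryparam value="#cflogin.name#" cfsqltype="CF_SQL_VARCHAR">
        </cfquery>
        <!--- Assumed storage scheme: hex SHA-512 of salt + password --->
        <cfif qUser.recordcount EQ 1 AND
              qUser.PasswordHash EQ Hash(qUser.Salt & cflogin.password, "SHA-512")>
            <cfloginuser name="#cflogin.name#" password="#cflogin.password#"
                roles="#Trim(qUser.Roles)#">
            <cfset loginOk = true>
        </cfif>
    </cfif>
    <cfif NOT loginOk>
        <!--- No credentials, or credentials rejected: show the form and stop --->
        <cfinclude template="loginform.cfm">
        <cfabort>
    </cfif>
</cflogin>

<!--- One line per request; the session id is hashed and the password is never logged --->
<cfset sessionTag = Left(Hash(session.sessionid, "SHA-256"), 12)>
<cflog file="cflogin_debug" type="information"
    text="page=#CGI.SCRIPT_NAME# authBefore=[#authBefore#] ranLoginBody=#ranLoginBody# authAfter=[#GetAuthUser()#] session=#sessionTag#">
```

On consecutive requests from the same browser, ranLoginBody should be true only on the request that performs the login, and the session value should stay the same. A session value that changes between requests means the browser is not returning the session cookie, so ColdFusion treats each request as a new, logged-out session.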
LajuanTaylor Commented:
@WestCoast_BC - This is just a follow-up. Did any of the information that I provided serve as a solution for your issue?
WestCoast_BC (Author) Commented:
Thank you. I have not yet solved the problem. On my local computer I am running ColdFusion 9 and it works fine. I believe on my ISP when it was also CF9 it worked fine. My ISP recently upgraded to CF11 and now I am having the problem. The code has not changed.

Thank you
LajuanTaylor Commented:
@WestCoast_BC - Try the attached sample of code that leverages cflogin. It's self-contained and consists of four files that I've tested locally using CF10 on Windows 7, 64-bit with IIS.

The sample dumps out the session variables and verifies GetUserRoles() against a fake data set.

Just change the file extension back to .cfm.

Regards
logout.txt
login.txt
index.txt
Application.txt
