In an earlier post, I mentioned the Tech Note describing the security risk of using session-based cflogin. The recent Updater fixes this, although for some reason it was not mentioned in the release notes. I got an official confirmation of this a few minutes ago.
Archived Comments
Right, stupid question alert ... but does this definitely mean we're ok to use loginStorage=session (well until the next bug that is ;) )
AFAIK, yes.
YAY!! Man, that bug sure was annoying - I thought I was on cheap drugs every time I logged on as someone else :)
This, coupled with the ability to persist components in the session scope when Blackstone is released (which Macromedia publicly said is among the features that is slated for but "may be" in the release at the last London CFUG), means it will finally be possible to easily build a robust AND scalable login framework.
I could kiss you. I could kiss the MM engineers who fixed the problem and I could kiss you for telling me about it. I had problems with this cflogin caching even before the whole loginstorage = session option and they could never be fixed. I even had problems getting others to understand my issues. I even had Charlie Arehart over at my house and he, while finally understanding me, came up with nothing. Now I can start the healing process. Maybe even set it behind me one day.
Ok, I'm confused. I've installed the 6.1 updater but I still get this problem with cflogin. Help!
There is a new, post CFMX 6.1 Updater bug with CFLOGIN/Session. It is not safe to use.
Is there a bug in the ColdFusion 7 cflogin? It seems that it logs in no matter what I type for username and password. Even if the <cfloginuser> tag is inside an if statement like this:
<cflogin>
    <cfif not IsDefined("cflogin")>
        <cfinclude template="../../MyAccount/Login.cfm">
        <cfabort>
    <cfelse>
        <!--- code for cflogin authentication against our db --->
        <!--- credentials are bound with cfqueryparam rather than interpolated into the SQL string --->
        <cfquery name="q_CusExists" datasource="#db#">
            SELECT CUS_USER, CUS_PASS
            FROM CUSTOMER
            WHERE CUS_USER = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
              AND CUS_PASS = <cfqueryparam value="#cflogin.password#" cfsqltype="cf_sql_varchar">
        </cfquery>
        <cfif q_CusExists.RecordCount NEQ 0>
            <cfset session.User = cflogin.name>
            <cfset session.Pass = cflogin.password>
            <cfloginuser name="#session.User#" password="#session.Pass#" roles="customer" />
        </cfif>
    </cfif>
</cflogin>
I haven't seen this. I'd add some debug statements. For example, maybe your query is wrong. Also, do not forget that once you login, the code inside the cflogin block isn't run.
I think the problem is that you need a CFELSE statement to go with the cfif q_CusExists.RecordCount NEQ 0 ... put <cfinclude template="../../MyAccount/Login.cfm"> <cfabort> in the CFELSE to catch if the query did NOT find their username/password.
Thank you Rebecca !
I added:
<cfelse>
<cfinclude template="../../MyAccount/Login.cfm">
<cfabort>
And it worked beautifully.
Complete code:
<!--- user and pass match in db --->
<cfif q_CusExists.RecordCount NEQ 0>
    <cfloginuser name="#session.User#" password="#session.Pass#" roles="customer" />
<cfelse>
    <cfinclude template="../../MyAccount/Login.cfm">
    <cfabort>
</cfif>
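The two fixes from this thread, the failure branch that Rebecca describes and a parameterised credential lookup, together in one Application.cfc. This is an added example, not code from the original post or from Macromedia; it assumes the CUSTOMER table and CUS_USER / CUS_PASS columns from the thread, a hypothetical datasource named "myDSN", and a login.cfm that posts form fields named j_username and j_password (the field names cflogin reads into the cflogin structure). It also shows an explicit logout path, since later comments in the thread concern stale GetAuthUser() results after logout.

```cfml
<!--- Application.cfc: added example, not the original poster's code.
      Assumes CUSTOMER(CUS_USER, CUS_PASS) from the thread and a
      hypothetical datasource "myDSN". --->
<cfcomponent output="false">
    <cfset this.name = "LoginExample">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>
    <!--- Keep login state in the session rather than a cookie (the option this post is about) --->
    <cfset this.loginStorage = "session">

    <cffunction name="onRequestStart" returnType="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Explicit logout: clear the authenticated user before cflogin runs again --->
        <cfif structKeyExists(url, "logout")>
            <cflogout>
            <cflocation url="login.cfm" addToken="false">
        </cfif>

        <cflogin>
            <!--- The cflogin body only executes while no user is authenticated --->
            <cfif NOT isDefined("cflogin")>
                <!--- No credentials submitted yet: show the form and stop the request --->
                <cfinclude template="login.cfm">
                <cfabort>
            </cfif>

            <!--- Bind the submitted credentials; never interpolate them into the SQL string --->
            <cfquery name="qUser" datasource="myDSN">
                SELECT CUS_USER
                FROM CUSTOMER
                WHERE CUS_USER = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
                  AND CUS_PASS = <cfqueryparam value="#cflogin.password#" cfsqltype="cf_sql_varchar">
            </cfquery>

            <cfif qUser.recordCount EQ 1>
                <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="customer">
            <cfelse>
                <!--- Failed attempt. Without this branch the request falls through to the
                      protected page even though cfloginuser was never called, which is the
                      "logs in no matter what I type" symptom from the thread. --->
                <cfset request.loginError = "Invalid username or password">
                <cfinclude template="login.cfm">
                <cfabort>
            </cfif>
        </cflogin>

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Two design notes: the example keeps only cflogin.name in the authenticated user record and does not copy the password into the session scope, because nothing after authentication needs it; and the plaintext CUS_PASS comparison follows the schema shown in the thread, whereas a production table would hold a salted hash and the query would fetch the stored hash for comparison in CFML rather than matching the password column in SQL.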
Now that we’ve moved to CF7 we are reworking our authentication system and taking advantage of application.cfc. We have written a cflogin block into the onRequestStart function but it does not seem to be setting the user. Here is the code block we have boiled it down to for testing.
<cffunction name="onRequestStart" returnType="void" output="false">
<cflogin>
<cfif NOT IsDefined("cflogin")>
<cfloginuser name="reflynn" password="password" roles="none" />
<cflocation url="http://espn.com">
<cfelse>
<cflocation url="http://google.com">
</cfif>
</cflogin>
</cffunction>
Every time we hit the page it redirects to ESPN. It seems that cflogin never "takes". We have tried loginStorage=session and we've tried leaving the default. Everything I read tells me it’s pretty straightforward. We must be doing something very simple incorrectly. Any pointers greatly appreciated.
Bob, I'm thinking you are right. I wouldn't go this route though. Why would you want to send someone to another server based on login?
I am also seeing this bug with ColdFusion 7.0.2 and Flex remote object :(, it seems that even if I issue a manual logout, the GetAuthUser function still returns the last user.
Any pointers appreciated
Alex
To add more detail, I have found that if I run it like this it kind of works
getauthuser => ''
setremotecredentials to login
getauthuser => 'user'
logout
refresh flex app
getauthuser => 'user'
logout
refresh flex app
getauthuser = ''
So it works only after I refresh the page/issue logout twice?
Is there something I'm missing? Some weird cookie not setting issue? This is running Firefox on Windows Vista with these settings
sessionManagement=true
sessionTimeout="#createtimespan(0,0,5,0)#"
applicationTimeout="#createtimespan(0,0,10,0)#" but the same happens with loginStorage="Session"
Sorry for 3 comments in a row, but I think I finally managed to get it working and maybe it will help someone else not waste as much time as I did.
What got it working every time is that I set the credentials to '' before calling the logout function in the cfc. It seems it kept re-logging in even on a page refresh if I've set the remote credentials at some point. Very weird.
RO.setRemoteCredentials('','');
RO.logoutSession.send();
P.S. Another weird thing related to cflogin/getauthuser was that I was unable to getauthuser in a file named cfc/user.cfc ... maybe it was just my configuration, but I renamed it to user2.cfc and everything started magically working.
I hope this will help someone
Alex