I blogged about this way back in '04, but I had a client who ran into this yesterday and lost a good few days trying to debug it.
Folks who read my blog know that CFLOGIN is probably the only thing about ColdFusion that I do not like. I was a huge fan of it, and in fact all of my applications still use it, but after being burned by it one too many times, I'm hoping to remove the use of it completely over time.
The client that contacted me couldn't understand why their application worked perfectly in testing, but when deployed to a live site, with web server security turned on, the application threw an error. Why did it do this?
ColdFusion's roles-based security does not have a way to tell you if you are logged on. (Why?) The typical way of doing it is to check the result of getAuthUser(). If it is blank, you aren't logged in.
However, one of the features of ColdFusion's system is to automatically integrate with web server security. What would happen is that the user would hit the site, log on at the web server level, and getAuthUser() would return that username. Therefore, the site thought he was logged in when he really never had.
I've fixed this myself by simply using a session flag. But then you need to make sure you use the session-based version of roles-based security (which is not the default). Consider this a warning if you use roles-based security.
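As an added example (not code from the original post), here is the session-flag approach in tag-based CFML: Application.cfc opts into session storage for the login state, the login page sets a flag only when the application itself authenticates the user, and the per-page check trusts that flag instead of a non-empty getAuthUser(). validateUser() is a hypothetical stand-in for whatever user-store lookup the application uses.

```cfml
<!--- Application.cfc: keep the cflogin state in the CF session, not the default cookie --->
<cfcomponent output="false">
  <cfset this.name = "loginDemo">
  <cfset this.sessionManagement = true>
  <cfset this.loginStorage = "session">
</cfcomponent>

<!--- login.cfm: the flag is set only on this code path, never by web server auth --->
<cflogin>
  <cfif structKeyExists(form, "username") and structKeyExists(form, "password")>
    <!--- validateUser() is hypothetical: returns a role list, or "" on failure --->
    <cfset roles = validateUser(form.username, form.password)>
    <cfif len(roles)>
      <cfloginuser name="#form.username#" password="#form.password#" roles="#roles#">
      <cfset session.isLoggedIn = true>
    </cfif>
  </cfif>
</cflogin>

<!--- Fragile check: Basic/NTLM auth at the web server also makes this non-empty --->
<cfif len(getAuthUser())>
  <!--- user is treated as logged in even if this application never authenticated him --->
</cfif>

<!--- Hardened check: trust only the flag this application set itself --->
<cfif structKeyExists(session, "isLoggedIn") and session.isLoggedIn>
  <cfset currentUser = getAuthUser()>
<cfelse>
  <cflocation url="login.cfm" addtoken="false">
</cfif>

<!--- logout.cfm: clear both the cflogin state and the flag together --->
<cflogout>
<cfset session.isLoggedIn = false>
```

Because the flag and the cflogin state both live in the session, a logout or session timeout clears them together, which is the point of switching loginStorage away from the cookie default.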
Archived Comments
I wrote my own authorization because CFLogin among other things (as pointed out by Michael D.) only supports checking authorization if all the methods in the list work. So you can't pass things in with mixed and/or logic.
To be fair, that isn't such a big deal. Yes, isUserInRole is an AND check. But it takes 2 seconds to write an isUserInAnyRole UDF, which I've done in the past.
But it just adds to the list of things that you wish were in there already.
Ray, I have always avoided CFLOGIN like the plague - I was never sure if it was because I thought it was a terrible way to handle authentication, or because I just didn't understand it (I'm leaning more towards the former, after reading your post :-)).
What I would love to see is a <CFSAML> tag - do you know of any CF based SAML solutions?
Cheers,
David
David,
I'm working on a SAML solution right now and would love to hear if you find anything. If I find something, I'll post it.
Phil,
I also sent you an e-mail, but I'll post my thoughts here. I will probably end up coding a SAML solution and post the code to an open source forum so that others can help make it better. I'll keep in touch.
Cheers,
David
Ray, how about a 4 or 7 page 'how to' on creating and using login for a web application. This is a feature most applications end up using and there seems to be no 'best coding' practice on this.
I'd love to have you and Sean give your input on this. I can't think of two other people I would rather learn from. Ben can feel free to add his input too.
I was contemplating just such a thing for a CF 101 type series. However, I need to get the next entry out for the contest for sure.
Ray, I think we could all use a CF(login) 101. And 102 and 201 and 303.
Thanks.
I promise. :) Right now I'm having issues with the second contest entry. I'm working with the author so I can get it running and do a review.
Hi,
I am soooo backing a login tutorial with cf, can't wait to see this.
Also I am searching high and low for a flex cf login tutorial, maybe one here would be cool also :)
cheers simon
Yeah, that's a good idea too.
Hey David and Phil -- I'm also looking into implementing a SAML solution in ColdFusion, but I'm still at the research stage when it comes to SAML. I'd be happy to offer whatever I can to help on your SAML solution (as I'll be working on my own here in a few days) or anything you find along the way. Glad to hear I'm not alone in implementing something like this!
David/Adam/Phil, I'd also be interested in SAML for CF. Please post a comment here if any of you find or create a solution. Thanks.
CFlogin - I don't like it, especially over a cluster. For it to work properly it relies on you to write your own code to handle servers going down in a cluster otherwise users will get logged out or lose their roles. With lessons learnt I will write my own login and role management routines next time.
Ray,
Do you need cflock when using getAuthUser() function to check if user is logged in? Thanks.
Nope.
Good to know. I was thinking of saving the value of ListLen(GetAuthUser()) to something like a boolean SESSION.isLoggedIn but I'd have to cflock that session variable which is a hassle. I guess ListLen(GetAuthUser()) is simpler then. Thanks again.
Well getAuthUser returns a username. You probably want to check len(...), not listLen, and CF8 added isLoggedIn() so you can check that. Also - you don't have to lock when you read/write session variables. "Lock everything" was the rule in CF5 and earlier days. Now you only lock when you have to worry about race conditions.
The new IsUserLoggedIn() in CF8 is just what I need.