So this weekend, Bruce Phillips pointed out on my last Flex Homework post that he only needed to run the CFLOGIN tag once in his Flex application. My code was running it for every hit in the onRequestStart method.
So this really bugged me because it was my understanding that ColdFusion had to run the CFLOGIN tag during a request to "enable" Roles Based Security. I knew that ColdFusion would skip the stuff inside - but from what I had remembered, CF had to actually encounter the tag to use Roles Based Security for the test.
But when I tested what Bruce had done in his Flex app, it worked as he had said. I was truly perplexed. Then I did a test:
<cfapplication name="goobercflogin" sessionManagement="true">
<cflogin>
<cfloginuser name="ray2" password="ray" roles="admin">
</cflogin>
<cfoutput>#getAuthUser()#</cfoutput>
<cfif isUserInRole("admin")>
<p>
yes, admin role
</p>
</cfif>
I ran this - and then ran it again with the cflogin block commented out - and it worked just fine. Bruce was definitely right. But then I tried this:
<cfapplication name="goobercflogin2" sessionManagement="true" loginStorage="session">
<cflogin>
<cfloginuser name="ray2" password="ray" roles="admin">
</cflogin>
<cfoutput>#getAuthUser()#</cfoutput>
<cfif isUserInRole("admin")>
<p>
yes, admin role
</p>
</cfif>
Notice the loginStorage? That tells ColdFusion to keep the authentication information in the session scope instead of a cookie. In theory, this should ONLY change where the authentication information is stored. But when you comment out CFLOGIN, you no longer get a value for getAuthUser(), and the roles check fails.
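As an added example (not Ray's code), here is the pattern that works around this: an Application.cfc that re-establishes the session-stored login on every request, as the test above shows is needed with loginStorage="session", plus a CFC method gated with the roles attribute. The in-memory user store, rolesFor() and deleteUser() are constructed for the example.

```cfml
<!--- Application.cfc (added example; not from the original post) --->
<cfcomponent output="false">
    <cfset this.name = "goobercflogin2">
    <cfset this.sessionManagement = true>
    <cfset this.loginStorage = "session">

    <!--- Constructed sample user store; a real app would look users up in LDAP, a DB, etc. --->
    <cfset variables.users = { ray2 = { password = "ray", roles = "admin" } }>

    <!--- Returns the user's roles on a match, or an empty string on failure (hypothetical helper). --->
    <cffunction name="rolesFor" returntype="string" output="false">
        <cfargument name="username" type="string" required="true">
        <cfargument name="password" type="string" required="true">
        <cfif structKeyExists(variables.users, arguments.username)
              AND compare(variables.users[arguments.username].password, arguments.password) EQ 0>
            <cfreturn variables.users[arguments.username].roles>
        </cfif>
        <cfreturn "">
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfset var roles = "">
        <!--- With loginStorage="session", getAuthUser()/isUserInRole() only see the stored login
              once the request has passed through CFLOGIN, so it runs here on every request.
              When the user is already logged in, ColdFusion skips the body. --->
        <cflogin>
            <!--- The cflogin struct (name/password) is populated from j_username/j_password
                  form fields or an HTTP Basic Authorization header; absent otherwise. --->
            <cfif isDefined("cflogin")>
                <cfset roles = rolesFor(cflogin.name, cflogin.password)>
                <cfif len(roles)>
                    <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#roles#">
                <cfelse>
                    <cfheader statuscode="401" statustext="Unauthorized">
                    <cfabort>
                </cfif>
            </cfif>
        </cflogin>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- api.cfc (same example): the roles attribute denies the call unless the
      current login, restored above, carries the "admin" role. --->
<cfcomponent output="false">
    <cffunction name="deleteUser" access="remote" returntype="boolean" roles="admin" output="false">
        <cfargument name="username" type="string" required="true">
        <cfreturn structDelete(application.users, arguments.username)>
    </cffunction>
</cfcomponent>
```

Without the CFLOGIN pass in onRequestStart, a remote call to deleteUser() under session storage fails the roles check even for a user who logged in on an earlier request.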
I'll wrap with one final word: Ugh.
Archived Comments
How are the roles stored in the first example?
Hey Ray,
I've been dealing with this problem in Web Services for a while...the solution I used works well in Flex. I blogged it here:
http://www.firemoss.com/blo...
Mark - a cookie.
My coworker/boss have all used CF a lot longer than me (since version 2, whereas I started with 6 and slightly the end of 5). They all swear by custom login and security models vs. cflogin. Most times they cite previous vulnerabilities and shortcomings of cflogin and the like.
Just curious about everyone here's opinion on the matter since, as I said, I don't have a long CF background, so I feel like it's hard to discern things in the environment I'm in.
Meep, listen to your coworkers. They are exactly right. I still use cflogin in all my apps - I just haven't had a chance to rip them out yet.
I've typically been a fan of cflogin because of its ease of use. I have been using CF since 2.0 but did not start using CFLOGIN until about a year ago. Once I discovered how easy it was, I was enthusiastic.
Unfortunately over the last few months I discovered a couple of things which have changed my mind about CFLOGIN.
First and foremost, CFLOGIN runs on every request. In a high-traffic environment this could cost you significantly.
Secondly, there is a bug in Flash player that prevents file uploads from happening in Firefox (PC and Mac) and Safari when using CFFORM when the format is Flash. Technically this is an issue with Flash, not CFLOGIN. However, by avoiding the use of CFLOGIN altogether, I would not have encountered this issue. Now I am in a position of redesigning my entire security schema for a particular app because the majority of users using my tools are FF or Safari users.
My advice: skip CFLOGIN.
Ray,
Maybe you and I can tag team on this one as an Enhancement Request/Bug entry for Scorpio. They seem to listen when more than one person complains. What do you think? I'd like to cflogin fixed rather than rip it out of my code as well.
Sami
I fall into the camp of wishing CFLOGIN fixed rather than abandoned -- although this may prove nothing more than that I am lazy.
Not terribly useful. How does cflogin know which table in your db to use for authentication? I can't believe the CF docs leave out this important detail...
Um, it doesn't. CFLOGIN does not hit a database. CFLOGIN simply helps manage your login status. You may want to authenticate people against LDAP. You may want to authenticate people against values in a text file. Whatever. CFLOGIN leaves that up to you.
I think the loginStorage="session" won't work because from what I understand session variables do not exist in Flex.
I know CFLOGIN can be a royal pain, however I can't ignore the roles attribute on CFFUNCTION and how nice that wraps up all my API's into a ColdFusion security layer.
We tried inventing a roll-your-own system to handle AJAX security and it's just not as easy and fast as the built-in stuff. If you can stomach the CFLOGIN roller-coaster of woe, that is.
Thanx for the BlogEntry!