November 27, 2006 (This post is more than 2 years old.)

CFLOGIN, How do I love thee...

coldfusion

So this weekend, Bruce Phillips pointed out on my last Flex Homework post that he only needed to run the CFLOGIN tag once in his Flex application. My code was running it for every hit in the onRequestStart method.

So this really bugged me because it was my understanding that ColdFusion had to run the CFLOGIN tag during a request to "enable" Roles Based Security. I knew that ColdFusion would skip the stuff inside - but from what I had remembered, CF had to actually encounter the tag to use Roles Based Security for the test.

But when I tested what Bruce had done in his Flex app, it worked as he had said. I was truly perplexed. Then I did a test:


<cfapplication name="goobercflogin" sessionManagement="true">
<cflogin>
<cfloginuser name="ray2" password="ray" roles="admin">
</cflogin>
<cfoutput>#getAuthUser()#</cfoutput>

<cfif isUserInRole("admin")> <p> yes, admin role </p> </cfif>

I ran this - and then ran it again with the cflogin block commented out - and it worked just fine. Bruce was definitely right. But then I tried this:


<cfapplication name="goobercflogin2" sessionManagement="true" loginStorage="session">
<cflogin>
<cfloginuser name="ray2" password="ray" roles="admin">
</cflogin>
<cfoutput>#getAuthUser()#</cfoutput>

<cfif isUserInRole("admin")> <p> yes, admin role </p> </cfif>

Notice the loginStorage? That tells ColdFusion to use the session scope for the authentication. Now in theory, this should ONLY change the storage method for the authentication information. But when you comment out CFLOGIN, you no longer get a value for getAuthUser and the roles check failed.

I'll wrap with one final word: Ugh.

Support this Content!

If you like this content, please consider supporting me. You can become a Patron, visit my Amazon wishlist, or buy me a coffee! Any support helps!

Want to get a copy of every new post? Use the form below to sign up for my newsletter.

Archived Comments

Comment 1 by Mark Fuqua posted on 11/28/2006 at 5:01 AM

How are the roles stored in the first example?

Comment 2 by Joe Rinehart posted on 11/28/2006 at 6:35 AM

Hey Ray,

I've been dealing with this problem in Web Services for a while...the solution I used works well in Flex. I blogged it here:

http://www.firemoss.com/blo...

Comment 3 by Raymond Camden posted on 11/28/2006 at 7:59 AM

Mark - a cookie.

Comment 4 by Meep posted on 11/28/2006 at 8:16 PM

my coworker/boss have all used CF a lot longer than me (since version 2 whereas I started with 6 and slightly the end of 5). They all swear by custom login and security models vs cflogin. Most times they cite previous vulnerabilities and shortcomings of cflogin and the like.

Just curious to everyone heres opinion on the matter since as I said I don't have a long CF background so I feel like its hard to discern things in the environment I'm in.

Comment 5 by Raymond Camden posted on 11/28/2006 at 8:56 PM

Meep, listen to your coworkers. They are exactly right. I still use cflogin in all my apps - I just haven't had a chance to rip them out yet.

Comment 6 by TJ Downes posted on 11/28/2006 at 10:01 PM

I've typically been a fan of cflogin because of it's ease of use. I have been using CF since 2.0 but did not start using CFLOGIN until about a year ago. Once I discovered how easy it was I was enthusiastic.

Unfortunately over the last few months I discovered a couple of things which have changed my mind about CFLOGIN.

First and foremost, CFLOGIN runs on every request. In a high-traffic environment this could cost you significanty.

Secondly, there is a bug in Flash player that prevents file uploads from happening in Firefox (PC and Mac) and Safari when using CFFORM when the format is Flash. Technically this is an issue with Flash, not CFLOGIN. However, by avoiding the use of CFLOGIN altogether, I would not have encountered this issue. Now I am in a position of redesigning my entire security schema for a particular app because the majority of users using my tools are FF or Safari users.

My advice: skip CFLOGIN.

Comment 7 by Sami Hoda posted on 11/29/2006 at 12:43 AM

Ray,

Maybe you and I can tag team on this one as an Enhancement Request/Bug entry for Scorpio. They seem to listen when more than one person complains. What do you think? I'd like to cflogin fixed rather than rip it out of my code as well.

Sami

Comment 8 by James Edmunds posted on 11/29/2006 at 7:28 PM

I fall into the camp of wishing CFLOGIN fixed rather than abandoned -- although this may prove nothing more than that I am lazy.

Comment 9 by Chris posted on 1/31/2008 at 8:30 PM

Not terribly useful. How does cflogin know which table in your db to use for authentication? I can't believe the CF docs leave out this important detail...

Comment 10 by Raymond Camden posted on 1/31/2008 at 8:37 PM

Um, it doesn't. CFLOGIN does not hit a database. CFLOGIN simply helps manage your login status. You may want to authenticate people against LDAP. You may want to authenticate people again values in a text file. Whatever. CFLOGIN leaves that up to you.

Comment 11 by Scott posted on 7/9/2008 at 1:42 AM

I think the loginStorage="session" won't work because from what I understand session variables do not exist in Flex.

Comment 12 by Adam Bellas posted on 1/6/2009 at 8:35 AM

I know CFLOGIN can be a royal pain, however I can't ignore the roles attribute on CFFUNCTION and how nice that wraps up all my API's into a ColdFusion security layer.

We tried inventing a roll-you-own system to handle AJAX security and it's just not as easy and fast as the built in stuff. If you can stomach the CFLOGIN roller-coaster of woe, that is.

Comment 13 by Reinhard Jung posted on 11/18/2009 at 5:26 AM

Thanx for the BlogEntry!

Support this Content!

Archived Comments

Webmentions