CFLOGIN, How do I love thee...

So this weekend, Bruce Phillips pointed out on my last Flex Homework post that he only needed to run the CFLOGIN tag once in his Flex application. My code was running it for every hit in the onRequestStart method. So this really bugged me because it was my understanding that ColdFusion had to run the CFLOGIN tag during a request to “enable” Roles Based Security. I knew that ColdFusion would skip the stuff inside - but from what I had remembered, CF had to actually encounter the tag to use Roles Based Security for the test.

But when I tested what Bruce had done in his Flex app, it worked as he had said. I was truly perplexed. Then I did a test:

<cfapplication name="goobercflogin" sessionManagement="true">

<cflogin> <cfloginuser name=”ray2” password=”ray” roles=”admin”> </cflogin> <cfoutput>#getAuthUser()#</cfoutput>

<cfif isUserInRole(“admin”)> <p> yes, admin role </p> </cfif> </code>

I ran this - and then ran it again with the cflogin block commented out - and it worked just fine. Bruce was definitely right. But then I tried this:

<cfapplication name="goobercflogin2" sessionManagement="true" loginStorage="session">

<cflogin> <cfloginuser name=”ray2” password=”ray” roles=”admin”> </cflogin>

<cfoutput>#getAuthUser()#</cfoutput>

<cfif isUserInRole(“admin”)> <p> yes, admin role </p> </cfif> </code>

Notice the loginStorage? That tells ColdFusion to use the session scope for the authentication. Now in theory, this should ONLY change the storage method for the authentication information. But when you comment out CFLOGIN, you no longer get a value for getAuthUser and the roles check failed.

I’ll wrap with one final word: Ugh.

Raymond Camden's Picture

About Raymond Camden

Raymond is a developer advocate. He focuses on JavaScript, serverless and enterprise cat demos. If you like this article, please consider visiting my Amazon Wishlist or donating via PayPal to show your support. You can even buy me a coffee!

Lafayette, LA https://www.raymondcamden.com

Comments