I ran into an interesting little issue last night when I was writing my blog entry on the Server Monitoring API. For some reason my ability to add blog posts stopped working. I thought something crazy was going on until I noticed something. My username had switched from the username I used to log on to BlogCFC to the username "admin". Why?
Remember this code from my demo:
<cfinvoke component="cfide.adminapi.administrator" method="login" adminPassword="mypasswordcanbeatupyourpassword">
From what I can tell, this code actually uses CFLOGON. Since my ColdFusion Administrator doesn't have a username, just a password, it used "admin" for the username. So when I was reloading both my blog and my demo, my getAuthUser() was switching back and forth.
If I read this right (and I could be wrong), it means that you cannot use the Admin API from within the context of an Application that is using CFLOGON. Frankly this might be the last nail in the coffin for me and CFLOGON. I'm going to file a bug report on this but I wanted to give folks a warning as it certainly worried me.
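The behaviour described above can be checked with a small diagnostic page run inside an application where the user has already logged in through cflogin. This is an added example, not code from the original post; the function name, the log file name and the placeholder password are assumptions.

```cfml
<!--- Added example: detects whether an Admin API login replaces the
      cflogin identity of the current user. Names are illustrative. --->
<cffunction name="checkAdminLoginSideEffect" returntype="struct" output="false">
    <cfargument name="adminPassword" type="string" required="true">
    <cfset var result = structNew()>
    <cfset var adminObj = "">

    <!--- Identity established by the application's own cflogin block --->
    <cfset result.userBefore = getAuthUser()>

    <!--- Same Admin API call as the cfinvoke in the post --->
    <cfset adminObj = createObject("component", "cfide.adminapi.administrator")>
    <cfset adminObj.login(arguments.adminPassword)>

    <!--- Identity as ColdFusion reports it after the Admin API login --->
    <cfset result.userAfter = getAuthUser()>
    <cfset result.identityChanged = compare(result.userBefore, result.userAfter) neq 0>
    <cfreturn result>
</cffunction>

<!--- Placeholder value: substitute the real Administrator password --->
<cfset check = checkAdminLoginSideEffect("REPLACE_WITH_ADMIN_PASSWORD")>

<!--- Leave an audit trail when the authenticated user was swapped --->
<cfif check.identityChanged>
    <cflog file="authcheck" type="warning"
           text="getAuthUser() changed from '#check.userBefore#' to '#check.userAfter#' after Admin API login">
</cfif>

<cfoutput>
Before: #htmlEditFormat(check.userBefore)#<br>
After: #htmlEditFormat(check.userAfter)#<br>
Changed: #yesNoFormat(check.identityChanged)#
</cfoutput>
```

If "Changed" reports Yes, any authorization decision in the same application that relies on getAuthUser() is being made against the Administrator identity rather than the application user.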
Archived Comments
Ray,
I'm pretty new to CF, about 16 months now, and I suppose this is not directly related to your post, but you say you might abandon the use of CF login. That's all I use to secure my applications at the moment. What other technique would you use in its place, and why, other than the reason you have stated about the Admin API issue?
Simon
Ah, heh, well, it is an old beef. Not that the feature is bad or anything, but I've found that in _my_ development, I have problems with it. A lot of my problems were fixed in CF8:
http://www.coldfusionjedi.c...
But my primary complaint, and I think I talk about it in the blog entry - is the lack of being able to separate a login session from the web server and from my CF app. Let me know if that doesn't make sense.
I found a weird problem with cflogin and session ending. It seems your session can be cleared out but ColdFusion still considers you logged in, and you have to explicitly cflogout to get rid of it... That had me going for a while. I'm looking forward to improvements in CF8... it's a lot of work to build a security system from scratch.
Michael, did you remember to use loginStorage="session"? If you forgot, then your logon 'scope' isn't the same as your session.
I must have missed that in the manual, or it wasn't in the examples or some other lame excuse...
Sorry to drag up a dead horse,
but was this issue ever addressed? I'm having the same problem in CF 10.
createObject("component","cfide.adminapi.administrator").login overwrites my getauthuser().
I don't think it ever was. I wish I had a bug # for ya. I know I logged it.