cflogout Problem

LoginStrorage is an attribute of the cfapplication tag. It can take values "cookie"(the default) or "session", and tells ColdFusion where to store the login information. Could show us any of your login/logout code that involves variables in the application and session scopes?

Phinehas1234 wrote: In application.cfm, the cfapplication tag is: <cfapplication name="testdb"> cflogin tag: <cfloginuser name="#form.userID#" password="#form.password#" roles="#u_role#"> cflogout file: contain <cflogout> I have tried to change the cfapplication tag to: <cfapplication name="testdb" sessionmanagement="yes" setclientcookies="no" sessiontimeout="#createtimespan(0, 10, 0, 0)#"> But the problem still existing. Is there anything I have missing to set? And, is there any configure in ColdFusion Administration Page (since I do not have access right on it, I have no idea on the configure in admin page)?

What you have done so far seems to be all right. However, here are some suggestions:

- Ensure the file name is Application.cfm

- The default value of loginStorage is "cookie". That is its implicit value when you omit the attribute. By omitting the attribute, you are therefore instructing ColdFusion to store the login information in a cookie. However, your current setting setclientcookies="no" instructs ColdFusion not to send any cookies to the client!

Try this instead: <cfapplication name="testdb" sessionmanagement="yes" setclientcookies="yes" loginStorage="session" sessiontimeout="#createtimespan(0, 10, 0, 0)#">

- You don't necessarily need access to the Administrator. Create a page called test.cfm, say. It should contain the following code to confirm that application and session variables are enabled:

<cfdump var="#application#">

<cfdump var="#session#">

Phinehas1234 wrote: I use my development computer and server to surf the file after login with the same account. Their #application# information are the same. But their #session# information are different. In the #session# part, they only have the same value of cfauthorization_testdb. Their password and userid value are empty string. cfid, cftoken, sessionid and urltoken are different.

That is how it should be. Now, another crucial test: add the following to the test page to identify the user currently logged in

Current logged in user: <cfoutput>#getAuthUser()#</cfoutput>

Phinehas1234 wrote: Their output are the same. They show me the login account name. (Some special account are used by several users in the same period.)

So far so good. They are all logged in. What happens when one of the accounts now goes to the logout page and, following that, the remaining accounts go to the test page?

Phinehas1234 wrote: When I logout the development computer, the test page in development computer returns to login page. It is correctly. In server, I refresh test page and it return the login page and request login account and password.

Repeat the last test using the setting loginStorage="cookie".

I did not expect that. That then is the core of the problem.

In my own tests the other accounts remain logged in! I am looking into it, and will return shortly.

First, the bad news, if we can call it that: the result I have just reported is false-positive. I am using Internet Explorer and Firefox to simulate different users. Explorer was caching the test pages. 

I have now been able to conclusively reproduce your result. When the current user goes to a page containing the cflogout tag, ColdFusion does indeed delete from memory the username, password and roles that were registered in cfloginuser. This is apparently application wide, and applies to all users sharing those same credentials.

Following the logout page, the result of visiting a page containing the code getAuthUser() will be an empty string for all the users. Also, ColdFusion will run the cflogin tag for all the users, sending them to the login page.

Now the good news. Your application is named "testdb". I am also assuming you have set loginStorage to "session". Then, for a user who has been logged in by means of cfloginuser, who has not visited the logout page and whose session is still active, the variable session.cfauthorization_testdb is defined and is a non-empty string. In other words, for the single user who visited the logout page, and for him alone,  session.cfauthorization_testdb will be undefined.

This suggests one solution, like this

<cfif NOT isDefined("session.cfauthorization_testdb") OR session.cfauthorization_testdb is "">

<cflogin>

...

...

</cflogin>

</cfif>

i have same issue.

on logout i have:

<cflogout>

<!--- Clear all session vars --->

<cflock timeout="10" throwontimeout="Yes" type="Exclusive" scope="Session"> 

<cfloop collection="#session#" item="i">   

<cfset i=StructDelete(session, i)> 

</cfloop>

</cflock>

however, if i remove <cflogout> it seems to work.

i can therefore login to 2 different machines with same login,  i can then logout of 1st machine and i will still be logged on to the 2nd machine, whereas using cflogout will log both users out at same time.

are there any other implications of removing cflogout in this case?

This thread is too old. Start your own. In fact you might even have a higher chance of success.