cflogout Problem

Oct 10, 2011 9:18 PM

Hi,

 

    I have a web application which uses cflogin and cflogout for authentication. Since we have some special accounts that can be used by different people, we allow multiple logins to the system.

 

    However, we have encountered a problem. When two or more people log in to the same account, they can input data and run queries on their computers. But when one of them logs out of the account, all the others are also logged out, and their inputted data (not yet updated to the server) is lost.

 

    Is there any method to solve it? Can cflogout log out only one session, and not kill all sessions (logged in with the same account)?

 
Replies
  • Oct 11, 2011 7:37 AM   in reply to Phinehas1234

    That indeed seems strange. I expect cflogout not to log out or kill sessions. Not even the session of the current user. It should simply delete the currently logged in username, password and roles from memory.

     

    What is the value of loginStorage in the Application file? Have you perhaps mistakenly added code in the cflogout page which globally affects sessions?

     
  • Oct 11, 2011 8:19 AM   in reply to Phinehas1234

    LoginStorage is an attribute of the cfapplication tag. It can take values "cookie" (the default) or "session", and tells ColdFusion where to store the login information. Could you show us any of your login/logout code that involves variables in the application and session scopes?

     
  • Oct 12, 2011 1:17 AM   in reply to Phinehas1234

    Phinehas1234 wrote:

     

    In application.cfm, the cfapplication tag is:

    <cfapplication name="testdb">

    cflogin tag:

    <cfloginuser name="#form.userID#" password="#form.password#" roles="#u_role#">

    cflogout file:

    contains <cflogout>

     

    I have tried to change the cfapplication tag to:

    <cfapplication name="testdb" sessionmanagement="yes" setclientcookies="no" sessiontimeout="#createtimespan(0, 10, 0, 0)#">

     

    But the problem still exists.

     

    Is there anything I have missed setting? And is there any configuration in the ColdFusion Administration Page (since I do not have access rights to it, I have no idea about the configuration in the admin page)?

    What you have done so far seems to be all right. However, here are some suggestions:

     

    - Ensure the file name is Application.cfm

     

    - The default value of loginStorage is "cookie". That is its implicit value when you omit the attribute. By omitting the attribute, you are therefore instructing ColdFusion to store the login information in a cookie. However, your current setting setclientcookies="no" instructs ColdFusion not to send any cookies to the client!

     

    Try this instead: <cfapplication name="testdb" sessionmanagement="yes" setclientcookies="yes" loginStorage="session" sessiontimeout="#createtimespan(0, 10, 0, 0)#">

     

    - You don't necessarily need access to the Administrator. Create a page called test.cfm, say. It should contain the following code to confirm that application and session variables are enabled:

    <cfdump var="#application#">

    <cfdump var="#session#">

     
  • Oct 12, 2011 4:03 AM   in reply to Phinehas1234

    Phinehas1234 wrote:

    I use my development computer and server to surf the file after logging in with the same account. Their #application# information is the same. But their #session# information is different.

     

    In the #session# part, they only have the same value of cfauthorization_testdb. Their password and userid values are empty strings. cfid, cftoken, sessionid and urltoken are different.

    That is how it should be. Now, another crucial test: add the following to the test page to identify the user currently logged in

     

    Current logged in user: <cfoutput>#getAuthUser()#</cfoutput>

     
  • Oct 12, 2011 10:49 PM   in reply to Phinehas1234

    Phinehas1234 wrote:

     

    Their outputs are the same. They show me the login account name. (Some special accounts are used by several users in the same period.)

    So far so good. They are all logged in. What happens when one of the accounts now goes to the logout page and, following that, the remaining accounts go to the test page?

     
  • Oct 13, 2011 12:02 AM   in reply to Phinehas1234

    Phinehas1234 wrote:

     

    When I log out on the development computer, the test page on the development computer returns to the login page. That is correct.

     

    On the server, I refresh the test page and it returns the login page and requests the login account and password.

    Repeat the last test using the setting loginStorage="cookie".

     
  • Oct 13, 2011 12:30 AM   in reply to Phinehas1234

    I did not expect that. That then is the core of the problem.

     

    In my own tests the other accounts remain logged in! I am looking into it, and will return shortly.

     
  • Oct 13, 2011 1:57 AM   in reply to Phinehas1234

    First, the bad news, if we can call it that: the result I have just reported is a false positive. I am using Internet Explorer and Firefox to simulate different users. Explorer was caching the test pages.

     

    I have now been able to conclusively reproduce your result. When the current user goes to a page containing the cflogout tag, ColdFusion does indeed delete from memory the username, password and roles that were registered in cfloginuser. This is apparently application wide, and applies to all users sharing those same credentials.

     

    Following the logout page, the result of visiting a page containing the code getAuthUser() will be an empty string for all the users. Also, ColdFusion will run the cflogin tag for all the users, sending them to the login page.

     

    Now the good news. Your application is named "testdb". I am also assuming you have set loginStorage to "session". Then, for a user who has been logged in by means of cfloginuser, who has not visited the logout page and whose session is still active, the variable session.cfauthorization_testdb is defined and is a non-empty string. In other words, for the single user who visited the logout page, and for him alone, session.cfauthorization_testdb will be undefined.

     

    This suggests one solution, like this:

     

    <cfif NOT isDefined("session.cfauthorization_testdb") OR session.cfauthorization_testdb is "">

    <cflogin>

    ...

    ...

    </cflogin>

    </cfif>
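
    An Application.cfm that assembles the settings and the guard from this reply and logs the shared-logout case it describes, as an added example that is not part of the original post. The templates loginform.cfm and verify_credentials.cfm and the log name testdb_auth are hypothetical.

```cfml
<!--- Application.cfm (added example, not the poster's code).
      loginform.cfm, verify_credentials.cfm and the log file name are assumptions. --->
<cfapplication name="testdb" sessionmanagement="yes" setclientcookies="yes"
               loginStorage="session"
               sessiontimeout="#createTimeSpan(0, 10, 0, 0)#">

<!--- True only while THIS session still holds the marker that, per the reply,
      stays defined for sessions that did not visit the logout page. --->
<cfset hasMarker = structKeyExists(session, "cfauthorization_testdb")
                   AND len(session.cfauthorization_testdb) GT 0>

<cfif NOT hasMarker>
  <!--- No marker: this session never logged in, or it ran cflogout itself. --->
  <cflogin>
    <cfif NOT (structKeyExists(form, "userID") AND structKeyExists(form, "password"))>
      <cfinclude template="loginform.cfm">
      <cfabort>
    </cfif>

    <!--- Hypothetical include: sets u_role to the account's roles,
          or leaves it empty when the credentials are rejected. --->
    <cfset u_role = "">
    <cfinclude template="verify_credentials.cfm">

    <cfif len(u_role) EQ 0>
      <cflog file="testdb_auth" type="warning"
             text="Rejected login in session #session.sessionid#">
      <cfinclude template="loginform.cfm">
      <cfabort>
    </cfif>

    <cfloginuser name="#form.userID#" password="#form.password#" roles="#u_role#">
  </cflogin>
<cfelseif len(getAuthUser()) EQ 0>
  <!--- Marker present but getAuthUser() is empty: the state the reply reports
        after another session sharing the account visited the logout page.
        Record it so shared-account logouts are visible in the logs. --->
  <cflog file="testdb_auth" type="information"
         text="Session #session.sessionid# kept after a shared-account cflogout">
</cfif>
```

    As the reply notes, getAuthUser() returns an empty string for the sessions that stay in, so the example records that case instead of treating it as a logout.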

     
  • Jun 28, 2012 3:45 AM   in reply to Phinehas1234

    I have the same issue.

     

    On logout I have:

     

    <cflogout>

    <!--- Clear all session vars --->

    <cflock timeout="10" throwontimeout="Yes" type="Exclusive" scope="Session"> 

    <cfloop collection="#session#" item="i">   

    <cfset i=StructDelete(session, i)> 

    </cfloop>

    </cflock>

     

    However, if I remove <cflogout> it seems to work.

    I can therefore log in to 2 different machines with the same login. I can then log out of the 1st machine and I will still be logged on to the 2nd machine, whereas using cflogout will log both users out at the same time.

     

    Are there any other implications of removing cflogout in this case?

     
  • Jun 28, 2012 4:38 AM   in reply to coylo

    This thread is too old. Start your own. In fact you might even have a higher chance of success.

     