-
1. Re: cflogout Problem
BKBK Oct 11, 2011 7:37 AM (in response to Phinehas1234)That indeed seems strange. I expect cflogout not to log out or kill sessions. Not even the session of the current user. It should simply delete the currently logged in username, password and roles from memory.
What is the value of loginStorage in the Application file? Have you perhaps mistakenly added code in the cflogout page which globally affects sessions?
-
2. Re: cflogout Problem
Phinehas1234 Oct 11, 2011 7:43 AM (in response to BKBK)I'm sorry. I am a beginner of ColdFusion and users report this problem in our existing system. May I know where is the loginStorage in application.cfm? I will check it tomorrow when I'm in office.
-
3. Re: cflogout Problem
BKBK Oct 11, 2011 8:19 AM (in response to Phinehas1234)LoginStrorage is an attribute of the cfapplication tag. It can take values "cookie"(the default) or "session", and tells ColdFusion where to store the login information. Could show us any of your login/logout code that involves variables in the application and session scopes?
-
4. Re: cflogout Problem
Phinehas1234 Oct 11, 2011 8:24 AM (in response to BKBK)Let me check it first when I'm in office.
-
5. Re: cflogout Problem
Phinehas1234 Oct 11, 2011 5:35 PM (in response to BKBK)Hi,
In application.cfm, the cfapplication tag is:
<cfapplication name="testdb">
cflogin tag:
<cfloginuser name="#form.userID#" password="#form.password#" roles="#u_role#">
cflogout file:
contain <cflogout>
I have tried to change the cfapplication tag to:
<cfapplication name="testdb" sessionmanagement="yes" setclientcookies="no" sessiontimeout="#createtimespan(0, 10, 0, 0)#">
But the problem still existing.
Is there anything I have missing to set? And, is there any configure in ColdFusion Administration Page (since I do not have access right on it, I have no idea on the configure in admin page)?
-
6. Re: cflogout Problem
Phinehas1234 Oct 11, 2011 8:13 PM (in response to Phinehas1234)I have an idea on solving this problem.
When user logs in system successfully, it stores username and password in Session / Cookie variable. Then, everytimes the page loads, it checks the Session / Cookie variable and assign their value to form value if they contains user information. Next, it logins again. When user log out the system, it set Session / Cookie variable to empty string "". It seems it can solve the problem.
However, I think it is not the best solution on it. Is there any methods to solve the problem?
-
7. Re: cflogout Problem
BKBK Oct 12, 2011 1:17 AM (in response to Phinehas1234)Phinehas1234 wrote:
In application.cfm, the cfapplication tag is:
<cfapplication name="testdb">
cflogin tag:
<cfloginuser name="#form.userID#" password="#form.password#" roles="#u_role#">
cflogout file:
contain <cflogout>
I have tried to change the cfapplication tag to:
<cfapplication name="testdb" sessionmanagement="yes" setclientcookies="no" sessiontimeout="#createtimespan(0, 10, 0, 0)#">
But the problem still existing.
Is there anything I have missing to set? And, is there any configure in ColdFusion Administration Page (since I do not have access right on it, I have no idea on the configure in admin page)?
What you have done so far seems to be all right. However, here are some suggestions:
- Ensure the file name is Application.cfm
- The default value of loginStorage is "cookie". That is its implicit value when you omit the attribute. By omitting the attribute, you are therefore instructing ColdFusion to store the login information in a cookie. However, your current setting setclientcookies="no" instructs ColdFusion not to send any cookies to the client!
Try this instead: <cfapplication name="testdb" sessionmanagement="yes" setclientcookies="yes" loginStorage="session" sessiontimeout="#createtimespan(0, 10, 0, 0)#">
- You don't necessarily need access to the Administrator. Create a page called test.cfm, say. It should contain the following code to confirm that application and session variables are enabled:
<cfdump var="#application#">
<cfdump var="#session#">
-
8. Re: cflogout Problem
Phinehas1234 Oct 12, 2011 2:04 AM (in response to BKBK)Hi,
I have tested it. But the problem still exist.
I change rename the file as Application.cfm and set the setclientcookies to yes. But the problem still exist.
But, I find some information from the test.cfm.
I use my development computer and server to surf the file after login with the same account. Their #application# information are the same. But their #session# information are different.
In the #session# part, they only have the same value of cfauthorization_testdb. Their password and userid value are empty string. cfid, cftoken, sessionid and urltoken are different.
-
9. Re: cflogout Problem
BKBK Oct 12, 2011 4:03 AM (in response to Phinehas1234)Phinehas1234 wrote:
I use my development computer and server to surf the file after login with the same account. Their #application# information are the same. But their #session# information are different.
In the #session# part, they only have the same value of cfauthorization_testdb. Their password and userid value are empty string. cfid, cftoken, sessionid and urltoken are different.
That is how it should be. Now, another crucial test: add the following to the test page to identify the user currently logged in
Current logged in user: <cfoutput>#getAuthUser()#</cfoutput>
-
10. Re: cflogout Problem
Phinehas1234 Oct 12, 2011 5:30 PM (in response to BKBK)Their output are the same. They show me the login account name. (Some special account are used by several users in the same period.)
-
11. Re: cflogout Problem
BKBK Oct 12, 2011 10:49 PM (in response to Phinehas1234)Phinehas1234 wrote:
Their output are the same. They show me the login account name. (Some special account are used by several users in the same period.)
So far so good. They are all logged in. What happens when one of the accounts now goes to the logout page and, following that, the remaining accounts go to the test page?
-
12. Re: cflogout Problem
Phinehas1234 Oct 12, 2011 11:17 PM (in response to BKBK)When I logout the development computer, the test page in development computer returns to login page. It is correctly.
In server, I refresh test page and it return the login page and request login account and password.
-
13. Re: cflogout Problem
BKBK Oct 13, 2011 12:02 AM (in response to Phinehas1234)Phinehas1234 wrote:
When I logout the development computer, the test page in development computer returns to login page. It is correctly.
In server, I refresh test page and it return the login page and request login account and password.
Repeat the last test using the setting loginStorage="cookie".
-
14. Re: cflogout Problem
Phinehas1234 Oct 13, 2011 12:21 AM (in response to BKBK)The result are the same. The test page in server logout.
Also, I find that the form.userID and form.password are not defined in both development computer and server after logout.
-
15. Re: cflogout Problem
BKBK Oct 13, 2011 12:30 AM (in response to Phinehas1234)I did not expect that. That then is the core of the problem.
In my own tests the other accounts remain logged in! I am looking into it, and will return shortly.
-
16. Re: cflogout Problem
BKBK Oct 13, 2011 1:57 AM (in response to Phinehas1234)First, the bad news, if we can call it that: the result I have just reported is false-positive. I am using Internet Explorer and Firefox to simulate different users. Explorer was caching the test pages.
I have now been able to conclusively reproduce your result. When the current user goes to a page containing the cflogout tag, ColdFusion does indeed delete from memory the username, password and roles that were registered in cfloginuser. This is apparently application wide, and applies to all users sharing those same credentials.
Following the logout page, the result of visiting a page containing the code getAuthUser() will be an empty string for all the users. Also, ColdFusion will run the cflogin tag for all the users, sending them to the login page.
Now the good news. Your application is named "testdb". I am also assuming you have set loginStorage to "session". Then, for a user who has been logged in by means of cfloginuser, who has not visited the logout page and whose session is still active, the variable session.cfauthorization_testdb is defined and is a non-empty string. In other words, for the single user who visited the logout page, and for him alone, session.cfauthorization_testdb will be undefined.
This suggests one solution, like this
<cfif NOT isDefined("session.cfauthorization_testdb") OR session.cfauthorization_testdb is "">
<cflogin>
...
...
</cflogin>
</cfif>
-
17. Re: cflogout Problem
Phinehas1234 Oct 13, 2011 9:25 PM (in response to BKBK)Hi,
Thanks for your response.
However, since my company has many application that is using ColdFusion and the same login method, we have some difficulties on updating all applications for this issue. Every page in our applications will check the form.userID and form.password before loading the content. Therefore, is there any patch updates or method to solve this problem with the fewest workload without affecting the application performance?
-
18. Re: cflogout Problem
coylo Jun 28, 2012 3:45 AM (in response to Phinehas1234)i have same issue.
on logout i have:
<cflogout>
<!--- Clear all session vars --->
<cflock timeout="10" throwontimeout="Yes" type="Exclusive" scope="Session">
<cfloop collection="#session#" item="i">
<cfset i=StructDelete(session, i)>
</cfloop>
</cflock>
however, if i remove <cflogout> it seems to work.
i can therefore login to 2 different machines with same login, i can then logout of 1st machine and i will still be logged on to the 2nd machine, whereas using cflogout will log both users out at same time.
are there any other implications of removing cflogout in this case?
-
19. Re: cflogout Problem
BKBK Jun 28, 2012 4:38 AM (in response to coylo)This thread is too old. Start your own. In fact you might even have a higher chance of success.

