19 Replies Latest reply: Jun 28, 2012 4:38 AM by BKBK

    cflogout Problem

    Phinehas1234

      Hi,

       

          I have a web application which uses cflogin and cflogout for authentication. Since we have some special accounts that can be used by different people, we allow multiple logins to the system.

       

          However, we have encountered a problem. When two or more people are logged in to the same account, they can input data and run queries on their computers. But when one of them logs out of the account, all the others are also logged out and the data they have input (not yet updated to the server) is lost.

       

          Is there any method to solve it? Can cflogout log out only one session, and not kill all sessions (logged in with the same account)?

        • 1. Re: cflogout Problem
          BKBK CommunityMVP

          That indeed seems strange. I expect cflogout not to log out or kill sessions. Not even the session of the current user. It should simply delete the currently logged in username, password and roles from memory.

           

          What is the value of loginStorage in the Application file? Have you perhaps mistakenly added code in the cflogout page which globally affects sessions?

          • 2. Re: cflogout Problem
            Phinehas1234 Community Member

            I'm sorry. I am a beginner with ColdFusion, and users reported this problem in our existing system. May I know where loginStorage is in application.cfm? I will check it tomorrow when I'm in the office.

            • 3. Re: cflogout Problem
              BKBK CommunityMVP

              loginStorage is an attribute of the cfapplication tag. It can take the values "cookie" (the default) or "session", and tells ColdFusion where to store the login information. Could you show us any of your login/logout code that involves variables in the application and session scopes?

              • 4. Re: cflogout Problem
                Phinehas1234 Community Member

                Let me check it first when I'm in the office.

                • 5. Re: cflogout Problem
                  Phinehas1234 Community Member

                  Hi,

                   

                  In application.cfm, the cfapplication tag is:

                  <cfapplication name="testdb">

                  cflogin tag:

                  <cfloginuser name="#form.userID#" password="#form.password#" roles="#u_role#">

                  cflogout file:

                  contains <cflogout>

                   

                  I have tried to change the cfapplication tag to:

                  <cfapplication name="testdb" sessionmanagement="yes" setclientcookies="no" sessiontimeout="#createtimespan(0, 10, 0, 0)#">

                   

                  But the problem still exists.

                   

                  Is there anything I have missed setting? And is there any configuration in the ColdFusion Administration page (since I do not have access rights to it, I have no idea about the configuration in the admin page)?

                  • 6. Re: cflogout Problem
                    Phinehas1234 Community Member

                    I have an idea on solving this problem.

                     

                    When a user logs in to the system successfully, it stores the username and password in a Session / Cookie variable. Then, every time a page loads, it checks the Session / Cookie variable and assigns its values to the form values if it contains user information. Next, it logs in again. When the user logs out of the system, it sets the Session / Cookie variable to the empty string "". It seems this can solve the problem.

                     

                    However, I think it is not the best solution. Is there any method to solve the problem?

                    • 7. Re: cflogout Problem
                      BKBK CommunityMVP

                      Phinehas1234 wrote:

                       

                      In application.cfm, the cfapplication tag is:

                      <cfapplication name="testdb">

                      cflogin tag:

                      <cfloginuser name="#form.userID#" password="#form.password#" roles="#u_role#">

                      cflogout file:

                      contains <cflogout>

                       

                      I have tried to change the cfapplication tag to:

                      <cfapplication name="testdb" sessionmanagement="yes" setclientcookies="no" sessiontimeout="#createtimespan(0, 10, 0, 0)#">

                       

                      But the problem still exists.

                       

                      Is there anything I have missed setting? And is there any configuration in the ColdFusion Administration page (since I do not have access rights to it, I have no idea about the configuration in the admin page)?

                      What you have done so far seems to be all right. However, here are some suggestions:

                       

                      - Ensure the file name is Application.cfm

                       

                      - The default value of loginStorage is "cookie". That is its implicit value when you omit the attribute. By omitting the attribute, you are therefore instructing ColdFusion to store the login information in a cookie. However, your current setting setclientcookies="no" instructs ColdFusion not to send any cookies to the client!

                       

                      Try this instead: <cfapplication name="testdb" sessionmanagement="yes" setclientcookies="yes" loginStorage="session" sessiontimeout="#createtimespan(0, 10, 0, 0)#">

                       

                      - You don't necessarily need access to the Administrator. Create a page called test.cfm, say. It should contain the following code to confirm that application and session variables are enabled:

                      <cfdump var="#application#">

                      <cfdump var="#session#">

                      • 8. Re: cflogout Problem
                        Phinehas1234 Community Member

                        Hi,

                         

                        I have tested it. But the problem still exists.

                         

                        I renamed the file to Application.cfm and set setclientcookies to yes. But the problem still exists.

                         

                        But I found some information from test.cfm.

                         

                        I used my development computer and the server to browse the file after logging in with the same account. Their #application# information is the same. But their #session# information is different.

                         

                        In the #session# part, the only value they have in common is cfauthorization_testdb. Their password and userid values are empty strings. cfid, cftoken, sessionid and urltoken are different.

                        • 9. Re: cflogout Problem
                          BKBK CommunityMVP

                          Phinehas1234 wrote:

                          I used my development computer and the server to browse the file after logging in with the same account. Their #application# information is the same. But their #session# information is different.

                           

                          In the #session# part, the only value they have in common is cfauthorization_testdb. Their password and userid values are empty strings. cfid, cftoken, sessionid and urltoken are different.

                          That is how it should be. Now, another crucial test: add the following to the test page to identify the user currently logged in:

                           

                          Current logged in user: <cfoutput>#getAuthUser()#</cfoutput>

                          • 10. Re: cflogout Problem
                            Phinehas1234 Community Member

                            Their outputs are the same. They show me the login account name. (Some special accounts are used by several users in the same period.)

                            • 11. Re: cflogout Problem
                              BKBK CommunityMVP

                              Phinehas1234 wrote:

                               

                              Their outputs are the same. They show me the login account name. (Some special accounts are used by several users in the same period.)

                              So far so good. They are all logged in. What happens when one of the accounts now goes to the logout page and, following that, the remaining accounts go to the test page?

                              • 12. Re: cflogout Problem
                                Phinehas1234 Community Member

                                When I log out on the development computer, the test page on the development computer returns to the login page. That is correct.

                                 

                                On the server, I refresh the test page and it returns the login page and requests the login account and password.

                                • 13. Re: cflogout Problem
                                  BKBK CommunityMVP

                                  Phinehas1234 wrote:

                                   

                                  When I log out on the development computer, the test page on the development computer returns to the login page. That is correct.

                                   

                                  On the server, I refresh the test page and it returns the login page and requests the login account and password.

                                  Repeat the last test using the setting loginStorage="cookie".

                                  • 14. Re: cflogout Problem
                                    Phinehas1234 Community Member

                                    The results are the same. The test page on the server is logged out.

                                     

                                    Also, I find that form.userID and form.password are not defined on both the development computer and the server after logout.

                                    • 15. Re: cflogout Problem
                                      BKBK CommunityMVP

                                      I did not expect that. That then is the core of the problem.

                                       

                                      In my own tests the other accounts remain logged in! I am looking into it, and will return shortly.

                                      • 16. Re: cflogout Problem
                                        BKBK CommunityMVP

                                        First, the bad news, if we can call it that: the result I have just reported is a false positive. I am using Internet Explorer and Firefox to simulate different users. Explorer was caching the test pages.

                                         

                                        I have now been able to conclusively reproduce your result. When the current user goes to a page containing the cflogout tag, ColdFusion does indeed delete from memory the username, password and roles that were registered in cfloginuser. This is apparently application wide, and applies to all users sharing those same credentials.

                                         

                                        Following the logout page, the result of visiting a page containing the code getAuthUser() will be an empty string for all the users. Also, ColdFusion will run the cflogin tag for all the users, sending them to the login page.

                                         

                                        Now the good news. Your application is named "testdb". I am also assuming you have set loginStorage to "session". Then, for a user who has been logged in by means of cfloginuser, who has not visited the logout page and whose session is still active, the variable session.cfauthorization_testdb is defined and is a non-empty string. In other words, for the single user who visited the logout page, and for him alone, session.cfauthorization_testdb will be undefined.

                                         

                                        This suggests one solution, like this:

                                         

                                        <cfif NOT isDefined("session.cfauthorization_testdb") OR session.cfauthorization_testdb is "">

                                        <cflogin>

                                        ...

                                        ...

                                        </cflogin>

                                        </cfif>
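
One way to complete the guard above, as an added example that is not part of the original post: it relies on the behaviour reported in this thread (session.cfauthorization_testdb is a per-session marker when loginStorage="session"). checkCredentials(), loginform.cfm, index.cfm and the session.authUser / session.authRoles keys are hypothetical names introduced for illustration.

```cfml
<!--- Application.cfm (added example; settings follow the thread's "testdb" application) --->
<cfapplication name="testdb" sessionmanagement="yes" setclientcookies="yes"
               loginStorage="session" sessiontimeout="#createTimeSpan(0, 10, 0, 0)#">

<!--- Run cflogin only for a session that does not hold its own login marker --->
<cfif NOT structKeyExists(session, "cfauthorization_testdb")
      OR session.cfauthorization_testdb IS "">
  <cflogin>
    <cfset u_role = "">
    <cfif structKeyExists(form, "userID") AND structKeyExists(form, "password")>
      <!--- checkCredentials() is hypothetical: returns a role list, or "" on failure --->
      <cfset u_role = checkCredentials(form.userID, form.password)>
    </cfif>
    <cfif len(u_role)>
      <cfloginuser name="#form.userID#" password="#form.password#" roles="#u_role#">
      <!--- Identity is kept per session; the password is never stored in any scope --->
      <cflock scope="session" type="exclusive" timeout="10">
        <cfset session.authUser = form.userID>
        <cfset session.authRoles = u_role>
      </cflock>
    <cfelse>
      <!--- loginform.cfm is a hypothetical page that posts userID and password --->
      <cfinclude template="loginform.cfm">
      <cfabort>
    </cfif>
  </cflogin>
</cfif>

<!--- logout.cfm (separate file): end this session's login only, without <cflogout> --->
<cflock scope="session" type="exclusive" timeout="10">
  <cfset structDelete(session, "cfauthorization_testdb")>
  <cfset structDelete(session, "authUser")>
  <cfset structDelete(session, "authRoles")>
</cflock>
<!--- index.cfm is a placeholder for the application's start page --->
<cflocation url="index.cfm" addtoken="no">
```

Pages protected this way should read session.authUser and session.authRoles rather than getAuthUser(), which the thread reports as empty for every user of the shared account once one of them visits a page containing cflogout.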

                                        • 17. Re: cflogout Problem
                                          Phinehas1234 Community Member

                                          Hi,

                                           

                                          Thanks for your response.

                                           

                                          However, since my company has many applications that are using ColdFusion and the same login method, we have some difficulties updating all applications for this issue. Every page in our applications will check the form.userID and form.password before loading the content. Therefore, is there any patch update or method to solve this problem with the least workload and without affecting the application performance?

                                          • 18. Re: cflogout Problem
                                            coylo

                                            I have the same issue.

                                             

                                            On logout I have:

                                             

                                            <cflogout>

                                            <!--- Clear all session vars --->

                                            <cflock timeout="10" throwontimeout="Yes" type="Exclusive" scope="Session"> 

                                            <cfloop collection="#session#" item="i">   

                                            <cfset i=StructDelete(session, i)> 

                                            </cfloop>

                                            </cflock>

                                             

                                            However, if I remove <cflogout> it seems to work.

                                            I can therefore log in to 2 different machines with the same login. I can then log out of the 1st machine and I will still be logged on to the 2nd machine, whereas using cflogout will log both users out at the same time.

                                             

                                            Are there any other implications of removing cflogout in this case?

                                            • 19. Re: cflogout Problem
                                              BKBK CommunityMVP

                                              This thread is too old. Start your own. In fact you might even have a higher chance of success.