
CFLogin

New Here, Feb 08, 2007


I am having a problem with CFLogin and my session variables. As I have LoginStorage set to session, in theory my cflogin credentials should expire at the same time as my session variables do. If I log in as a user and wait for my session to expire, at first glance all appears to be functioning correctly. That is, I am presented with the login page after clicking on a link. So far so good. However, when I try to log in again, I am authenticated but I receive a message that my Session variables are not defined. If I click on my logout button (which initiates CFLogout) and then re-enter my username and password, everything is fine. So it appears that the expiration of CFLOGIN is not the same as CFLOGOUT. I guess I have a lot to learn with cflogin. Your help is most welcome.
TOPICS
Advanced techniques

Engaged, Feb 08, 2007


Try adding timeout="#createtimespan()#" into the <cflogin> tag. I remember doing it before, but can't remember if it helped or not...

New Here, Feb 08, 2007


Actually I had already tried that and it doesn't work either. I just have to figure out how ColdFusion handles a logout due to the expiration of a session when tied to Login Storage, or expiration of Idletimeout, or closing the browser window. All three of these methods give me the same result. Only CFLogout does what it is supposed to. So obviously ColdFusion handles it differently than the other three.

Community Expert, Feb 09, 2007

> I just have to figure out how ColdFusion handles a logout due to the
> expiration of a session when tied to Login Storage, or expiration of
> Idletimeout, or closing the browser window. All three of these methods
> give me the same result. Only CFLogout does what it is supposed to.
> So obviously ColdFusion handles it differently than the other three.


The key principle is, ColdFusion does not execute the cflogin tag as long as the user is logged in. And what does it mean for the user to be logged in? It means the tag cfloginuser ran, plus ColdFusion has not begun a new session, the current session has not timed out and ColdFusion has not run the cflogout tag.

ColdFusion keeps track by creating a security context for that client in memory. At every request, it compares what it has in memory with what the client is passing to it. If there isn't a match, it logs the user out.

Without the cflogout tag, telling when ColdFusion will log the client out is not an exact science. In practice, with loginStorage set to "session", ColdFusion stores login details in the Session.cfauthorization variable and will use session cookies to identify the client. If for whatever reason ColdFusion begins a new session or the session cookies are erased or changed or the current session expires, ColdFusion will log the user out. There are other matters to take into account. One, if ColdFusion is configured with ordinary (not J2EE) sessions, the browser may close and reopen, and still maintain the same session. Two, the browser may reopen a cached page rather than make a new request. Three, even after a session has ended, ColdFusion might require up to thirty seconds to delete the session variables.

Matters are straightforward with J2EE sessions and cflogout. With J2EE sessions, if the browser closes and reopens, its next request will get ColdFusion to start a new session. ColdFusion then logs the client out. For either type of session management, the axe falls when the browser opens a page containing the cflogout tag. ColdFusion promptly logs the client out.



addendum: with loginStorage set to "session"




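One way to keep the login state and the session variables in step, following the answer's point that the cflogin body does not run while the user still counts as logged in. This is an added example, not code from any poster in the thread. The application name, the timeout, `session.userName`, the `credentialsValid` helper, the constructed demo account and a `login.cfm` form that posts `j_username` and `j_password` are all assumptions.

```cfml
<!--- Application.cfc (added example). Assumed names: exampleApp, login.cfm,
      session.userName, credentialsValid and the constructed demo account. --->
<cfcomponent output="false">
  <cfset this.name = "exampleApp">
  <cfset this.sessionManagement = true>
  <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>
  <cfset this.loginStorage = "session">

  <cffunction name="onApplicationStart" returnType="boolean" output="false">
    <!--- Constructed demo account, a stand-in for the application's real user store. --->
    <cfset application.demoUser = "alice">
    <cfset application.demoHash = hash("constructed-demo-password", "SHA-256")>
    <cfreturn true>
  </cffunction>

  <cffunction name="credentialsValid" returnType="boolean" output="false">
    <cfargument name="name" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <!--- Stand-in check against the demo account only. --->
    <cfreturn arguments.name eq application.demoUser and hash(arguments.password, "SHA-256") eq application.demoHash>
  </cffunction>

  <cffunction name="onRequestStart" returnType="boolean" output="true">
    <cfargument name="targetPage" type="string" required="true">

    <!--- Desync guard: still logged in as far as cflogin is concerned, but the
          session data the pages depend on is missing. Log out explicitly so the
          cflogin body below runs again and both states restart together. --->
    <cfif len(getAuthUser()) and not structKeyExists(session, "userName")>
      <cflogout>
    </cfif>

    <!--- The body executes only when the user is not logged in. --->
    <cflogin>
      <cfif isDefined("cflogin") and credentialsValid(cflogin.name, cflogin.password)>
        <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="user">
        <!--- Set session data in the same step that establishes the login. --->
        <cfset session.userName = cflogin.name>
      <cfelse>
        <!--- No credentials or bad credentials: show the form and stop. --->
        <cfinclude template="login.cfm">
        <cfabort>
      </cfif>
    </cflogin>
    <cfreturn true>
  </cffunction>
</cfcomponent>
```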