cflogin and different browsers

Guest
Jul 30, 2007

I have searched this forum and the internet high and low and cannot for the life of me find this answer, so any CF guru who has seen this, please let me know what you've found.

I have built a simple application security framework using cflogin, cfloginuser, j_username, j_password, etc.
This works fine in any browser of choice (I personally test on IE, FF, Opera, NN and Safari on Windows).

The problem arises when I try to log in to another browser. If I log in on FF, then it works fine, but the minute I log in to IE at the same time, it skips cflogin code, thus trying to process other code it shouldn't be able to get to. Now if I log out of FF, then it works fine in IE. It's the same way for any other browser combination (or all of them). I can only be logged into 1 browser at a time.

Another weird anomaly is that it seems like it's skipping what is in the cflogin tag...but if I log in with bogus credentials, it processes the cflogin code and brings back that I am using bad credentials.

So to reiterate...
1. I can only log in to 1 browser at a time
2. It skips cflogin if the credentials are good.
3. It processes cflogin if the credentials are bad.

Here is my code (some things changed for security and non-disclosure reasons):

quote:


<cfcomponent>

<!--- --->
<cfscript>
this.name = 'myApp';
this.sessionManagement = true;
this.sessionTimeout = CreateTimeSpan(0,1,0,0);
this.sessionStorage = 'cookie';
this.applicationTimeout = CreateTimeSpan(0,1,0,0);
this.loginStorage = 'session';
this.setClientCookies = true;

request.dsn = 'myDbName';
request.cfc = 'www.inc.cfc';
</cfscript>


<!--- On Request Start --->
<cffunction name="onRequestStart">
<!--- Functions to run when user in Admin section --->
<cfif GetBaseTemplatePath() CONTAINS "\admin\">
<!--- check for user login --->
<cflogin idletimeout="3600">
<cfif NOT IsDefined("cflogin")>
<cfinclude template="admin/login.cfm">
<cfabort>

<cfelse>
<!--- check for user --->
<cfquery name="getUser" datasource="#request.dsn#">
SELECT *
FROM users
WHERE userStatus = 1
AND userUsername = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
AND userPassword = <cfqueryparam value="#cflogin.password#" cfsqltype="cf_sql_varchar">
</cfquery>
<!--- login or boot --->
<cfif getUser.recordCount IS 1>
<cfif ISDefined('form.changePW')>
<cfscript>
args = StructNew();
args.username = '#cflogin.name#';
args.password = '#cflogin.password#';
args.newPass = '#form.newPass#';
</cfscript>
<cfinvoke component="#request.cfc#.userAdmin" method="pw" argumentcollection="#args#" returnvariable="vars.success"></cfinvoke>
<cfif vars.success IS false><cflocation url="#cgi.script_name#?msg=2" addtoken="no"><cfelse><cfset url.msg = 3></cfif>
</cfif>
<cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#ValueList(getUser.userGroup)#" />
<cfelse>
<cflocation url="#request.adminRoot#/index.cfm?msg=1" addtoken="no">
</cfif>

<!--- get permissions for user --->
<cfquery name="getUserPerms" datasource="#request.dsn#">
SELECT p.*, r.*, pg.*, ug.*
FROM permissions AS p
INNER JOIN rights AS r ON r.rtsCode = p.permRightsID
INNER JOIN pages AS pg ON pg.pageID = p.permPageID
INNER JOIN userGroups AS ug ON ug.ugrpID = p.permGroupID
WHERE ug.ugrpID IN (<cfqueryparam value="#getUser.userGroup#" cfsqltype="cf_sql_varchar">)
AND r.rtsStatus = 1
AND pg.pageStatus = 1
AND ug.ugrpStatus = 1
ORDER BY pageFile
</cfquery>

<!--- Set user session variables and go to homepage --->
<cflock scope="session" timeout="10">
<cfscript>
session.user = StructNew();
session.user.loggedIn = true;
session.user.username = '#cflogin.name#';
session.user.userFirstName = '#getUser.userFirstName#';
session.user.userLastName = '#getUser.userLastName#';
session.user.userAccount = '#getUser.userAccount#';
session.user.userGroup = '#getUser.userGroup#';
session.user.rights = StructNew();
if(getUserPerms.recordCount IS NOT 0){
session.user.ugrpGroupAssign = '#getUserPerms.ugrpGroupAssign#';
for(p=1; p LTE getUserPerms.recordCount; p=p+1){
SetVariable("session.user.rights.#getUserPerms.pageCode[p]#.access", "#getUserPerms.permRightsID[p]#");
}
}
</cfscript>
</cflock>
</cfif>
</cflogin>

<!--- Check users rights on this page --->
<cfset request.pageArray = ListToArray(GetBaseTemplatePath(), '\')>
<cfset vars.pageArray = request.pageArray>
<cfif ISDefined('session.user.rights')>
<cfset vars.accessVar = "session.user.rights.#ListFirst(vars.pageArray[ArrayLen(vars.pageArray)], '.')#.access">
<cflock scope="session" timeout="10">
<cfif ISDefined(vars.accessVar)>
<cfset session.user.thisPageAccess = "#Evaluate(vars.accessVar)#">
<cfelse>
<cfset session.user.thisPageAccess = "n">
</cfif>
</cflock>
</cfif>

<cfif NOT ListFindNoCase('login.cfm,logout.cfm',vars.pageArray[ArrayLen(vars.pageArray)])>
<cfif session.user.thisPageAccess IS 'n'>
<cflocation url="#request.adminRoot#" addtoken="no">
</cfif>
</cfif>
</cfif>
</cffunction>

</cfcomponent>




Any ideas?

Thanks

Explorer
Jul 31, 2007

Dump your session and cookie scopes and see if the cfid/cftoken or jsessionid cookies are the same in each browser. If they are the same, which is unlikely, then there is a problem with CF's session management.

These cookies are used to identify an individual session within CF's realm.

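One way to run the comparison suggested in the reply above without eyeballing full scope dumps, as an added example that is not code from the thread: a snippet to place directly after the closing `</cflogin>` tag in `onRequestStart`, which logs one line per admin request with fingerprints of the session identifiers, the result of `GetAuthUser()`, and whether `session.user` exists. The log name `logindiag`, the `request.diag` struct and the state labels are assumptions made for this example; `session.user` is the key set in the Application.cfc from the question.

```cfml
<!--- Added diagnostic (not from the thread): place directly after </cflogin>
      in onRequestStart. Writes one line per admin request to the hypothetical
      log "logindiag" so requests from two browsers can be compared. --->
<cfset request.diag = StructNew()>
<cfset request.diag.authUser = GetAuthUser()>

<cflock scope="session" type="readonly" timeout="10">
  <!--- Fingerprint the identifiers instead of logging usable session tokens --->
  <cfif StructKeyExists(session, "cfid") AND StructKeyExists(session, "cftoken")>
    <cfset request.diag.sessionFp = Left(Hash(session.cfid & ":" & session.cftoken, "SHA-256"), 12)>
  <cfelse>
    <cfset request.diag.sessionFp = "none">
  </cfif>
  <cfset request.diag.hasSessionUser = StructKeyExists(session, "user")>
</cflock>

<cfif StructKeyExists(cookie, "jsessionid")>
  <cfset request.diag.jsessionFp = Left(Hash(cookie.jsessionid, "SHA-256"), 12)>
<cfelse>
  <cfset request.diag.jsessionFp = "none">
</cfif>

<!--- Classify how the login framework and the session scope relate --->
<cfif request.diag.authUser NEQ "" AND NOT request.diag.hasSessionUser>
  <cfset request.diag.state = "AUTH_WITHOUT_SESSION_USER">
<cfelseif request.diag.authUser EQ "" AND request.diag.hasSessionUser>
  <cfset request.diag.state = "SESSION_USER_WITHOUT_AUTH">
<cfelseif request.diag.authUser NEQ "">
  <cfset request.diag.state = "CONSISTENT_LOGGED_IN">
<cfelse>
  <cfset request.diag.state = "NOT_LOGGED_IN">
</cfif>

<!--- Strip control characters from client-supplied values before logging --->
<cfset request.diag.agent = REReplace(cgi.http_user_agent, "[[:cntrl:]]", " ", "all")>
<cfset request.diag.safeUser = REReplace(request.diag.authUser, "[[:cntrl:]]", " ", "all")>

<cflog file="logindiag" type="information"
       text="state=#request.diag.state# authUser=#request.diag.safeUser# sessionFp=#request.diag.sessionFp# jsessionFp=#request.diag.jsessionFp# agent=#request.diag.agent#">
```

A line with `state=AUTH_WITHOUT_SESSION_USER` marks a request where `GetAuthUser()` reports a user but the `cflogin` body, which is what fills `session.user` in the posted code, did not run for that session.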
Guest
Aug 01, 2007


Dumped those variable scopes and they are different. However, the cfauthorization variable in the session scope is the same. I think I read it's an encrypted version of like the username, application, etc., so it makes sense it would be the same.

I did some additional testing and found out that across 2 computers (same or different browsers), it won't work either. It's allowing the login on both computers, but when I log in on the 2nd computer, it won't run the cflogin tag again to actually authorize the username and password because it thinks I'm already logged in...therefore session variables that are set upon login...don't get set.

I did read that if you don't specify "this.loginStorage", it defaults to the server's memory, and that would make sense that it wouldn't work, but you can clearly see I have set a login storage location that is not the server.

The only common denominator in all this is the server, so somehow the server is storing login information and not allowing me to log in on computer 2 until I log out of computer 1.

Thanks

Explorer
Aug 02, 2007


Well, that is quite interesting. First, make sure you have var'ed all of your function-local variables.

Are you behind a firewall that may be sharing your session cookies with all computers? Dump out the CGI scope and see if the information is different/same on those two computers.

Guest
Sep 01, 2008

Wow, this is over a year old so perhaps this is no longer an issue. Also, I have done absolutely NO testing of this myself so perhaps I'm completely off base here, but you mentioned you get this issue with IE and FF. Are those the only two browsers where you see this problem? Or will it also happen with FF and NN, Opera and Safari, etc.? Perhaps you can isolate this down to a specific set of browsers. I know you can set FF to use IE cookies, so perhaps that is your problem?
