40 Replies Latest reply on Feb 18, 2016 11:49 AM by mvierow

    CF11 : cflogin doesn't "stuck" after session/login timeout

    silmaril

      Hi,

       

      Since migrating from CFMX7 to CF11 we are experiencing some weird failure with cflogin (using session or cookie storage).

       

      Basically when we log-in on the application after a session/client timeout the first login doesn't last for longer than the login submit request.

      The second login however is OK

       

      I made a very simple application.cfc/index.cfm with short timeouts to check this:

       

       

      <cfcomponent

      output="false"

      hint="I define the application settings and event handlers.">

       

              <!--- Define the application settings. --->

              <cfset this.name = hash( getCurrentTemplatePath() ) />

              <cfset this.applicationTimeout = createTimeSpan( 0, 0, 10, 0 ) />

              <cfset this.sessionTimeout = createTimeSpan( 0, 0, 0, 10 ) />

       

              <!--- Set up the application. --->

              <cfset THIS.SessionManagement = true />

              <cfset THIS.ClientManagement = true />

              <cfset THIS.SetClientCookies = true />

              <cfset THIS.loginStorage = "Session" />

              <cfset THIS.clientStorage = "sidys" />

       

              <!--- Define the request settings. --->

              <cfsetting showdebugoutput="false" />

       

              <cffunction

                      name="OnRequestStart"

                      access="public"

                      returntype="boolean"

                      output="true"

                      hint="Fires at first part of page processing.">

                   

                      <!--- Define arguments. --->

                      <cfargument

                      name="TargetPage"

                      type="string"

                      required="true"

                      />

       

                      <cfset SetLocale("fr_FR") />

                   

                      <cfif IsDefined("Form.logout") or IsDefined("URL.logout")>

                              <cflogout />

                      </cfif>

       

                      <cflogin idletimeout="20">

                              <cfdump var="#Session#">

                              <cfinclude template="form.inc" />

       

      <cfif not isDefined("cflogin") or (cflogin.name IS "" OR cflogin.password IS "")>

              <cfoutput>

                      <form method="post">

                      <b>login :</b>

                      <input type="text" name="j_username" size="24" class="champ" />

                      <b>password&nbsp;:</b>

                      <input type="password" name="j_password" size="15" class="champ" />

                      <input type="submit" value="Login" class="button" name="submit" />

                      </form>

              </cfoutput>

              <cfabort>

      <cfelse>

       

              <cflock timeout="10" scope="Session" type="exclusive">

                      <cfloginuser name="#cflogin.name#" Password="#cflogin.password#" roles="role">

                      <cfset Session.id=cflogin.name />

              </cflock>

      </cfif>

       

                      </cflogin>

       

                      <cfdump var="#Session#">

       

                      <cfif GetAuthUser() NEQ "">

                              <cfoutput>

                                      <form method="Post">

                                      <input type="submit" Name="Logout" value="Logout">

                                      </form>

                              </cfoutput>

                           

                      </cfif>

                   

                       <cfreturn true />

              </cffunction>

      </cfcomponent>

        • 1. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
          BKBK Adobe Community Professional & MVP

           

          <cfset this.name = hash( getCurrentTemplatePath() ) />

           

          Problematic, as the application's name changes per page request. Sessions are dependent on the application name. Therefore, the session will break whenever the template path changes.

           

          To verify this hypothesis, test it with

           

                  <cfset this.name = hash("test string") />

          <cfset this.applicationTimeout = createTimeSpan(1,0,0,0) />

          <cfset this.sessionTimeout = createTimeSpan(0,0,20,0 ) />

          • 2. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
            silmaril Level 1

            Well no, actually the TemplatePath() is the path to Application.cfc in this case. It's an example taken from the bennadel.com blog, but I also did try a fixed application name; it doesn't change anything.

             

            Also: this exact same application behaves correctly on a BlueDragon 7.1 server.

             

            Using loginStorage="Cookie" on CF11 however seems a bit better, but there is some weirdness occasionally.

            • 3. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
              BKBK Adobe Community Professional & MVP

              silmaril wrote:

               

              Well no, actually the TemplatePath() is the path to Application.cfc in this case. It's an example taken from the bennadel.com blog, but I also did try a fixed application name; it doesn't change anything.

              You are right, I was thinking of the other one, getBaseTemplatePath(). I will have another look.

              • 4. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                BKBK Adobe Community Professional & MVP

                A possible cause of the issue is the combination,

                <cfset this.sessionTimeout = createTimeSpan( 0, 0, 0, 10 )> <!--- session timeout is 10 seconds --->

                <cfset THIS.loginStorage = "Session" />

                <cflogin idletimeout="20"> <!--- login timeout is 20 seconds --->

                This tells us that ColdFusion stores login information in the session. However, in all likelihood, the login is still active when the session times out. It is as weird as buying the ticket to watch a film between 7 PM and 9 PM, but the cinema closes between 8 PM and 9 PM.

                 

                What about testing with

                 

                <cfset this.applicationTimeout = createTimeSpan( 1, 0, 0, 0 )>

                <cfset this.sessionTimeout = createTimeSpan( 0, 0, 20, 0 )> <!--- session timeout is 20 minutes --->

                <cflogin idletimeout="1200"> <!--- login timeout is 20 minutes --->

                • 5. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                  silmaril Level 1

                  Well, sorry, I should have posted it, but I tried almost all the combinations I could:

                  * cflogin timeout shorter than session timeout

                  * cflogin timeout longer than session timeout

                  * cflogin timeout equal to session timeout

                  When longer or equal to session timeout I got this weird behavior,

                  when shorter I got another, even weirder one: sometimes the <cflogin> block is being "executed" with the login/password previously used without me entering it....

                  I'm looking for a CF10 install to try and compare.

                  • 6. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                    BKBK Adobe Community Professional & MVP

                    Cflogin and session are on well-trodden ground, so any bugs there would have been found. The culprit is likely to be the code logic. I am having another look.

                    • 7. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                      silmaril Level 1

                      Thanks, I've been on it since last week without results... except switching to loginStorage="Cookie", which apparently doesn't have the problem.

                      • 8. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                        BKBK Adobe Community Professional & MVP

                        What if you modify the code like this, also making it more maintainable:

                         

                        Application.cfc

                         

                        <cfcomponent

                        output="false"

                        hint="I define the application settings and event handlers.">

                                <!--- Define the application settings. --->

                                <cfset this.name = hash(getCurrentTemplatePath()) />

                                <cfset this.applicationTimeout = createTimeSpan( 1, 0, 0, 0 ) />

                                <cfset this.sessionTimeout = createTimeSpan( 0, 0, 20, 0 ) />

                         

                                <!--- Set up the application. --->

                                <cfset THIS.SessionManagement = true />

                                <cfset THIS.ClientManagement = true />

                                <cfset THIS.SetClientCookies = true />

                                <cfset THIS.loginStorage = "Session" />

                                <cfset THIS.clientStorage = "sidys" />

                         

                                <!--- Define the request settings. --->

                                <cfsetting showdebugoutput="false" />

                         

                                <cffunction

                                        name="OnRequestStart"

                                        access="public"

                                        returntype="boolean"

                                        output="true"

                                        hint="Fires at first part of page processing.">

                                  

                                        <!--- Define arguments. --->

                                        <cfargument

                                        name="TargetPage"

                                        type="string"

                                        required="true"

                                        />

                         

                                        <cfset SetLocale("fr_FR") />

                                  

                                        <cfif IsDefined("Form.logout") or IsDefined("URL.logout")>

                                                <cflogout />

                                        </cfif>

                         

                                           <cflogin idletimeout="1200"> 

                                          <cfinclude template="form.inc" /> 

                                           <cfif isDefined("cflogin.name") AND cflogin.name IS NOT "" AND cflogin.password IS NOT "">

                                                 <!--- login form submitted, with username and password filled in --->                       

                                                 <cfloginuser name="#cflogin.name#" Password="#cflogin.password#" roles="role">

                                                 <cfset Session.id=cflogin.name />

                                          <cfelseif getAuthUser() IS "">

                                                  <!--- User not yet logged in --->

                                                  <cfinclude template="loginForm.cfm">

                                                  <cfabort>

                                         </cfif>

                                        </cflogin>

                         

                                <cfif getAuthUser() NEQ "">

                                    <cfinclude template="logoutForm.cfm">

                                    <cfabort>

                                </cfif> 

                            <cfreturn true />

                            </cffunction>

                        </cfcomponent>

                         

                        loginForm.cfm

                         

                        <form method="post">

                        <b>login :</b>

                        <input type="text" name="j_username" size="24" class="champ" />

                        <b>password :</b>

                        <input type="password" name="j_password" size="15" class="champ" />

                        <input type="submit" value="Login" class="button" name="submit" />

                        </form>

                             

                        logoutForm.cfm

                         

                        <form method="Post">

                        <input type="submit" Name="Logout" value="Logout">

                        </form>

                         

                         

                        Added edit: I removed the session lock, as I think it is unnecessary.

                        • 9. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                          silmaril Level 1

                          This code example is a very simplified example of my real code; it wasn't made to be manageable, only to be easier to paste.

                          As for the session lock, it was one of many attempts to fix the problem.

                          I will try your version.

                          Well no, no changes. I've reduced the timeouts to 20s since I don't want to wait 20 minutes for the session timeout, and I know that it also happens even with 4h sessions.

                          * You log in, it's ok, you can redisplay (not re-POST) the logged-in page without trouble

                          * You let the session time out

                          * You log in again, it's ok

                          * You requery the application, well within the session timeout => you need to log in again

                          * You log in a second time and this time it's ok.

                          There have been changes in CF11 for handling the "allowconcurrent" option. I may be mistaken, but it looks like the session timeout and this code don't work together cleanly...

                          • 10. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                            BKBK Adobe Community Professional & MVP

                            I have difficulty understanding the steps you outline in your last post. I now begin to suspect that there might be an issue with the way in which you test the login.

                             

                            Could we return to the beginning? You say that the issue is:

                            after a session/client timeout the first login doesn't last for longer than the login submit request

                            Could you please let us know the following:


                            1) What do you mean by "the first login doesn't last for longer than the login submit request"? How do you compare them? How do you know how long the login lasts? How do you know how long the login submit request lasts?

                             

                            2) What do you mean by "you can redisplay (not re-POST) the logged-in page without trouble"? What is the "logged-in page"?

                             

                            3) What do you mean by "you requery the application"? Do you mean, for example, "you request an arbitrary page, test.cfm, which dumps the session"?

                            • 11. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                              silmaril Level 1

                              Well it's very simple in fact:

                               

                              T=0: "GET /" => Got the loginForm

                              T=1: "POST /" => Got the application start page ("you're logged-in")

                              T=2: "GET /" => Got the application start page("you're logged-in")

                              T=31: "GET /" => Got the loginForm

                              T=32: "POST /" => Got the application start page ("you're logged-in")

                              T=33: "GET /" => Got the loginForm

                              T=34: "POST /" => Got the application start page ("you're logged-in")

                              T=35: "GET /" => Got the application start page ("you're logged-in")

                               

                              The problem is the "double login" required after the session timeout (T=31 with a 20s idle timeout) for the "logged-in" state to stick across queries.

                              I did put some <cfdump var=#session#> in two locations (at the beginning of the <cflogin> tag, and just after the <cflogin> tag).
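
The timeline in the post above can be checked mechanically. The following Python script is an added example, not code from the thread: it parses the timeline format used in that post and flags every request whose observed login state contradicts an idle-timeout model. The model (a login stays valid until min(session timeout, cflogin idletimeout) seconds after the last authenticated request, and every login POST carries valid credentials) and all function names are assumptions made for illustration.

```python
import re
from collections import namedtuple

# Timeline copied from the post above (T is in seconds).
TIMELINE = """\
T=0: "GET /" => Got the loginForm
T=1: "POST /" => Got the application start page ("you're logged-in")
T=2: "GET /" => Got the application start page("you're logged-in")
T=31: "GET /" => Got the loginForm
T=32: "POST /" => Got the application start page ("you're logged-in")
T=33: "GET /" => Got the loginForm
T=34: "POST /" => Got the application start page ("you're logged-in")
T=35: "GET /" => Got the application start page ("you're logged-in")
"""

Event = namedtuple("Event", "t method path logged_in")
LINE_RE = re.compile(r'^T=(\d+):\s*"(GET|POST)\s+([^"\s]+)"\s*=>\s*Got the (.+)$')


def parse_timeline(text):
    """Turn 'T=<sec>: "<METHOD> <path>" => Got the <result>' lines into Events."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("line %d is not a timeline entry: %r" % (lineno, raw))
        t, method, path, result = m.groups()
        if result.startswith("loginForm"):
            logged_in = False
        elif "logged-in" in result:
            logged_in = True
        else:
            raise ValueError("line %d: unknown result %r" % (lineno, result))
        events.append(Event(int(t), method, path, logged_in))
    return events


def find_anomalies(events, session_timeout, login_idle_timeout):
    """Return (t, kind) for each request that contradicts the assumed model.

    Assumption: with loginStorage="Session" the login cannot outlive the
    session, so the effective idle window is the smaller of the two timeouts.
    """
    window = min(session_timeout, login_idle_timeout)
    anomalies = []
    last_auth = None  # time of the last request answered in logged-in state
    prev_t = None
    for ev in events:
        if prev_t is not None and ev.t < prev_t:
            raise ValueError("timeline is not in chronological order at T=%d" % ev.t)
        prev_t = ev.t
        if ev.method == "POST":
            # Assumption: every POST is a login submit with valid credentials.
            if not ev.logged_in:
                anomalies.append((ev.t, "login POST not accepted"))
        else:
            expected = last_auth is not None and ev.t - last_auth < window
            if expected and not ev.logged_in:
                anomalies.append((ev.t, "login lost early"))
            elif ev.logged_in and not expected:
                anomalies.append((ev.t, "login outlived timeout"))
        # Continue from what the server actually did, not from the model.
        last_auth = ev.t if ev.logged_in else None
    return anomalies


if __name__ == "__main__":
    for t, kind in find_anomalies(parse_timeline(TIMELINE), 20, 20):
        print("T=%d: %s" % (t, kind))
```

With both timeouts at 20 seconds, only the T=33 request is flagged; the login form at T=31 is the expected result of the idle timeout.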

                              • 12. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                BKBK Adobe Community Professional & MVP

                                T=1: "POST /" => Got the application start page ("you're logged-in")

                                That is ambiguous. It is posting and getting at the same time. To avoid ambiguity, please mention in each case the page/URL you are GETting from or POSTing to. It is crucial to know the list of CFM pages in the test and the sequence in which they are requested.

                                • 13. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                  silmaril Level 1

                                  I don't follow you; cflogin intercepts every request, so all requests are made to the same URL "/" as I wrote.

                                  When you POST the login+password the <cflogin> is triggered, and then the page processing continues to the index.cfm page: you "get" the application start page.

                                  • 14. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                    BKBK Adobe Community Professional & MVP

                                    Bear with me; I will rephrase the question. Are all requests in the test to the URL index.cfm? If so, does index.cfm have code similar to this:

                                     

                                    <cfif isDefined("session.id") and session.id is not "">

                                    you're logged-in

                                    </cfif>

                                    • 15. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                      BKBK Adobe Community Professional & MVP

                                      Are we also to assume that the page form.inc plays no role in this?

                                      • 16. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                        BKBK Adobe Community Professional & MVP

                                        If you are indeed using just one page, index.cfm, to test, then leave out the last cfabort tag I suggested. That is, use the following instead

                                         

                                        <cfif getAuthUser() NEQ "">

                                                    <cfinclude template="logoutForm.cfm">

                                                </cfif> 

                                        • 17. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                          silmaril Level 1

                                          > Bear with me; I will rephrase the question. Are all requests in the test to the URL index.cfm? If so, does index.cfm have code similar to this:

                                           

                                          Yes exactly

                                           

                                          > Are we also to assume that the page form.inc plays no role in this?

                                          It was a leftover from the simplification made for the posting; its content is similar to your "loginForm.cfm".

                                           

                                          >If you are indeed using just one page, index.cfm, to test, then leave out the last cfabort tag I suggested. That is, use the following instead

                                          Yes, but it doesn't really matter; with your cfabort it's the "logout form" that appears/disappears and allows us to see if we are in fact logged in.

                                          • 18. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                            BKBK Adobe Community Professional & MVP

                                            I created a directory and copied your code to it. The exception was that I set THIS.ClientManagement to false and commented out the lines <cfset THIS.clientStorage = "sidys" /> and <cfinclude template="form.inc" />.

                                             

                                            The code worked as expected. The files I used in the test are shown below.

                                             

                                            index.cfm

                                             

                                            We are in index.cfm<br>

                                            <cfdump var="#session#">

                                             

                                            Application.cfc

                                             

                                            <cfcomponent>

                                            <!--- Define the application settings. --->

                                            <cfset this.name = hash(getCurrentTemplatePath()) />

                                            <cfset this.applicationTimeout = createTimeSpan( 1, 0, 0, 0 ) />

                                            <cfset this.sessionTimeout = createTimeSpan( 0, 0, 0, 10 ) />

                                             

                                            <!--- Set up the application. --->

                                            <cfset THIS.SessionManagement = true />

                                            <cfset THIS.ClientManagement = false />

                                            <cfset THIS.SetClientCookies = true />

                                            <cfset THIS.loginStorage = "Session" />

                                            <!--- <cfset THIS.clientStorage = "sidys" /> --->

                                             

                                            <!--- Define the request settings. --->

                                            <cfsetting showdebugoutput="false" />

                                             

                                            <cffunction

                                                            name="OnRequestStart"

                                                            access="public"

                                                            returntype="boolean"

                                                            output="true"

                                                            hint="Fires at first part of page processing.">

                                                            <!--- Define arguments. --->

                                                            <cfargument

                                                            name="TargetPage"

                                                            type="string"

                                                            required="true"

                                                            />

                                                            <cfset SetLocale("fr_FR") />

                                             

                                                            <cfif IsDefined("Form.logout") or IsDefined("URL.logout")>

                                                                    <cflogout />

                                                            </cfif>

                                                               <cflogin idletimeout="10">

                                                              <!--- <cfinclude template="form.inc" /> --->

                                                               <cfif isDefined("cflogin.name") AND cflogin.name IS NOT "" AND cflogin.password IS NOT "">

                                                                     <!--- login form submitted, with username and password filled in --->

                                                                     <cfloginuser name="#cflogin.name#" Password="#cflogin.password#" roles="role">

                                                                     <cfset Session.id=cflogin.name />

                                                              <cfelseif getAuthUser() IS "">

                                                                      <!--- User not yet logged in --->

                                                                      <cfinclude template="loginForm.cfm">

                                                                      <cfabort>

                                                             </cfif>

                                                            </cflogin>

                                                    <cfif getAuthUser() NEQ "">

                                                        <cfinclude template="logoutForm.cfm">

                                                        <!--- <cfabort> --->

                                                    </cfif>

                                                <cfreturn true />

                                                </cffunction>

                                            </cfcomponent>

                                             

                                            loginform.cfm

                                             

                                            <div>

                                            <form method="post">

                                            <b>login :</b>

                                            <input type="text" name="j_username" size="24" class="champ" />

                                            <b>password :</b>

                                            <input type="password" name="j_password" size="15" class="champ" />

                                            <input type="submit" value="Login" class="button" name="submit" />

                                            </form>

                                            </div>

                                             

                                            logoutform.cfm

                                             

                                            <div>

                                            <form method="Post">

                                            <input type="submit" Name="Logout" value="Logout">

                                            </form>

                                            </div>

                                             

                                            You will observe that, like you, I set the session and cflogin timeout to a low test value, 10 seconds. When I first opened the URL to index.cfm in the browser, the login form was duly displayed. I entered a name and password and submitted the form.

                                             

                                            I got the index.cfm page again. That time it had the logout button and a dump of the session scope. The dump contained an id (my username), confirming that login was still active. When I re-requested index.cfm, repeatedly in the browser, within around 4 or 5 seconds, its contents remained unchanged.  I then waited for about 15 to 20 seconds, for the login and session to time out.

                                             

                                            I then repeated the procedure of logging in and re-requesting index.cfm every 4 or 5 seconds. I got the same result: its contents remained unchanged. That is the expected behaviour of cflogin and session.

                                            • 19. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                              silmaril Level 1

                                              I copy/pasted your example, still the same result for me. Which release are you using?

                                               

                                              Server Product ColdFusion
                                              Version 11,0,0,289974 
                                              Tomcat Version 7.0.52.0
                                              Edition Enterprise (Trial)  
                                              Operating System UNIX  
                                              OS Version 3.2.0-4-amd64  
                                              Adobe Driver Version 5.1.1 (Build 0001)  
                                              JVM Details
                                              Java Version 1.7.0_55  
                                              Java Vendor Oracle Corporation  
                                              Java Vendor URL http://java.oracle.com/
                                              Java Home /opt/coldfusion11/jre  
                                              • 20. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                                BKBK Adobe Community Professional & MVP

                                                My settings are:

                                                 

                                                Version:  11,0,0,289822 

                                                Tomcat Version:  7.0.52.0 

                                                Edition:  Developer   

                                                Operating System:  Windows 7   

                                                OS Version:  6.1   

                                                Adobe Driver Version:  5.1.1 (Build 0001)   

                                                JVM Details 

                                                Java Version:  1.7.0_51   

                                                Java Vendor:  Oracle Corporation   

                                                Java Vendor URL:  http://java.oracle.com/ 

                                                Java Home:  C:\ColdFusion11\jre   

                                                • 21. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                                  BKBK Adobe Community Professional & MVP

                                                  You will be relieved to hear, I have been able to reproduce the issue. However, only at random. I am now looking for a pattern.

                                                  • 22. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                                    BKBK Adobe Community Professional & MVP

                                                    For the time being, does it help when you replace the first tag of your login form with:

                                                     

                                                    <cfoutput><form method="post" action="#cgi.SCRIPT_NAME#"></cfoutput>

                                                    • 23. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                                      silmaril Level 1

                                                      > You will be relieved to hear, I have been able to reproduce the issue. However, only at random. I am now looking for a pattern.

                                                       

                                                      Strange, it's very consistent on my side.

                                                      I will try installing on a Windows host like yours.

                                                       

                                                      > For the time being, does it help when you replace the first tag of your login form with:

                                                       

                                                      Nope, absolutely not.

                                                      The only thing that does help is the loginStorage=Cookie mode.

                                                      • 24. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                                        silmaril Level 1

                                                        I can reproduce it on a brand new CF11 dev edition on Windows 8.1

                                                         

                                                        Server Details
                                                        Server Product ColdFusion
                                                        Version 11,0,0,289974 
                                                        Tomcat Version 7.0.52.0
                                                        Edition Enterprise (Trial)  
                                                        Operating System Windows 8  
                                                        OS Version 6.2  
                                                        Adobe Driver Version 5.1.1 (Build 0001)  
                                                        JVM Details
                                                        Java Version 1.7.0_55  
                                                        Java Vendor Oracle Corporation  
                                                        • 25. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                                          BKBK Adobe Community Professional & MVP

                                                          Silmaril,

                                                          I am investigating this further. There seems to be more to it.

                                                          • 26. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                                            BKBK Adobe Community Professional & MVP

                                                            I have discovered the cause of the issue. When I examined the logs, I found that the tests I performed generated many errors in coldfusion-out.log and security.log. The error message was "An error occurred while fetching element from authcache".

                                                             

                                                            Looking further, I found that what you and I observed was in fact the expected behaviour. It is all due to the new security enhancements since ColdFusion 10. If you follow this link, you will read:

                                                             

                                                            "Now you can have only one active session open for one user for a given application that uses the cflogin tag."


                                                            This tells you that, from ColdFusion 10 onwards, cflogin can only store one username-password set per session. So, imagine that the session is still active, and the current login has just timed out. When you now attempt a second login, comprising a username-password pair distinct from the first, ColdFusion will log you out.

                                                             

                                                            This gives me a clue as to why it was difficult for me to reproduce the issue. I kept using the same username-password pair, which is allowed by the security enhancements. According to this hypothesis, you could readily reproduce the issue because you tested with varying login credentials.  




                                                             

                                                            • 27. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                                              silmaril Level 1

                                                              I do see the error fetching from authcache, but I do use the same login/password in the test sequences, and also on our production application we don't have any other choice than using the same login/password.

                                                              However, I did one check: as I said before, CF11 has added the tag "allowConcurrent" to tweak the multi-login problem, and if I switch to 'allowConcurrent="false"', which seems to be the previous behaviour from CF10, then if the session times out before the login there is no problem.

                                                              If I change it back to the default "allowConcurrent='true'" then it starts failing again.

                                                              Also, the authcache errors don't seem to be 100% related to the failure, since the message doesn't happen all the time.

                                                              • 28. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                                                BKBK Adobe Community Professional & MVP

                                                                I also used cflogin's default value of allowConcurrent=true, by omission. To synchronize with you, the rest of my test procedures and files were as follows.

                                                                 

                                                                I commented out the cfsetting tag, and switched on debugging in the ColdFusion Administrator. I also removed the cfabort tag after <cfinclude template="loginForm.cfm"> to enable onRequestStart to return.

                                                                 

                                                                index.cfm

                                                                 

                                                                We are in index.cfm<br>

                                                                getAuthUser(): <cfoutput>#getAuthUser()#</cfoutput><br>

                                                                <cfdump var="#session#">

                                                                 

                                                                Application.cfc

                                                                 

                                                                <cfcomponent>

                                                                <!--- Define the application settings. --->

                                                                <cfset this.name = hash(getCurrentTemplatePath()) />

                                                                <cfset this.applicationTimeout = createTimeSpan(1,0,0,0) />

                                                                <cfset this.sessionTimeout = createTimeSpan(0,0,0,30) /><!--- timeout = 30 seconds--->

                                                                 

                                                                <!--- Set up the application. --->

                                                                <cfset THIS.SessionManagement = true />

                                                                <cfset THIS.ClientManagement = false />

                                                                <cfset THIS.SetClientCookies = true />

                                                                <cfset THIS.loginStorage = "Session" />

                                                                <!--- <cfset THIS.clientStorage = "sidys" /> --->

                                                                <!--- Define the request settings. --->

                                                                <!--- <cfsetting showdebugoutput="false" /> --->

                                                                 

                                                                <cffunction

                                                                                name="OnRequestStart"

                                                                                access="public"

                                                                                returntype="boolean"

                                                                                output="true"

                                                                                hint="Fires at first part of page processing.">

                                                                                <!--- Define arguments. --->

                                                                                <cfargument

                                                                                name="TargetPage"

                                                                                type="string"

                                                                                required="true"

                                                                                />

                                                                 

                                                                              <cfset SetLocale("fr_FR") />

                                                                 

                                                                                <cfif IsDefined("Form.logout") or IsDefined("URL.logout")>

                                                                                        <cflogout />

                                                                                </cfif>

                                                                                   <cflogin idletimeout="20"><!--- timeout = 20 seconds--->

                                                                                  <!--- <cfinclude template="form.inc" /> --->

                                                                                   <cfif isDefined("cflogin.name") AND cflogin.name IS NOT "" AND cflogin.password IS NOT "">

                                                                                         <!--- login form submitted, with username and password filled in --->

                                                                                         <cfloginuser name="#cflogin.name#" Password="#cflogin.password#" roles="role">

                                                                                         <cfset Session.id=cflogin.name />

                                                                                  <cfelseif getAuthUser() IS "">

                                                                                          <!--- User not yet logged in --->

                                                                                          <cfinclude template="loginForm.cfm">

                                                                                 </cfif>

                                                                                </cflogin>

                                                                        <cfif getAuthUser() NEQ "">

                                                                            <cfinclude template="logoutForm.cfm">

                                                                        </cfif>

                                                                    <cfreturn true />

                                                                    </cffunction>

                                                                </cfcomponent>  

                                                                 

                                                                loginForm.cfm

                                                                 

                                                                <div>

                                                                <form method="post">

                                                                <b>login :</b>

                                                                <input type="text" name="j_username" size="24" class="champ" />

                                                                <b>password :</b>

                                                                <input type="password" name="j_password" size="15" class="champ" />

                                                                <input type="submit" value="Login" class="button" name="submit" />

                                                                </form>

                                                                </div>

                                                                 

                                                                logoutForm.cfm

                                                                 

                                                                <div>

                                                                <form method="Post">

                                                                <input type="submit" Name="Logout" value="Logout">

                                                                </form>

                                                                </div>

                                                                • 29. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                                                  silmaril Level 1

                                                                  Hi,

                                                                   

                                                                  I think the main difference is that your cflogin.idleTimeout is less than the sessionTimeout; to make it really reproducible you need to have it greater than or equal to the sessionTimeout.

                                                                  Well, it also happens in this case (idleTimeout < sessionTimeout) for me but ...

                                                                  In this case I also regularly see another weird behaviour: If I got back on the back after the idleTimeout but before the sessionTimeout the <cflogin> part is triggered again and the previous login+password are automatically injected into the cflogin Structure. (I put <cfif isDefined("cflogin")><cfdump var="#cflogin#" label="cflogin"></cfif> into the <cflogin> block.)

                                                                  • 30. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                                                    BKBK Adobe Community Professional & MVP

                                                                    silmaril wrote:

                                                                     

                                                                    > I think the main difference is that your cflogin.idleTimeout is less than the sessionTimeout; to make it really reproducible you need to have it greater than or equal to the sessionTimeout.

                                                                    I deliberately chose to test with cflogin.idleTimeout <= sessionTimeout. I consider the alternative unrealistic. A use case which requires a login to still be active, while the session storing it has already timed out, is improbable.

                                                                     

                                                                    > Well, it also happens in this case (idleTimeout < sessionTimeout) for me but ...
                                                                    >
                                                                    > In this case I also regularly see another weird behaviour: If I got back on the back after the idleTimeout but before the sessionTimeout the <cflogin> part is triggered again and the previous login+password are automatically injected into the cflogin Structure.

                                                                    Oh dear. I will look into that, too.

                                                                    • 31. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                                                      silmaril Level 1

                                                                      > I deliberately chose to test with cflogin.idleTimeout <= sessionTimeout. I consider the alternative unrealistic. A use case which requires a login to still be active, while the session storing it has already timed out, is improbable.

                                                                      I concur, having idleTimeout > sessionTimeout isn't really useful; having it equal (which is my use case), however, seems more likely.

                                                                      • 32. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                                                        silmaril Level 1

                                                                        Well, apparently using loginStorage="Cookie" isn't really better, just less likely to trigger a bug apparently.

                                                                         

                                                                        However, it also triggers a new one, with very few details, just a stack trace and a context matching the <cflogin> tag (but named CFAUTHENTICATE)

                                                                         

                                                                        java.lang.NullPointerException
                                                                            at java.util.Hashtable.put(Unknown Source)
                                                                            at coldfusion.runtime.SecurityScopeTracker.setSecurity(SecurityScopeTracker.java:277)
                                                                            at coldfusion.runtime.SecurityScopeTracker.getSecurity(SecurityScopeTracker.java:125)
                                                                            at coldfusion.tagext.security.AuthenticateTag.doStartTag(AuthenticateTag.java:192)
                                                                            at cfApplication2ecfc1163109273$funcONREQUESTSTART.runFunction(/var/www/sidysv2/Application.cfc:99)
                                                                            at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:487)
                                                                            at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:420)
                                                                            at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:383)
                                                                            at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95)
                                                                            at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:334)
                                                                            at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:231)
                                                                            at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:643)
                                                                            at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:432)
                                                                            at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:402)
                                                                            at coldfusion.runtime.AppEventInvoker.invoke(AppEventInvoker.java:108)
                                                                            at coldfusion.runtime.AppEventInvoker.onRequestStart(AppEventInvoker.java:278)
                                                                            at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:455)
                                                                            at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:42)
                                                                            at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
                                                                            at coldfusion.filter.PathFilter.invoke(PathFilter.java:141)
                                                                            at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:94)
                                                                            at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:78)
                                                                            at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
                                                                            at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
                                                                            at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:58)
                                                                            at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
                                                                            at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
                                                                            at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
                                                                            at coldfusion.CfmServlet.service(CfmServlet.java:219)
                                                                            at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
                                                                            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
                                                                            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
                                                                            at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
                                                                            at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
                                                                            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
                                                                            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
                                                                            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
                                                                            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
                                                                            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
                                                                            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
                                                                            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
                                                                            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
                                                                            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:422)
                                                                            at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:198)
                                                                            at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
                                                                            at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
                                                                            at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
                                                                            at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
                                                                            at java.lang.Thread.run(Unknown Source)
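
To check whether a server is logging the two symptoms reported in this thread (the authcache message quoted in reply 26 and the NullPointerException raised from the cflogin tag in reply 32), the following sketch scans ColdFusion log text for both. It is an added example, not code from any poster or from Adobe; the quoted-CSV line layout, the constructed sample lines and the names `parse_entries`, `classify` and `summarize` are assumptions.

```python
import csv

# Signatures taken from the thread: the message quoted in reply 26 and the
# top ColdFusion frames of the stack trace posted in reply 32.
SIGNATURES = {
    "authcache_fetch_error": (
        "An error occurred while fetching element from authcache",
    ),
    "cflogin_scope_npe": (
        "java.lang.NullPointerException",
        "coldfusion.runtime.SecurityScopeTracker.setSecurity",
        "coldfusion.tagext.security.AuthenticateTag.doStartTag",
    ),
}

# Constructed sample input (not real log data). Assumed layout: one quoted-CSV
# record per entry ("Severity","ThreadID","Date","Time","Application","Message"),
# optionally followed by unquoted stack-frame continuation lines.
SAMPLE_LOG = '''"Severity","ThreadID","Date","Time","Application","Message"
"Information","ajp-bio-8012-exec-1","08/18/14","10:02:11","TESTAPP","Starting application"
"Error","ajp-bio-8012-exec-3","08/18/14","10:02:41","TESTAPP","An error occurred while fetching element from authcache"
"Error","ajp-bio-8012-exec-4","08/18/14","10:03:15","TESTAPP","java.lang.NullPointerException"
\tat java.util.Hashtable.put(Unknown Source)
\tat coldfusion.runtime.SecurityScopeTracker.setSecurity(SecurityScopeTracker.java:277)
\tat coldfusion.tagext.security.AuthenticateTag.doStartTag(AuthenticateTag.java:192)
"Error","ajp-bio-8012-exec-3","08/18/14","10:03:52","TESTAPP","An error occurred while fetching element from authcache"
"Error","ajp-bio-8012-exec-2","08/18/14","10:04:00","OTHERAPP","java.lang.NullPointerException"
\tat com.example.Unrelated.run(Unrelated.java:10)
'''


def parse_entries(text):
    """Split log text into entries, attaching continuation lines to their entry."""
    entries = []
    for line in text.splitlines():
        row = next(csv.reader([line]), []) if line.startswith('"') else []
        if len(row) >= 6:
            if row[0] == "Severity":  # header row
                continue
            entries.append({
                "severity": row[0],
                "thread": row[1],
                "when": f"{row[2]} {row[3]}",
                "app": row[4],
                "message": row[5],
                "detail": [],
            })
        elif entries and line.strip():
            # Stack frame or wrapped text belonging to the previous entry.
            entries[-1]["detail"].append(line.strip())
    return entries


def classify(entry):
    """Return the names of all signatures whose fragments all occur in the entry."""
    haystack = "\n".join([entry["message"], *entry["detail"]])
    return [name for name, needles in SIGNATURES.items()
            if all(needle in haystack for needle in needles)]


def summarize(text):
    """Count signature hits per application, with first and last occurrence."""
    summary = {name: {} for name in SIGNATURES}
    for entry in parse_entries(text):
        for name in classify(entry):
            slot = summary[name].setdefault(
                entry["app"],
                {"count": 0, "first": entry["when"], "last": entry["when"]},
            )
            slot["count"] += 1
            slot["last"] = entry["when"]  # entries are read in file order
    return summary


if __name__ == "__main__":
    for name, apps in summarize(SAMPLE_LOG).items():
        for app, stats in apps.items():
            print(f"{name:24} {app:10} x{stats['count']} "
                  f"first={stats['first']} last={stats['last']}")
```

Run against the contents of coldfusion-out.log or security.log, a non-zero count for either signature shows the server is logging the same symptoms discussed in this thread; an unrelated NullPointerException is not counted because the cflogin frames must also be present.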

                                                                        • 33. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                                                          BKBK Adobe Community Professional & MVP

                                                                          silmaril wrote:

                                                                           

                                                                          > Well, it also happens in this case (idleTimeout < sessionTimeout) for me but ...
                                                                          >
                                                                          > In this case I also regularly see another weird behaviour: If I got back on the back after the idleTimeout but before the sessionTimeout the <cflogin> part is triggered again and the previous login+password are automatically injected into the cflogin Structure.

                                                                          I have been unable to reproduce that.  The test code I use is the last set I posted on August 18.

                                                                           

                                                                          > Well, apparently using loginStorage="Cookie" isn't really better, just less likely to trigger a bug apparently.
                                                                          >
                                                                          > However, it also triggers a new one, with very few details, just a stack trace and a context matching the <cflogin> tag (but named CFAUTHENTICATE)

                                                                          I was unable to reproduce that, too. ColdFusion says there is an error at line 99 of /var/www/sidysv2/Application.cfc. Could you show us that line?

                                                                          • 34. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                                                            silmaril Level 1

                                                                            Sorry, I missed your reply,

                                                                            I haven't had the CFAUTHENTICATE error for a while, I think because of one of the recent patches, and the Application.cfc has changed a bit since then ....

                                                                            However, the "double login" situation is still very "present", but less with Cookie storage than Session storage; I still don't know why.

                                                                            As for the "automatic relogin", I'm still able to capture this sometimes, for example with loginStorage=Session and when I request a page near the sessionTimeout, but it's not every time.

                                                                             

                                                                            Here is my test files:

                                                                            http://vds.plessis.info/cf11/test.zip

                                                                            • 36. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                                                              itisdesign Most Valuable Participant

                                                                              Hi Benoit,

                                                                               

                                                                              I believe 3732198 resolved the java.lang.NullPointerException in CF10 Update 14.  I've added the following comment to 3839458:

                                                                               

                                                                              -----------

                                                                              Another workaround is to duplicate the <cflogin>/cflogin(). Example:

                                                                               

                                                                              <cflogin ..>

                                                                              <cflogin ..>

                                                                               

                                                                              When both have allowconcurrent=true (the default), then both will run. isUserLoggedIn() returns YES after the 1st, but the 1st login actually fails. The 2nd runs and logs in correctly.

                                                                               

                                                                              Repro attached as Application.cfc

                                                                               

                                                                              When THIS.loginStorage="cookie", then the issue does not reoccur if an old cfauthorization cookie is still present.

                                                                              -----------

                                                                               

                                                                              Thanks!,

                                                                              -Aaron

                                                                              • 37. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                                                                CCPSWebmaster

                                                                                I am having the same issue, but I noticed something very strange...

                                                                                Here is my Application.cfc

                                                                                 

                                                                                <cfcomponent>

                                                                                     <cfset This.name = "WebsiteCMS">

                                                                                     <cfset This.applicationTimeout = "#createTimeSpan(5,0,0,0)#">

                                                                                     <cfset This.datasource = "CMS">

                                                                                     <cfset This.loginStorage = "session">

                                                                                     <cfset This.Sessionmanagement = true>

                                                                                     <cfset This.Sessiontimeout = "#createTimeSpan(0,0,0,10)#">

                                                                                     <cfset This.mappings["/www"] = getDirectoryFromPath(getCurrentTemplatePath())>

                                                                                     <!--- Application Starts --->

                                                                                     <cffunction name="onApplicationStart">

                                                                                          <cfset APPLICATION.DOMAIN = "http://localhost/website/">

                                                                                          <cfset APPLICATION.DIRECTORY = "C:\inetpub\wwwroot\website\">

                                                                                     </cffunction>

                                                                                     <!--- A Page Request is made --->

                                                                                     <cffunction name="onRequestStart" access="public">

                                                                                          <cfargument type="string" name="targetPage" required="true">

                                                                                          <cflogin idletimeout="#createTimeSpan(0,0,0,10)#">

                                                                                               <cfif IsDefined("CFLOGIN.name") and Len(Trim(CFLOGIN.name)) and Len(Trim(CFLOGIN.password))>

                                                                                                    <!--- Check if User has Access --->

                                                                                                    <cfif CFLOGIN.name is "USERWITHACCESS">

                                                                                                         <!--- Check if User Exists --->

                                                                                                         <cftry>

                                                                                                              <!--- LDAP minified for obvious reasons --->

                                                                                                              <cfldap action="query"

                                                                                                                   name="CheckIfUser"

                                                                                                              >

                                                                                                              <cfcatch type="any">

                                                                                                                   <cfset LoginMessage = "Username or Password Incorrect">

                                                                                                              </cfcatch>

                                                                                                         </cftry>

                                                                                                         <cfif CheckIfUser.recordCount gt 0>

                                                                                                              <!--- If User Exists and HAS Access --->

                                                                                                              <!--- Authenticate user to check password --->

                                                                                                              <cftry>

                                                                                                                   <!--- LDAP minified for obvious reasons --->

                                                                                                                   <cfldap action="query"

                                                                                                                        name="AuthenticateUser"

                                                                                                                   >

                                                                                                                   <cfset LoginMessage = "Success">

                                                                                                                   <cfcatch type="any">

                                                                                                                        <cfset LoginMessage = "Username or Password Incorrect">

                                                                                                                   </cfcatch>

                                                                                                              </cftry>

                                                                                                         </cfif>

                                                                                                         <!--- If User authentication succeeded --->

                                                                                                         <cfif LoginMessage is "Success">

                                                                                                              <cfloginuser name="#CFLOGIN.name##createUUID()#" password="password" roles="user">

                                                                                                         <cfelse>

                                                                                                              <cfinclude template="loginForm.cfm"><cfabort>

                                                                                                         </cfif>

                                                                                                    <cfelse>

                                                                                                         <!--- User Does NOT have access --->

                                                                                                         <cfset LoginMessage = "You do not have access to this System">

                                                                                                         <cfinclude template="loginForm.cfm"><cfabort>

                                                                                                    </cfif>

                                                                                               <cfelse>

                                                                                                    <!---#### they didn't fill out form, return to the login form. ####--->

                                                                                                    <cfinclude template="loginForm.cfm"><cfabort>

                                                                                               </cfif>

                                                                                          </cflogin>

                                                                                     </cffunction>

                                                                                </cfcomponent>

                                                                                 

                                                                                 

                                                                                Please take note of the <cfloginuser> line:

                                                                                <cfloginuser name="#CFLOGIN.name##createUUID()#" password="password" roles="user">


                                                                                I was attempting to force each login to be unique to see if it was a SESSION causing the issue.


                                                                                I logged in and refreshed the page a couple of times, but then something interesting happened.


                                                                                I was greeted with the login screen with the error message:

                                                                                "You do not have access to this System"


                                                                                What this means is that for some reason the CFLOGIN.name and CFLOGIN.password fields were resent to the server. However, because this message came up, that means the userID was NOT "USERWITHACCESS".


                                                                                So to test my theory I modified the alert message:

                                                                                <cfset LoginMessage = "You do not have access to this System " & CFLOGIN.name>


                                                                                SURE ENOUGH this is what I got:

                                                                                You do not have access to this System USERWITHACCESS17E0C4A160-EAEB-5C23-FDF8DB569F65D3C2


                                                                                What this means is the <cfloginuser> tag is resubmitting the CFLOGIN variables.

                                                                                So I logged in again, and started refreshing the page to keep the <cflogin> timeout from firing.

                                                                                I timed it. I get that error at exactly 10 seconds after I log in, which is the timeout I have set for the SESSION variables.

                                                                                 

                                                                                It seems like when the SESSION variable times out but the <cflogin> has not, ColdFusion resubmits the login information that was stored in the <cfloginuser> tag. However, the user is retaining the OLD session ID instead of being re-assigned to the new ID.

                                                                                 

                                                                                 

                                                                                Can anyone else verify my logic?

                                                                                 

                                                                                 

                                                                                 

                                                                                Also, the only reason I have the <cfif CFLOGIN.name is "USERWITHACCESS"> in there is because of a last-minute "Hey, we only want these people to have access!" and we have yet to create the group on our AD server (to check with LDAP), so it was quickly thrown in there. Which luckily caused me to notice this!
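To check the timing described in the post above, a trace like the following records when a session starts and ends and when the `<cflogin>` body runs with or without credentials. It is an added example, not code from the thread: the application name, the `cflogin-trace` log file, the `logLoginEvent` helper and the `repro-user` test account are constructed, and `idletimeout` is given in seconds.

```cfml
<cfcomponent output="false">
    <cfset this.name = "cfloginTraceRepro">  <!--- constructed application name --->
    <cfset this.sessionManagement = true>
    <cfset this.loginStorage = "session">
    <cfset this.sessionTimeout = createTimeSpan(0,0,0,10)>

    <!--- Appends one line to cflogin-trace.log; the password is never logged --->
    <cffunction name="logLoginEvent" access="private" returntype="void" output="false">
        <cfargument name="text" type="string" required="true">
        <cflog file="cflogin-trace" type="information" text="#arguments.text#">
    </cffunction>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <cfset logLoginEvent("sessionStart sid=#session.sessionid#")>
    </cffunction>

    <cffunction name="onSessionEnd" returntype="void" output="false">
        <cfargument name="sessionScope" type="struct" required="true">
        <cfargument name="applicationScope" type="struct" required="true">
        <!--- No request exists here, so read the id from the passed-in scope --->
        <cfset logLoginEvent("sessionEnd sid=#arguments.sessionScope.sessionid#")>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var safeName = "">
        <cfset logLoginEvent("requestStart sid=#session.sessionid# authUser=[#getAuthUser()#]")>
        <!--- idletimeout is a number of seconds --->
        <cflogin idletimeout="10">
            <!--- Reached only when ColdFusion treats this request as not logged in --->
            <cfif isDefined("CFLOGIN.name")>
                <!--- Strip CR/LF so a crafted username cannot forge log lines --->
                <cfset safeName = reReplace(CFLOGIN.name, "[#chr(13)##chr(10)#]", "", "all")>
                <cfset logLoginEvent("cflogin body: credentials presented name=[#safeName#]")>
                <!--- Constructed test account, standing in for the LDAP check --->
                <cfif CFLOGIN.name is "repro-user" and CFLOGIN.password is "repro-only">
                    <cfloginuser name="#CFLOGIN.name#" password="#CFLOGIN.password#" roles="user">
                    <cfset logLoginEvent("cfloginuser called sid=#session.sessionid#")>
                </cfif>
            <cfelse>
                <cfset logLoginEvent("cflogin body: no credentials in request")>
            </cfif>
        </cflogin>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Comparing the `sid` values on consecutive `requestStart` lines with the position of the `sessionEnd` and `cflogin body` lines shows whether credentials reappear on a request that still carries the old session ID.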

                                                                                • 38. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                                                                  CCPSWebmaster Level 1

                                                                                  Other than in my example above:

                                                                                  <cfloginuser name="#CFLOGIN.name##createUUID()#" password="#CFLOGIN.password#" roles="ROLES">


                                                                                  Should fix the double login issue, although I am not sure if it creates any other issues.

                                                                                  • 39. Re: CF11 : cflogin doesn't "stuck" after session/login timeout
                                                                                    Perkley Level 1

                                                                                    I hope this is resolved soon. I have several sites that started requiring you to log in twice at random after upgrading to CF11. I have Update 7. I really don't want to have to go modify the code if it is just an update fix.
