4 Replies Latest reply on Sep 1, 2008 11:51 PM by QueryDawg

    cflogin and different browsers

      I have searched this forum and the internet high and low and can not for the life of me find this answer, so any CF guru who has seen this, please let me know what you've found.

      I have built a simple application security framework using cflogin, cfloginuser, j_username, j_password, etc.
      This works fine in any browser of choice (I personally test on IE, FF, Opera, NN and Safari on Windows).

      The problem arises when I try to login to another browser. If I log in on FF, then it works fine, but the minute I login to IE at the same time, it skips cflogin code, thus trying to process other code it shouldn't be able to get to. Now if I log out of FF, then it works fine in IE. It's the same way for any other browser combination (or all of them). I can only be logged into 1 browser at a time.

      Another weird anomaly, is that it seems like it's skipping what is in the cflogin tag...but if I login with bogus credentials, it processes the cflogin code and brings back that I am using bad credentials.

      So to reiterate...
      1. I can only login to 1 browser at a time
      2. It skips cflogin if the credentials are good.
      3. It processes cflogin if the credentials are bad.

      Here is my code (some things changed for security and non-disclosure reasons)



      <!--- --->
      this.name = 'myApp';
      this.sessionManagement = true;
      this.sessionTimeout = CreateTimeSpan(0,1,0,0);
      this.sessionStorage = 'cookie';
      this.applicationTimeout = CreateTimeSpan(0,1,0,0);
      this.loginStorage = 'session';
      this.setClientCookies = true;

      request.dsn = 'myDbName';
      request.cfc = 'www.inc.cfc';

      <!--- On Request Start --->
      <cffunction name="onRequestStart">
      <!--- Functions to run when user in Admin section --->
      <cfif GetBaseTemplatePath() CONTAINS "\admin\">
      <!--- check for user login --->
      <cflogin idletimeout="3600">
      <cfif NOT IsDefined("cflogin")>
      <cfinclude template="admin/login.cfm">

      <!--- check for user --->
      <cfquery name="getUser" datasource="#request.dsn#">
      SELECT *
      FROM users
      WHERE userStatus = 1
      AND userUsername = '#cflogin.name#'
      AND userPassword = '#cflogin.password#'
      <!--- login or boot --->
      <cfif getUser.recordCount IS 1>
      <cfif ISDefined('form.changePW')>
      args = StructNew();
      args.username = '#cflogin.name#';
      args.password = '#cflogin.password#';
      args.newPass = '#form.newPass#';
      <cfinvoke component="#request.cfc#.userAdmin" method="pw" argumentcollection="#args#" returnvariable="vars.success"></cfinvoke>
      <cfif vars.success IS false><cflocation url="#cgi.script_name#?msg=2" addtoken="no"><cfelse><cfset url.msg = 3></cfif>
      <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#ValueList(getUser.userGroup)#" />
      <cflocation url="#request.adminRoot#/index.cfm?msg=1" addtoken="no">

      <!--- get permissions for user --->
      <cfquery name="getUserPerms" datasource="#request.dsn#">
      SELECT p.*, r.*, pg.*, ug.*
      FROM permissions AS p
      INNER JOIN rights AS r ON r.rtsCode = p.permRightsID
      INNER JOIN pages AS pg ON pg.pageID = p.permPageID
      INNER JOIN userGroups AS ug ON ug.ugrpID = p.permGroupID
      WHERE ug.ugrpID IN ('#getUser.userGroup#')
      AND r.rtsStatus = 1
      AND pg.pageStatus = 1
      AND ug.ugrpStatus = 1
      ORDER BY pageFile

      <!--- Set user session variables and go to homepage --->
      <cflock scope="session" timeout="10">
      session.user = StructNew();
      session.user.loggedIn = true;
      session.user.username = '#cflogin.name#';
      session.user.userFirstName = '#getUser.userFirstName#';
      session.user.userLastName = '#getUser.userLastName#';
      session.user.userAccount = '#getUser.userAccount#';
      session.user.userGroup = '#getUser.userGroup#';
      session.user.rights = StructNew();
      if(getUserPerms.recordCount IS NOT 0){
      session.user.ugrpGroupAssign = '#getUserPerms.ugrpGroupAssign#';
      for(p=1; p LTE getUserPerms.recordCount; p=p+1){
      SetVariable("session.user.rights.#getUserPerms.pageCode[p]#.access", "#getUserPerms.permRightsID[p]#");

      <!--- Check users rights on this page --->
      <cfset request.pageArray = ListToArray(GetBaseTemplatePath(), '\')>
      <cfset vars.pageArray = request.pageArray>
      <cfif ISDefined('session.user.rights')>
      <cfset vars.accessVar = "session.user.rights.#ListFirst(vars.pageArray[ArrayLen(vars.pageArray)], '.')#.access">
      <cflock scope="session" timeout="10">
      <cfif ISDefined(vars.accessVar)>
      <cfset session.user.thisPageAccess = "#Evaluate(vars.accessVar)#">
      <cfset session.user.thisPageAccess = "n">

      <cfif NOT ListFindNoCase('login.cfm,logout.cfm',vars.pageArray[ArrayLen(vars.pageArray)])>
      <cfif session.user.thisPageAccess IS 'n'>
      <cflocation url="#request.adminRoot#" addtoken="no">


      Any ideas?

        • 1. Re: cflogin and different browsers
          Michael Level 1
          Dump your session and cookie scopes and see if the cfid/cftoken or jsessionid cookies are the same in each browser. If they are the same, which is unlikley, then there is a problem with CF's session management.

          These cookies are used to identify an individual session within CF's realm.
          • 2. Re: cflogin and different browsers
            angelseyeinc Level 1
            Dumped those variable scopes and they are different. However the cfauthorization variable in the session scope is the same. I think I read it's an encrypted version of like the username, application, etc so it makes sense it would be the same.

            I did some additional testing and found out that across 2 computers (same or different browsers), it won't work either. It's allowing the login on both computers, but because when I login on the 2nd computer, it won't run the cflogin tag again to actually authorize the username and password because it thinks I'm already logged in...therefore session variables that are set upon login...don't get set.

            I did read that if you don't specify "this.loginStorage", it defaults to the server's memory, and that would make sense that it wouldn't work, but you can clearly see I have set a login storage location that is not the server.

            The only common denominator in all this is the server so somehow, the server is storing login information and not allowing me to login on computer 2 until I logout of computer 1.

            • 3. Re: cflogin and different browsers
              Michael Level 1
              Well, that is quite interesting. First, make sure you have var'ed all of your function-local variables.

              Are you behind a firewall that may be sharing your session cookies with all computers? Dump out the CGI scope and see if the information is different/same on those two computers.
              • 4. Re: cflogin and different browsers
                Wow, this is over a year old so perhaps this is no longer an issue. Also, I have done absolutely NO testing of this myself so perhaps I'm completely off base here, but you mentioned you get this issue with IE and FF. Is that the only two browser where you see this problem? Or will it also with with FF and NN, Opera and Safari, etc.... Perhaps you can isolate this down to a specific set of browers. I know you can set FF to use IE cookies so perhaps that is your problem???