In CF10, my login was not working properly as it was in CF9. Session variables I set were 'unset' every time a new page was called, as was GetAuthUser. While troubleshooting the problem, I found some unexpected behavioral change from CF9. In case it's pertinent, I am using ORM.

In my Application.cfc, I had:

    this.sessionManagement = "true";
    this.sessionTimeout = CreateTimeSpan(0,0,30,0);
    this.loginStorage = "Session";
    this.setClientCookies = false;

In the onSessionStart function, I had:

    <cfset Session.isLoggedIn = 0/>
    <cfset Session.username = ""/>
    <cfset Session.email = ""/>
    <cfset Session.termsAccept = 0/>

In the onRequestStart function, I had:

    <cfif Session.isLoggedIn eq 0>
        <cfif FindNoCase("Login",requestedPage) eq 0 and FindNoCase("Index",requestedPage) eq 0>
            <cfinclude template="userInterface/session/login/Login-V.cfm">
        </cfif>
    </cfif>

Even after a valid login, I always got the login page. Dumping the Session variables, they were always set to the Application.cfc values at the beginning, and always set to the correct values from Login at the end. Login-V.cfm posts to Login-CM.cfm, which, after validating the user credentials, has the code:

    <cflock scope="Session" timeout="20" type="Exclusive">
        <cfset Session.isLoggedIn = 1/>
        <cfset Session.username = "#appUserObj.getUsername()#"/>
        <cfset Session.email = "#appUserObj.getEmail()#"/>
        <cfset Session.termsAccept = "#appUserObj.getTermsAccept()#"/>
    </cflock>
    <cflogin>
        <cfloginuser name = "#appUserObj.getUsername()#"
                     password = "#appUserObj.getPassword()#"
                     roles= "#appUserObj.getUserAccessData().getRoles()#"/>
    </cflogin>

So, I changed onRequestStart to just dump the session variables.
Going into Login-V.cfm initially, the onRequestStart dump gave me this:

    email        [empty string]
    isloggedin   0
    sessionid    SPNEW2_3477_95978872
    termsaccept  0
    username     [empty string]

After a successful post to Login-CM.cfm, setting the session variables and calling cfloginuser, a session dump gave me this:

    email        testing@meltech.com
    isloggedin   1
    sessionid    SPNEW2_3477_95978872
    termsaccept  1
    username     testing

and getAuthUser() = testing.

I do a cflocation to userInterface/portal/Portal-V.cfm. Going into that, the onRequestStart dump gave me this:

    email        [empty string]
    isloggedin   0
    sessionid    SPNEW2_3479_18042427
    termsaccept  0
    username     [empty string]

A completely different session!

I finally was able to work around the problem by changing the Application.cfc to

    this.loginStorage = "cookie";

Sessions were maintained. What's up with this? I don't recall seeing anything in the CF10 security release notes about sessions changing with request pages when you use session for login storage. This is problematic for me, as I don't want to use cookies! Any ideas?

Edited - Also, the onSessionStart where I increment the sessions appears to be request based rather than session based. onSessionStart also has

    <cflock scope="Application" throwontimeout="yes" timeout="7" type="Exclusive">
        <cfset Application.currentsessions = Application.currentsessions + 1>
    </cflock>

So, I start with currentsessions = 0 (new application start). After Login-V, Login-CM and Portal-V, I have currentsessions = 3 instead of 1. I am completely confused now as to when these events are firing.
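The dumps in the post show the session id itself changing between requests, not just the variables inside it. The Application.cfc below is an added example, not code from the original post: it keeps the poster's settings (including setClientCookies = false and loginStorage = "Session") and logs, for every session creation and every request, which session id is in play and whether the CFID/CFTOKEN pair arrived by cookie, by URL, or not at all. The log file name "sessiondebug" and the application name are assumptions.

```cfml
<!--- Added example (not from the original post). Records, per request, the
      session id and how the identifier reached the server, so that
      "a new session on every request" can be told apart from
      "session variables being reset". Log file name is an assumption. --->
<cfcomponent output="false">
    <cfset this.name = "SPNEW2">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = CreateTimeSpan(0,0,30,0)>
    <cfset this.loginStorage = "Session">
    <cfset this.setClientCookies = false>

    <cffunction name="onApplicationStart" returntype="boolean">
        <!--- Counter the post increments in onSessionStart --->
        <cfset Application.currentsessions = 0>
        <cfreturn true>
    </cffunction>

    <cffunction name="onSessionStart" returntype="void">
        <!--- Every session creation is logged with the request that caused it --->
        <cflog file="sessiondebug" type="information"
               text="NEW SESSION #Session.sessionid# created by #CGI.SCRIPT_NAME#?#CGI.QUERY_STRING#">
        <cflock scope="Application" throwontimeout="yes" timeout="7" type="Exclusive">
            <cfset Application.currentsessions = Application.currentsessions + 1>
        </cflock>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var idSource = "none">

        <!--- With setClientCookies=false no cookie is ever sent by CF, so an
              identifier can only arrive if a link or redirect carried it --->
        <cfif StructKeyExists(cookie, "CFID") and StructKeyExists(cookie, "CFTOKEN")>
            <cfset idSource = "cookie">
        <cfelseif StructKeyExists(url, "CFID") and StructKeyExists(url, "CFTOKEN")>
            <cfset idSource = "url">
        </cfif>

        <!--- GetAuthUser() is "" until cfloginuser has run in this session --->
        <cflog file="sessiondebug" type="information"
               text="REQUEST #arguments.targetPage# session=#Session.sessionid# idsource=#idSource# authuser=#GetAuthUser()# sessions=#Application.currentsessions#">
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Reading the log after the same Login-V / Login-CM / Portal-V sequence: a NEW SESSION line followed by a REQUEST line with idsource=none on each hop means no identifier reached the server on that request, and ColdFusion will start a fresh session (and bump currentsessions) each time; with client cookies disabled, links and redirects have to carry CFID/CFTOKEN themselves, for example via URLSessionFormat() in URLs and cflocation's addtoken attribute. A REQUEST line with idsource=url or idsource=cookie but a changed session id would instead point at the server discarding the session, which is a different problem to chase.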