Participant
August 28, 2008
Answered

CFLOGIN not maintaining cfauthorization session variable

  • August 28, 2008
  • 3 replies
  • 935 views
I have a simple CF web site where all of the .cfm is in the same directory. I cannot use client cookies as the people I am writing this for have cookies turned off in IE, therefore I am using J2EE session variables and CFLOGIN in an application.cfm file (code attached) for authentication. Everything works correctly during login and I can see the encrypted username/password as the cfauthorization session variable...
Session Variables:
cfauthorization=Y3BkYWRtaW46cmVwb3J0ODQzOmNwZA==
sessionid=c23059df643c42544069
urltoken=CFID=783&CFTOKEN=91556252&jsessionid=c23059df643c42544069

Once I try to browse to another cfm page on the site, I get booted back to the index.cfm login page. After some digging I figured out that the cfauthorization variable was blank after I click on the link, which as I understand it indicates that I am not logged in and the
<cfif not IsDefined("cflogin")>
<cfinclude template="index.cfm">
<cfabort>
code in the application.cfm sends me back to the login page.

I have confirmed that using valid credentials causes <cfif cpdauth.recordcount GT "0"> to return true.

Any idea as to why my session authorization is not being maintained between pages? Or if I am completely off base as to the reason this is happening... and if so, what am I doing wrong?

Thanks
Greg
    3 replies

    tikadog (Author)
    Participant
    August 29, 2008
    Thanks, URLSessionFormat worked like a charm.
    BKBK
    Community Expert
    Correct answer
    August 29, 2008
    Your login code seems to be fine. You yourself are already aware that you have to have a way to pass-the-baton between requests, to maintain a session.

    The usual way ColdFusion maintains sessions is to send CFID and CFTOKEN cookies to the client browser. That happens automatically under the hood, assuming you haven't switched setClientCookies off.

    For session management by means of cookies, I would use a cfapplication tag like

    <cfapplication name = "cpd"
    applicationTimeout = "#createTimespan(1,0,0,0)#"
    sessionManagement = "yes"
    clientManagement = "yes"
    sessionTimeout = "#createTimeSpan(0,0,20,0)#"
    setClientCookies = "true"
    scriptprotect="all"
    loginstorage="Session">

    However, all of that assumes that the client browser accepts cookies. Where it doesn't, the usual way to maintain sessions is to pass CFID and CFTOKEN values in the URL of every request. In fact, the function that Bluetone suggests, URLSessionFormat, makes the process efficient. It instructs ColdFusion to append CFID and CFTOKEN to the URL only when the client doesn't accept cookies. Which means ColdFusion would still be using cookies wherever possible. Some examples:

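    <!--- A plain link must sit inside cfoutput so the #...# expression is evaluated --->
    <cfoutput><a href="#URLSessionFormat('orders.cfm')#">My orders</a></cfoutput>

    <!--- cfform evaluates expressions in its own attributes --->
    <cfform method="Post" action="#URLSessionFormat('MyActionPage.cfm')#">
    </cfform>

    <!--- addToken appends CFID/CFTOKEN to the redirect URL --->
    <cflocation url = "products.cfm" addToken = "yes">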




    Participating Frequently
    July 8, 2021

    I know this is an old post. Does this mean I will need to use URLSessionFormat on all links?

    Charlie Arehart
    Community Expert
    Community Expert
    July 8, 2021

    Whether "you need" it or not depends on your scenario and how close it is to the OP's. If you mean you are trying to support sessions (or cflogin with loginstorage="session"), where your client browsers don't support cookies, then yes you need to pass the session ID on the querystring of requests made to your server--and yes, URLSessionFormat is the most effective way to do that, as it incorporates some intelligence about the values it creates.

    If you want to clarify more, we could then respond more directly.

    /Charlie (troubleshooter, carehart.org)
    Known Participant
    August 29, 2008
    Without cookies you have to track state via the URL. Google URLSessionFormat for more details.

    There are security issues here so you might need to encrypt the session ID etc.

    Cheers!
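
The last reply notes that carrying the session ID in the URL has security implications: once CFID, CFTOKEN and jsessionid travel in the URL, they are written to web-server access logs and sent in Referer headers. The following Python sketch is an added example, not part of the original thread; it redacts those identifiers from access-log lines before the logs are stored or shared and reports which identifiers each line exposed. The log lines, the host name `app.example` and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Identifier names taken from the urltoken value shown in the question.
SESSION_PARAMS = {"cfid", "cftoken", "jsessionid"}
# J2EE servers may also carry the ID as a path parameter: /page.cfm;jsessionid=...
PATH_PARAM = re.compile(r";jsessionid=[^;/?#\s]*", re.IGNORECASE)
# Any log token that could hold a query string or a ;jsessionid path parameter.
URLISH = re.compile(r'[^\s"]*(?:\?|;jsessionid=)[^\s"]*', re.IGNORECASE)


def redact_url(url):
    """Return (clean_url, leaked_names) for one URL or request target."""
    parts = urlsplit(url)
    leaked = set()
    path = parts.path
    if PATH_PARAM.search(path):
        leaked.add("jsessionid")
        path = PATH_PARAM.sub(";jsessionid=REDACTED", path)
    query = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS:
            leaked.add(name.lower())
            value = "REDACTED"
        query.append((name, value))
    clean = urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), parts.fragment))
    return clean, sorted(leaked)


def redact_log_line(line):
    """Redact session IDs in the request target and Referer of one log line."""
    found = set()

    def _sub(match):
        clean, leaked = redact_url(match.group(0))
        found.update(leaked)
        return clean if leaked else match.group(0)  # leave other URLs untouched

    return URLISH.sub(_sub, line), sorted(found)


# Constructed sample access-log lines (combined log format); all values invented.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Aug/2008:10:01:02 +0000] "GET /orders.cfm?CFID=1001&CFTOKEN=11112222&jsessionid=aaaabbbbcccc HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [29/Aug/2008:10:01:09 +0000] "GET /products.cfm;jsessionid=aaaabbbbcccc?cat=3 HTTP/1.1" 200 734 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [29/Aug/2008:10:02:00 +0000] "GET /logo.gif HTTP/1.1" 200 90 "http://app.example/orders.cfm?CFID=1001&CFTOKEN=11112222" "Mozilla/4.0"',
    '192.0.2.10 - - [29/Aug/2008:10:03:00 +0000] "GET /help.cfm?topic=login HTTP/1.1" 200 300 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        clean, leaked = redact_log_line(entry)
        print(leaked or "-", clean)
```

The third sample line shows the Referer case: the request itself is for a static image, yet the log line still records a usable CFID/CFTOKEN pair from the page that linked to it.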