September 9, 2013
Question

ColdFusion 10 Application-Based User Authentication Is Broken


I have deployed two test sites, using Adobe's own example code for application-based user security, copied in its entirety from the Adobe website. One test site is in ColdFusion 8, one is ColdFusion 10. The code and databases are identical on both sites. I added cfdump output to monitor session variables and login status as they are set.

Test Site ColdFusion 8: http://cf8loginadobe.cimhost.com/securitytest.cfm

Test Site ColdFusion 10: http://cf10loginadobe.cimhost.com/securitytest.cfm

Logging in using a user of "Bob" and password of "secret" demonstrates the failure in CF10. Initially it appears login was successful, but note that the cfdump of the session does not show a cfauthorization_orders value in CF10, where in CF8 the value is present.

In CF8, subsequent visits to the same URL after login correctly retain the logged-in user status and do not present the login form. In CF10, no session was actually created for the user, and therefore subsequent visits to the same URL prompt for login again.

I have tested this thoroughly, including bypassing the cflogin logic and forcing cfloginuser, which successfully creates an authenticated user in CF10, demonstrating that cfloginuser is supported.

It appears to me there is something about CF10's handling of the OnRequestStart function in Application.cfc that creates and then immediately kills the user session.

Workaround: The inelegant workaround I am using involves re-creating the cfloginuser session instantiation in a subsequent OnRequest function in Application.cfc. The code is as follows:

<cffunction name="onRequest">
    <cfargument name="targetPage" type="String" required="true"/>

    <!--- run the requested page first; attribute values are quoted --->
    <cfinclude template="#Arguments.targetPage#">

    <!--- loginQuery is set by the cflogin block in OnRequestStart and lives in the
          component's variables scope, so it is visible here within the same request --->
    <cfif IsDefined("loginQuery")>
        <cfif loginQuery.userroles NEQ "">
            <!--- re-issue cfloginuser so the authenticated session survives in CF10 --->
            <cflogin>
                <cfloginuser name="#loginQuery.username#" password="#loginQuery.userpass#" roles="#loginQuery.userroles#">
            </cflogin>
        </cfif>
    </cfif>
</cffunction>

If there was an attempt to log in in the OnRequestStart, I leverage the results of that request, check if it was valid (loginQuery.userroles NEQ ""), and then instantiate the authenticated session. There is a downside in that users have to click to a new page for logged-in options to appear. The GetAuthUser() test is not met until another page load is requested.

Extensive testing of alternatives within Application.cfc did not reveal any alternative to this approach. Adobe's and the community's failure to respond to repeated posts about this demonstrable bug or defect proves that ColdFusion is a zombie technology, like many Adobe has acquired. Sad.
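For readers who do not have the Adobe sample in front of them, here is the cflogin / cfloginuser flow the post describes, assembled into a single Application.cfc as an added example. It is not the poster's gist and not Adobe's sample code; the application name "orders" is taken from the session variable the post inspects (cfauthorization_orders), while the data source "usersDS", the Users table columns and the loginform.cfm template are assumptions. Two defensive details are added that the post does not discuss: the credential lookup binds its parameters with cfqueryparam, and it compares a SHA-256 hash rather than a plaintext password column. The poster's onRequest workaround is shown in place at the end so the two functions can be read together.

```cfml
<!--- Application.cfc: added example reconstructing the application-based
      login pattern discussed in the post. Not the poster's gist, not Adobe's
      sample. "usersDS", the Users table layout and loginform.cfm are assumed. --->
<cfcomponent output="false">
    <cfset this.name = "orders">
    <cfset this.sessionManagement = true>
    <!--- loginStorage="session" keeps the authenticated user in the session scope
          as session.cfauthorization_orders, the value the post checks with cfdump --->
    <cfset this.loginStorage = "session">

    <cffunction name="onRequestStart" returnType="boolean" output="true">
        <cfargument name="targetPage" type="string" required="true">

        <cfif IsDefined("Form.logout")>
            <cflogout>
        </cfif>

        <!--- the cflogin body executes only while no user is authenticated --->
        <cflogin>
            <cfif NOT IsDefined("cflogin")>
                <!--- no credentials submitted on this request: show the form and stop --->
                <cfinclude template="loginform.cfm">
                <cfabort>
            </cfif>
            <cfif Len(Trim(cflogin.name)) EQ 0 OR Len(Trim(cflogin.password)) EQ 0>
                <cfoutput><p>Enter both a user name and a password.</p></cfoutput>
                <cfinclude template="loginform.cfm">
                <cfabort>
            </cfif>

            <!--- bound parameters, and a hash comparison instead of a plaintext column.
                  Hash() is a ColdFusion built-in; a salted per-user hash (or the
                  platform's password hashing) is the production choice. The query is
                  left unscoped on purpose so that onRequest below can read it, as the
                  post's workaround relies on. --->
            <cfquery name="loginQuery" datasource="usersDS">
                SELECT username, userroles
                FROM Users
                WHERE username = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
                  AND passhash = <cfqueryparam value="#Hash(cflogin.password, 'SHA-256')#" cfsqltype="cf_sql_varchar">
            </cfquery>

            <cfif loginQuery.recordCount EQ 1 AND Len(loginQuery.userroles)>
                <cfloginuser name="#loginQuery.username#"
                             password="#cflogin.password#"
                             roles="#loginQuery.userroles#">
            <cfelse>
                <!--- one generic message for unknown user and wrong password alike --->
                <cfoutput><p>Invalid user name or password.</p></cfoutput>
                <cfinclude template="loginform.cfm">
                <cfabort>
            </cfif>
        </cflogin>
        <cfreturn true>
    </cffunction>

    <!--- the poster's workaround: after the page has run, re-issue cfloginuser from
          the same query result so the authenticated state persists on CF10 --->
    <cffunction name="onRequest" returnType="void" output="true">
        <cfargument name="targetPage" type="string" required="true">
        <cfinclude template="#Arguments.targetPage#">

        <cfif IsDefined("loginQuery") AND loginQuery.recordCount EQ 1 AND Len(loginQuery.userroles)>
            <cflogin>
                <cfloginuser name="#loginQuery.username#"
                             password="#cflogin.password#"
                             roles="#loginQuery.userroles#">
            </cflogin>
        </cfif>
    </cffunction>
</cfcomponent>
```

Two things are worth checking when reproducing the post's comparison: dump session after a successful login and confirm that cfauthorization_orders is present (that is the state cfdump showed on CF8 and not on CF10), and exercise GetAuthUser() and IsUserInRole() on the very same request that performed the login, since the post reports those tests passing only on the following page load.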


1 reply

September 9, 2013

That link you posted to the Adobe code is broken.

Can you put your own code on gist and let us know the URL?

--

Adam

September 10, 2013

The Adobe documentation is here.

The gist files (my test files) are here: https://gist.github.com/chronosinteractive/6503511