Skip to main content
J
jfb00
Inspiring
November 26, 2024
Question

Issue with cfauthentication

  • November 26, 2024
  • 2 replies
  • 2380 views

Good morning,

We used CF2021 and we installed the lates update 17. Started having issues with our login system in one box losing the cfathentication session var.

I created a test login to trace the issue in the same box, because in other box works fine. The security team applied some stigs to the box lately and not sure if that is afecting the browser.

When user login the first time the cfauthentication is not showing.

Here is the application.cfc

<cfcomponent	output="false"	hint="I define the application settings and event handlers.">

	<cfscript>
	//Define the application settings.
	this.clientManagement = false;    

	// define the cflogin storage
	this.loginStorage = "session";
	this.name = listLast(getDirectoryFromPath(getCurrentTemplatePath()), "\");
	this.applicationTimeout = createTimeSpan( 0, 0, 0, 10 );
	this.sessionManagement = true;
	this.sessionTimeout = createTimeSpan( 0, 0, 5, 0 );
  this.setClientCookies = true;

	this.secureJSONPrefix = "";

	
  </cfscript>

	<!--- Define the request settings. --->
	<cfsetting showdebugoutput="false"/>

	<cffunction	name="onApplicationStart"	access="public"	returntype="boolean"	output="false" hint="I initialize the application.">

		<cfscript>
			// root and upload folder
			application.root_folder = this.name;
			application.upload_folder = Left(getDirectoryFromPath(getBaseTemplatePath()), FindNoCase('\', getDirectoryFromPath(getBaseTemplatePath()), FindNoCase(application.root_folder, getDirectoryFromPath(getBaseTemplatePath())))) & "UPLOAD_" & uCase(this.name);
			application.absolute_folder = Left(getDirectoryFromPath(getBaseTemplatePath()), FindNoCase('\', getDirectoryFromPath(getBaseTemplatePath()), FindNoCase(application.root_folder, getDirectoryFromPath(getBaseTemplatePath()))));

		</cfscript>
		<!--- Initialize the application settings. --->
		<cfset application.dateInitialized = now() />

		<cfset application.debug = debug />

		<cfset application.sqlRegEx = "<[^>]*>|insert|select|delete|update|create|drop|alter|&|%|" />

		<!--- Return true so that the page can load. --->
		<cfreturn true />
	</cffunction>

	<cffunction name="onApplicationEnd" output="no" returnType="void">
    <cfargument name="applicationScope" required="true" />
  </cffunction>

	<cffunction name="onRequestStart" output="true" returnType="boolean">
		<cfargument name="thePage" type="string" required="true" />

		<cfif NOT isDefined("session.loggedIn")>
				<cfset session.loggedIn = false />
		</cfif>

		<cfreturn true />
  </cffunction>


	<cffunction	name="onSessionStart"	access="public"	returntype="void"	output="false" hint="I initialize the session.">

		<!--- Initialize the session settings. --->
		<cfset session.dateInitialized = now() />
    <cfset session.id = createUuid() />

		
		<cfif NOT isDefined("session.loggedIn")>
			<cfset session.loggedIn = false />
	</cfif>

		<!--- Return out. --->
		<cfreturn />
	</cffunction>


	<cffunction name="onRequest" returnType="void">
    <cfargument name="thePage" type="string" required="true" />

		<!--- <cfset applicationStop() /> --->
		<cflogin applicationtoken="#this.name#" idletimeout="#this.sessionTimeout#">
			<cfif (isDefined("form.j_username") and len(trim(form.j_username)) GT 0 and isDefined("form.j_password") and len(trim(form.j_password)) GT 0)>
				<!--- check for SQL injection and script since log in form is semi-public --->
					<cfset cflogin.name = REReplaceNocase("#trim(cflogin.name)#", application.sqlRegEX, "", "ALL") />
					<cfset cflogin.password = REReplaceNocase("#trim(cflogin.password)#", application.sqlRegEX, "", "ALL") />

					<cfif authenticateUser(cflogin.name, cflogin.password)>		
						<cfset session.loggedIn = true />
						<cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="SUPER USER">

					<cfelse>
							<cfset variables.loginError = "Username and/or Password is Invalid." />
					</cfif> <!--- END IF: authenticateUser() --->
			</cfif>
<!--- <cfset application.debug(session)/><cfabort> --->
			<cfif isDefined("session.loggedIn") AND NOT session.loggedIn>
				<cfinclude template="login.cfm" />
				<cfabort />
			<cfelse>
				<cfinclude template="index.cfm" />
			</cfif>
		</cflogin>

  </cffunction>

	<cffunction name="authenticateUser" output="no" returntype="boolean">
		<cfargument name="userName" required="yes" type="string" />
		<cfargument name="passWord" required="yes" type="string" />

		<cfset var returnValue = FALSE />
		<cfset var qryAuthUser = "" />

		<cfquery name="qryAuthUser" datasource="myDatabase">
				SELECT  *
				FROM    users u
				WHERE   u.user_id = <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#trim(arguments.userName)#" />
				AND     u.user_password = <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#hash(trim(arguments.passWord))#" />
		</cfquery>
	      
		<cfif qryAuthUser.recordCount eq 1>
				<cfset returnValue = TRUE />
		</cfif>

		<cfreturn returnValue />
	</cffunction>

	<cffunction name="debug" access="public" output="true" returntype="void">
    <cfargument name="input" required="No" default="" />

    <cfset var debugFile = '#application.absolute_folder#debug.cfm' />
    <cfset var debugInfo = "" />

    <cfsavecontent variable="debugInfo">
       <p><strong>DEBUGGING</strong>: <cfoutput> #dateFormat(now(),'mm/dd/yyyy')# #timeFormat(now(), 'HH:mm:ss tt')# </cfoutput><br>
  
      <cfdump var="#arguments.input#" label="custom" format="html">
      <cfdump var="#form#" label="form" format="html">
      <cfdump var="#url#" label="url" format="html">
      <cfdump var="#cgi#" label="cgi" format="html">
      <cfdump var="#application#" label="application" format="html">
    </cfsavecontent>

    <cffile action="WRITE" file="#debugFile#" output="#debugInfo#" />
  </cffunction>

</cfcomponent>

 

And login.cfm

<!DOCTYPE html>
<cfsilent>
    <cfparam name="session.lastLoginDate" default="" type="string">
    <cfparam name="variables.user_id" default="" type="string"> 
    
    <cfparam name="FORM.j_username" type="string" default="" />
    <cfparam name="FORM.j_password" type="string" default="" />
</cfsilent>

<!--- <cfset application.debug(session)/><cfabort>--->

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

    <title><cfoutput>Test Site</cfoutput></title>
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=10, user-scalable=yes">
                
</head>
<body>

    <h1>
        Application Login
    </h1>

    <form action="#CGI.script_name#" method="post">

        <label>
            Username:
            <input type="text" name="j_username" size="20" />
        </label>
        <br />
        <br />

        <label>
            Password:
            <input type="password" name="j_password" size="20" />
        </label>
        <br />
        <br />

        <input type="submit" value="Login" />

    </form>

</body>
</html>

and the Index.cfm

<cfoutput>
<cfset application.debug(session)/>
<cfif isDefined("session.loggedIn") and session.loggedIn >
	<h1>We are in </h1>
</cfif>
 
	<h1>
		Application And Session Overview
	</h1>

	<p>
		Application initialized:
		#dateDiff(
			"s",
			application.dateInitialized,
			now()
			)#
		seconds ago.
	</p>

	<p>
		Session initialized:
		#dateDiff(
			"s",
			session.dateInitialized,
			now()
			)#
		seconds ago.
	</p>

</cfoutput>

The first time I do the login the session var cfathentication is not showing

 

If I refresh the browser the session var shows.

What am I doing wrong? Any ideas?

Thanks in advanced.

Johnny 

 

    This topic has been closed for replies.

    2 replies

    Charlie Arehart
    Community Expert
    Charlie ArehartCommunity Expert
    Community Expert
    November 26, 2024

    While someone else may see something more specific for you based on all that code, I'll ask some potentially clarifying questions:

     

    1) What update where you on before applying update 17? That could be important, especially if you had been on u12 or 13, I as updates 13 and 14 had significant changes potentially affecting backward compatibility. You can assess what update you were on previously using the hf-updates folder and its logs. 

     

    And you'd want to check both machines, of course, as that may relate to how they differ for you. 

     

    2) You should check also the Java args for each cf instance, as those updates 13 and 14 also offered new jvm args to optionally revert what the updates had changed. It may be that an arg is on one and not the other.

     

    3) You refer to the first request not having a needed var. I'm assuming you mean the first request AFTER login, right?

     

    4) And you refer to the missing var as cfathentication. Besides that being a typo (no "u"), neither dump shows that. I'll assume you meant to refer instead to the one starting with "cfauthorization".

     

    5) You may want to do more to know the flow of control through the different decision points in the code. That may help you to know how that flow differs on the two instances.

     

    6) Pay particular attention to what comes back from the cfquery. That may differ for reasons you'd not anticipate by just eyeballing the code. 

     

    But again, maybe someone else will see something more helpful for you from the code alone.

    /Charlie (troubleshooter, carehart. org)
    Charlie Arehart
    Community Expert
    Charlie ArehartCommunity Expert
    Community Expert
    November 26, 2024

    Doh! Bkbk's reply came in while I was writing mine (but I didn't see his until after submitting mine). If that gets you going, great. If not, I leave mine here for consideration. 

    /Charlie (troubleshooter, carehart. org)
    J
    jfb00Author
    Inspiring
    November 26, 2024

    I found some difference when I look close in the JVM settings.

    Anything that will affect?

    Thanks

    BKBK
    Community Expert
    BKBKCommunity Expert
    Community Expert
    November 26, 2024

    Within seconds of reading your post, I saw something that stopped me. It is this code:

     

    	this.applicationTimeout = createTimeSpan( 0, 0, 0, 10 );
	this.sessionTimeout = createTimeSpan( 0, 0, 5, 0 );

     

    This doesn't make sense for at least two reasons:

    1.  An applicationTimeout value of 10 seconds in impractical. It takes my bare-bones ColdFusion application 20 seconds to start.
    2.  The sessionTimeout is larger that the applicationTimeout.

      Suggestion: If your aim is to test with a small timeouts, use 
      this.applicationTimeout = createTimeSpan( 0, 0, 3, 0 );​
this.sessionTimeout = createTimeSpan( 0, 0, 0, 30 );​
      J
      jfb00Author
      Inspiring
      November 26, 2024

      Thanks for your reply and help.

      I missed that, i fixed the code per your suggestion, do applicationStop,  but the behavior still the same.

      Best, Johnny

      BKBK
      Community Expert
      BKBKCommunity Expert
      Community Expert
      November 26, 2024

      Given the login code 

      <cfif (isDefined("form.j_username") and len(trim(form.j_username)) GT 0 and isDefined("form.j_password") and len(trim(form.j_password)) GT 0)>
	<!--- check for SQL injection and script since log in form is semi-public --->
	<cfset cflogin.name = REReplaceNocase("#trim(cflogin.name)#", application.sqlRegEX, "", "ALL") />
	<cfset cflogin.password = REReplaceNocase("#trim(cflogin.password)#", application.sqlRegEX, "", "ALL") />	
	<cfif authenticateUser(cflogin.name, cflogin.password)>		
		<cfset session.loggedIn = true />
		<cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="SUPER USER">
	<cfelse>
		<cfset variables.loginError = "Username and/or Password is Invalid." />
	</cfif> <!--- END IF: authenticateUser() --->
</cfif>

<cfif isDefined("session.loggedIn") AND NOT session.loggedIn>
	<cfinclude template="login.cfm" />
	<cfabort />
<cfelse>
	<cfinclude template="index.cfm" />
</cfif>

       

      here's a suggestion for improvement:

      <cfif (isDefined("form.j_username") and len(trim(form.j_username)) GT 0 and isDefined("form.j_password") and len(trim(form.j_password)) GT 0)>
	<!--- check for SQL injection and script since log in form is semi-public --->
	<cfset cflogin.name = REReplaceNocase("#trim(cflogin.name)#", application.sqlRegEX, "", "ALL") />
	<cfset cflogin.password = REReplaceNocase("#trim(cflogin.password)#", application.sqlRegEX, "", "ALL") />	
	<cfif authenticateUser(cflogin.name, cflogin.password)>		
		<cfset session.loggedIn = true />
		<cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="SUPER USER">
	<cfelse>
		<cflogout>
		<cfset session.loggedIn = false>
		<cfset variables.loginError = "Username and/or Password is Invalid." />
	</cfif> <!--- END IF: authenticateUser() --->
</cfif>

<cfif NOT isDefined("session.loggedIn") OR NOT session.loggedIn>
	<cfinclude template="login.cfm" />
	<cfabort />
<cfelse>
	<cfinclude template="index.cfm" />
</cfif>

       

       

      Terms & ConditionsAccessibility statement
      Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices