Known Participant

Question

CF11 : cflogin doesn't "stuck" after session/login timeout

Forum|Forum|11 years ago
August 13, 2014
6 replies
6918 views

Hi,

Since migrating from CFMX7 to CF11 we are experiencing some weird failure with cflogin (using session or cookie storage).

Basically when we log-in on the application after a session/client timeout the first login doesn't last for longer than the login submit request.

The second login however is OK

I made a very simple application.cfc/index.cfm with short timeouts to check this:

<cfcomponent

output="false"

hint="I define the application settings and event handlers.">

<cffunction

name="OnRequestStart"

access="public"

returntype="boolean"

output="true"

hint="Fires at first part of page processing.">

<cfargument

name="TargetPage"

type="string"

required="true"

/>

</cfif>

<b>login :</b>

<b>passwordnbsp;:</b>

</form>

</cfoutput>

</cflock>

</cfif>

</cflogin>

</form>

</cfoutput>

</cfif>

</cffunction>

</cfcomponent>

This topic has been closed for replies.

mvierow

Inspiring

Just wanted to jump in as a developer experiencing the same issue.

In most of my applications I am handling authentication on my own, using CFID/CFTOKEN to access a session scope where I keep credentials, those are not affected. The ones where I decided to use isUserInRole()/isUserLoggedIn(), I am affected. So one work around is to manage your roles in the session scope instead of the roles attribute of cfloginuser. Create your own UDF to replace the two previous functions that instead accesses whatever you've placed in the session scope.

Found this in security.log also. Time matches when I attempted to sign in:

"Information","ajp-bio-8014-exec-7","02/18/16","10:31:15",,"An error occurred while fetching element from authcache."

P

Perkley1

Known Participant

I hope this is resolved soon, I have several sites that started requiring you to log in twice at random due to upgrading to CF11. I have Update 7. I really don't want to have to go modify the code if it is just an update fix.

CCPSWebmaster

Participant

Other than in my example above:

Should fix the Double Login Issue. Although I am not sure if it creates any other issues.

CCPSWebmaster

Participant

I am having the same issue, but I noticed something very strange...

Here is my Application.cfc

</cffunction>

<cftry>

////////////////////////// LDAP Minified for obvious reasons //////////////////////////////

<cfldap action="query"

name="CheckIfUser"

>

</cfcatch>

</cftry>

<cftry>

///////////////////////////// LDAP Minified for obvious reasons //////////////////////////////

<cfldap action="query"

name="AuthenticateUser"

>

</cfcatch>

</cftry>

</cfif>

</cfif>

</cfif>

</cfif>

</cflogin>

</cffunction>

</cfcomponent>

Please take note of the <cfloginuser> line:

I was attempting to force each login to be unique to see if it was a SESSION causing the issue.

I login and refresh the page a couple of times, but then something interesting happened.

I was greated with the login screen with the error message:

"You do not have access to this System"

What this means is that for some reason the CFLOGIN.name and CFLOGIN.password fields were resent to the server. However because this message came up that means the userID was NOT "USERWITHACCESS"

So to test my theory I modified the alert message:

SURE ENOUGH this is what I got:

You do not have access to this System USERWITHACCESS17E0C4A160-EAEB-5C23-FDF8DB569F65D3C2

What this means is the <cfloginuser> tag is resubmitting the CFLOGIN variables.

So I logged in again, and started refeshing the page to keep the <cflogin> timeout from firing.

I Timed it. I get that error at Exactly 10 Seconds after I log in which is the Timeout I have set for the SESSION Variables.

It seems like when the SESSION variable times out but the <cflogin> has not coldfusion resubmits the Login information that was stored in the <cfloginuser> tag. However the User is retaining the OLD Session ID instead of being re-assigned to the new ID.

Can anyone else verify my logic?

Also the only reason I have the <cfif CFLOGIN.name is "USERWITHACCESS"> in there is because of a last minute "Hey we only want these people to have access!" And we have yet to create the Group on our AD server (to check with LDAP) So it was quickly thrown in there. Which luckily caused me to notice this!

itisdesign

Inspiring

Hi Benoit,

I believe 3732198 resolved the java.lang.NullPointerException in CF10 Update 14. I've added the following comment to 3839458:

-----------

Another workaround is duplicate the <cflogin>/cflogin(). Example:

When both have allowconcurrent=true (the default), then both will run. isUserLoggedIn() returns YES after the 1st, but the 1st login actually fails. The 2nd runs and logs in correctly.

Repro attached as Application.cfc

When THIS.loginStorage="cookie", then the issue does not reoccur if an old cfauthorization cookie is still present.

-----------

Thanks!,

-Aaron

BKBK

Community Expert

<cfset this.name = hash( getCurrentTemplatePath() ) />

Problematic, as the application's name changes per page request. Sessions are dependent on the application name. Therefore, the session will break whenever the template path changes.

To verify this hypothesis, test it with

S

silmarilAuthor

Known Participant

Well no, actually the TemplatePath() is the path to Application.cfc in this case. It's an example taken from bennadel.com blog, but i also did try a fixed application name, it doesn't change anything.

Also: this exact same application behave correctly on a BlueDragon 7.1 server.

Using loginStorage="Cookie" on CF11 however seem a bit better, but there are some weirdness occasionnaly.

S

silmarilAuthor

Known Participant

I also used cflogin's default value of allowConcurrent=true, by omission. To synchronize with you, the rest of my test procedures and files were as follows.

I commented out the cfsetting tag, and switched on debugging in the Coldfusion Administrator. I also removed the cfabort tag after <cfinclude template="loginForm.cfm"> to enable onRequestStart to return.

index.cfm

We are in index.cfm<br>

getAuthUser(): <cfoutput>#getAuthUser()#</cfoutput><br>

Application.cfc

<cffunction

name="OnRequestStart"

access="public"

returntype="boolean"

output="true"

hint="Fires at first part of page processing.">

<cfargument

name="TargetPage"

type="string"

required="true"

/>

</cfif>

</cfif>

</cflogin>

</cfif>

</cffunction>

</cfcomponent>

loginForm.cfm

<div>

<b>login :</b>

<b>password :</b>

</form>

</div>

logoutForm.cfm

<div>

</form>

</div>

Hi,

I think the main difference is that your cflogin.idleTimeout is less that the sessionTimeout, to make it really reproducable you need to have it greater than or equal to the sessionTimeout.

Well it also happens in this case (idleTimeout < sessionTimeout) for me but ...

In this case i also regularly see another weird comportement: If i got back on the back after the idleTimeout but before the sessionTimeout the <cflogin> part is triggered again and the previous login+password are automatically injected into the cflogin Structure. (i putted <cfif isDefined("cflogin")><cfdump var="#cflogin#" label="cflogin"></cfif> into the <cflogin> block.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded