Here are the environments:
OLD SERVER
Server Product: ColdFusion
Version: 8,0,1,195765
Edition: Enterprise
Operating System: Windows Vista*
OS Version: 6.0
Update Level: .... hf801-00007.jar
IIS Version: 7
(*not sure where that "Vista" comes from? The System Information says "Windows Server 2008 Datacenter without Hyper-V")
NEW SERVER
Server Product: ColdFusion
Version: 10,0,11,285437
Tomcat Version: 7.0.23.0
Edition: Enterprise
Operating System: Windows Server 2008 R2
OS Version: 6.1
Update Level: .... chf10000011.jar
Adobe Driver Version: 4.1 (Build 0001)
IIS Version: 7.5
Here is the problem:
Moved all files and database to NEW SERVER, configured datasource, etc. Configured IIS, set up a testing domain for the NEW SERVER. After jumping through the new ColdFusion hoops (wsconfig.exe, etc.), got the new version of the site up and running. However, authentication/login is not working.
I have a pretty standard ColdFusion login, using cfloginuser in the Application.cfc file. After I log in on the old site, outputting GetAuthUser (<cfoutput>GetAuthUser: #GetAuthUser()#</cfoutput>) prints my username to screen, and all my role-based rules work.
On the new server, outputting GetAuthUser prints empty. Exact same code base, exact same database structures, etc.
I know the login process itself is working, because it is correctly setting session variables with user information, and they are available on subsequent requests. But none of the traditional cflogin data is available on subsequent calls.
What has changed in CF10?
This appears to be a bug.
To test solutions, I set up 2 test apps, one on the old server, one on the new.
Old Server: http://cfloginold.cimhost.com/index.cfm
New Server: http://cflogin.cimhost.com/index.cfm
Use "test" and "demo982013" as user and password.
Append ?logout=true to the URL to log out and re-test. These two apps have exactly the same code, same database. I am dumping session and form values to screen, along with GetAuthUser() value.
The authentication method is pretty much exactly as outlined in Adobe's documentation, and I can share all relevant code here if necessary.
Note that in the "new" server, the form loads each time you visit the page, whether you have logged in or not. This is exemplar of the fact that the cflogin session is not being retained or recognized, thus presenting the login form each visit (although not on initial form completion, which shows that cflogin is at least working on the initial login).
I am able to get cfloginuser to fire a couple of ways, just not as part of the standard Adobe documented application-based user security model.
Option 1: I created a standalone page, and placed the following code in it:
<cflogin><cfloginuser name="directtest" Password = "2519D6025B5191F754D01BE163972628" roles="1"></cflogin>
I then instructed Application.cfc to allow this past the cflogin gate. You can see the results by pointing your browser to: http://cflogin.cimhost.com/directlogin.cfm?bypass=true
Voila. 'cfauthorization_cicmstest' value has been set, and user is logged in. Subsequent calls to GetAuthUser() are successful. So I know now that CF10 and the application do allow cfloginuser, and the user session can be created.
Option 2: I then decided maybe it was something about my Application.cfc file, so I again bypassed the cflogin gate, and placed the hard-coded cfloginuser snippet directly in my Application.cfc onRequestStart function. Logged out and visited: http://cflogin.cimhost.com/index.cfm?bypass=true&noquery=true
Again, cfauthorization_cicmstest value was successfully set, and user is logged in.
However, logging in still fails if the cfloginuser directive is fired within the actual cflogin process in Application.cfc. Here is what that code looks like:
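<!--- Look up the submitted credentials; cfqueryparam binds the values so form input cannot alter the SQL --->
<cfquery name="loginQuery" dataSource="mydatasource">
SELECT id, username, userroles
FROM myusertable
WHERE
username = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
AND userpass = <cfqueryparam value="#Hash(cflogin.password)#" cfsqltype="cf_sql_varchar">
</cfquery>
<cfif loginQuery.userroles NEQ "">
<!--- Credentials matched: register the user and roles with the cflogin framework --->
<cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#loginQuery.userroles#">
<cfset MyMessage = "#MyMessage#<br />The Login Query fired and returned expected - loginQuery.userroles NEQ ''">
<cfelse>
<!--- No match: show the login form again and stop the request --->
<cfset MyMessage = "Your login information is not valid. <a href='index.cfm?logout=1'>If your session timed out, click here!</a>">
<cfinclude template="loginform.cfm">
<cfabort>
</cfif>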
I know that the query is successful, because I am setting an alert message that tells me the loginquery.userroles value was not empty, which is the condition for processing cfloginuser.
I know where the code is failing now, just not why. I've tried hard coding that cfloginuser value, and it still fails. I'm at a loss as to what to try next. The cfloginuser functionality works, just not in the one place (within the loginQuery.userroles conditional) that I need it to work.
Everything is structured as per Adobe's own documentation, so this would appear to be a bug.
Just to prove to myself it wasn't my code, I created 2 more test sites, one on the old server, one on the new server:
New Server (CF10) = http://cf10loginadobe.cimhost.com/securitytest.cfm
Old Server (CF8) = http://cf8loginadobe.cimhost.com/securitytest.cfm
I copied exactly Adobe's 3 files from their Application-based security example. I created a database table with their schema and values. I added my cfdump outputs to show the sessions being created.
Test with user of "Bob" and password of "secret". Even with Adobe's own code, the tests fail on CF10.
I'm not sure what to do next. Rewriting the application to not use cfloginuser is not an option, as we have more than a dozen applications we are migrating to CF10 that use this authentication model, across hundreds of templates.
Hi Max,
I tried this same code from the Adobe example on CF10 and it is working like a charm for me. To help me debug this for you, can you please try the following:
In Application.cfc, change <cfset This.loginstorage="session"> to <cfset This.loginstorage="cookie">
and then see if the authorization cookie is received. Also, I would request that you try this from another machine or a browser other than IE.
Will be glad to help on this.
Shilpi
ColdFusion Server Team
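The loginStorage comparison suggested in the last reply can be run from one diagnostic Application.cfc; this is an added example, not code from the thread or from Adobe. It assumes a login form that posts j_username and j_password, reuses the datasource and table names quoted above, and uses a hypothetical application name.

```cfml
<!--- Added diagnostic example. Application name is hypothetical; datasource,
      table and column names follow the query quoted earlier in the thread. --->
<cfcomponent output="false">
  <cfset this.name = "cflogin_diag">
  <cfset this.sessionManagement = true>
  <!--- Toggle between "session" and "cookie" and compare the output below --->
  <cfset this.loginStorage = "cookie">

  <cffunction name="onRequestStart" returnType="boolean" output="true">
    <cfargument name="targetPage" type="string" required="true">

    <cfif structKeyExists(url, "logout")>
      <cflogout>
    </cfif>

    <!--- The body of cflogin runs only while no user is logged in --->
    <cflogin>
      <!--- The cflogin struct exists only when credentials were submitted --->
      <cfif isDefined("cflogin.name")>
        <cfquery name="loginQuery" datasource="mydatasource">
          SELECT userroles
          FROM myusertable
          WHERE username = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
            AND userpass = <cfqueryparam value="#hash(cflogin.password)#" cfsqltype="cf_sql_varchar">
        </cfquery>
        <cfif loginQuery.recordCount EQ 1 AND len(loginQuery.userroles)>
          <cfloginuser name="#cflogin.name#" password="#cflogin.password#"
                       roles="#loginQuery.userroles#">
        </cfif>
      </cfif>
    </cflogin>

    <!--- Compare these values on the request after logging in, on both servers.
          Only names are listed, so no credential or token values are printed. --->
    <cfoutput>
      loginStorage: #this.loginStorage#<br>
      IsUserLoggedIn: #isUserLoggedIn()#<br>
      GetAuthUser: #HTMLEditFormat(getAuthUser())#<br>
      Cookie names: #HTMLEditFormat(structKeyList(cookie))#<br>
      Session keys: #HTMLEditFormat(structKeyList(session))#
    </cfoutput>
    <cfreturn true>
  </cffunction>
</cfcomponent>
```

If GetAuthUser is empty on the follow-up request, the cookie and session key lists show whether the authorization value was stored at all or was stored but not sent back by the browser.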