Hi, I recently installed ColdFusion 10. When I log in from the first browser it logs me in, and when I try to log in from another browser it throws me out saying that there is an active session, which doesn't happen in CF9. I noticed that CFTOKEN is not generating a new token when I try to log in from the second browser. Any help would be appreciated.
CF10 allows only one cfide/administrator login at a time.
See the section "There are however some behavioral changes":
http://www.adobe.com/devnet/coldfusion/articles/security-improvements.html
HTH, Carl.
Hi Carl,
Can you brief me on the possibility of logging in to two different browsers without duplicating the CFTOKEN?
Can we log in to two browsers in CF10?
Hi Raja, CFadmin by design in CF10 only allows 1 admin login at a time. I guess you could add multiple users. EG
HTH, Carl.
Hi Carl,
I am not asking about the CFADMIN login. I am talking about my site login. Suppose.
If I try the above URL in two different browsers, the first browser allows me to log in and the second browser says that an active session is there. I observed that CFTOKEN is not generating a second CFTOKEN. Can you please give me a solution for this?
Yes, this is a new (and somewhat hamfisted/misguided in its implementation) "feature" of CF10. I think it only comes into play if you select the "secure profile" option when installing though? I dunno how to switch it off.
I recommend voting to get this reverted back to the default behaviour of CF prior to CF10, and the new feature made optional.
Details here:
https://bugbase.adobe.com/index.cfm?event=bug&id=3339008
--
Adam
Hi Adam Cameron,
Can you give any quick solution for this, as this needs to be tidied up soon?
Regards,
Raja.
Yes, the solution was to not install the secure profile in the first place. As for solving it after the fact: I have no idea. I've never had to deal with it.
If you're in a hurry, you should be soliciting paid-for support from a consultant, not asking questions on a community-based forum.
--
Adam
Hi Adam Cameron,
I uninstalled CF10 and installed it again without checking the secure profile, but the problem still exists. The second browser is not allowing me to log in.
Regards
Raja
@Mucharla,
Go back to the bug report, and scroll down to the post by Hemant Khandelwal. He gives a workaround, involving the Java flag
-Dcoldfusion.session.protectfixation=false
Hi BKBK,
Can you please let me know where exactly the bug report is?
Regards,
Raja.
Mucharla Raja wrote:
Can you please let me know where exactly the bug report is?
You will find the bug report at the link that Adam Cameron gave above. You have to include the flag in the 'Java and JVM' field in the ColdFusion Administrator.
Hi BKBK,
I have done as specified, but the second IE browser still doesn't allow me to log in on CF10, whereas when I tried with CF9 it didn't give any problem.
Does CF10 allow multiple browser sessions (CFTOKENs)?
Regards,
Raja
Did you, to be sure, restart ColdFusion after setting the Java flag? If not, try that.
I restarted ColdFusion after setting the Java flag, but it didn't work.
Do I need to add any other code to my application.cfm?
<!--- Enable session and client management; sessions time out after 30 minutes --->
<cfapplication name="#appname#"
    sessionmanagement="YES"
    setclientcookies="Yes"
    clientmanagement="Yes"
    sessiontimeout="#CreateTimeSpan(0,0,30,0)#"
    applicationtimeout="#CreateTimeSpan(2,0,0,0)#">
<!--- Re-send the CFID and CFTOKEN cookies with the values the browser presented (no expires attribute is given) --->
<cfif IsDefined("Cookie.CFID") and IsDefined("Cookie.CFTOKEN")>
    <cfset cfid_local = Cookie.CFID>
    <cfset cftoken_local = Cookie.CFTOKEN>
    <cfcookie name="CFID" value="#cfid_local#">
    <cfcookie name="CFTOKEN" value="#cftoken_local#">
</cfif>
Your cfapplication code looks all right. Two suggestions:
1) Did you save the file as Application.cfm (not application.cfm)?
2) You could leave out the cookie code entirely. See what happens then.
I did what you said above. No difference: only one IE browser allows me to log in, the other IE browser throws me out.
Mucharla Raja wrote:
<cfif IsDefined("Cookie.CFID") and IsDefined("Cookie.CFTOKEN")>
<cfset cfid_local = Cookie.CFID>
<cfset cftoken_local = Cookie.CFTOKEN>
<cfcookie name="CFID" value="#cfid_local#">
<cfcookie name="CFTOKEN" value="#cftoken_local#">
</cfif>
What is the point of this code?
The way I read this is:
If the cookies exist, reset them with their same names and values. Seems kinda pointless.
Try this:
<cfif NOT IsDefined("Cookie.CFID") OR NOT IsDefined("Cookie.CFTOKEN")>
<cfcookie name="CFID" value="#session.CFID#">
<cfcookie name="CFTOKEN" value="#session.CFTOKEN#">
</cfif>
You should be getting session token information from the session, not from cookies. The session stored on the server is the authority.
Also, I would encourage you to look at the HTTP headers going back and forth on the browser that is failing. See what is being passed back and forth. If you are using Firefox you can get a plugin called HTTPLive Headers that will show you.
One final thing, when you do these First-Browser / Second-Browser tests, are you always using the same two browsers in the same order? Or are you mixing it up? Have you tried using different combinations to see if they yield different results? For example:
First Browser | Second Browser
IE | Firefox
Firefox | IE
Chrome | Firefox
IE | Chrome
Safari | Chrome
Jason
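
The header check suggested in the post above, as an added example that is not part of the original thread: it reads the Cookie request headers captured from each browser window and reports whether two windows present the same CFID/CFTOKEN pair. The captures, cookie values, the login.cfm path and the function names are constructed for illustration.

```python
from http.cookies import SimpleCookie

SESSION_KEYS = ("CFID", "CFTOKEN")

# Constructed captures (not from the thread): header lines as a header
# viewer would show them, one list per browser window.
IE_WINDOW_1 = ["GET /login.cfm HTTP/1.1", "Cookie: CFID=1201; CFTOKEN=aaaa1111"]
IE_WINDOW_2 = ["GET /login.cfm HTTP/1.1", "cookie: CFID=1201; CFTOKEN=aaaa1111"]
FIREFOX = ["GET /login.cfm HTTP/1.1", "Cookie: CFID=1202; CFTOKEN=bbbb2222"]
# One window whose identifiers change between two requests.
REPLACED = ["Cookie: CFID=1201; CFTOKEN=aaaa1111",
            "Set-Cookie: CFTOKEN=ignored-response-header",
            "Cookie: CFID=1305; CFTOKEN=cccc3333"]


def presented_sessions(header_lines):
    """Return the (CFID, CFTOKEN) pairs a client sent, in order of change."""
    seen = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "cookie":
            continue  # only request Cookie headers show what the browser sends
        jar = SimpleCookie()
        jar.load(value.strip())
        ids = {key.upper(): morsel.value for key, morsel in jar.items()}
        pair = tuple(ids.get(key) for key in SESSION_KEYS)
        # Record a pair only when both parts are present and it differs
        # from the pair sent on the previous request.
        if None not in pair and (not seen or seen[-1] != pair):
            seen.append(pair)
    return seen


def compare_clients(capture_a, capture_b):
    """Classify two captures as 'shared', 'separate' or 'incomplete'."""
    a, b = presented_sessions(capture_a), presented_sessions(capture_b)
    if not a or not b:
        return "incomplete"
    return "shared" if a[-1] == b[-1] else "separate"


if __name__ == "__main__":
    print("IE window 1 vs IE window 2:", compare_clients(IE_WINDOW_1, IE_WINDOW_2))
    print("IE window 1 vs Firefox:    ", compare_clients(IE_WINDOW_1, FIREFOX))
    print("Pairs sent by one window:  ", presented_sessions(REPLACED))
```

More than one pair in a single window's capture means its identifiers were replaced between requests.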
Hi,
I tried the above code with two IE browsers, but it still doesn't allow me to log in to the second browser (meaning it is not creating the second CFTOKEN).
Once logged in to the first browser, I deleted the cookies in the second browser and logged in. It allows me to log in with a different CFTOKEN, which is what I am expecting, but when I access the first browser, the first browser is using the second browser's CFTOKEN, so the first browser is invalid now.
Does CF10 allow multiple browser sessions (CFTOKENs)?
Wait... what?
Are these two browsers on the same computer? If they are then that is not two browsers, that is one browser. You cannot open two instances of IE on the same machine and expect them to maintain different sessions.
If that is what you are doing then when you "delete the cookies in the second browser" you are also deleting the cookies in the first.
When you were doing this in CF9, what version were you using? Did you have any of the security hotfixes installed?
Of course CF10 allows multiple browser sessions, but to do that you have to actually use multiple browsers, not the same browser twice.
jason
In CF9, when I used two IE browsers on the same machine, it allowed me to log in to both browsers, but CF10 doesn't allow me.
This is my problem.
Mucharla Raja wrote:
In CF9, when I used two IE browsers on the same machine, it allowed me to log in to both browsers, but CF10 doesn't allow me.
This is my problem.
Mucharla, you may not realize it, but you led every poster in this thread to believe that you had 2 browsers on 2 separate machines, one on each machine! You should therefore understand that all the suggestions that everyone has given you apply to browsers on separate machines.
OK,
Can you conclude for me that in CF10, if we have 2 IE browsers on the same machine, we cannot log in to both browsers?
As 12Robots has said, "2 IE browsers in same machine" makes little sense. His posts say more on the subject.
However, 2 separate browsers, such as IE and Firefox, on the same machine do make sense. I would then expect the Java flag to fix the issue. If you experience otherwise, then it means the workaround fails. You should report it. Here is the link again, for your convenience:
Of course you can log into both. When you log into ONE browser window you log into both. You create a single set of cookies that BOTH browser WINDOWS use. When you delete the cookies in one window, it deletes them across the board.
You cannot do what you describe with ANY version of CF. You say you were able to do it with CF9. You are wrong.
Internet Explorer uses a central cookie repository provided by the operating system. It is impossible to maintain two sessions in two different IE windows on the same web application regardless of the server-side platform (CF9, CF10, .NET, PHP, whatever).
Whatever you were experiencing in CF9, it is NOT what you are describing. Perhaps you were misunderstanding what was happening and you thought you saw the behavior you describe.
Feel free to post a video of you doing what you describe using CF9, but until you do, I am going to assume that this is a fundamental misunderstanding of how browsers and the statelessness of HTTP work and I will mentally close this thread.
Jason