
Cookies and cflogin

Participant, Jan 05, 2009
I have no idea what the issue is because sometimes this works and sometimes it doesn't....

I have all my session management code in the Application.cfm file and I let users revisit pages without logging in if they have cookies enabled. However, I also clear those cookies when they log out and also use the cflogout tag.

If the cookies have been cleared, the user should not be able to log in again unless they use a form, but for some strange reason ColdFusion is letting users do that even after cookies are cleared and cflogout.... ??????
LEGEND, Jan 05, 2009
'Ah I see, and how does this make you feel?' in my best
Psychologist|Psychiatrist|Therapist voice to get a patient to open up
and tell more.

In Other Words -- Code, Symptoms, Errors? Anything to go on here?

If you just want confirmation that this can be done with cookies and the
cflogin|cflogout feature, then it sure can.
Community Expert, Jan 05, 2009
It should work as you expect, if you set the attribute loginStorage of the cfapplication tag to cookie. If you set it to session, then you will have to clear the session variables. ColdFusion may still have them in memory.

Community Expert, Jan 05, 2009
> I clear the cookies with expires="now"

You still haven't cleared the session cookies, CFID and CFToken. They are the ones responsible for maintaining the client's session. One way to do it is

<cfset isCleared = StructClear(Session)>

Participant, Jan 05, 2009
I think I need to clear the session variables... however with my code that shouldn't matter...

When they click "logout" from the app I clear the cookies with expires="now"
Participant, Jan 06, 2009
That didn't work.

Variable SESSION is undefined.


The error occurred in /vservers/getkonnekt/htdocs/logout.cfm: line 6

4 : <cfcookie name="ffc_password" expires="NOW">
5 :
6 : <cfset clear_them = StructClear(SESSION)>


Community Expert, Jan 07, 2009
> Variable SESSION is undefined.

Doesn't sound good. You should enable sessions in the ColdFusion Administrator and in the Application file.

Participant, Jan 07, 2009
Sessions (session variables) are enabled as I use them throughout the application.

Something is wrong with the struct statement.

This should be really easy and it's driving me kabonkers.
LEGEND, Jan 07, 2009
idesdema wrote:
> Sessions (session variables) are enabled as I use them throughout the application.
>
> Something is wrong with the struct statement.
>
> This should be really easy and it's driving me kabonkers.

Or something is wrong with your session scope.

Here is an off-the-wall question. Where is this logout template in
relation to your application.cfm|.cfc file in your web site directory
structure?

Participant, Jan 07, 2009
same dir

Participant, Jan 07, 2009
Would it matter if cflogout was above the other code?
Participant, Jan 07, 2009
I really don't understand this.

Now the Struct statement works error free. However, after clearing the cookies and clearing the session variables and cflogout, I can still go right back into the site without logging in and that's not right.

I don't get it.
Participant, Jan 13, 2009
Please can someone help out with this? You see all the code. I can log in and browse, click logout, and then log back in without being presented a form. This is not correct. If a user clicks logout the cookies are cleared and I used <cfset clear_them = StructClear(SESSION)> to clear the session variables.

Is there anything else I can try? The logic seems accurate. I should be presented with a new login form after clicking logout.
Community Expert, Jan 15, 2009
I suppose ColdFusion still counts an empty cookie as a cookie. What if you use the combination

<cfset isLoginCookieDeleted = StructDelete(cookie, "ffc_login")>
<cfset isPwCookieDeleted = StructDelete(cookie, "ffc_password")>




Participant, Jan 19, 2009
That was it. Thanks!!!
Contributor, Jan 27, 2009
I followed this topic through to the end and see that I was doing everything except the cookie clear. I added the clearing of cookies CFID and CFTOKEN to no avail. I can still LOGOUT, then when I return to where I should get a login screen, I instead see that I'm still logged in. I tested the variables with cfdump's during the logout, and it says that my Session and Application are completely cleared.

So how in the world is it that I'm still logged in?

I am so completely baffled...
Participant, Jan 27, 2009
Randy, try StructDelete instead of struct clear on your application and session variables. I used that in my logout.cfm and it finally worked.
Contributor, Jan 27, 2009
Thanks for the suggestion, but, alas, no go. Now, the only variables I deleted were SESSION.getauthuser and APPLICATION.getauthuser, but at the end of the login routine I did do a cfdump of everything, as shown below (before and after) and there is NOTHING there. All are empty. Yet, when I went back up to the URL and called up the site, then went to my login page, I was instead directed to my account as I was already logged in.

This makes no sense to me. Could there be an auto-login from my browser, perhaps? But those usually just fill in the blanks on the login form and wait for you to hit submit...

Still perplexed.
RLS

LEGEND, Jan 27, 2009
RLS wrote:
>
> This makes no sense to me. Could there be an auto-login from my browser,
> perhaps? But those usually just fill in the blanks on the login form and wait
> for you to hit submit...
>
> Still perplexed.
> RLS
>

I have occasionally been following this thread, so forgive me if I have
overlooked something. But everything I have read leads me to think that
you may have code accessing different scopes. This would be caused by
templates being run under different application names.

At the top of every template output the CFID and CFTOKEN values. If
these values never change then I am probably wrong. But if they are
different on your logout page than your login page, then different parts
of your application are accessing different application and|or session
scopes.

Contributor, Jan 28, 2009
As usual, it's stupid little things like this that consume too much time. I tried so many things, came back and discovered I was doing the struct delete wrong (had structure and field reversed) and that was causing an error that was keeping the rest of it from doing its job.

But this was actually an after-the-fact deal. This was working for most other sites.

Other problems included using the domain with "www" in some places and without it in others which affected my scope because my scope is predicated on the cgi.server_name (serving hundreds of domains through this one application file).

Cleaned all that up and it now appears that the application name is never generated (weird, huh?) but the application scope is definitely there.

Long story long, it now works to kill the user login. Will have to revisit the missing application name thing later.

Thanks for all of your help!

RLS
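
The last two replies trace the stuck login to templates running under different application names when the site is reached with and without "www". As an added example (not code from any poster in this thread), an Application.cfm fragment that pins every request to one host and one application name and records which scopes each template runs under; the variable names, the `site_` prefix, the `scope_trace` log name and the "strip www" rule are assumptions, and it assumes `cgi.https` reflects the client's scheme (no TLS-terminating proxy in front).

```cfml
<!--- Application.cfm fragment. Added example, not code from the thread. --->

<!--- Canonicalize the host: lower-case it and drop a leading "www." --->
<cfset requestHost = LCase(Trim(cgi.server_name))>
<cfset canonicalHost = REReplace(requestHost, "^www\.", "")>

<!--- Refuse host values that are not plain DNS names; they would otherwise
      flow into the application name and the redirect URL below. --->
<cfif NOT REFind("^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$", canonicalHost)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- Unless domain cookies are enabled, CFID/CFTOKEN cookies belong to one
      host, so "www" and bare-host visits carry separate sessions. Send
      everyone to one host. addtoken="no" keeps the session identifiers
      out of the redirect URL. --->
<cfif requestHost NEQ canonicalHost>
    <cfset scheme = "http">
    <cfif cgi.https EQ "on">
        <cfset scheme = "https">
    </cfif>
    <cfset target = scheme & "://" & canonicalHost & cgi.script_name>
    <cfif Len(cgi.query_string)>
        <cfset target = target & "?" & cgi.query_string>
    </cfif>
    <cflocation url="#target#" addtoken="no">
</cfif>

<!--- One application name per site, derived from the canonical host only.
      Hash() keeps the name short and free of punctuation. --->
<cfset appName = "site_" & Hash(canonicalHost)>
<cfapplication name="#appName#"
               sessionmanagement="yes"
               loginstorage="session">

<!--- Diagnostic in the spirit of the CFID/CFTOKEN check suggested above:
      record which application and session each template runs under.
      The session id is hashed so the log never holds a usable identifier. --->
<cflog file="scope_trace"
       text="#cgi.script_name# app=#appName# session=#Hash(session.sessionid)#">
```

If the login and logout templates log different `app=` or `session=` values for the same browser, the logout is clearing a scope the login page never reads.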
