Issue with cfauthentication

Advisor,
Nov 26, 2024

Good morning,

We use CF2021 and installed the latest update 17. We started having issues with our login system on one box, which loses the cfauthentication session var.

I created a test login to trace the issue on the same box, because on the other box it works fine. The security team applied some STIGs to the box lately and I am not sure if that is affecting the browser.

When a user logs in the first time, the cfauthentication var is not showing.

Here is the application.cfc

<cfcomponent output="false" hint="I define the application settings and event handlers.">

	<cfscript>
	// Define the application settings.
	this.clientManagement = false;

	// Define the cflogin storage.
	this.loginStorage = "session";
	this.name = listLast(getDirectoryFromPath(getCurrentTemplatePath()), "\");
	this.applicationTimeout = createTimeSpan( 0, 0, 0, 10 );
	this.sessionManagement = true;
	this.sessionTimeout = createTimeSpan( 0, 0, 5, 0 );
	this.setClientCookies = true;

	this.secureJSONPrefix = "";
	</cfscript>

	<!--- Define the request settings. --->
	<cfsetting showdebugoutput="false"/>

	<cffunction name="onApplicationStart" access="public" returntype="boolean" output="false" hint="I initialize the application.">

		<cfscript>
			// Root and upload folder.
			application.root_folder = this.name;
			application.upload_folder = Left(getDirectoryFromPath(getBaseTemplatePath()), FindNoCase('\', getDirectoryFromPath(getBaseTemplatePath()), FindNoCase(application.root_folder, getDirectoryFromPath(getBaseTemplatePath())))) & "UPLOAD_" & uCase(this.name);
			application.absolute_folder = Left(getDirectoryFromPath(getBaseTemplatePath()), FindNoCase('\', getDirectoryFromPath(getBaseTemplatePath()), FindNoCase(application.root_folder, getDirectoryFromPath(getBaseTemplatePath()))));
		</cfscript>
		<!--- Initialize the application settings. --->
		<cfset application.dateInitialized = now() />

		<!--- Keep a reference to the debug() function so templates can call application.debug(). --->
		<cfset application.debug = debug />

		<!--- Blacklist applied to the login fields. The trailing "|" has been dropped: it matched the empty string. --->
		<cfset application.sqlRegEx = "<[^>]*>|insert|select|delete|update|create|drop|alter|&|%" />

		<!--- Return true so that the page can load. --->
		<cfreturn true />
	</cffunction>

	<cffunction name="onApplicationEnd" output="no" returnType="void">
		<cfargument name="applicationScope" required="true" />
	</cffunction>

	<cffunction name="onRequestStart" output="true" returnType="boolean">
		<cfargument name="thePage" type="string" required="true" />

		<cfif NOT isDefined("session.loggedIn")>
			<cfset session.loggedIn = false />
		</cfif>

		<cfreturn true />
	</cffunction>


	<cffunction name="onSessionStart" access="public" returntype="void" output="false" hint="I initialize the session.">

		<!--- Initialize the session settings. --->
		<cfset session.dateInitialized = now() />
		<cfset session.id = createUuid() />

		<cfif NOT isDefined("session.loggedIn")>
			<cfset session.loggedIn = false />
		</cfif>

		<!--- Return out. --->
		<cfreturn />
	</cffunction>


	<cffunction name="onRequest" returnType="void">
		<cfargument name="thePage" type="string" required="true" />

		<!--- <cfset applicationStop() /> --->
		<!--- cflogin's idletimeout is a number of seconds. this.sessionTimeout is a timespan (a fraction of a day),
		      which would be read as roughly zero seconds, so the 5-minute session timeout is given as 300 here. --->
		<cflogin applicationtoken="#this.name#" idletimeout="300">
			<cfif (isDefined("form.j_username") and len(trim(form.j_username)) GT 0 and isDefined("form.j_password") and len(trim(form.j_password)) GT 0)>
				<!--- Check for SQL injection and script since the login form is semi-public. --->
				<cfset cflogin.name = REReplaceNocase("#trim(cflogin.name)#", application.sqlRegEX, "", "ALL") />
				<cfset cflogin.password = REReplaceNocase("#trim(cflogin.password)#", application.sqlRegEX, "", "ALL") />

				<cfif authenticateUser(cflogin.name, cflogin.password)>
					<cfset session.loggedIn = true />
					<cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="SUPER USER">
				<cfelse>
					<cfset variables.loginError = "Username and/or Password is Invalid." />
				</cfif> <!--- END IF: authenticateUser() --->
			</cfif>
			<!--- <cfset application.debug(session)/><cfabort> --->
			<cfif isDefined("session.loggedIn") AND NOT session.loggedIn>
				<cfinclude template="login.cfm" />
				<cfabort />
			<cfelse>
				<cfinclude template="index.cfm" />
			</cfif>
		</cflogin>

	</cffunction>

	<cffunction name="authenticateUser" output="no" returntype="boolean">
		<cfargument name="userName" required="yes" type="string" />
		<cfargument name="passWord" required="yes" type="string" />

		<cfset var returnValue = FALSE />
		<cfset var qryAuthUser = "" />

		<cfquery name="qryAuthUser" datasource="myDatabase">
			SELECT  *
			FROM    users u
			WHERE   u.user_id = <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#trim(arguments.userName)#" />
			AND     u.user_password = <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#hash(trim(arguments.passWord))#" />
		</cfquery>

		<cfif qryAuthUser.recordCount eq 1>
			<cfset returnValue = TRUE />
		</cfif>

		<cfreturn returnValue />
	</cffunction>

	<cffunction name="debug" access="public" output="true" returntype="void">
		<cfargument name="input" required="No" default="" />

		<cfset var debugFile = '#application.absolute_folder#debug.cfm' />
		<cfset var debugInfo = "" />

		<cfsavecontent variable="debugInfo">
			<p><strong>DEBUGGING</strong>: <cfoutput> #dateFormat(now(),'mm/dd/yyyy')# #timeFormat(now(), 'HH:mm:ss tt')# </cfoutput><br>

			<cfdump var="#arguments.input#" label="custom" format="html">
			<cfdump var="#form#" label="form" format="html">
			<cfdump var="#url#" label="url" format="html">
			<cfdump var="#cgi#" label="cgi" format="html">
			<cfdump var="#application#" label="application" format="html">
		</cfsavecontent>

		<cffile action="WRITE" file="#debugFile#" output="#debugInfo#" />
	</cffunction>

</cfcomponent>

 

And login.cfm

<!DOCTYPE html>
<cfsilent>
    <cfparam name="session.lastLoginDate" default="" type="string">
    <cfparam name="variables.user_id" default="" type="string"> 
    
    <cfparam name="FORM.j_username" type="string" default="" />
    <cfparam name="FORM.j_password" type="string" default="" />
</cfsilent>

<!--- <cfset application.debug(session)/><cfabort>--->

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

    <title><cfoutput>Test Site</cfoutput></title>
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=10, user-scalable=yes">
                
</head>
<body>

    <h1>
        Application Login
    </h1>

    <!--- The action needs cfoutput, otherwise #CGI.script_name# is sent to the browser literally. --->
    <cfoutput>
    <form action="#CGI.script_name#" method="post">

        <label>
            Username:
            <input type="text" name="j_username" size="20" />
        </label>
        <br />
        <br />

        <label>
            Password:
            <input type="password" name="j_password" size="20" />
        </label>
        <br />
        <br />

        <input type="submit" value="Login" />

    </form>
    </cfoutput>

</body>
</html>

and the Index.cfm

<cfoutput>
<cfset application.debug(session)/>
<cfif isDefined("session.loggedIn") and session.loggedIn >
	<h1>We are in </h1>
</cfif>
 
	<h1>
		Application And Session Overview
	</h1>

	<p>
		Application initialized:
		#dateDiff(
			"s",
			application.dateInitialized,
			now()
			)#
		seconds ago.
	</p>

	<p>
		Session initialized:
		#dateDiff(
			"s",
			session.dateInitialized,
			now()
			)#
		seconds ago.
	</p>

</cfoutput>

The first time I do the login, the session var cfauthentication is not showing.

loginIssue01.PNG

 

If I refresh the browser the session var shows.

loginIssue02.PNG

What am I doing wrong? Any ideas?

Thanks in advance.

Johnny 
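An added example, not Johnny's code, showing how the authenticateUser() above could be hardened: the parameterised query makes the blacklist regex unnecessary (that regex also silently mangles valid passwords containing "&", "%" or the word "select"), and a per-user salted PBKDF2 hash replaces the unsalted hash() (MD5 by default). It assumes a users table with columns user_id, pw_salt and pw_hash (Base64, as returned by generatePBKDFKey); that schema is an assumption.

```cfml
// Added example (not from the original post). Assumed schema: users(user_id, pw_salt, pw_hash),
// where pw_hash was produced at enrolment with the same generatePBKDFKey() call used below.
component {

    public boolean function authenticateUser(required string userName, required string passWord) {
        // Bound parameter: the database never sees the username as SQL, so no keyword stripping is needed.
        var q = queryExecute(
            "SELECT pw_salt, pw_hash FROM users WHERE user_id = :uid",
            { uid: { value: trim(arguments.userName), cfsqltype: "cf_sql_varchar" } },
            { datasource: "myDatabase" }
        );
        if (q.recordCount != 1) {
            return false;
        }
        // Salted, iterated password hash (PBKDF2-HMAC-SHA256, 100000 rounds, 256-bit key) instead of unsalted hash().
        var candidate = generatePBKDFKey("PBKDF2WithHmacSHA256", arguments.passWord, q.pw_salt, 100000, 256);
        return constantTimeEquals(candidate, q.pw_hash);
    }

    // Compare two digests without stopping at the first differing character,
    // so the comparison time does not reveal how much of the hash matched.
    private boolean function constantTimeEquals(required string a, required string b) {
        if (len(arguments.a) != len(arguments.b)) {
            return false;
        }
        var diff = 0;
        for (var i = 1; i <= len(arguments.a); i++) {
            diff = bitOr(diff, bitXor(asc(mid(arguments.a, i, 1)), asc(mid(arguments.b, i, 1))));
        }
        return diff == 0;
    }
}
```

With this in place the cflogin block can pass cflogin.name and cflogin.password straight through to authenticateUser() without the REReplaceNoCase() calls.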

Community Expert,
Nov 27, 2024

Just to add: I have just updated my last post, adding a further suggestion.

Advisor,
Nov 27, 2024

"Your code is much improved, and should work. The problem you are getting with getAuthUser() is unlikely to be related to any ColdFusion settings or fixes. "

Based on this I decided to uninstall CF because I had already tried to revert the 17 update. I am getting this error:

loginIssue04.PNG

I checked the jvm.cfg file in C:\ColdFusion2021\jre\lib\ and it shows this:

-server KNOWN
-client IGNORE

Is there a way to fix this error and uninstall CF?

Thanks, Johnny

Community Expert,
Nov 27, 2024

You should be able to use any compatible (recent?) JVM to run the CF uninstaller. Just set the JAVA_HOME environment variable to its location. Remove the web server connectors using wsconfig first.

 

That said, CF is very loosely tied to the OS. You can remove it by deleting the connector with wsconfig, deleting the CF directory itself, and optionally deleting the relevant registry keys. You should be able to find detailed instructions by searching for "ColdFusion manual uninstall".

 

Dave Watts, Eidolon LLC

Advisor,
Nov 27, 2024

Thanks! I have to do a CF manual remove.

Advisor,
Nov 27, 2024

The CF reinstallation fixed the issue. Something new learned.

This is weird and wasted a lot of time on this box. At least I improved my login code with your help.

Thanks again to all for the replies and help, really appreciated. 

Happy thanksgiving to all.

Community Expert,
Nov 27, 2024

Nice to hear. However, I am confused by your final conclusions. We have been busy discussing a code problem. But you now conclude with a new remark about installation.

 

What was the issue, and what fixed it? Please share your solution with the forum. It will help a fellow developer in future.

Engaged,
Nov 26, 2024

You are using sessions for the 'isLoggedIn' variable. I'm asking: what is your setting in the CF Admin for session storage? Charlie mentioned this, also.

Is it EHCache or Redis, or something else?

Advisor,
Nov 26, 2024

I used session variables. The session storage is set to memory on my CF admin.

Community Expert,
Nov 26, 2024

Good catch, Paul, even if it's not Johnny's issue. That said, note also that the redis sessions setting in the cf admin also has a checkbox for whether it's to be used for cflogin processing--making it potentially all the more relevant in this situation.

 

I realize Johnny may confirm he doesn't use redis for cf sessions at all. (Johnny, this is on the "memory variables" page of the cf admin, new since cf2016, and set to "memory" by default. Indeed, that cannot be changed if "j2ee sessions" is enabled, on that same page.)


/Charlie (troubleshooter, carehart.org)
