RE: cflogin and load balancing

2006-05-25 Thread Mark A Kruger
Dave,

Do you mean when using NLBS (the Windows clustering solution)?  I was under
the impression that it could not do this.

-Mark 

-Original Message-
From: Dave Ross [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 24, 2006 6:12 PM
To: CF-Talk
Subject: Re: cflogin and load balancing

Win2k3 will do sticky sessions when clustered using NLB

-Dave

>A hardware load balancer that provides for sticky sessions will work, 
>if you can afford it.
>
>On 3/23/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
>
>--
>CFAJAX docs and other useful articles:
>http://jr-holmes.coldfusionjournal.com/



~|
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:241427
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations & Support: http://www.houseoffusion.com/tiny.cfm/54


Re: cflogin and load balancing

2006-05-24 Thread Dave Ross
Win2k3 will do sticky sessions when clustered using NLB

-Dave

>A hardware load balancer that provides for sticky sessions will work,
>if you can afford it.
>
>On 3/23/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
>
>--
>CFAJAX docs and other useful articles:
>http://jr-holmes.coldfusionjournal.com/

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:241383


Re: cflogin and load balancing

2006-05-24 Thread dcooper
Just to complete this thread, since it's been linked to by several folks:

One customer in particular had issues and we walked them through their code 
issues.  In particular, the following problems were found that prevented 
CFLOGIN from working in a clustered environment:

- There are nested cflogin tags.  
Resolution: Remove the cflogin code in login.cfm

- CFLoginUser is not executed in onRequestStart.  
Resolution: do user validation in onRequestStart instead of in login.cfm

- Checking a session variable (which is replicated in a cluster) to decide if 
login code should be executed.
Resolution: Don’t do this; always check if the cflogin scope exists (see docs 
and sample code).

Here is some example code; note that this is onRequest, not onRequestStart.  
Either will work.

select u.userid
from users u
where username = 
and password = 

For more sample CFLOGIN code, see the CF Developers Guide:

  http://livedocs.macromedia.com/coldfusion/7/htmldocs/1181.htm  

HTH

Damon

>On 3/23/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
>> But I still wonder why the cflogin cookie includes the full login info
>> (username/password base64 encoded), what does it need to then?
>
>I stand corrected again!
>
>I did further testing and the cflogin/cfloginuser code will
>automatically login the user on the second server if the user has the
>cflogin cookie from the first server.
>
>It looks like using cflogin (set to use cookies) correctly will work
>for my setup with multiple servers not clustered, even if it's not very
>secure (since the cookie includes the username/password).
>
>Regards.
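An Application.cfc that applies the three resolutions Damon lists (no nested cflogin in login.cfm, cfloginuser in onRequestStart, the cflogin scope rather than a session variable as the gate), added here as an illustration; it is not Damon's stripped sample and not Macromedia's documentation code. The datasource "appdsn", the users table columns and the file loginform.cfm are assumptions.

```cfml
<!--- Application.cfc: added example, not the original poster's code.
      Datasource "appdsn", the users table layout and loginform.cfm are assumed. --->
<cfcomponent output="false">
  <cfset this.name = "ClusterLoginDemo">
  <cfset this.sessionManagement = true>
  <!--- loginStorage="session" keeps the username/password out of the browser
        cookie (the cookie form is only Base64 encoded); the session scope must
        then be replicated across the cluster nodes. --->
  <cfset this.loginStorage = "session">

  <cffunction name="onRequestStart" returntype="boolean" output="true">
    <cfargument name="targetPage" type="string" required="true">

    <!--- Explicit logout is handled before cflogin so the body runs again. --->
    <cfif structKeyExists(url, "logout")>
      <cflogout>
    </cfif>

    <!--- The cflogin body does not run for a request that is already
          authenticated on this node. Do not gate it on a session variable:
          login state and session state are tracked separately per server. --->
    <cflogin>
      <!--- The cflogin scope exists only when credentials arrived with the
            request (j_username/j_password form fields, the cflogin cookie,
            or HTTP Basic auth). With no credentials, fall through and prompt. --->
      <cfif isDefined("cflogin")>
        <!--- Parameterised lookup. In practice the stored value should be a
              password hash compared against hash(cflogin.password), not the
              clear text shown here. --->
        <cfquery name="qUser" datasource="appdsn">
          select u.userid, u.roles
          from users u
          where u.username = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
            and u.password = <cfqueryparam value="#cflogin.password#" cfsqltype="cf_sql_varchar">
        </cfquery>

        <!--- Exactly one match: establish the login on THIS server and assign
              the roles here, not in a second cflogin inside login.cfm. --->
        <cfif qUser.recordCount eq 1>
          <cfloginuser name="#cflogin.name#"
                       password="#cflogin.password#"
                       roles="#qUser.roles#">
        </cfif>
      </cfif>
    </cflogin>

    <!--- Still not authenticated (no credentials, or a bad pair): show the
          form and stop the requested page from running. --->
    <cfif not isUserLoggedIn()>
      <cfinclude template="loginform.cfm">
      <cfreturn false>
    </cfif>

    <cfreturn true>
  </cffunction>
</cfcomponent>
```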

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:241364


Re: cflogin and load balancing

2006-03-28 Thread Douglas Knudsen
nope and nope.

I've setup JAAS in JRun, seems to work fine.  In fact I setup a
serverwide SSO solution using JAAS where CF can interface with it
simply.

DK

On 3/28/06, Andy Allan <[EMAIL PROTECTED]> wrote:
> Isn't cflogin already based on JAAS? The CF (or indeed JRun)
> implementation just happens to be botched?
>
> Andy
>
> On 28/03/06, Douglas Knudsen <[EMAIL PROTECTED]> wrote:
> > I've been wondering why the CF team has not switched over to using
> > J2EE security.  A rewrite of cflogin code that can use JAAS would be
> > just swell and allow integration with non CF J2EE products without
> > messing with web.xml files and such, eh?
> >
> > DK
> >
> > On 3/27/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> > > On 3/26/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> > > > It doesn't work that way.  Since your CFLOGINUSER call is inside a 
> > > > CFLOGIN call, that CFLOGIN call *won't* run when the second server sees 
> > > > your authentication cookie because CFLOGIN only runs when you are *not* 
> > > > authenticated.
> > >
> > > Actually, according to my testing (ColdFusion 6.1 with the Updater),
> > > when the second server sees the cflogin cookie, it will automatically
> > > run the cflogin/cfloginuser code and authenticate/authorize the user.
> > >
> > > Can anyone verify this with ColdFusion MX 7?
> > >
> > > Thanks.
> > >
> > >
> >
> >
>
> 

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236320


Re: cflogin and load balancing

2006-03-28 Thread Andy Allan
Isn't cflogin already based on JAAS? The CF (or indeed JRun)
implementation just happens to be botched?

Andy

On 28/03/06, Douglas Knudsen <[EMAIL PROTECTED]> wrote:
> I've been wondering why the CF team has not switched over to using
> J2EE security.  A rewrite of cflogin code that can use JAAS would be
> just swell and allow integration with non CF J2EE products without
> messing with web.xml files and such, eh?
>
> DK
>
> On 3/27/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> > On 3/26/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> > > It doesn't work that way.  Since your CFLOGINUSER call is inside a 
> > > CFLOGIN call, that CFLOGIN call *won't* run when the second server sees 
> > > your authentication cookie because CFLOGIN only runs when you are *not* 
> > > authenticated.
> >
> > Actually, according to my testing (ColdFusion 6.1 with the Updater),
> > when the second server sees the cflogin cookie, it will automatically
> > run the cflogin/cfloginuser code and authenticate/authorize the user.
> >
> > Can anyone verify this with ColdFusion MX 7?
> >
> > Thanks.
> >
> >
>
> 

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236305


Re: cflogin and load balancing

2006-03-27 Thread Douglas Knudsen
I've been wondering why the CF team has not switched over to using
J2EE security.  A rewrite of cflogin code that can use JAAS would be
just swell and allow integration with non CF J2EE products without
messing with web.xml files and such, eh?

DK

On 3/27/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> On 3/26/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> > It doesn't work that way.  Since your CFLOGINUSER call is inside a CFLOGIN 
> > call, that CFLOGIN call *won't* run when the second server sees your 
> > authentication cookie because CFLOGIN only runs when you are *not* 
> > authenticated.
>
> Actually, according to my testing (ColdFusion 6.1 with the Updater),
> when the second server sees the cflogin cookie, it will automatically
> run the cflogin/cfloginuser code and authenticate/authorize the user.
>
> Can anyone verify this with ColdFusion MX 7?
>
> Thanks.
>
> 

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236287


Re: cflogin and load balancing

2006-03-27 Thread wolf2k5
On 3/26/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> It doesn't work that way.  Since your CFLOGINUSER call is inside a CFLOGIN 
> call, that CFLOGIN call *won't* run when the second server sees your 
> authentication cookie because CFLOGIN only runs when you are *not* 
> authenticated.

Actually, according to my testing (ColdFusion 6.1 with the Updater),
when the second server sees the cflogin cookie, it will automatically
run the cflogin/cfloginuser code and authenticate/authorize the user.

Can anyone verify this with ColdFusion MX 7?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236233


Re: cflogin and load balancing

2006-03-27 Thread wolf2k5
On 3/26/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> And one more thing... SSL really doesn't matter because you're not going to 
> use it everywhere on your site, only in some places, so everywhere else that 
> doesn't use SSL is still exposed.

The whole application will use HTTPS.

Regards.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236231


Re: cflogin and load balancing

2006-03-26 Thread Adam Churvis
Jochem,

IMHO, having to explicitly test faux credentials on every request and 
logout/login each time you hit a new server in the cluster is a kludge at best.

And I don't mean this as a criticism of you at all -- I highly respect your 
work; it's a criticism of Macromedia/Adobe for letting this problem go on for 
so long.

Why doesn't Adobe just fix CFLOGIN?

Respectfully,

Adam Phillip Churvis
Certified Advanced ColdFusion MX 7 Developer
BlueDragon Alliance Founding Committee



Get advanced intensive Master-level training in
C# & ASP.NET 2.0 for ColdFusion Developers at
ProductivityEnhancement.com

  - Original Message - 
  From: Jochem van Dieten 
  To: CF-Talk 
  Sent: Sunday, March 26, 2006 4:34 PM
  Subject: Re: cflogin and load balancing


  Adam Churvis wrote:
  > It doesn't work that way.  Since your CFLOGINUSER call is inside a CFLOGIN 
  > call, that CFLOGIN call *won't* run when the second server sees your 
  > authentication cookie because CFLOGIN only runs when you are *not* 
  > authenticated.

  So what you do is assign one standard role to everyone. When the 
  user is logged in but does not have that role assigned, you log 
  him out and in again. Role assignments get executed again on the 
  cfloginuser and the user gets his roles. Bit clumsy, but it works.

  Jochem

  

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236226


Re: cflogin and load balancing

2006-03-26 Thread Jochem van Dieten
Adam Churvis wrote:
> It doesn't work that way.  Since your CFLOGINUSER call is inside a CFLOGIN 
> call, that CFLOGIN call *won't* run when the second server sees your 
> authentication cookie because CFLOGIN only runs when you are *not* 
> authenticated.

So what you do is assign one standard role to everyone. When the 
user is logged in but does not have that role assigned, you log 
him out and in again. Role assignments get executed again on the 
cfloginuser and the user gets his roles. Bit clumsy, but it works.

Jochem

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236225


Re: cflogin and load balancing

2006-03-26 Thread Adam Churvis
> And one more thing... SSL really doesn't matter because you're not going to 
> use it everywhere...

As in, "SSL really doesn't matter with respect to your assumption that it 
somewhat mitigates the security concerns about cookie values being exposed."  
Of course SSL matters with respect to just about everything else. :)

Respectfully,

Adam Phillip Churvis
Certified Advanced ColdFusion MX 7 Developer
BlueDragon Alliance Founding Committee



Get advanced intensive Master-level training in
C# & ASP.NET 2.0 for ColdFusion Developers at
ProductivityEnhancement.com

  - Original Message - 
  From: Adam Churvis 
  To: CF-Talk 
  Sent: Sunday, March 26, 2006 1:18 PM
  Subject: Re: cflogin and load balancing


  And one more thing... SSL really doesn't matter because you're not going to 
use it everywhere on your site, only in some places, so everywhere else that 
doesn't use SSL is still exposed.

  You should always use loginStorage="Session" and combine this with a solid 
session syndication mechanism.  If you're running BlueDragon.NET then your best 
bet is ScaleOut StateServer.  The built-in freebie state server that comes with 
Windows craps out around three machines in most cases.

  Respectfully,

  Adam Phillip Churvis
  Certified Advanced ColdFusion MX 7 Developer
  BlueDragon Alliance Founding Committee



  Get advanced intensive Master-level training in
  C# & ASP.NET 2.0 for ColdFusion Developers at
  ProductivityEnhancement.com

- Original Message - 
From: wolf2k5 
To: CF-Talk 
    Sent: Saturday, March 25, 2006 5:02 AM
Subject: Re: cflogin and load balancing


On 3/24/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> If I'm not mistaken, *authorization* (not authentication) can't work 
> across multiple CF servers -- clustered or not -- because there's no mechanism 
> for specifying *roles* on any computer other than the one on which CFLOGINUSER 
> was executed.

But if the cflogin cookie is there, the second server will
automatically execute the cflogin/cfloginuser code, effectively
re-logging in the user and re-assigning him the roles automatically.

Besides the security concerns (username/password in the cookie), that
can be somewhat mitigated using HTTPS, do you see any other issue with
this?

Thanks.



  

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236220


Re: cflogin and load balancing

2006-03-26 Thread Adam Churvis
And one more thing... SSL really doesn't matter because you're not going to use 
it everywhere on your site, only in some places, so everywhere else that 
doesn't use SSL is still exposed.

You should always use loginStorage="Session" and combine this with a solid 
session syndication mechanism.  If you're running BlueDragon.NET then your best 
bet is ScaleOut StateServer.  The built-in freebie state server that comes with 
Windows craps out around three machines in most cases.

Respectfully,

Adam Phillip Churvis
Certified Advanced ColdFusion MX 7 Developer
BlueDragon Alliance Founding Committee



Get advanced intensive Master-level training in
C# & ASP.NET 2.0 for ColdFusion Developers at
ProductivityEnhancement.com

  - Original Message - 
  From: wolf2k5 
  To: CF-Talk 
  Sent: Saturday, March 25, 2006 5:02 AM
  Subject: Re: cflogin and load balancing


  On 3/24/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
  > If I'm not mistaken, *authorization* (not authentication) can't work across 
  > multiple CF servers -- clustered or not -- because there's no mechanism for 
  > specifying *roles* on any computer other than the one on which CFLOGINUSER was 
  > executed.

  But if the cflogin cookie is there, the second server will
  automatically execute the cflogin/cfloginuser code, effectively
  re-logging in the user and re-assigning him the roles automatically.

  Besides the security concerns (username/password in the cookie), that
  can be somewhat mitigated using HTTPS, do you see any other issue with
  this?

  Thanks.

  

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236219


Re: cflogin and load balancing

2006-03-26 Thread Adam Churvis
It doesn't work that way.  Since your CFLOGINUSER call is inside a CFLOGIN 
call, that CFLOGIN call *won't* run when the second server sees your 
authentication cookie because CFLOGIN only runs when you are *not* 
authenticated.

Respectfully,

Adam Phillip Churvis
Certified Advanced ColdFusion MX 7 Developer
BlueDragon Alliance Founding Committee



Get advanced intensive Master-level training in
C# & ASP.NET 2.0 for ColdFusion Developers at
ProductivityEnhancement.com

  - Original Message - 
  From: wolf2k5 
  To: CF-Talk 
  Sent: Saturday, March 25, 2006 5:02 AM
  Subject: Re: cflogin and load balancing


  On 3/24/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
  > If I'm not mistaken, *authorization* (not authentication) can't work across 
  > multiple CF servers -- clustered or not -- because there's no mechanism for 
  > specifying *roles* on any computer other than the one on which CFLOGINUSER was 
  > executed.

  But if the cflogin cookie is there, the second server will
  automatically execute the cflogin/cfloginuser code, effectively
  re-logging in the user and re-assigning him the roles automatically.

  Besides the security concerns (username/password in the cookie), that
  can be somewhat mitigated using HTTPS, do you see any other issue with
  this?

  Thanks.

  

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236218


Re: cflogin and load balancing

2006-03-25 Thread wolf2k5
On 3/24/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> If I'm not mistaken, *authorization* (not authentication) can't work across 
> multiple CF servers -- clustered or not -- because there's no mechanism for 
> specifying *roles* on any computer other than the one on which CFLOGINUSER 
> was executed.

But if the cflogin cookie is there, the second server will
automatically execute the cflogin/cfloginuser code, effectively
re-logging in the user and re-assigning him the roles automatically.

Besides the security concerns (username/password in the cookie), that
can be somewhat mitigated using HTTPS, do you see any other issue with
this?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236202


Re: cflogin and load balancing

2006-03-24 Thread Adam Churvis
If I'm not mistaken, *authorization* (not authentication) can't work across 
multiple CF servers -- clustered or not -- because there's no mechanism for 
specifying *roles* on any computer other than the one on which CFLOGINUSER was 
executed.  

It doesn't matter whether you're using cookies or session (with proper session 
syndication in place) because the cookie contains only the username, password, 
and application name -- no roles.  Which is another reason why you want to use 
loginStorage="Session", as the cookie is not encrypted (it's only Base64 
encoded).

BlueDragon, however, *does* handle all authentication and authorization 
properly across servers with the CFLOGIN framework.

Respectfully,

Adam Phillip Churvis
Certified Advanced ColdFusion MX 7 Developer
BlueDragon Alliance Founding Committee



Get advanced intensive Master-level training in
C# & ASP.NET for ColdFusion Developers at
ProductivityEnhancement.com

  - Original Message - 
  From: wolf2k5 
  To: CF-Talk 
  Sent: Friday, March 24, 2006 4:26 PM
  Subject: Re: cflogin and load balancing


  On 3/23/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
  > ColdFusion Server is broken with respect to the CFLOGIN security framework
  > working on a clustered system with failover.  The reason is that the
  > authentication cookie contains the authentication information but not any
  > authorization (roles) information.  The authorization information is stored
  > locally only on the server on which CFLOGINUSER was called, but not in the
  > Session scope, so this information never gets syndicated to the other
  > machines.

  Setting cflogin to use cookies appears to work fine with multiple non
  clustered CF servers.

  Cheers.

  

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236192


Re: cflogin and load balancing

2006-03-24 Thread wolf2k5
On 3/23/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> ColdFusion Server is broken with respect to the CFLOGIN security framework
> working on a clustered system with failover.  The reason is that the
> authentication cookie contains the authentication information but not any
> authorization (roles) information.  The authorization information is stored
> locally only on the server on which CFLOGINUSER was called, but not in the
> Session scope, so this information never gets syndicated to the other
> machines.

Setting cflogin to use cookies appears to work fine with multiple non
clustered CF servers.

Cheers.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236189


Re: cflogin and load balancing

2006-03-24 Thread wolf2k5
On 3/23/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> But I still wonder why the cflogin cookie includes the full login info
> (username/password base64 encoded), what does it need to then?

I stand corrected again!

I did further testing and the cflogin/cfloginuser code will
automatically login the user on the second server if the user has the
cflogin cookie from the first server.

It looks like using cflogin (set to use cookies) correctly will work
for my setup with multiple servers not clustered, even if it's not very
secure (since the cookie includes the username/password).

Regards.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236187


Re: cflogin and load balancing

2006-03-24 Thread wolf2k5
On 3/23/06, Jochem van Dieten <[EMAIL PROTECTED]> wrote:
> If you have the username and password, why don't you log him in
> yourself?

What do you mean?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236118


Re: cflogin and load balancing

2006-03-23 Thread Jochem van Dieten
wolf2k5 wrote:
> 
> I take this back: I did better testing and the user is NOT
> automatically logged into the second server.
> 
> Basically there is a cflogin limitation with simple DNS round robin
> load balancing (no clustering) on multiple web servers: the login
> session isn't shared between the multiple web servers (even if the
> cflogin cookie contains the full username/password info, that would be
> sufficient to automatically re-authenticate the user behind the scenes
> on another server), apparently, besides the cflogin cookie on the
> client, each CF server maintains its own internal state of the
> logins/logouts sessions.
> 
> What would be the better/easiest way of managing logins on a load
> balanced application w/o clustering the CF instances?

If you have the username and password, why don't you log him in 
yourself?

Jochem

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236086


Re: cflogin and load balancing

2006-03-23 Thread Adam Churvis
Folks,

ColdFusion Server is broken with respect to the CFLOGIN security framework
working on a clustered system with failover.  The reason is that the
authentication cookie contains the authentication information but not any
authorization (roles) information.  The authorization information is stored
locally only on the server on which CFLOGINUSER was called, but not in the
Session scope, so this information never gets syndicated to the other
machines.

This is the reason why we've switched to BlueDragon.NET.  When we discovered
this issue on our hardware load balanced cluster in our load testing lab, we
contacted New Atlanta and within *hours* they sent us a new build that
solved the problem (it's also in their two previous hotfixes).  So unless
I've missed something in the latest build of the Adobe product,
BlueDragon.NET (and I believe its other flavors, too) is the only CFML
processor that works on a cluster with failover at the present time.

BTW, we also use ScaleOut StateServer as the session syndication mechanism,
which lets us scale *way* out without loss of performance.

Respectfully,

Adam Phillip Churvis
Certified Advanced ColdFusion MX 7 Developer
http://www.ProductivityEnhancement.com

Download Plum and other cool development tools,
and get advanced intensive Master-level training:

* C# & ASP.NET for ColdFusion Developers
* ColdFusion MX Master Class
* Advanced Development with CFMX and SQL Server 2000

- Original Message - 
From: "wolf2k5" <[EMAIL PROTECTED]>
To: "CF-Talk" 
Sent: Thursday, March 23, 2006 12:56 PM
Subject: Re: cflogin and load balancing


> On 3/23/06, Dave Watts <[EMAIL PROTECTED]> wrote:
> > Yeah, I didn't get around to testing this, but I would have really been
> > surprised if this were true.
>
> But I still wonder why the cflogin cookie includes the full login info
> (username/password base64 encoded), what does it need to then?
>
> > Build your own login mechanism and have it store information in the
> > database. You could do this using the Client scope or just write the whole
> > thing yourself.
>
> I think I'll go with the Client scope, anything I should pay attention
> to make sure the application is secure and works well?
>
> Thanks.
>
> 

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236075


Re: cflogin and load balancing

2006-03-23 Thread wolf2k5
On 3/23/06, Dave Watts <[EMAIL PROTECTED]> wrote:
> Yeah, I didn't get around to testing this, but I would have really been
> surprised if this were true.

But I still wonder why the cflogin cookie includes the full login info
(username/password base64 encoded), what does it need to then?

> Build your own login mechanism and have it store information in the
> database. You could do this using the Client scope or just write the whole
> thing yourself.

I think I'll go with the Client scope, anything I should pay attention
to make sure the application is secure and works well?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236068


RE: cflogin and load balancing

2006-03-23 Thread Dave Watts
> I take this back: I did better testing and the user is NOT 
> automatically logged into the second server.

Yeah, I didn't get around to testing this, but I would have really been
surprised if this were true.

> What would be the better/easiest way of managing logins on 
> a load balanced application w/o clustering the CF instances?

Build your own login mechanism and have it store information in the
database. You could do this using the Client scope or just write the whole
thing yourself.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!


Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236051


Re: cflogin and load balancing

2006-03-23 Thread James Holmes
A hardware load balancer that provides for sticky sessions will work,
if you can afford it.

On 3/23/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> On 3/22/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> > To reply to my own question: it looks like the cflogin cookie
> > includes the username/password info (I think it's base64 encoded),
> > when jumping from one server to another, the user is already logged
> > into the second server.
>
> I take this back: I did better testing and the user is NOT
> automatically logged into the second server.
>
> Basically there is a cflogin limitation with simple DNS round robin
> load balancing (no clustering) on multiple web servers: the login
> session isn't shared between the multiple web servers (even if the
> cflogin cookie contains the full username/password info, that would be
> sufficient to automatically re-authenticate the user behind the scenes
> on another server), apparently, besides the cflogin cookie on the
> client, each CF server maintains its own internal state of the
> logins/logouts sessions.
>
> What would be the better/easiest way of managing logins on a load
> balanced application w/o clustering the CF instances?
>
> I used the session word to mean login sessions, not CF session variables.

--
CFAJAX docs and other useful articles:
http://jr-holmes.coldfusionjournal.com/

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236028


Re: cflogin and load balancing

2006-03-23 Thread wolf2k5
On 3/22/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> To reply to my own question: it looks like the cflogin cookie
> includes the username/password info (I think it's base64 encoded);
> when jumping from one server to another, the user is already logged
> into the second server.

I take this back: I did better testing and the user is NOT
automatically logged into the second server.

Basically there is a cflogin limitation with simple DNS round robin
load balancing (no clustering) on multiple web servers: the login
session isn't shared between the multiple web servers (even if the
cflogin cookie contains the full username/password info, that would be
sufficient to automatically re-authenticate the user behind the scenes
on another server), apparently, besides the cflogin cookie on the
client, each CF server maintains its own internal state of the
logins/logouts sessions.

What would be the better/easiest way of managing logins on a load
balanced application w/o clustering the CF instances?

I used the word session to mean login sessions, not CF session variables.

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236025
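wolf2k5's question above (keeping a user logged in across round-robin servers without clustering CF) is usually answered with a login ticket that every server can verify on its own. The Python example below is added here and is not from the thread, from ColdFusion or from cflogin; it assumes a signing key shared by all servers in the pool (a constructed value here) and shows two things: that a cookie carrying base64-encoded credentials, as speculated earlier in the thread, is readable by anyone who holds it, and that an HMAC-signed, expiring ticket is accepted on any server that has the key while a tampered, expired or foreign-key ticket is rejected.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret. In a real pool every server would load the same
# key from protected configuration; this value exists only for the example.
SHARED_KEY = b"example-shared-key-not-for-deployment"


def naive_cookie(username, password):
    """What a cookie carrying base64(user:password) would look like.
    Base64 is an encoding, not encryption: anyone holding the cookie can
    recover the password, so credentials should never travel this way."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def decode_naive_cookie(cookie):
    """Reverse naive_cookie(); no secret of any kind is needed."""
    user, password = base64.b64decode(cookie).decode().split(":", 1)
    return user, password


def _sign(b64_payload, key):
    return hmac.new(key, b64_payload.encode(), hashlib.sha256).hexdigest()


def issue_ticket(username, roles, key=SHARED_KEY, ttl=3600, now=None):
    """Build 'payload.signature' for a user who has just authenticated.

    The payload carries the username, roles and an expiry, never the
    password. Any server holding the same key can verify it, so a user
    sent to a different server by DNS round robin stays logged in."""
    now = int(time.time()) if now is None else now
    payload = {"u": username, "r": sorted(roles), "exp": now + ttl}
    raw = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    b64 = base64.urlsafe_b64encode(raw).decode()
    return f"{b64}.{_sign(b64, key)}"


def verify_ticket(ticket, key=SHARED_KEY, now=None):
    """Return the payload dict if signature and expiry check out, else None.
    Verification needs no per-server login state at all."""
    now = int(time.time()) if now is None else now
    parts = ticket.split(".", 1)
    if len(parts) != 2:
        return None
    b64, sig = parts
    # Constant-time comparison so the signature check leaks no timing info.
    if not hmac.compare_digest(_sign(b64, key), sig):
        return None
    try:
        payload = json.loads(base64.urlsafe_b64decode(b64.encode()))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


def tampered_copy(ticket, new_username):
    """Rewrite the username in a ticket without re-signing it, to show that
    verify_ticket() rejects a modified payload (test fixture only)."""
    b64, sig = ticket.split(".", 1)
    payload = json.loads(base64.urlsafe_b64decode(b64.encode()))
    payload["u"] = new_username
    raw = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    return f"{base64.urlsafe_b64encode(raw).decode()}.{sig}"


if __name__ == "__main__":
    # server1 issues the ticket after a successful login at t=1000
    ticket = issue_ticket("alice", ["user"], now=1000)
    # server2, holding the same key, accepts it with no shared session
    print(verify_ticket(ticket, now=1500))
    print(verify_ticket(ticket, now=5000))                        # expired
    print(verify_ticket(tampered_copy(ticket, "admin"), now=1500))  # tampered
    print(decode_naive_cookie(naive_cookie("alice", "s3cret")))
```

The ticket would be set as a cookie by whichever server handled the login and checked by a request filter on every server; because verification depends only on the key, the servers need no clustering or shared session store, and rotating the key logs everyone out at once.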


Re: cflogin and load balancing

2006-03-22 Thread wolf2k5
On 3/22/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> Now I'm hitting a weird issue with cflogin: sometimes after using my
> app for a while, I'm logged out automatically. I cannot reproduce
> the issue in a consistent way, but it happens once in a while.

BTW, I'm on ColdFusion MX 6.1 Updater (6,1,0,83762).

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:235995


Re: cflogin and load balancing

2006-03-22 Thread wolf2k5
On 3/21/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> That's exactly what I'm wondering: does the cflogin cookie include all
> the info (username/password) needed to (automatically)
> (re)authenticate the user on a server if he previously authenticated
> on another server?

To reply to my own question: it looks like the cflogin cookie
includes the username/password info (I think it's base64 encoded);
when jumping from one server to another, the user is already logged
into the second server.

Now I'm hitting a weird issue with cflogin: sometimes after using my
app for a while, I'm logged out automatically. I cannot reproduce
the issue in a consistent way, but it happens once in a while.

Any idea?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:235994


Re: cflogin and load balancing

2006-03-21 Thread wolf2k5
On 3/21/06, Dave Watts <[EMAIL PROTECTED]> wrote:
> If you use round-robin DNS, it is unlikely that the user will be sent to one
> server, then another. When the user attempts to connect initially, the DNS
> server will issue one IP address, and that IP address will be cached for
> some time by the client. Even if that first server fails, the user will not
> be sent to another server.

Most probably we'll be using a very low TTL, so there is a chance that
a user will jump from one server to another: even if most browsers
just cache the IP address and ignore the TTL, that may not be true for
all.

> Aside from that, though, I don't think there's any way to share CFLOGIN data
> without associating it with the Session scope, and sharing that across the
> servers. This would require CF clustering. When you use the CFLOGIN tag, it
> does write a cookie which contains something, but I don't know if it
> contains everything that is set by CFLOGINUSER.

That's exactly what I'm wondering: does the cflogin cookie include all
the info (username/password) needed to (automatically)
(re)authenticate the user on a server if he previously authenticated
on another server? Anyone tried this?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:235907


RE: cflogin and load balancing

2006-03-21 Thread Dave Watts
> The user will have to login, before being able to use any 
> feature of the application.
> 
> I was thinking to use the CF security framework (cflogin, 
> etc.) to manage authentication and authorization for my 
> application.
> 
> Most probably the application will reside on several web 
> servers and the load balancing technique will be simple DNS 
> round robin.
> 
> So there is a chance that a user will log in to server1 and his 
> next request will be to server2.
> 
> I think that server2 won't automatically figure out that the 
> user already logged in on server1 and it will require him to 
> login again.
> 
> What is the easiest way to have all the servers share the 
> cflogin info and prevent re-login when jumping from one 
> server to another?
> 
> This is a very simple application and I'd prefer to avoid 
> full blown CF clustering if possible.

If you use round-robin DNS, it is unlikely that the user will be sent to one
server, then another. When the user attempts to connect initially, the DNS
server will issue one IP address, and that IP address will be cached for
some time by the client. Even if that first server fails, the user will not
be sent to another server.

Aside from that, though, I don't think there's any way to share CFLOGIN data
without associating it with the Session scope, and sharing that across the
servers. This would require CF clustering. When you use the CFLOGIN tag, it
does write a cookie which contains something, but I don't know if it
contains everything that is set by CFLOGINUSER.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/



Message: http://www.houseoffusion.com/lists.cfm/link=i:4:235885