RE: cflogin and load balancing
Dave,

Do you mean when using NLBS (the windows clustering solution)? I was under the impression that it could not do this.

-Mark

----- Original Message -----
From: Dave Ross [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 24, 2006 6:12 PM
To: CF-Talk
Subject: Re: cflogin and load balancing

Win2k3 will do sticky sessions when clustered using NLB

-Dave

> A hardware load balancer that provides for sticky sessions will work,
> if you can afford it.
>
> On 3/23/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
>
> --
> CFAJAX docs and other useful articles:
> http://jr-holmes.coldfusionjournal.com/

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:241427
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
Re: cflogin and load balancing
Win2k3 will do sticky sessions when clustered using NLB

-Dave

> A hardware load balancer that provides for sticky sessions will work,
> if you can afford it.
>
> On 3/23/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
>
> --
> CFAJAX docs and other useful articles:
> http://jr-holmes.coldfusionjournal.com/

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:241383
Re: cflogin and load balancing
Just to complete this thread, since it's been linked to by several folks:

One customer in particular had issues and we walked them through their code issues. In particular, the following problems were found that prevented CFLOGIN working in a clustered environment:

- There are nested cflogin tags. Resolution: Remove the cflogin code in login.cfm
- CFLoginUser is not executed in onRequestStart. Resolution: do user validation in onRequestStart instead of in login.cfm
- Checking a session variable (which is replicated in a cluster) to decide if login code should be executed. Resolution: Don't do this; always check if the cflogin scope exists (see docs and sample code).

Here is some example code, note that this is onRequest, not onRequestStart. Either will work.

    select u.userid from users u where username = and password =

For more sample CFLOGIN code, see the CF Developers Guide:
http://livedocs.macromedia.com/coldfusion/7/htmldocs/1181.htm

HTH
Damon

> On 3/23/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> > But I still wonder why the cflogin cookie includes the full login info
> > (username/password base64 encoded), what does it need to then?
>
> I stand corrected again!
>
> I did further testing and the cflogin/cfloginuser code will
> automatically login the user on the second server if the user has the
> cflogin cookie from the first server.
>
> It looks like using cflogin (set to use cookies) correctly will work
> for my setup with multiple servers not clustered, even if it's not very
> secure (since the cookie includes the username/password).
>
> Regards.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:241364
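The pattern Damon describes (cflogin in Application.cfc, gated on the cflogin scope rather than a session variable, with cfloginuser re-run on whichever node the request lands) written out as an added example; this is not Damon's, Adobe's or the customer's code. Assumed: a datasource named appDSN, a users table with userid, username, password_hash and roles columns, a login.cfm form posting the j_username/j_password fields cflogin expects, and SHA-256 hex digests in password_hash (hash() with an algorithm argument needs CFMX 7 or later).

```cfml
<!--- Application.cfc: added example, not code from the thread.
      Assumptions: datasource "appDSN"; table users(userid, username, password_hash, roles);
      login.cfm posts j_username / j_password, the field names cflogin reads. --->
<cfcomponent output="false">

  <cfset this.name = "clusterLoginDemo">
  <cfset this.sessionManagement = true>
  <!--- Keep the login in the (replicated) Session scope instead of the
        CFAUTHORIZATION cookie, which only base64-encodes username:password. --->
  <cfset this.loginStorage = "session">

  <cffunction name="onRequestStart" returntype="boolean" output="true">
    <cfargument name="targetPage" type="string" required="true">

    <cfif structKeyExists(url, "logout")>
      <cflogout>
    </cfif>

    <!--- The cflogin body runs only when THIS node has no login for the user,
          which is exactly the situation after the load balancer moves the
          request to another node. Do not gate it on a session variable: the
          session may be replicated while the node's login state is not. --->
    <cflogin idletimeout="1800">
      <cfif isDefined("cflogin")>
        <!--- cflogin scope present: credentials came from the login form, an
              HTTP Authorization header, or the cflogin cookie. Validate them
              against the database on every node that runs this block. --->
        <cfquery name="qUser" datasource="appDSN">
          select u.userid, u.roles
          from users u
          where u.username = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
            and u.password_hash = <cfqueryparam value="#hash(cflogin.password, 'SHA-256')#"
                                               cfsqltype="cf_sql_varchar">
        </cfquery>
        <!--- Unsalted SHA-256 keeps the example short; a real deployment stores
              a salted hash and compares against that. --->

        <cfif qUser.recordCount eq 1>
          <!--- Roles exist only on the node that ran cfloginuser, so they are
                re-issued here each time the cflogin body executes. --->
          <cfloginuser name="#cflogin.name#"
                       password="#cflogin.password#"
                       roles="#qUser.roles#">
        <cfelse>
          <!--- Bad credentials: show the form again and stop the request. --->
          <cfinclude template="login.cfm">
          <cfabort>
        </cfif>
      <cfelse>
        <!--- No credentials at all: show the form and stop the request. --->
        <cfinclude template="login.cfm">
        <cfabort>
      </cfif>
    </cflogin>

    <cfreturn true>
  </cffunction>

</cfcomponent>
```

Note that login.cfm itself contains no cflogin tag, which is the nested-cflogin problem from the first bullet; it only renders the form.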
Re: cflogin and load balancing
nope and nope. I've set up JAAS in JRun, seems to work fine. In fact I set up a server-wide SSO solution using JAAS where CF can interface with it simply.

DK

On 3/28/06, Andy Allan <[EMAIL PROTECTED]> wrote:
> Isn't cflogin already based on JAAS? The CF (or indeed JRun)
> implementation just happens to be botched?
>
> Andy
>
> On 28/03/06, Douglas Knudsen <[EMAIL PROTECTED]> wrote:
> > I've been wondering why the CF team has not switched over to using
> > J2EE security. A rewrite of cflogin code that can use JAAS would be
> > just swell and allow integration with non CF J2EE products without
> > messing with web.xml files and such, eh?
> >
> > DK
> >
> > On 3/27/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> > > On 3/26/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> > > > It doesn't work that way. Since your CFLOGINUSER call is inside a
> > > > CFLOGIN call, that CFLOGIN call *won't* run when the second server sees
> > > > your authentication cookie because CFLOGIN only runs when you are *not*
> > > > authenticated.
> > >
> > > Actually, according to my testing (ColdFusion 6.1 with the Updater),
> > > when the second server sees the cflogin cookie, it will automatically
> > > run the cflogin/cfloginuser code and authenticate/authorize the user.
> > >
> > > Can anyone verify this with ColdFusion MX 7?
> > >
> > > Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236320
Re: cflogin and load balancing
Isn't cflogin already based on JAAS? The CF (or indeed JRun) implementation just happens to be botched?

Andy

On 28/03/06, Douglas Knudsen <[EMAIL PROTECTED]> wrote:
> I've been wondering why the CF team has not switched over to using
> J2EE security. A rewrite of cflogin code that can use JAAS would be
> just swell and allow integration with non CF J2EE products without
> messing with web.xml files and such, eh?
>
> DK
>
> On 3/27/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> > On 3/26/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> > > It doesn't work that way. Since your CFLOGINUSER call is inside a
> > > CFLOGIN call, that CFLOGIN call *won't* run when the second server sees
> > > your authentication cookie because CFLOGIN only runs when you are *not*
> > > authenticated.
> >
> > Actually, according to my testing (ColdFusion 6.1 with the Updater),
> > when the second server sees the cflogin cookie, it will automatically
> > run the cflogin/cfloginuser code and authenticate/authorize the user.
> >
> > Can anyone verify this with ColdFusion MX 7?
> >
> > Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236305
Re: cflogin and load balancing
I've been wondering why the CF team has not switched over to using J2EE security. A rewrite of cflogin code that can use JAAS would be just swell and allow integration with non CF J2EE products without messing with web.xml files and such, eh?

DK

On 3/27/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> On 3/26/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> > It doesn't work that way. Since your CFLOGINUSER call is inside a CFLOGIN
> > call, that CFLOGIN call *won't* run when the second server sees your
> > authentication cookie because CFLOGIN only runs when you are *not*
> > authenticated.
>
> Actually, according to my testing (ColdFusion 6.1 with the Updater),
> when the second server sees the cflogin cookie, it will automatically
> run the cflogin/cfloginuser code and authenticate/authorize the user.
>
> Can anyone verify this with ColdFusion MX 7?
>
> Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236287
Re: cflogin and load balancing
On 3/26/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> It doesn't work that way. Since your CFLOGINUSER call is inside a CFLOGIN
> call, that CFLOGIN call *won't* run when the second server sees your
> authentication cookie because CFLOGIN only runs when you are *not*
> authenticated.

Actually, according to my testing (ColdFusion 6.1 with the Updater), when the second server sees the cflogin cookie, it will automatically run the cflogin/cfloginuser code and authenticate/authorize the user.

Can anyone verify this with ColdFusion MX 7?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236233
Re: cflogin and load balancing
On 3/26/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> And one more thing... SSL really doesn't matter because you're not going to
> use it everywhere on your site, only in some places, so everywhere else that
> doesn't use SSL is still exposed.

The whole application will use HTTPS.

Regards.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236231
Re: cflogin and load balancing
Jochem,

IMHO, having to explicitly test faux credentials on every request and logout/login each time you hit a new server in the cluster is a kludge at best. And I don't mean this as a criticism of you at all -- I highly respect your work; it's a criticism of Macromedia/Adobe for letting this problem go on for so long.

Why doesn't Adobe just fix CFLOGIN?

Respectfully,

Adam Phillip Churvis
Certified Advanced ColdFusion MX 7 Developer
BlueDragon Alliance Founding Committee

Get advanced intensive Master-level training in C# & ASP.NET 2.0 for ColdFusion Developers at ProductivityEnhancement.com

----- Original Message -----
From: Jochem van Dieten
To: CF-Talk
Sent: Sunday, March 26, 2006 4:34 PM
Subject: Re: cflogin and load balancing

Adam Churvis wrote:
> It doesn't work that way. Since your CFLOGINUSER call is inside a CFLOGIN
> call, that CFLOGIN call *won't* run when the second server sees your
> authentication cookie because CFLOGIN only runs when you are *not*
> authenticated.

So what you do is assign one standard role to everyone. When the user is logged in but does not have that role assigned, you log him out and in again. Role assignments get executed again on the cfloginuser and the user gets his roles. Bit clumsy, but it works.

Jochem

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236226
Re: cflogin and load balancing
Adam Churvis wrote:
> It doesn't work that way. Since your CFLOGINUSER call is inside a CFLOGIN
> call, that CFLOGIN call *won't* run when the second server sees your
> authentication cookie because CFLOGIN only runs when you are *not*
> authenticated.

So what you do is assign one standard role to everyone. When the user is logged in but does not have that role assigned, you log him out and in again. Role assignments get executed again on the cfloginuser and the user gets his roles. Bit clumsy, but it works.

Jochem

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236225
Re: cflogin and load balancing
> And one more thing... SSL really doesn't matter because you're not going to
> use it everywhere...

As in, "SSL really doesn't matter with respect to your assumption that it somewhat mitigates the security concerns about cookie values being exposed." Of course SSL matters with respect to just about everything else. :)

Respectfully,

Adam Phillip Churvis
Certified Advanced ColdFusion MX 7 Developer
BlueDragon Alliance Founding Committee

Get advanced intensive Master-level training in C# & ASP.NET 2.0 for ColdFusion Developers at ProductivityEnhancement.com

----- Original Message -----
From: Adam Churvis
To: CF-Talk
Sent: Sunday, March 26, 2006 1:18 PM
Subject: Re: cflogin and load balancing

And one more thing... SSL really doesn't matter because you're not going to use it everywhere on your site, only in some places, so everywhere else that doesn't use SSL is still exposed.

You should always use loginStorage="Session" and combine this with a solid session syndication mechanism. If you're running BlueDragon.NET then your best bet is ScaleOut StateServer. The built-in freebie state server that comes with Windows craps out around three machines in most cases.

Respectfully,

Adam Phillip Churvis
Certified Advanced ColdFusion MX 7 Developer
BlueDragon Alliance Founding Committee

Get advanced intensive Master-level training in C# & ASP.NET 2.0 for ColdFusion Developers at ProductivityEnhancement.com

----- Original Message -----
From: wolf2k5
To: CF-Talk
Sent: Saturday, March 25, 2006 5:02 AM
Subject: Re: cflogin and load balancing

On 3/24/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> If I'm not mistaken, *authorization* (not authentication) can't work across
> multiple CF servers -- clustered or not -- because there's no mechanism for
> specifying *roles* on any computer other than the one on which CFLOGINUSER
> was executed.

But if the cflogin cookie is there, the second server will automatically execute the cflogin/cfloginuser code, effectively re-logging in the user and re-assigning him the roles automatically.

Besides the security concerns (username/password in the cookie), that can be somewhat mitigated using HTTPS, do you see any other issue with this?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236220
Re: cflogin and load balancing
And one more thing... SSL really doesn't matter because you're not going to use it everywhere on your site, only in some places, so everywhere else that doesn't use SSL is still exposed.

You should always use loginStorage="Session" and combine this with a solid session syndication mechanism. If you're running BlueDragon.NET then your best bet is ScaleOut StateServer. The built-in freebie state server that comes with Windows craps out around three machines in most cases.

Respectfully,

Adam Phillip Churvis
Certified Advanced ColdFusion MX 7 Developer
BlueDragon Alliance Founding Committee

Get advanced intensive Master-level training in C# & ASP.NET 2.0 for ColdFusion Developers at ProductivityEnhancement.com

----- Original Message -----
From: wolf2k5
To: CF-Talk
Sent: Saturday, March 25, 2006 5:02 AM
Subject: Re: cflogin and load balancing

On 3/24/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> If I'm not mistaken, *authorization* (not authentication) can't work across
> multiple CF servers -- clustered or not -- because there's no mechanism for
> specifying *roles* on any computer other than the one on which CFLOGINUSER
> was executed.

But if the cflogin cookie is there, the second server will automatically execute the cflogin/cfloginuser code, effectively re-logging in the user and re-assigning him the roles automatically.

Besides the security concerns (username/password in the cookie), that can be somewhat mitigated using HTTPS, do you see any other issue with this?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236219
Re: cflogin and load balancing
It doesn't work that way. Since your CFLOGINUSER call is inside a CFLOGIN call, that CFLOGIN call *won't* run when the second server sees your authentication cookie because CFLOGIN only runs when you are *not* authenticated.

Respectfully,

Adam Phillip Churvis
Certified Advanced ColdFusion MX 7 Developer
BlueDragon Alliance Founding Committee

Get advanced intensive Master-level training in C# & ASP.NET 2.0 for ColdFusion Developers at ProductivityEnhancement.com

----- Original Message -----
From: wolf2k5
To: CF-Talk
Sent: Saturday, March 25, 2006 5:02 AM
Subject: Re: cflogin and load balancing

On 3/24/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> If I'm not mistaken, *authorization* (not authentication) can't work across
> multiple CF servers -- clustered or not -- because there's no mechanism for
> specifying *roles* on any computer other than the one on which CFLOGINUSER
> was executed.

But if the cflogin cookie is there, the second server will automatically execute the cflogin/cfloginuser code, effectively re-logging in the user and re-assigning him the roles automatically.

Besides the security concerns (username/password in the cookie), that can be somewhat mitigated using HTTPS, do you see any other issue with this?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236218
Re: cflogin and load balancing
On 3/24/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> If I'm not mistaken, *authorization* (not authentication) can't work across
> multiple CF servers -- clustered or not -- because there's no mechanism for
> specifying *roles* on any computer other than the one on which CFLOGINUSER
> was executed.

But if the cflogin cookie is there, the second server will automatically execute the cflogin/cfloginuser code, effectively re-logging in the user and re-assigning him the roles automatically.

Besides the security concerns (username/password in the cookie), that can be somewhat mitigated using HTTPS, do you see any other issue with this?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236202
Re: cflogin and load balancing
If I'm not mistaken, *authorization* (not authentication) can't work across multiple CF servers -- clustered or not -- because there's no mechanism for specifying *roles* on any computer other than the one on which CFLOGINUSER was executed. It doesn't matter whether you're using cookies or session (with proper session syndication in place) because the cookie contains only the username, password, and application name -- no roles. Which is another reason why you want to use loginStorage="Session", as the cookie is not encrypted (it's only Base64 encoded).

BlueDragon, however, *does* handle all authentication and authorization properly across servers with the CFLOGIN framework.

Respectfully,

Adam Phillip Churvis
Certified Advanced ColdFusion MX 7 Developer
BlueDragon Alliance Founding Committee

Get advanced intensive Master-level training in C# & ASP.NET for ColdFusion Developers at ProductivityEnhancement.com

----- Original Message -----
From: wolf2k5
To: CF-Talk
Sent: Friday, March 24, 2006 4:26 PM
Subject: Re: cflogin and load balancing

On 3/23/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> ColdFusion Server is broken with respect to the CFLOGIN security framework
> working on a clustered system with failover. The reason is that the
> authentication cookie contains the authentication information but not any
> authorization (roles) information. The authorization information is stored
> locally only on the server on which CFLOGINUSER was called, but not in the
> Session scope, so this information never gets syndicated to the other
> machines.

Setting cflogin to use cookies appears to work fine with multiple non clustered CF servers.

Cheers.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236192
Re: cflogin and load balancing
On 3/23/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> ColdFusion Server is broken with respect to the CFLOGIN security framework
> working on a clustered system with failover. The reason is that the
> authentication cookie contains the authentication information but not any
> authorization (roles) information. The authorization information is stored
> locally only on the server on which CFLOGINUSER was called, but not in the
> Session scope, so this information never gets syndicated to the other
> machines.

Setting cflogin to use cookies appears to work fine with multiple non clustered CF servers.

Cheers.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236189
Re: cflogin and load balancing
On 3/23/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> But I still wonder why the cflogin cookie includes the full login info
> (username/password base64 encoded), what does it need to then?

I stand corrected again!

I did further testing and the cflogin/cfloginuser code will automatically login the user on the second server if the user has the cflogin cookie from the first server.

It looks like using cflogin (set to use cookies) correctly will work for my setup with multiple servers not clustered, even if it's not very secure (since the cookie includes the username/password).

Regards.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236187
Re: cflogin and load balancing
On 3/23/06, Jochem van Dieten <[EMAIL PROTECTED]> wrote:
> If you have the username and password, why don't you log him in
> yourself?

What do you mean?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236118
Re: cflogin and load balancing
wolf2k5 wrote:
>
> I take this back: I did better testing and the user is NOT
> automatically logged into the second server.
>
> Basically there is a cflogin limitation with simple DNS round robin
> load balancing (no clustering) on multiple web servers: the login
> session isn't shared between the multiple web servers (even if the
> cflogin cookie contains the full username/password info, that would be
> sufficient to automatically re-authenticate the user behind the scenes
> on another server), apparently, besides the cflogin cookie on the
> client, each CF server maintains its own internal state of the
> logins/logouts sessions.
>
> What would be the better/easiest way of managing logins on a load
> balanced application w/o clustering the CF instances?

If you have the username and password, why don't you log him in yourself?

Jochem

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236086
Re: cflogin and load balancing
Folks,

ColdFusion Server is broken with respect to the CFLOGIN security framework working on a clustered system with failover. The reason is that the authentication cookie contains the authentication information but not any authorization (roles) information. The authorization information is stored locally only on the server on which CFLOGINUSER was called, but not in the Session scope, so this information never gets syndicated to the other machines.

This is the reason why we've switched to BlueDragon.NET. When we discovered this issue on our hardware load balanced cluster in our load testing lab, we contacted New Atlanta and within *hours* they sent us a new build that solved the problem (it's also in their two previous hotfixes). So unless I've missed something in the latest build of the Adobe product, BlueDragon.NET (and I believe its other flavors, too) is the only CFML processor that works on a cluster with failover at the present time.

BTW, we also use ScaleOut StateServer as the session syndication mechanism, which lets us scale *way* out without loss of performance.

Respectfully,

Adam Phillip Churvis
Certified Advanced ColdFusion MX 7 Developer
http://www.ProductivityEnhancement.com

Download Plum and other cool development tools, and get advanced intensive Master-level training:
* C# & ASP.NET for ColdFusion Developers
* ColdFusion MX Master Class
* Advanced Development with CFMX and SQL Server 2000

----- Original Message -----
From: "wolf2k5" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Thursday, March 23, 2006 12:56 PM
Subject: Re: cflogin and load balancing

> On 3/23/06, Dave Watts <[EMAIL PROTECTED]> wrote:
> > Yeah, I didn't get around to testing this, but I would have really been
> > surprised if this were true.
>
> But I still wonder why the cflogin cookie includes the full login info
> (username/password base64 encoded), what does it need to then?
>
> > Build your own login mechanism and have it store information in the
> > database. You could do this using the Client scope or just write the whole
> > thing yourself.
>
> I think I'll go with the Client scope, anything I should pay attention
> to to make sure the application is secure and works well?
>
> Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236075
Re: cflogin and load balancing
On 3/23/06, Dave Watts <[EMAIL PROTECTED]> wrote:
> Yeah, I didn't get around to testing this, but I would have really been
> surprised if this were true.

But I still wonder why the cflogin cookie includes the full login info (username/password base64 encoded), what does it need to then?

> Build your own login mechanism and have it store information in the
> database. You could do this using the Client scope or just write the whole
> thing yourself.

I think I'll go with the Client scope, anything I should pay attention to to make sure the application is secure and works well?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236068
RE: cflogin and load balancing
> I take this back: I did better testing and the user is NOT
> automatically logged into the second server.

Yeah, I didn't get around to testing this, but I would have really been surprised if this were true.

> What would be the better/easiest way of managing logins on
> a load balanced application w/o clustering the CF instances?

Build your own login mechanism and have it store information in the database. You could do this using the Client scope or just write the whole thing yourself.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236051
Re: cflogin and load balancing
A hardware load balancer that provides for sticky sessions will work, if you can afford it.

On 3/23/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> On 3/22/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> > To reply to my own question: it looks like that the cflogin cookie
> > includes the username/password info (I think it's base64 encoded),
> > when jumping from one server to another, the user is already logged
> > into the second server.
>
> I take this back: I did better testing and the user is NOT
> automatically logged into the second server.
>
> Basically there is a cflogin limitation with simple DNS round robin
> load balancing (no clustering) on multiple web servers: the login
> session isn't shared between the multiple web servers (even if the
> cflogin cookie contains the full username/password info, that would be
> sufficient to automatically re-authenticate the user behind the scenes
> on another server), apparently, besides the cflogin cookie on the
> client, each CF server maintains its own internal state of the
> logins/logouts sessions.
>
> What would be the better/easiest way of managing logins on a load
> balanced application w/o clustering the CF instances?
>
> I used the session word to mean login sessions, not CF session variables.

--
CFAJAX docs and other useful articles:
http://jr-holmes.coldfusionjournal.com/

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236028
Re: cflogin and load balancing
On 3/22/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> To reply to my own question: it looks like that the cflogin cookie
> includes the username/password info (I think it's base64 encoded),
> when jumping from one server to another, the user is already logged
> into the second server.

I take this back: I did better testing and the user is NOT automatically logged into the second server.

Basically there is a cflogin limitation with simple DNS round robin load balancing (no clustering) on multiple web servers: the login session isn't shared between the multiple web servers (even if the cflogin cookie contains the full username/password info, that would be sufficient to automatically re-authenticate the user behind the scenes on another server), apparently, besides the cflogin cookie on the client, each CF server maintains its own internal state of the logins/logouts sessions.

What would be the better/easiest way of managing logins on a load balanced application w/o clustering the CF instances?

I used the session word to mean login sessions, not CF session variables.

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236025
Re: cflogin and load balancing
On 3/22/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> Now I'm hitting a weird issue with cflogin, sometimes after using my
> app for some time, I'm logged out automatically, I cannot reproduce
> the issue in a consistent way, but it happens once in a while.

BTW, I'm on ColdFusion MX 6.1 Updater (6,1,0,83762).

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:235995
Re: cflogin and load balancing
On 3/21/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> That's exactly what I'm wondering: does the cflogin cookie include all
> the info (username/password) needed to (automatically)
> (re)authenticate the user on a server if he previously authenticated
> on another server?

To reply to my own question: it looks like the cflogin cookie includes the username/password info (I think it's base64 encoded), when jumping from one server to another, the user is already logged into the second server.

Now I'm hitting a weird issue with cflogin, sometimes after using my app for some time, I'm logged out automatically, I cannot reproduce the issue in a consistent way, but it happens once in a while.

Any idea?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:235994
Re: cflogin and load balancing
On 3/21/06, Dave Watts <[EMAIL PROTECTED]> wrote:
> If you use round-robin DNS, it is unlikely that the user will be sent to one
> server, then another. When the user attempts to connect initially, the DNS
> server will issue one IP address, and that IP address will be cached for
> some time by the client. Even if that first server fails, the user will not
> be sent to another server.

Most probably we'll be using a very low TTL, so there is a chance that a user will jump from one server to another: even if most browsers just cache the IP address and ignore the TTL, that may not be true for all.

> Aside from that, though, I don't think there's any way to share CFLOGIN data
> without associating it with the Session scope, and sharing that across the
> servers. This would require CF clustering. When you use the CFLOGIN tag, it
> does write a cookie which contains something, but I don't know if it
> contains everything that is set by CFLOGINUSER.

That's exactly what I'm wondering: does the cflogin cookie include all the info (username/password) needed to (automatically) (re)authenticate the user on a server if he previously authenticated on another server?

Anyone tried this?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:235907
RE: cflogin and load balancing
> The user will have to login, before being able to use any
> feature of the application.
>
> I was thinking to use the CF security framework (cflogin,
> etc.) to manage authentication and authorization for my
> application.
>
> Most probably the application will reside on several web
> servers and the load balancing technique will be simple DNS
> round robin.
>
> So there is a chance that a user will login to server1 and his
> next request will be to server2.
>
> I think that server2 won't automatically figure out that the
> user already logged in on server1 and it will require him to
> login again.
>
> What is the easiest way to have all the servers share the
> cflogin info and prevent re-login when jumping from one
> server to another?
>
> This is a very simple application and I'd prefer to avoid
> full blown CF clustering if possible.

If you use round-robin DNS, it is unlikely that the user will be sent to one server, then another. When the user attempts to connect initially, the DNS server will issue one IP address, and that IP address will be cached for some time by the client. Even if that first server fails, the user will not be sent to another server.

Aside from that, though, I don't think there's any way to share CFLOGIN data without associating it with the Session scope, and sharing that across the servers. This would require CF clustering. When you use the CFLOGIN tag, it does write a cookie which contains something, but I don't know if it contains everything that is set by CFLOGINUSER.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:235885
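Two points in this thread invite a worked illustration: wolf2k5's question of how to manage logins across DNS round-robin servers without clustering the CF instances, and Dave Watts' observation that sharing CFLOGIN data otherwise means sharing the Session scope across servers. The block below is an added example, not code from the thread and not ColdFusion's cflogin implementation; it is written in Python as a language-neutral sketch of the mechanism, and the shared key, the cookie layout and the sample users are constructed values. It first shows that a cookie carrying "user:password" in base64 (the shape wolf2k5 attributes to the cflogin cookie) is merely encoded, so anyone who reads the cookie reads the password. It then shows the stateless alternative: every server in the pool holds the same secret key and accepts an expiring, HMAC-signed token, so a login made on server1 is honoured on server2 with no replicated session state and no password in the cookie.

```python
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Hypothetical shared secret that every server in the pool is configured with
# (constructed sample value; a real deployment loads it from configuration).
SHARED_KEY = b"constructed-sample-key-do-not-use"

# Constructed stand-in for a cookie that carries "user:password" in base64,
# the shape the thread attributes to the cflogin cookie.
CONSTRUCTED_CREDENTIAL_COOKIE = base64.b64encode(b"alice:s3cret").decode("ascii")


def decode_credential_cookie(cookie_value: str) -> Tuple[str, str]:
    """base64 is reversible encoding, not encryption: whoever can read the
    cookie (proxy logs, a shared machine, a copied cookie jar) recovers the
    password with a single call."""
    raw = base64.b64decode(cookie_value).decode("utf-8")
    user, _, password = raw.partition(":")
    return user, password


def issue_token(username: str, ttl_seconds: int, now: Optional[float] = None,
                key: bytes = SHARED_KEY) -> str:
    """Return an expiring login token 'username|expiry|hmac' in urlsafe base64.
    The password is never part of it; the token only attests that a login
    succeeded, bound to a deadline and to the pool's shared key."""
    now = time.time() if now is None else now
    expiry = str(int(now) + ttl_seconds)
    payload = f"{username}|{expiry}".encode("utf-8")
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload + b"|" + mac.encode("ascii")).decode("ascii")


def verify_token(token: str, now: Optional[float] = None,
                 key: bytes = SHARED_KEY) -> Optional[str]:
    """Return the username if the token is authentic and unexpired, else None.
    Any server holding `key` can do this with no shared session state."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii")).decode("utf-8")
        # rsplit: expiry and mac never contain '|', so a '|' in a username is harmless
        username, expiry, mac = raw.rsplit("|", 2)
        expiry_at = int(expiry)
    except ValueError:  # bad base64, bad UTF-8, wrong field count, non-integer expiry
        return None
    payload = f"{username}|{expiry}".encode("utf-8")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    if now >= expiry_at:
        return None
    return username


def tampered_copy(token: str, new_username: str) -> str:
    """Constructed negative test case: rewrite the username but keep the old
    signature. verify_token must reject it because the MAC no longer matches."""
    raw = base64.urlsafe_b64decode(token.encode("ascii")).decode("utf-8")
    _, expiry, mac = raw.rsplit("|", 2)
    forged = f"{new_username}|{expiry}|{mac}".encode("utf-8")
    return base64.urlsafe_b64encode(forged).decode("ascii")


def pool_accepts(token: str, server_keys: Dict[str, bytes], now: float) -> Dict[str, Optional[str]]:
    """Simulate a DNS round-robin pool: each server verifies the token with its
    own configured key. Servers sharing the key accept it; an outlier does not."""
    return {name: verify_token(token, now=now, key=k) for name, k in server_keys.items()}


if __name__ == "__main__":
    print("credential cookie decodes to:", decode_credential_cookie(CONSTRUCTED_CREDENTIAL_COOKIE))
    t = issue_token("alice", 600, now=1_000_000)
    pool = {"server1": SHARED_KEY, "server2": SHARED_KEY, "misconfigured": b"other-key"}
    print("pool verdicts:", pool_accepts(t, pool, now=1_000_100))
    print("tampered token:", verify_token(tampered_copy(t, "admin"), now=1_000_100))
    print("after expiry:", verify_token(t, now=1_000_600))
```

In a CF application the verify step would run in the per-request handler in place of relying on the cflogin cookie alone, and the token would be set as a cookie with the Secure and HttpOnly attributes so it only travels over TLS and is not readable by script. The expiry is the only logout mechanism a purely stateless token has; if an explicit server-side logout is required, that is the point at which some shared state (or a short TTL with re-issue) comes back.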