Re: IE & Cflogin
The idletimeout is part of the cflogin tag and it's separate from the session timeout. If it's longer than or the same as the session timeout it will expire with the session in this case as the loginstorage specified in the OP was "session." If it's shorter than the session timeout, the login will expire even though the session doesn't.

mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/

2009/5/15 Ian Skinner :
> Brian Bradley wrote:
>> To make sure that I have this down (I have to present this today). Using
>> cflogin, the idletimeout is 30 minutes so IE will keep the user logged in
>> for the 30 minutes or whatever time I adjust it to. I can set a cookie that
>> will keep the user logged in indefinitely with if statements, etc.
>
> No that is not it. The idletimeout means that ColdFusion will keep a
> session alive for 30 minutes waiting for another request to come in with
> the session identifier that is usually stored in a cookie. If no new
> request comes in in that time period the session will be deleted and
> ColdFusion will not return the data if the session identifier comes in
> at a later time. The session cookies in IE or any browser can actually
> be set to never expire, but if a request is not sent to the ColdFusion
> server in the 30 minute window the session state on the server will be

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:322561
Re: IE & Cflogin
To make sure that I have this down (I have to present this today). Using cflogin, the idletimeout is 30 minutes so IE will keep the user logged in for the 30 minutes or whatever time I adjust it to. I can set a cookie that will keep the user logged in indefinitely with if statements, etc.

What are the advantages of using cflogin and cfloginuser as opposed to just doing a database query and setting a session variable just by using a form and cfset?
Re: IE & Cflogin
Brian Bradley wrote:
> To make sure that I have this down (I have to present this today). Using
> cflogin, the idletimeout is 30 minutes so IE will keep the user logged in for
> the 30 minutes or whatever time I adjust it to. I can set a cookie that will
> keep the user logged in indefinitely with if statements, etc.

No that is not it. The idletimeout means that ColdFusion will keep a session alive for 30 minutes waiting for another request to come in with the session identifier that is usually stored in a cookie. If no new request comes in in that time period the session will be deleted and ColdFusion will not return the data if the session identifier comes in at a later time. The session cookies in IE or any browser can actually be set to never expire, but if a request is not sent to the ColdFusion server in the 30 minute window the session state on the server will be gone.

> What are the advantages of using cflogin and cfloginuser as opposed to just
> doing a database query and setting a session variable just by using a form
> and cfset - it would seem to me that I would have more control over timeouts,
> etc. that way? Is there increased security behind the cflogin tag?

cflogin and cfloginuser are just a quick and simple way of doing a database query and setting a session variable and it generally uses the same underlying technologies. They just give the developer a tool to use that does not have to be built from the ground up every time.
Re: IE & Cflogin
To make sure that I have this down (I have to present this today). Using cflogin, the idletimeout is 30 minutes so IE will keep the user logged in for the 30 minutes or whatever time I adjust it to. I can set a cookie that will keep the user logged in indefinitely with if statements, etc.

What are the advantages of using cflogin and cfloginuser as opposed to just doing a database query and setting a session variable just by using a form and cfset - it would seem to me that I would have more control over timeouts, etc. that way? Is there increased security behind the cflogin tag?
Re: IE & Cflogin
Oops, hit the enter key accidentally...

Brian,

Can you turn on Debugging and have it show all of the variable scopes? This might help you figure out where the session id is coming from. Pay particular attention to the cookie scope.

Also, check your Application.cfm/cfc for ClientManagement. Is it enabled? If it is, ColdFusion will create cookies and pass in the session id as a token to the cookie, which can cause sessions to be available to IE when you reopen the browser (I've had this happen to me before). If you aren't using client variables in your application, make sure you set ClientManagement to false.

HTH,
Carl

> I have Use J2EE Session Variables checked, as well as Enable
> Application Variables and Enable Session Variables. I don't have any
> code dealing with cookies at this point. Perhaps I have to manipulate
> the default and maximum timeout for the Application variables in the
> administrator? BTW, I am running MX 6.1. Thanks for your help.
Re: IE & Cflogin
> It looks like IE is doing something strange, like storing login
> fields. Which version of IE is involved?
>
> mxAjax / CFAjax docs and other useful articles:
> http://www.bifrost.com.au/blog/
>
> 2009/5/15 Brian Bradley :
>> I have Use J2EE Session Variables checked, as well as Enable
>> Application Variables and Enable Session Variables. I don't have any
>> code dealing with cookies at this point. Perhaps I have to manipulate
>> the default and maximum timeout for the Application variables in the
>> administrator? BTW, I am running MX 6.1. Thanks for your h
Re: IE & Cflogin
Brian Bradley wrote:
> I am confused though. Why is IE ignoring the isDefined? I am saying
> isDefined(login) but if that variable hasn't been set why is it ignoring it.
> I must be missing something...

IE can't ignore the IsDefined(), it knows nothing about it! This is a client|server thing. You really have to understand and separate what happens on the client and what happens on the server.

What you really need to be asking is: "What is IE sending in the request that is allowing the IsDefined() to be true." Either it is sending the proper cookies or get variables to connect to the existing session OR it is sending proper get or form variables to start a new session.
Re: IE & Cflogin
I am confused though. Why is IE ignoring the isDefined? I am saying isDefined(login) but if that variable hasn't been set why is it ignoring it. I must be missing something...
Re: IE & Cflogin
Ian Skinner wrote:
> A message with large sections of entire sentences missing...

The session *NEVER* ends when the browser closes. The browser does not send some message to all the web sites it has visited telling them it is closing down.

If one is using J2EE jsessionid cookies or one has otherwise configured the cfid and cftoken cookies to be per-session cookies, then the cookies should expire when the browser closes. Thus the client would have to start a new session and get new cookies the next time it makes a request from the ColdFusion server.

But the old session has not ended when this happens. It is sitting there, waiting until the session timeout expires, for any new request that might return valid cookies to connect to it. This is an important distinction to understand when dealing with this type of problem.
Re: IE & Cflogin
James Holmes wrote:
> The session will end when the user closes the browser if you've
> enabled J2EE sessions in the CF admin or if you've written code to
> convert the cookies to be session based. Are either of those things
> the case?

The session *NEVER* ends when the browser closes.

If one is using J2EE or one has otherwise configured the cookies used to identify a client to a session state, the cookies should be expired when the browser closes. Thus the client will have to start a new session and get new cookies the next time it connects.

But the old session has not ended. It is sitting there, waiting until the session timeout expires, for any new request that might return valid cookies to connect to it. This is an important distinction to understand when dealing with this type of problem.
Re: IE & Cflogin
IE7 & IE8 are both doing it.
Re: IE & Cflogin
It looks like IE is doing something strange, like storing login fields. Which version of IE is involved?

mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/

2009/5/15 Brian Bradley :
> I have Use J2EE Session Variables checked, as well as Enable Application
> Variables and Enable Session Variables. I don't have any code dealing with
> cookies at this point. Perhaps I have to manipulate the default and maximum
> timeout for the Application variables in the administrator? BTW, I am
> running MX 6.1. Thanks for your h
Re: IE & Cflogin
I have Use J2EE Session Variables checked, as well as Enable Application Variables and Enable Session Variables. I don't have any code dealing with cookies at this point. Perhaps I have to manipulate the default and maximum timeout for the Application variables in the administrator? BTW, I am running MX 6.1. Thanks for your help.
Re: IE & Cflogin
The session will end when the user closes the browser if you've enabled J2EE sessions in the CF admin or if you've written code to convert the cookies to be session based. Are either of those things the case?

mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/

2009/5/15 Brian Bradley :
> I have an application file that requires users to login prior to accessing
> any of the pages in the directory. The first time that a user uses IE, it
> works great and they have to log in. However, it doesn't seem to log them
> out when they close the browser. The next time they open the browser, and go
> to that page, they do not need to log in again. I figured that a session
> would end when the browser closes. It works fine in FireFox and Chrome. Do
> I need to program that somehow? Thanks in ad
IE & Cflogin
I have an application file that requires users to login prior to accessing any of the pages in the directory. The first time that a user uses IE, it works great and they have to log in. However, it doesn't seem to log them out when they close the browser. The next time they open the browser, and go to that page, they do not need to log in again. I figured that a session would end when the browser closes. It works fine in FireFox and Chrome. Do I need to program that somehow? Thanks in advance.

CODE:

You must enter text in both the User Name and Password fields

SELECT * FROM loginTable
INNER JOIN IndividualInformation on loginTable.counter=IndividualInformation.counter
WHERE IndividualInformation.email = '#cflogin.name#'
AND InternetPasswordHash = '#Hash(cflogin.password)#'

Your login information is not valid. Please Try again
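The points made across this thread, put together as an added example (not the original poster's code, whose tags did not survive in the archive): an Application.cfm that passes the login values to the query as bound parameters and sets the session timeout, the shorter cflogin idletimeout, loginstorage and ClientManagement explicitly. The application name, datasource, role and login.cfm are assumed names; the table and column names are the ones in the post.

```cfml
<!--- Application.cfm: added example, not the original poster's code.
      Assumed names: memberArea, membersDSN, the "member" role, login.cfm. --->

<!--- clientmanagement="no": no client-variable cookies unless the app uses them.
      loginstorage="session": the login lives and dies with the server-side session.
      sessiontimeout: after 30 minutes without a request the server discards the
      session, whatever lifetime the browser gives its cookie. --->
<cfapplication name="memberArea"
               sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#"
               clientmanagement="no"
               loginstorage="session">

<!--- Closing the browser sends nothing to the server, so offer a real logout. --->
<cfif StructKeyExists(form, "logout")>
    <cflogout>
</cfif>

<!--- idletimeout is in seconds. 900 is shorter than the session timeout, so the
      login lapses after 15 idle minutes while the session itself lasts 30. --->
<cflogin idletimeout="900">
    <cfset loginMessage = "">
    <cfset loginOK = false>

    <!--- The cflogin structure exists only when the request carries credentials,
          for example form fields named j_username and j_password. --->
    <cfif IsDefined("cflogin")>
        <cfif NOT Len(Trim(cflogin.name)) OR NOT Len(cflogin.password)>
            <cfset loginMessage = "You must enter text in both the User Name and Password fields">
        <cfelse>
            <!--- cfqueryparam sends both values as bound parameters, so nothing the
                  user typed becomes part of the SQL text.
                  Hash() with one argument is unsalted MD5; it is kept only so the
                  value still matches the existing InternetPasswordHash column. --->
            <cfquery name="loginQuery" datasource="membersDSN">
                SELECT loginTable.counter
                FROM loginTable
                INNER JOIN IndividualInformation
                    ON loginTable.counter = IndividualInformation.counter
                WHERE IndividualInformation.email =
                      <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
                  AND InternetPasswordHash =
                      <cfqueryparam value="#Hash(cflogin.password)#" cfsqltype="cf_sql_varchar">
            </cfquery>

            <cfif loginQuery.recordCount EQ 1>
                <cfloginuser name="#cflogin.name#"
                             password="#cflogin.password#"
                             roles="member">
                <cfset loginOK = true>
            <cfelse>
                <cfset loginMessage = "Your login information is not valid. Please Try again">
            </cfif>
        </cfif>
    </cfif>

    <!--- Not authenticated: show the form and stop before any protected page runs. --->
    <cfif NOT loginOK>
        <cfinclude template="login.cfm">
        <cfabort>
    </cfif>
</cflogin>
```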
Re: cflogin fails with CF8 when using special chars in UTF-8 encoding
Since it appears to work in one browser but not in others, I'd try troubleshooting by switching from basic auth to using a form so you can capture what was sent by the browser and save it to a file. See if what is being saved out differs between Opera and Firefox. If it is, then the issue would seem to be a client-side setting. If it isn't, then I'm guessing that it has to do with the http auth part of your equation.

Judah

On Mon, Nov 17, 2008 at 4:54 AM, Markus Wollny <[EMAIL PROTECTED]> wrote:
> Hi!
>
> Sorry for my late answer, I couldn't find the time to pursue this any
> earlier..
>
> Paul Hastings wrote:
>> not really good w/cflogin & you're not showing all your code but i
>> always add to any
>> unicode pages as well as , etc for
>> form & url vars.
>
> We use the correct page encoding and set a BOM, but I also tried
> cfprocessingdirective in addition to everything else, but that didn't work
> either. As this is cflogin with HTTP Basic Auth, form variables are not an
> issue here.
>
>> what do you see if you dump out the form vars? what happens if you
>> stay w/utf-8 & use another password (like '' or something)?
>
> As I said, there are no form variables as there is no form. When the password
> just contains plain ASCII chars, authentication works fine.
>
> What's more puzzling: The issue seems to be somehow browser related; using
> Opera 9.62, I can login successfully even when I use a password with
> non-ASCII chars, but all the other browsers I have tested (i.e. Safari 3.1.2
> for Windows, Internet Explorer 7 and Firefox 3.0.4 for Windows, Safari 3.1
> for Mac OS, Camino 1.5.1Int for Mac and Mozilla 2.0.0.12 for Mac) fail.
>
> Here's a full standalone example which reproduces this error on my servers:
>
> variables.strLogin='foo';
> variables.strPassword='fürth';
> variables.strRealm='Login für diese Seite';
> REQUEST.userAuthenticated = false;
> eq variables.strPassword>
> "http://www.w3.org/TR/html4/loose.dtd";>
> CF-Login-Test
> Login not successful.
> Login successful.
>
> The page is saved in Unicode (UTF-8) with BOM in DreamWeaver. When I call
> this page, I cannot log in. When I change variables.strPassword to something
> that only contains ASCII chars (no Umlauts, special chars), I can login.
>
> We're running ColdFusion 8,0,1,195765 Enterprise 64-bit standalone server
> install, Webserver is Debian's Apache 2.2.3-4+etch6. When I cancel
> authorisation, I get the following response header with Firefox on Windows:
>
> Date: Mon, 17 Nov 2008 12:43:38 GMT
> Server: Apache/2.2.3 (Debian) PHP/5.2.0-9~computec+2 proxy_html/2.5 mod_ssl/2.2.3 OpenSSL/0.9.8c JRun/4.0
> Set-Cookie: CFAUTHORIZATION_=;expires=Sat, 17-Nov-2007 12:43:38 GMT;path=/
> WWW-Authenticate: Basic realm="Login für diese Seite"
> Content-Language: de-DE
> Cache-Control: max-age=0
> Expires: Mon, 17 Nov 2008 12:43:38 GMT
> Connection: close
> Transfer-Encoding: chunked
> Content-Type: text/html; charset=UTF-8
>
> 401 Unauthorized
>
> If I use a plain ascii password and login successfully, I get the following
> response header:
>
> Date: Mon, 17 Nov 2008 12:45:03 GMT
> Server: Apache/2.2.3 (Debian) PHP/5.2.0-9~computec+2 proxy_html/2.5 mod_ssl/2.2.3 OpenSSL/0.9.8c JRun/4.0
> Set-Cookie: CFAUTHORIZATION_=;expires=Sat, 17-Nov-2007 12:45:03 GMT;path=/
> Content-Language: de-DE
> Cache-Control: max-age=0
> Expires: Mon, 17 Nov 2008 12:45:03 GMT
> Connection: close
> Transfer-Encoding: chunked
> Content-Type: text/html; charset=UTF-8
>
> 200 OK
>
> Any ideas on this?
>
> Kind regards
>
> Markus
>
> Computec Media AG
> Registered office and court of registration: Fürth (HRB 8818)
> Executive board: Johannes S. Gözalan (Chairman) and Rainer Rosenbusch
> Chairman of the supervisory board: Jürg Marquard
> VAT identification number: DE 812 575 276
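One way to act on the suggestion above and record what each browser actually sent, as an added example rather than code from the thread: Basic credentials are base64 over whatever bytes the browser chose, so this page reports whether the password bytes it received match the UTF-8 or the ISO-8859-1 encoding of a throwaway test password. The file name, realm, log name and variable names are assumptions, and it needs ColdFusion MX 7 or later for CharsetEncode, CharsetDecode and BinaryEncode.

```cfml
<cfprocessingdirective pageencoding="utf-8">
<!--- authcharset.cfm (assumed name): added diagnostic example, not from the thread.
      Use a throwaway account: testPassword is a test value, never a real credential. --->
<cfset testPassword = "fürth">
<cfset verdict = "no Basic credentials sent">
<cfset byteCount = 0>
<cfset reqHeaders = GetHttpRequestData().headers>

<cfif StructKeyExists(reqHeaders, "Authorization")
      AND ListLen(reqHeaders.Authorization, " ") EQ 2
      AND ListFirst(reqHeaders.Authorization, " ") EQ "Basic">
    <cftry>
        <!--- Base64 to raw bytes, exactly as the browser sent them. --->
        <cfset rawBytes = ToBinary(ListLast(reqHeaders.Authorization, " "))>
        <!--- ISO-8859-1 maps each byte to one character, so splitting on ":" and
              converting back loses nothing, whatever charset the browser used. --->
        <cfset rawChars = CharsetEncode(rawBytes, "iso-8859-1")>
        <cfset colonAt = Find(":", rawChars)>
        <cfif colonAt GT 0 AND colonAt LT Len(rawChars)>
            <cfset sentPart = Mid(rawChars, colonAt + 1, Len(rawChars) - colonAt)>
            <cfset sentHex = BinaryEncode(CharsetDecode(sentPart, "iso-8859-1"), "hex")>
            <cfset byteCount = Len(sentHex) / 2>
            <cfset utf8Hex = BinaryEncode(CharsetDecode(testPassword, "utf-8"), "hex")>
            <cfset latin1Hex = BinaryEncode(CharsetDecode(testPassword, "iso-8859-1"), "hex")>
            <!--- Compare() is a plain string comparison; EQ may compare
                  number-like strings numerically. --->
            <cfif Compare(sentHex, utf8Hex) EQ 0>
                <cfset verdict = "password bytes are UTF-8">
            <cfelseif Compare(sentHex, latin1Hex) EQ 0>
                <cfset verdict = "password bytes are ISO-8859-1">
            <cfelse>
                <cfset verdict = "password bytes match neither encoding of the test password">
            </cfif>
        <cfelse>
            <cfset verdict = "credentials have no password part">
        </cfif>
        <cfcatch type="any">
            <cfset verdict = "Authorization header could not be decoded">
        </cfcatch>
    </cftry>
<cfelse>
    <!--- Ask the browser for credentials, as the page in the thread does. --->
    <cfheader statuscode="401" statustext="Unauthorized">
    <cfheader name="WWW-Authenticate" value='Basic realm="charset-test"'>
</cfif>

<!--- The log gets the verdict and a byte count only, never the credentials.
      The User-Agent is client-supplied, so non-printable characters are replaced. --->
<cfset agent = REReplace(cgi.http_user_agent, "[^ -~]", "?", "all")>
<cflog file="basicauth-charset" type="information"
       text="agent=[#agent#] bytes=#byteCount# result=#verdict#">
<cfcontent type="text/plain; charset=utf-8"><cfoutput>#verdict# (#byteCount# bytes)</cfoutput>
```

Requesting the page once from each browser and entering the test password leaves one log line per browser to compare.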
Re: cflogin fails with CF8 when using special chars in UTF-8 encoding
Hi!

Sorry for my late answer, I couldn't find the time to pursue this any earlier..

Paul Hastings wrote:
> not really good w/cflogin & you're not showing all your code but i
> always add to any
> unicode pages as well as , etc for
> form & url vars.

We use the correct page encoding and set a BOM, but I also tried cfprocessingdirective in addition to everything else, but that didn't work either. As this is cflogin with HTTP Basic Auth, form variables are not an issue here.

> what do you see if you dump out the form vars? what happens if you
> stay w/utf-8 & use another password (like '' or something)?

As I said, there are no form variables as there is no form. When the password just contains plain ASCII chars, authentication works fine.

What's more puzzling: The issue seems to be somehow browser related; using Opera 9.62, I can login successfully even when I use a password with non-ASCII chars, but all the other browsers I have tested (i.e. Safari 3.1.2 for Windows, Internet Explorer 7 and Firefox 3.0.4 for Windows, Safari 3.1 for Mac OS, Camino 1.5.1Int for Mac and Mozilla 2.0.0.12 for Mac) fail.

Here's a full standalone example which reproduces this error on my servers:

variables.strLogin='foo';
variables.strPassword='fürth';
variables.strRealm='Login für diese Seite';
REQUEST.userAuthenticated = false;
http://www.w3.org/TR/html4/loose.dtd";>
CF-Login-Test
Login not successful.
Login successful.

The page is saved in Unicode (UTF-8) with BOM in DreamWeaver. When I call this page, I cannot log in. When I change variables.strPassword to something that only contains ASCII chars (no Umlauts, special chars), I can login.

We're running ColdFusion 8,0,1,195765 Enterprise 64-bit standalone server install, Webserver is Debian's Apache 2.2.3-4+etch6. When I cancel authorisation, I get the following response header with Firefox on Windows:

Date: Mon, 17 Nov 2008 12:43:38 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-9~computec+2 proxy_html/2.5 mod_ssl/2.2.3 OpenSSL/0.9.8c JRun/4.0
Set-Cookie: CFAUTHORIZATION_=;expires=Sat, 17-Nov-2007 12:43:38 GMT;path=/
WWW-Authenticate: Basic realm="Login für diese Seite"
Content-Language: de-DE
Cache-Control: max-age=0
Expires: Mon, 17 Nov 2008 12:43:38 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

401 Unauthorized

If I use a plain ascii password and login successfully, I get the following response header:

Date: Mon, 17 Nov 2008 12:45:03 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-9~computec+2 proxy_html/2.5 mod_ssl/2.2.3 OpenSSL/0.9.8c JRun/4.0
Set-Cookie: CFAUTHORIZATION_=;expires=Sat, 17-Nov-2007 12:45:03 GMT;path=/
Content-Language: de-DE
Cache-Control: max-age=0
Expires: Mon, 17 Nov 2008 12:45:03 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

200 OK

Any ideas on this?

Kind regards

Markus
Re: cflogin fails with CF8 when using special chars in UTF-8 encoding
Markus Wollny wrote:
> Hi!
>
> I've got the following code in an included file:

not really good w/cflogin & you're not showing all your code but i always add to any unicode pages as well as , etc for form & url vars.

> For authentication to work with ColdFusion 8 when the password includes this
> special char, we have to save the include file in ISO-8859-1 encoding. This

what do you see if you dump out the form vars? what happens if you stay w/utf-8 & use another password (like '' or something)? mangling your encoding maybe tells me your form or whatever vars aren't getting thru as unicode.
cflogin fails with CF8 when using special chars in UTF-8 encoding
Hi!

I've got the following code in an included file:

Für diesen Bereich benötigst Du spezielle Zugangsdaten.
Dein Login war erfolgreich!

The site itself is in UTF-8; the include is stored as UTF-8 with BOM. The special char in the password 'fürdich' is correctly encoded as UTF-8. Authentication fails however, the auth-popup is being displayed again and again. The very same thing did work with ColdFusion MX 6.1.

For authentication to work with ColdFusion 8 when the password includes this special char, we have to save the include file in ISO-8859-1 encoding. This leads to another problem, though: The 'ü'-character in the "Basic realm"-message is not displayed correctly, there's a ý-character being displayed instead. On the upside, the user can actually log in successfully after entering the password with the umlaut.

Any ideas on what's going wrong here?

Kind regards

Markus
Re: Keeping people logged in with CFLOGIN
Giving session variables a lifetime of 30 days seems a little scary, particularly so if you have a large number of users visiting your site. It could take up too much memory on your server. Perhaps consider using client cookie variables to recognize users when they come back is another approach?

On Mon, Sep 8, 2008 at 2:17 PM, Philip Kaplan <[EMAIL PROTECTED]> wrote:
> I thought I did, but I just checked and 1 of my 2 clustered servers
> was set to "2 days" timeout in cfadmin. Still, seems like it's timing
> out before 2 days.
>
> Regardless, I'll change it to 30 days and report back.
>
> Thanks!!
>
> On Mon, Sep 8, 2008 at 2:37 AM, Azadi Saryev <[EMAIL PROTECTED]> wrote:
>> set appropriate sessiontimeout var value in your application.cfc/cfm or,
>> globally, in CF Administrator?
>>
>> Azadi Saryev
>> Sabai-dee.com
>> http://www.sabai-dee.com/
>>
>> Philip Kaplan wrote:
>>> Hi,
>>>
>>> My sites use CFLOGIN.
>>>
>>> I want users to stay logged in forever (or at least for a day) until
>>> they physically log out.
>>>
>>> Problem is, it seems sessions only last for a short time, regardless
>>> of how long I set the IDLETIMEOUT parameter.
>>>
>>> Any tricks for keeping sessions alive?
>>>
>>> Philip
Re: Keeping people logged in with CFLOGIN
I thought I did, but I just checked and 1 of my 2 clustered servers was set to "2 days" timeout in cfadmin. Still, seems like it's timing out before 2 days.

Regardless, I'll change it to 30 days and report back.

Thanks!!

On Mon, Sep 8, 2008 at 2:37 AM, Azadi Saryev <[EMAIL PROTECTED]> wrote:
> set appropriate sessiontimeout var value in your application.cfc/cfm or,
> globally, in CF Administrator?
>
> Azadi Saryev
> Sabai-dee.com
> http://www.sabai-dee.com/
>
> Philip Kaplan wrote:
>> Hi,
>>
>> My sites use CFLOGIN.
>>
>> I want users to stay logged in forever (or at least for a day) until
>> they physically log out.
>>
>> Problem is, it seems sessions only last for a short time, regardless
>> of how long I set the IDLETIMEOUT parameter.
>>
>> Any tricks for keeping sessions alive?
>>
>> Philip
Re: Keeping people logged in with CFLOGIN
oh, and the value you set in your application.cfc/cfm can't be greater than the MAX session timeout set in CF Administrator - the MAX setting in CF Admin will be used anyway.

Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/

Philip Kaplan wrote:
> Hi,
>
> My sites use CFLOGIN.
>
> I want users to stay logged in forever (or at least for a day) until
> they physically log out.
>
> Problem is, it seems sessions only last for a short time, regardless
> of how long I set the IDLETIMEOUT parameter.
>
> Any tricks for keeping sessions alive?
>
> Philip
Re: Keeping people logged in with CFLOGIN
set appropriate sessiontimeout var value in your application.cfc/cfm or, globally, in CF Administrator?

Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/

Philip Kaplan wrote:
> Hi,
>
> My sites use CFLOGIN.
>
> I want users to stay logged in forever (or at least for a day) until
> they physically log out.
>
> Problem is, it seems sessions only last for a short time, regardless
> of how long I set the IDLETIMEOUT parameter.
>
> Any tricks for keeping sessions alive?
>
> Philip
Keeping people logged in with CFLOGIN
Hi,

My sites use CFLOGIN.

I want users to stay logged in forever (or at least for a day) until they physically log out.

Problem is, it seems sessions only last for a short time, regardless of how long I set the IDLETIMEOUT parameter.

Any tricks for keeping sessions alive?

Philip
RE: CFLogin, timeout, and querystring
Thanks Chris. I also found a reference with example code at: http://www.tek-tips.com/faqs.cfm?fid=5186

-Original Message-
From: Peterson, Chris [mailto:[EMAIL PROTECTED]
Sent: Monday, January 28, 2008 10:45 AM
To: CF-Talk
Subject: RE: CFLogin, timeout, and querystring

Just write it to a cookie, that's nice and non-sensitive information that a cookie sounds perfect for ;)

Or your login form can capture form scope fields, and pass them forward to the search as hidden form entries?

Chris Peterson

-Original Message-
From: Billy Cox [mailto:[EMAIL PROTECTED]
Sent: Monday, January 28, 2008 11:22 AM
To: CF-Talk
Subject: CFLogin, timeout, and querystring

When a user attempts to do something in my application and they get a login screen instead (due to a timeout), I want the application to remember the query string so that after logging in they can be redirected there.

How would I do this in a way that works with cflogin?

Billy Cox
Old World Spices
[EMAIL PROTECTED]

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297578
RE: CFLogin, timeout, and querystring
On the signup form's FORM tag, just put in the CGI.query_string variables for the ACTION attribute.

M!ke

-Original Message-
From: Billy Cox [mailto:[EMAIL PROTECTED]
Sent: Monday, January 28, 2008 10:22 AM
To: CF-Talk
Subject: CFLogin, timeout, and querystring

When a user attempts to do something in my application and they get a login screen instead (due to a timeout), I want the application to remember the query string so that after logging in they can be redirected there.

How would I do this in a way that works with cflogin?

Billy Cox
Old World Spices
[EMAIL PROTECTED]

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297576
RE: CFLogin, timeout, and querystring
Just write it to a cookie, that's nice and non-sensitive information that a cookie sounds perfect for ;)

Or your login form can capture form scope fields, and pass them forward to the search as hidden form entries?

Chris Peterson

-Original Message-
From: Billy Cox [mailto:[EMAIL PROTECTED]
Sent: Monday, January 28, 2008 11:22 AM
To: CF-Talk
Subject: CFLogin, timeout, and querystring

When a user attempts to do something in my application and they get a login screen instead (due to a timeout), I want the application to remember the query string so that after logging in they can be redirected there.

How would I do this in a way that works with cflogin?

Billy Cox
Old World Spices
[EMAIL PROTECTED]

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297575
CFLogin, timeout, and querystring
When a user attempts to do something in my application and they get a login screen instead (due to a timeout), I want the application to remember the query string so that after logging in they can be redirected there.

How would I do this in a way that works with cflogin?

Billy Cox
Old World Spices
[EMAIL PROTECTED]

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297573
Best Place for CFLOGIN in App.cfc
I'm working on moving from application.cfm to application.cfc. I am going to try CF's CFLOGIN logic, but I don't know the best place to put it. I have seen code samples where CFLOGIN was in onRequestStart and I have seen it in onRequest.

Does it make any difference where I put CFLOGIN?

Thanks
M!ke

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:284280
Re: cflogin
>
>

This is more or less how Fusebox works, and is a good example of why a framework can be helpful in building an application. Having a separated controller layer makes securing sections of an application easier. Not that you need a framework to achieve MVC separation, but it pretty much forces you to adopt that methodology.

> I wouldn't use multiple application.cfc's, you usually need only 1 for
> an entire application. Here are some ideas on how to implement this:

I also agree that for maintainability, it's best to only have one Application.cfc or .cfm per application. Of course there are times when it can't be avoided, but IMHO it's worth some refactoring to get to a single App.cfc or .cfm.

-- Josh

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:282966
RE: cflogin
Dave,

I wouldn't use multiple application.cfc's, you usually need only 1 for an entire application. Here are some ideas on how to implement this:

At the top of each page, include your login code. Make a separate file that contains your tag and your form, then include this only on pages that require authentication. If the user is already logged in, anything between the and won't even be executed, but if they are not logged in they should get your login form. Be sure to at the end of your included login form, before your , so the user does not accidentally get both the login form and your secure content!

You could also set up either a table or an array that tells your application if a page requires a login or not, in your application.cfc take a look at the onRequest() tag. Do something like this:

There are many many ways to do this, just pick one that works for you (obviously the 2nd one won't work well if you have 200 pages you need to secure).

Chris Peterson
Gainey IT
Adobe Certified Advanced Coldfusion Developer

-Original Message-
From: Dave Francis [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 05, 2007 11:12 AM
To: CF-Talk
Subject: cflogin

Hi,

I can't quite get my head around this problem - I want to allow users open access to pages in a "common" sub-folder, but restricted access (based on roles) to other sub-folders. Users shouldn't be asked to Login until they want access to the "restricted" pages.

I tried doing it via Application.cfc, but now I'm looking at an application.cfm in each folder that cfincludes a "forceUserLogin.cfm" page, and additionally incorporates a isUserInRoles().

Will this work, or do I need some code in each page? And will Application.cfc still be processed to set my application variables?

BTW, I'm running the latest "free" version of Bluedragon

Grateful thanks in advance,
Dave

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:282962
Re: cflogin
Dunno about BD, but I usually just use an Application.cfc in the subfolder of the restricted pages.

OnRequest()

Will

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:282960
cflogin
Hi,

I can't quite get my head around this problem - I want to allow users open access to pages in a "common" sub-folder, but restricted access (based on roles) to other sub-folders. Users shouldn't be asked to Login until they want access to the "restricted" pages.

I tried doing it via Application.cfc, but now I'm looking at an application.cfm in each folder that cfincludes a "forceUserLogin.cfm" page, and additionally incorporates a isUserInRoles().

Will this work, or do I need some code in each page? And will Application.cfc still be processed to set my application variables?

BTW, I'm running the latest "free" version of Bluedragon

Grateful thanks in advance,
Dave

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:282959
RE: Session timeouts with ntauthenticate and cflogin
> I'm using a login script in my Application.cfc that authenticates using
> cfntauthenticate to verify username password, then use cflogin to
> actually login to the site. I use session variables throughout the
> site to determine what users can and can't access. The problem I am
> running into is with session time outs and trying to login from more
> than one location. For instance, I have session variables set to
> time-out after 1 hour. However, the user stays logged into the system
> even after the session variables have been trashed, and because of this
> the site generates errors unless they actually pass a ?logout=1 parameter
> through the URL.

Why not associate the CFLOGIN with the session?

or its Application.cfc equivalent

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:279960
Re: Session timeouts with ntauthenticate and cflogin
Nobody has any ideas? *pouts*

Anyone have any links or able to tell me where in the CFWACK or CF Advanced books I should look? I am truly stumped on this.

~Steve

Steve Good wrote:
> Sorry if anyone's mail to me was bounced back, stupid VPN connection
> tricked DynDNS updater for my home network and reported the wrong
> external IP. *grumbles* should be fine now though.
>
> Steve Good
> [EMAIL PROTECTED]
> Portal Hosting
> http://www.lanctr.com
>
> Steve Good wrote:
>
>> Hi gang,
>>
>> I'm using a login script in my Application.cfc that authenticates using
>> cfntauthenticate to verify username password, then use cflogin to
>> actually login to the site. I use session variables throughout the
>> site to determine what users can and can't access. The problem I am
>> running into is with session time outs and trying to login from more
>> than one location. For instance, I have session variables set to
>> time-out after 1 hour. However, the user stays logged into the system
>> even after the session variables have been trashed, and because of
>> this the site generates errors unless they actually pass a ?logout=1
>> parameter through the URL.
>>
>> On my old site I was not authenticating against an Active Directory,
>> and just using queries to verify login credentials. I had no problems
>> with session variables, and if the user was inactive for X number of
>> minutes the script would kick them back to the login screen.
>>
>> How would I do this using cflogin and cfntauthenticate? Below are
>> snippets of my Application.cfc.
>>
>> Thanks for any help in advance!
>>
>> --Truncated --

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:279959
Re: Session timeouts with ntauthenticate and cflogin
Sorry if anyone's mail to me was bounced back, stupid VPN connection tricked DynDNS updater for my home network and reported the wrong external IP. *grumbles* should be fine now though.

Steve Good
[EMAIL PROTECTED]
Portal Hosting
http://www.lanctr.com

Steve Good wrote:
> Hi gang,
>
> I'm using a login script in my Application.cfc that authenticates using
> cfntauthenticate to verify username password, then use cflogin to
> actually login to the site. I use session variables throughout the
> site to determine what users can and can't access. The problem I am
> running into is with session time outs and trying to login from more
> than one location. For instance, I have session variables set to
> time-out after 1 hour. However, the user stays logged into the system
> even after the session variables have been trashed, and because of
> this the site generates errors unless they actually pass a ?logout=1
> parameter through the URL.
>
> On my old site I was not authenticating against an Active Directory,
> and just using queries to verify login credentials. I had no problems
> with session variables, and if the user was inactive for X number of
> minutes the script would kick them back to the login screen.
>
> How would I do this using cflogin and cfntauthenticate? Below are
> snippets of my Application.cfc.
>
> Thanks for any help in advance!
>
> --Truncated --

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:279895
Session timeouts with ntauthenticate and cflogin
Hi gang,

I'm using a login script in my Application.cfc that authenticates using cfntauthenticate to verify username password, then use cflogin to actually login to the site. I use session variables throughout the site to determine what users can and can't access. The problem I am running into is with session time outs and trying to login from more than one location. For instance, I have session variables set to time-out after 1 hour. However, the user stays logged into the system even after the session variables have been trashed, and because of this the site generates errors unless they actually pass a ?logout=1 parameter through the URL.

On my old site I was not authenticating against an Active Directory, and just using queries to verify login credentials. I had no problems with session variables, and if the user was inactive for X number of minutes the script would kick them back to the login screen.

How would I do this using cflogin and cfntauthenticate? Below are snippets of my Application.cfc.

Thanks for any help in advance!

- Application.cfc Snippet -

https://#CGI.SERVER_NAME#/">
SELECT * FROM logins WHERE UserName = '#theusername#'
INSERT INTO logins (UserName, AccountType, CashRec) VALUES ('#theusername#', 1, 0)
SELECT * FROM logins WHERE UserName = '#theusername#'
The password for#theusername#is not correct Please Try again
The user name#theusername#is not valid Please Try again

--
Steve Good
[EMAIL PROTECTED]
Portal Hosting
http://www.lanctr.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:279893
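Added example, not code from any poster in these threads: an Application.cfc that associates the cflogin identity with the session, as the reply above suggests, and shows where the session timeout, the CF Administrator maximum and idletimeout from the "Keeping people logged in with CFLOGIN" replies come into play. The application name, the EXAMPLE domain, loginform.cfm and session.loginUser are assumptions.

```cfml
<!--- Application.cfc: added example. The application name, the domain "EXAMPLE",
      loginform.cfm and session.loginUser are assumptions. --->
<cfcomponent output="false">

    <cfset this.name = "exampleApp">
    <cfset this.sessionManagement = true>
    <!--- Requested session lifetime: 1 hour. The maximum session timeout set in
          the CF Administrator is used instead if this value exceeds it. --->
    <cfset this.sessionTimeout = createTimeSpan(0, 1, 0, 0)>
    <!--- Keep the cflogin identity in the session scope rather than in its own
          cookie, so the login cannot outlive the session. --->
    <cfset this.loginStorage = "session">

    <cffunction name="onRequestStart" returntype="boolean" output="true">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var auth = "">

        <cfif structKeyExists(url, "logout")>
            <cflogout>
            <cfset structDelete(session, "loginUser")>
        </cfif>

        <!--- Defensive guard: an identity without its session data means the two
              have drifted apart. Drop the identity so cflogin runs again instead
              of letting later pages fail on missing session variables. --->
        <cfif len(getAuthUser()) and not structKeyExists(session, "loginUser")>
            <cflogout>
        </cfif>

        <!--- idletimeout is in seconds. With loginStorage="session" the login ends
              with the session if idletimeout is the same or longer, and earlier
              than the session if it is shorter. --->
        <cflogin idletimeout="3600">
            <!--- The cflogin structure exists only when credentials were submitted
                  (form fields j_username and j_password). --->
            <cfif not isDefined("cflogin")>
                <cfinclude template="loginform.cfm">
                <cfabort>
            </cfif>

            <cfntauthenticate username="#cflogin.name#" password="#cflogin.password#"
                              domain="EXAMPLE" result="auth">
            <cfif auth.auth>
                <!--- cfloginuser takes a password attribute; a throwaway value keeps
                      the real password out of login storage. --->
                <cfloginuser name="#cflogin.name#" password="#createUUID()#" roles="user">
                <cfset session.loginUser = cflogin.name>
            <cfelse>
                <cfinclude template="loginform.cfm">
                <cfabort>
            </cfif>
        </cflogin>

        <cfreturn true>
    </cffunction>
</cfcomponent>
```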
Re: cflogin issue with cf7
Does your application name have a space in it? I've seen issues with that before.

On 3/19/07, Casey C Cook <[EMAIL PROTECTED]> wrote:
> When using the cflogin tag on MX 7 we have to use the following code,
> otherwise, we throw a "String index out of range: -1" error. Anyone have
> any insight on this? The error does not appear if we disable netegrity
> siteminder rules, which basically say prompt on any folder you hit.
>
> value="#SESSION.CFAUTHORIZATION#">
>
> Thanks,
> CC
> x56927

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:273101
cflogin issue with cf7
When using the cflogin tag on MX 7 we have to use the following code, otherwise, we throw a "String index out of range: -1" error. Anyone have any insight on this? The error does not appear if we disable netegrity siteminder rules, which basically say prompt on any folder you hit.

Thanks,
CC
x56927

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:273044
Re: CFlogin in application.cfc-Don't force a login
Remember that the inside of a cflogin block will run when you aren't logged in. For a site where you DEMAND login, then you have code like so:

if not logged in:
    show login form
    abort

To NOT require a login, you simply mod your logic like so

if not logged in and this is a protected page:
    show login form
    abort

Does this make sense?

On 2/13/07, Steve Hanzelman <[EMAIL PROTECTED]> wrote:
> I am developing an application where I do not want to force users to sign in
> unless they actually require access to certain portions of the application.
> How can I use cflogin in my application component without that requiring
> "users" from logging in when they do not need to do so?
>
> I have the admin pages/sections blocked with isUserInRole that will then
> redirect them to a login page if they need to access that area.
>
> I guess where I'm confused is that whenever I've used application.cfc and the
> cflogin framework in the past, it required users to sign in prior to doing
> anything in the application. Now, I only need it for certain pages and am
> having a problem.
>
> The example that is loaded in CFIDE\gettingstarted looks to be what I'm
> looking for, but the application.cfc is unreadable.
>
> Thanks for any feedback,
> Steve

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269792
CFlogin in application.cfc-Don't force a login
I am developing an application where I do not want to force users to sign in unless they actually require access to certain portions of the application. How can I use cflogin in my application component without that requiring "users" from logging in when they do not need to do so?

I have the admin pages/sections blocked with isUserInRole that will then redirect them to a login page if they need to access that area.

I guess where I'm confused is that whenever I've used application.cfc and the cflogin framework in the past, it required users to sign in prior to doing anything in the application. Now, I only need it for certain pages and am having a problem.

The example that is loaded in CFIDE\gettingstarted looks to be what I'm looking for, but the application.cfc is unreadable.

Thanks for any feedback,
Steve

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269673
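Added example, not code from any poster: one Application.cfc that demands a login only for protected paths (the "if not logged in and this is a protected page" logic above, and the role-restricted sub-folders in the "cflogin" thread) and posts the login form back to the requested URL with its query string, as suggested in the "CFLogin, timeout, and querystring" thread. The path prefixes, role names, the appDSN datasource, the logins column names and the PBKDF2 parameters are assumptions, and the application is assumed to sit at the web root.

```cfml
<!--- Application.cfc: added example. The /admin/ and /members/ prefixes, the role
      names, the "appDSN" datasource and the logins columns are assumptions.
      generatePBKDFKey() and encodeForHTMLAttribute() need ColdFusion 11 or later. --->
<cfcomponent output="false">
    <cfset this.name = "exampleApp">
    <cfset this.sessionManagement = true>
    <cfset this.loginStorage = "session">

    <!--- Path prefix -> role required. Anything not listed (e.g. /common/) is public. --->
    <cfset variables.protectedPaths = structNew()>
    <cfset variables.protectedPaths["/admin/"] = "admin">
    <cfset variables.protectedPaths["/members/"] = "member">

    <cffunction name="requiredRole" access="private" returntype="string" output="false">
        <cfargument name="page" type="string" required="true">
        <cfset var prefix = "">
        <cfloop collection="#variables.protectedPaths#" item="prefix">
            <!--- eq compares case-insensitively, so /Admin/ is protected as well --->
            <cfif left(arguments.page, len(prefix)) eq prefix>
                <cfreturn variables.protectedPaths[prefix]>
            </cfif>
        </cfloop>
        <cfreturn "">
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="true">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var role = requiredRole(arguments.targetPage)>
        <cfset var q = "">
        <cfset var derived = "">
        <cfset var loggedIn = false>
        <cfset var selfUrl = cgi.script_name>

        <!--- Public page: never show the login form. --->
        <cfif not len(role)>
            <cfreturn true>
        </cfif>

        <!--- The body of cflogin runs only when nobody is logged in. --->
        <cflogin>
            <cfif isDefined("cflogin")>
                <!--- User input reaches the query only as a bound parameter. --->
                <cfquery name="q" datasource="appDSN">
                    SELECT UserName, Roles, PasswordSalt, PasswordHash
                    FROM logins
                    WHERE UserName = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
                </cfquery>
                <cfif q.recordCount eq 1>
                    <cfset derived = generatePBKDFKey("PBKDF2WithHmacSHA1", cflogin.password,
                                                      q.PasswordSalt, 100000, 256)>
                    <cfif compare(derived, q.PasswordHash) eq 0>
                        <!--- A throwaway password value keeps the real one out of login storage. --->
                        <cfloginuser name="#q.UserName#" password="#createUUID()#" roles="#q.Roles#">
                        <cfset loggedIn = true>
                    </cfif>
                </cfif>
            </cfif>

            <cfif not loggedIn>
                <!--- Post back to the page that was requested, query string included, so a
                      successful login continues straight to it. The target is built from
                      the current request, never from a caller-supplied URL. --->
                <cfif len(cgi.query_string)>
                    <cfset selfUrl = selfUrl & "?" & cgi.query_string>
                </cfif>
                <cfoutput>
                <form action="#encodeForHTMLAttribute(selfUrl)#" method="post">
                    <input type="text" name="j_username">
                    <input type="password" name="j_password">
                    <input type="submit" value="Log in">
                </form>
                </cfoutput>
                <cfabort>
            </cfif>
        </cflogin>

        <!--- Logged in, but possibly without the role this folder needs. --->
        <cfif not isUserInRole(role)>
            <cfheader statuscode="403" statustext="Forbidden">
            <cfoutput>Access denied.</cfoutput>
            <cfabort>
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```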
RE: Can cflogin help me block basic http authentication?
Yes you can, here is an example.

http://www.peej.co.uk/articles/http-auth-with-html-forms.html

Russ

-Original Message-
From: Jonathan Block [mailto:[EMAIL PROTECTED]
Sent: 03 January 2007 23:08
To: CF-Talk
Subject: Can cflogin help me block basic http authentication?

If I know the username + password for an area of my site that requires basic http auth, can i use a cf tag to preset the authentication credentials that the browser will be passing when the user logs into my site so that when they hit the "locked" pages, that they never see the prompt?

Jon

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:265579
Re: Can cflogin help me block basic http authentication?
Jonathan Block wrote:
> If I know the username + password for an area of my site that requires basic
> http auth, can i use a cf tag to preset the authentication credentials that
> the browser will be passing when the user logs into my site so that when
> they hit the "locked" pages, that they never see the prompt?

No.

Jochem

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:265573
Can cflogin help me block basic http authentication?
If I know the username + password for an area of my site that requires basic http auth, can i use a cf tag to preset the authentication credentials that the browser will be passing when the user logs into my site so that when they hit the "locked" pages, that they never see the prompt?

Jon

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:265570
Resolved. - Re: CFLogin losing login data
Disregard. I figured it out.

BN

> Howdy all -
>
> So I thought I had this login thing worked out, but after an hour of
> pulling out my hair I'm stumped.
>
> In short, I can fill out the login form and submit it. It checks the
> DB just fine and CF logs you in just fine. It's when you reach the
> bottom of the act_login.cfm template it fails when the CFLOCATION
> sends you back where you came from.
>
> Here's the code outline.
>
> Code included for: Application.cfc and act_Login.cfm
>
> (notes for app flow are in *NOTES in the code)
>
> First I'll show the Application.cfc so you can see how that's set up.
> In short it sets you up as a guest that is a record in the db if you
> are not logged in. (for foreign key needs.) No matter what I try, when
> the CFLOCATION tag fires in the act_Login.cfm template, the name="GetNoAuthGuest" in the application.cfc fires. Thus that means
> above the query is evaluating to true. ie:
> login data was lost in the CFLOCATION.
>
> In the act_login.cfm file it just takes your data and logs you in or
> fails. The DESTINATION var is passed in from where you came from as a
> URL so you can get back there. ie: DESTINATION = "http://www.r00t.com/FileShare/index.cfm"
>
> Also, the queries have been obscured.
>
> Thank you to everyone who can give a minute to look this over, I hope
> I did a decent job at giving everything you need to review.
>
> --
> --
>
> Application.cfc - (brief)
> --
>
> RUNS AS IT SHOULD THE FIRST TIME, BUT RUNS THIS EVEN
> AFTER LOGIN (CFLOCATION relocation in act_login.cfm)
> ***
>
> dataSource="#request.DATASOURCE#">
> SELECT DATA
> FROM TABLE
> WHERE UPPER(E.LAST_NAME) = 'CFL GUEST'
>
> Password="cfl-guest"
> roles="GUEST">
>
> ListLast(Replace(Replace(UCASE(cgi.AUTH_USER),
> "\",",","ALL"),"/",",","ALL"))>
>
> dataSource="#request.DATASOURCE#">
> SELECT DATA
> FROM TABLE
> WHERE USER_NAME = '#AUTH_USER#'
>
> Password="#loginQuery.password#" roles="#loginQuery.ROLE#">
>
> dataSource="#request.DATASOURCE#">
> SELECT DATA
> FROM TABLE
> WHERE UPPER(E.LAST_NAME) = 'CFL GUEST'
>
> Password="cfl-guest"
> roles="GUEST">
>
> act_Login.cfm -
>
> You must enter text in both the User Name and Password fields.
>
> SELECT DATA
> FROM TABLE
> WHERE USER = '#J_USERNAME#'
> AND PASSWORD = '#J_PASSWORD#'
>
> "#loginQuery.PASSWORD#" roles="#loginQuery.ROLE#">
>
> Your login information is not valid. Please Try
> again
>
> THIS IS WHERE IT FAILS TO PASS THE LOGIN INFO ??
> ***
>
> ---

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:263227
CFLogin losing login data
Howdy all -

So I thought I had this login thing worked out, but after an hour of pulling out my hair I'm stumped.

In short, I can fill out the login form and submit it. It checks the DB just fine and CF logs you in just fine. It's when you reach the bottom of the act_login.cfm template it fails when the CFLOCATION sends you back where you came from.

Here's the code outline.

Code included for: Application.cfc and act_Login.cfm

(notes for app flow are in *NOTES in the code)

First I'll show the Application.cfc so you can see how that's set up. In short it sets you up as a guest that is a record in the db if you are not logged in. (for foreign key needs.) No matter what I try, when the CFLOCATION tag fires in the act_Login.cfm template, the above the query is evaluating to true. ie: login data was lost in the CFLOCATION.

In the act_login.cfm file it just takes your data and logs you in or fails. The DESTINATION var is passed in from where you came from as a URL so you can get back there. ie: DESTINATION = "http://www.r00t.com/FileShare/index.cfm"

Also, the queries have been obscured.

Thank you to everyone who can give a minute to look this over, I hope I did a decent job at giving everything you need to review.

--
--
Application.cfc - (brief)
--

RUNS AS IT SHOULD THE FIRST TIME, BUT RUNS THIS EVEN AFTER LOGIN (CFLOCATION relocation in act_login.cfm) ***

SELECT DATA
FROM TABLE
WHERE UPPER(E.LAST_NAME) = 'CFL GUEST'

SELECT DATA
FROM TABLE
WHERE USER_NAME = '#AUTH_USER#'

SELECT DATA
FROM TABLE
WHERE UPPER(E.LAST_NAME) = 'CFL GUEST'

act_Login.cfm -

You must enter text in both the User Name and Password fields.

SELECT DATA
FROM TABLE
WHERE USER = '#J_USERNAME#'
AND PASSWORD = '#J_PASSWORD#'

Your login information is not valid. Please Try again

THIS IS WHERE IT FAILS TO PASS THE LOGIN INFO ?? ***

---

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:263191
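Added example, not the poster's code: a DESTINATION value that arrives in the URL and is handed to CFLOCATION can send the user to any site, so this sketch reduces it to a path on the site's own host before redirecting. The function name safeDestination, the host www.example.com and the fallback /index.cfm are assumptions.

```cfml
<!--- Added example. safeDestination(), the host "www.example.com" and /index.cfm
      are assumptions; place the function where act_login.cfm can call it. --->
<cffunction name="safeDestination" returntype="string" output="false"
            hint="Returns a site-local path, or the fallback if dest points anywhere else.">
    <cfargument name="dest" type="string" required="true">
    <cfargument name="siteHost" type="string" required="true">
    <cfargument name="fallback" type="string" required="true">
    <cfset var d = trim(arguments.dest)>
    <cfset var scheme = "">
    <cfset var origin = "">

    <!--- Control characters can split the Location header; some browsers read "\" as "/". --->
    <cfif not len(d) or reFind("[[:cntrl:]]", d) or find("\", d)>
        <cfreturn arguments.fallback>
    </cfif>

    <!--- An absolute URL is accepted only for this site's own host, and is then
          reduced to its path so the redirect can never leave the site. --->
    <cfloop list="http,https" index="scheme">
        <cfset origin = scheme & "://" & arguments.siteHost & "/">
        <cfif left(d, len(origin)) eq origin>
            <!--- keep the "/" that ends the origin as the first character of the path --->
            <cfset d = right(d, len(d) - len(origin) + 1)>
            <cfbreak>
        </cfif>
    </cfloop>

    <!--- Must now be a rooted path. "//host" is a protocol-relative URL, so reject it. --->
    <cfif left(d, 1) neq "/" or left(d, 2) eq "//">
        <cfreturn arguments.fallback>
    </cfif>
    <cfreturn d>
</cffunction>

<!--- In act_login.cfm, after cfloginuser has succeeded: --->
<cfparam name="url.destination" default="">
<cfset target = safeDestination(url.destination, "www.example.com", "/index.cfm")>
<cflocation url="#target#" addtoken="no">
```

With these inputs, "http://www.example.com/FileShare/index.cfm" becomes "/FileShare/index.cfm", while "http://www.example.com.evil.test/" and "//evil.test/" both fall back to "/index.cfm".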
cflogin question
I am using cflogin logic to control some access within my framework and is working just fine. However, I notice that the timeout logic can not be overridden without increasing the session timeout. That's unexpected behavior, IMO, but I can work with it by increasing the session time. I've tried to increase the cflogin idletimeout but it seems to be tied to my application override settings.

1st, has anyone else experienced this, as I might be looking at the problem wrong. Seems a little backwards to me, but perhaps that is desired behavior, or perhaps I have missed an important note in the docs.

2nd, if I have to increase the session time out, what impact would that have on performance? In the past, I always held authorized users sessions much longer than non-authorized ones with PHP, but I am not sure if that is possible in this case. Is there a way to purge non-logged in users while keeping just the logged in ones?

Thanks in advance!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:262362
Re: IE7, cflogin, and JSMX
Got it. For some reason, IE7 wouldn't accept my javascript function calls directly within the script tag. Once I placed them inside a "window.onload = function(){}", it seemed to like me again. Odd that it logged me out as well. Maybe one of the new security features?
I <3 Internet Explorer (not!),
-Jon
On Nov 14, 2006, at 2:18 PM, Jon Clausen wrote:
> I've found a weird bug that I'm stuck on.
>
> The problem does not occur with any other browser (FF, IE6, Safari,
> Opera). When IE7 hits a page where JSMX is used to generate any
> content, CF logs out the user, I receive an "Operation aborted"
> message, and the page redirects to the IE7 connection error page.
>
> The app is a ModelGlue App where the getAuthUser() values are
> checked on each page (event) request to deliver content. When I
> dump getAuthUser() value in the JSMX generated content, it appears
> the user is being logged out as soon as the http("GET".. ) is
> sending its request (not when the main template fires or it wouldn't
> send the AJAX request to begin with).
>
> Any ideas on how I could fix without re-doing the entire auth
> framework?
>
> -Jon
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:260402
IE7, cflogin, and JSMX
I've found a weird bug that I'm stuck on.
The problem does not occur with any other browser (FF, IE6, Safari, Opera). When IE7 hits a page where JSMX is used to generate any content, CF logs out the user, I receive an "Operation aborted" message, and the page redirects to the IE7 connection error page.
The app is a ModelGlue App where the getAuthUser() values are checked on each page (event) request to deliver content. When I dump getAuthUser() value in the JSMX generated content, it appears the user is being logged out as soon as the http("GET".. ) is sending its request (not when the main template fires or it wouldn't send the AJAX request to begin with).
Any ideas on how I could fix without re-doing the entire auth framework?
-Jon
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:260395
cflogin problem
This is my first post and I am a little new at this. I have an application that logs users in via . The situation is like this, user 1 logs in and uses the website. User 2 logs in with their own username and password and getauthuser() returns that they are user 1. I have seen this happen when there are only 2 or three users logged in. Once I had 25 users logged in and 10 of them all returned that they were logged in as the same user. I know that I have probably overlooked something simple.
I am running ColdFusion 7 in a non-clustered environment. The only thing I can think of is that the users are all on campus behind a firewall. The server is off campus and each computer seems to have the same ip address to the server. Could cause this effect?
In my Application.cfm I have :
When I log users in I have a block of code like this:
To log users off I use then clear the session to get rid of any sessions related to that user. StructClear(Session);
Any help appreciated,
Jim Audette
Garrison Forest School
[EMAIL PROTECTED]
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:254082
Re: CF Ajax and CFLogin...
Interesting, on the Mac here are the results. Firefox returns request error: 411. Safari : 200 ( works ok ). Any ideas?
> Good idea, but that didn't seem to work. 500 again. Perhaps I'll test
> this in Safari / Firefox Mac. as well and report back.
>
> >Try and change your Ajax call to a POST instead of a GET.
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:253697
Re: CF Ajax and CFLogin...
Good idea, but that didn't seem to work. 500 again. Perhaps I'll test this in Safari / Firefox Mac. as well and report back.
>Try and change your Ajax call to a POST instead of a GET.
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:253696
Re: CF Ajax and CFLogin...
Try and change your Ajax call to a POST instead of a GET.
-Original Message-
From: D F
To: CF-Talk
Sent: Thu Sep 21 09:08:53 2006
Subject: CF Ajax and CFLogin...
I have ajax script that sends a url hit to a remote cfc method. This cfc is of course secured in that the roles attributes have been set. What I've done is to login the user ( via CFLOGIN ) on the page where the JS/Ajax calls are made, and of course assign the appropriate permissions to that user to be able to properly access the cfc.
In FIREFOX this works grand, but in IE it does not seem to like the way I've set the permission as I get back error code: 500 from the ajax/js script.
I'm assuming that the CFLOGIN tag did not set the permissions and or IE did not 'understand' that the user has been authorised... another possibility would seem to indicate that the ajax/js calls are made BEFORE the cflogin has had time to propagate into the cookie/registry etc...but that doesn't really make sense as the user should have been 'logged in' when the CFLOGIN tag ran. The ajax/js calls are made AFTER page load so this probably is not the case.
Has anyone else encountered this problem?
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:253695
CF Ajax and CFLogin...
I have ajax script that sends a url hit to a remote cfc method. This cfc is of course secured in that the roles attributes have been set. What I've done is to login the user ( via CFLOGIN ) on the page where the JS/Ajax calls are made, and of course assign the appropriate permissions to that user to be able to properly access the cfc.
In FIREFOX this works grand, but in IE it does not seem to like the way I've set the permission as I get back error code: 500 from the ajax/js script.
I'm assuming that the CFLOGIN tag did not set the permissions and or IE did not 'understand' that the user has been authorised... another possibility would seem to indicate that the ajax/js calls are made BEFORE the cflogin has had time to propagate into the cookie/registry etc...but that doesn't really make sense as the user should have been 'logged in' when the CFLOGIN tag ran. The ajax/js calls are made AFTER page load so this probably is not the case.
Has anyone else encountered this problem?
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:253694
Re: ugh... CFLOGIN Help please
This worked perfectly. It's an odd way of doing things, but it worked.
Thank you,
BN
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:253261
Re: ugh... CFLOGIN Help please
James - So if I understand you correctly
1) the act_Login page stores the login information to the session.
2) to get at that information you need to fire off the
>On index.cfm, you need to run a cflogin tag before the getAuthUser()
>function will work. This is true in any page that you intend to
>protect with CFLOGIN authentication.
>
>On 9/15/06, Brent Nicholas <[EMAIL PROTECTED]> wrote:
>>
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:253257
CFLOGIN and Flex 2 CF Wizard
Hi all,
Does anyone have a working example of auth.cfc (the file that gets generated when using the CF Wizard)? I thought the code below would be sufficient but it's still not working. Any suggestions?
CODE:
AUTH.CFC:
SELECT UserName, UserPassword FROM USERS WHERE UserName = AND UserPassword =
LOGIN.MXML:
http://www.adobe.com/2006/mxml"; xmlns="*" width="100%" height="100%" creationComplete="initApp()">
[Event("forgotpassword")]
[Event("loginSuccessful")]
Thanks in advance,
David
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:253222
Re: ugh... CFLOGIN Help please
On index.cfm, you need to run a cflogin tag before the getAuthUser() function will work. This is true in any page that you intend to protect with CFLOGIN authentication.
On 9/15/06, Brent Nicholas <[EMAIL PROTECTED]> wrote:
> This may make it easier to address this issue. It's all the files in a folder
> ready to test.
>
> http://www.cflhd.gov/TeleconfDocs/LoginTestingbak.zip
>
> Thanks again -
>
> BN
>
> > Ok, so I've searched and read the posts on this list about CFLOGIN,
> > I've read Brandon Purcell's power point and read over all the
> > Macromedia documentation. I'm actually using most of their code,
> > though I've rearranged it to make more sense in what I'm doing to
> > prove the concept.
> >
> > In short it works, but seems to lose the session/user once you leave
> > the page that did the login?? Anyone know what I'm doing wrong? I'm
> > sure it's something obvious...
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:253207
Re: ugh... CFLOGIN Help please
This may make it easier to address this issue. It's all the files in a folder ready to test.
http://www.cflhd.gov/TeleconfDocs/LoginTestingbak.zip
Thanks again -
BN
> Ok, so I've searched and read the posts on this list about CFLOGIN,
> I've read Brandon Purcell's power point and read over all the
> Macromedia documentation. I'm actually using most of their code,
> though I've rearranged it to make more sense in what I'm doing to
> prove the concept.
>
> In short it works, but seems to lose the session/user once you leave
> the page that did the login?? Anyone know what I'm doing wrong? I'm
> sure it's something obvious...
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:253201
ugh... CFLOGIN Help please
Ok, so I've searched and read the posts on this list about CFLOGIN, I've read Brandon Purcell's power point and read over all the Macromedia documentation. I'm actually using most of their code, though I've rearranged it to make more sense in what I'm doing to prove the concept.
In short it works, but seems to lose the session/user once you leave the page that did the login?? Anyone know what I'm doing wrong? I'm sure it's something obvious...
I'll get to the nitty gritty here.
Code is laid out as follows and all lives in the same directory:
-page break---
&& PageName.cfm
--
CODE HERE
--<<<<<<<>>>>>>>--
-page break---
&& Application.cfc
--
--<<<<<<<>>>>>>>--
-page break---
&& index.cfm
--
http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
http://www.w3.org/1999/xhtml"; lang="en" xml:lang="en">
CFLHD - Intranet
Welcome #GetAuthUser()#!
#application.applicationname#>
test not logged in
test logged in
Login
Nicholas, Brent
--<<<<<<<>>>>>>>--
-page break---
&& LoginForm.cfm
--
Please Log In
username:
password:
--<<<<<<<>>>>>>>--
-page break---
&& act_LogIn.cfm
--
You must enter text in both the User Name and Password fields.
THIS WORKS FINE, SHOWS USER
Welcome #GetAuthUser()#!
THOUGH AFTER YOU CLICK THIS YOU'LL LOOSE THE DATA.
index page
--<<<<<<<>>>>>>>--
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:253180
Re: CFLogin "Difficulties"
Did you say the variables come from a header or from the CGI scope? How exactly do you set them in the session scope (where do they come from and when)?
On 7/14/06, Jeff D. Chastain <[EMAIL PROTECTED]> wrote:
> I am trying to use CFLogin to setup a secure area in a web site. The problem
> that I am having is that there is no login form ... the site uses an SSO
> provider for authentication, and I receive a few variables in the header
> stating who the user is after a successful login. This means that the SSO
> provider is set to authenticate the user when they make an http request of a
> specific file.
--
CFAJAX docs and other useful articles: http://www.bifrost.com.au/blog/
Archive: http://www.houseoffusion.com/cf_lists/message.cfm/forumid:4/messageid:246656
Re: CFLogin "Difficulties"
> I can see that cookie variable, but what I cannot understand is why using a or redirects
I think you should treat cflocation as having the same effect as a client side redirect, interesting article here: http://www.petefreitag.com/item/359.cfm
Andrew.
Archive: http://www.houseoffusion.com/cf_lists/message.cfm/forumid:4/messageid:246653
RE: CFLogin "Difficulties"
Yep, both are on the same server, under the same domain and same mailto:[EMAIL PROTECTED]
Sent: Friday, July 14, 2006 10:40 AM
To: CF-Talk
Subject: CFLogin "Difficulties"
I am trying to use CFLogin to setup a secure area in a web site. The problem that I am having is that there is no login form ... the site uses an SSO provider for authentication, and I receive a few variables in the header stating who the user is after a successful login. This means that the SSO provider is set to authenticate the user when they make an http request of a specific file.
So, what I was attempting to do was determine if the current page needs the user to be authenticated. If so, redirect them to the page that is protected by the SSO provider, which stores the information it gets from the SSO provider in the session scope, and then returns the user to the page they came from. I can then use that information to log the user in, check their roles, etc.
The problem I am having is that when the SSO page stores its information in the session scope, it then performs a redirect and that information is being lost. I have tried have tried set correctly before the redirect, but once the user is taken back to the original page, the session scope is empty.
Anybody have any suggestions as to why I am losing the session scope, or as to a better way to go about this?
Thanks
-- Jeff
Archive: http://www.houseoffusion.com/cf_lists/message.cfm/forumid:4/messageid:246587
RE: CFLogin "Difficulties"
Are both of these pages on the same server and within the same application name?
M!ke
-Original Message-
From: Jeff D.Chastain [mailto:[EMAIL PROTECTED]
Sent: Friday, July 14, 2006 10:40 AM
To: CF-Talk
Subject: CFLogin "Difficulties"
I am trying to use CFLogin to setup a secure area in a web site. The problem that I am having is that there is no login form ... the site uses an SSO provider for authentication, and I receive a few variables in the header stating who the user is after a successful login. This means that the SSO provider is set to authenticate the user when they make an http request of a specific file.
So, what I was attempting to do was determine if the current page needs the user to be authenticated. If so, redirect them to the page that is protected by the SSO provider, which stores the information it gets from the SSO provider in the session scope, and then returns the user to the page they came from. I can then use that information to log the user in, check their roles, etc.
The problem I am having is that when the SSO page stores its information in the session scope, it then performs a redirect and that information is being lost. I have tried
Archive: http://www.houseoffusion.com/cf_lists/message.cfm/forumid:4/messageid:246585
CFLogin "Difficulties"
I am trying to use CFLogin to setup a secure area in a web site. The problem that I am having is that there is no login form ... the site uses an SSO provider for authentication, and I receive a few variables in the header stating who the user is after a successful login. This means that the SSO provider is set to authenticate the user when they make an http request of a specific file.
So, what I was attempting to do was determine if the current page needs the user to be authenticated. If so, redirect them to the page that is protected by the SSO provider, which stores the information it gets from the SSO provider in the session scope, and then returns the user to the page they came from. I can then use that information to log the user in, check their roles, etc.
The problem I am having is that when the SSO page stores its information in the session scope, it then performs a redirect and that information is being lost. I have tried
Archive: http://www.houseoffusion.com/cf_lists/message.cfm/forumid:4/messageid:246569
Re: CFLOGIN HELP
James,
Thanks for your help again. No wonder it always eventually failed - I started adding "goodies" (), so THAT was what was screwing it up.
I apologize, as I only respond to my own topics, and I'm pretty guilty, but I have never seen a newsgroup like this, and I'm too overwhelmed to reply. Every other MINUTE Thunderbird bounces up and down and gives me the alert sound.
On 7/11/06, James Holmes <[EMAIL PROTECTED]> wrote:
> This:
>
> If you cflocation before a closing the user is never logged in.
Archive: http://www.houseoffusion.com/cf_lists/message.cfm/forumid:4/messageid:246215
Re: CFLOGIN HELP
This:
If you cflocation before a closing the user is never logged in.
On 7/12/06, B V <[EMAIL PROTECTED]> wrote:
> I don't know what's wrong.. My login code doesn't seem to be working...
> can anyone help me out? All of a sudden it stops working, and I suspect
> there was a problem from the beginning. - It's odd. No errors, no wrong
> uname/pwd messages. What is wrong?
> Here it is:
> FORM.ref')>
> SELECT * FROM authaccounts WHERE email = "#FORM.email#" AND password =
> "#hashedPassword#"
> Email and password aren't right.
> SELECT msg FROM msg WHERE id = "#URL.msg#"
> #getMSG.msg#
> Thanks for your help and time
Archive: http://www.houseoffusion.com/cf_lists/message.cfm/forumid:4/messageid:246208
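The two replies in these threads (run cflogin on every protected request before calling GetAuthUser(), and do not cflocation before the closing cflogin tag) fit together in one Application.cfc. This is an added example, not code from any poster: the application name, the datasource demoDSN, the table app_users with its columns, and the SHA-256 hashing step are assumptions, and LoginForm.cfm is assumed to post j_username and j_password.

```cfml
<!--- Application.cfc (added example; names marked "hypothetical" are assumptions) --->
<cfcomponent output="false">
    <cfset this.name = "LoginDemo">                             <!--- hypothetical application name --->
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = CreateTimeSpan(0, 0, 30, 0)>  <!--- 30 minutes --->
    <cfset this.loginStorage = "session">                      <!--- login state is kept in the session scope --->

    <cffunction name="onRequestStart" returntype="boolean" output="true">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var qUser = "">
        <cfset var justLoggedIn = false>

        <!--- Runs on every request, so GetAuthUser() is usable on every page.
              The body only executes when no user is currently logged in.
              idletimeout is in seconds. --->
        <cflogin idletimeout="1800">
            <cfif NOT IsDefined("cflogin")>
                <!--- No j_username / j_password were submitted: show the form and stop. --->
                <cfinclude template="LoginForm.cfm">
                <cfabort>
            </cfif>

            <!--- cfqueryparam binds the submitted values instead of splicing them
                  into the SQL text. Table and column names are hypothetical. --->
            <cfquery name="qUser" datasource="demoDSN">
                SELECT user_name, roles
                FROM   app_users
                WHERE  user_name     = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
                AND    password_hash = <cfqueryparam value="#Hash(cflogin.password, 'SHA-256')#" cfsqltype="cf_sql_varchar">
                <!--- Hash() here is a placeholder: use the scheme the stored passwords were created with. --->
            </cfquery>

            <cfif qUser.recordCount EQ 1>
                <cfloginuser name="#qUser.user_name#" password="#cflogin.password#" roles="#qUser.roles#">
                <cfset justLoggedIn = true>
            <cfelse>
                <cfoutput>Your login information is not valid. Please try again.</cfoutput>
                <cfinclude template="LoginForm.cfm">
                <cfabort>
            </cfif>
            <!--- No cflocation inside this block: as the reply above says, redirecting
                  before the closing tag means the user is never logged in. --->
        </cflogin>

        <!--- The redirect is issued only after the cflogin block has closed, and goes to a
              fixed local page rather than to a URL taken from the request. --->
        <cfif justLoggedIn>
            <cflocation url="index.cfm" addtoken="no">
        </cfif>

        <cfreturn true>
    </cffunction>
</cfcomponent>
```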
CFLOGIN HELP
I don't know what's wrong.. My login code doesn't seem to be working... can anyone help me out? All of a sudden it stops working, and I suspect there was a problem from the beginning. - It's odd. No errors, no wrong uname/pwd messages. What is wrong?

Here it is:

SELECT * FROM authaccounts WHERE email = "#FORM.email#" AND password = "#hashedPassword#"

Email and password aren't right.

SELECT msg FROM msg WHERE id = "#URL.msg#"

#getMSG.msg#

Thanks for your help and time

Archive: http://www.houseoffusion.com/cf_lists/message.cfm/forumid:4/messageid:246184
RE: cflogin and load balancing
Dave,

Do you mean when using NLBS (the windows clustering solution)? I was under the impression that it could not do this.

-Mark

-Original Message-
From: Dave Ross [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 24, 2006 6:12 PM
To: CF-Talk
Subject: Re: cflogin and load balancing

Win2k3 will do sticky sessions when clustered using NLB

-Dave

>A hardware load balancer that provides for sticky sessions will work,
>if you can afford it.
>
>On 3/23/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
>
>--
>CFAJAX docs and other useful articles:
>http://jr-holmes.coldfusionjournal.com/

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:241427
Re: cflogin and load balancing
Win2k3 will do sticky sessions when clustered using NLB

-Dave

>A hardware load balancer that provides for sticky sessions will work,
>if you can afford it.
>
>On 3/23/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
>
>--
>CFAJAX docs and other useful articles:
>http://jr-holmes.coldfusionjournal.com/

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:241383
Re: cflogin and load balancing
Just to complete this thread, since it's been linked to by several folks:

One customer in particular had issues and we walked them through their code issues. In particular, the following problems were found that prevented CFLOGIN working in a clustered environment:

- There are nested cflogin tags.
  Resolution: Remove the cflogin code in login.cfm
- CFLoginUser is not executed in onRequestStart.
  Resolution: do user validation in onRequestStart instead of in login.cfm
- Checking a session variable (which is replicated in a cluster) to decide if login code should be executed.
  Resolution: Don't do this; always check if the cflogin scope exists (see docs and sample code).

Here is some example code, note that this is onRequest, not onRequestStart. Either will work.

select u.userid from users u where username = and password =

For more sample CFLOGIN code, see the CF Developers Guide:
http://livedocs.macromedia.com/coldfusion/7/htmldocs/1181.htm

HTH
Damon

>On 3/23/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
>> But I still wonder why the cflogin cookie includes the full login info
>> (username/password base64 encoded), what does it need to then?
>
>I stand corrected again!
>
>I did further testing and the cflogin/cfloginuser code will
>automatically login the user on the second server if the user has the
>cflogin cookie from the first server.
>
>It looks like using cflogin (set to use cookies) correctly will work
>for my setup with multiple servers not clustered, even if it's not very
>secure (since the cookie includes the username/password).
>
>Regards.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:241364
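The three resolutions listed in the message above, together with the cflocation point from the CFLOGIN HELP thread, as an added example that is not code from any poster or from Adobe. The application name, datasource, `loginform.cfm`, the `users` columns and the salted-hash scheme are assumptions.

```cfml
<!--- Application.cfc: added example. exampleApp, exampleDSN, loginform.cfm and
      the users columns (username, salt, passwordhash, roles) are assumptions. --->
<cfcomponent output="false">

  <cfset this.name = "exampleApp">
  <cfset this.sessionManagement = true>
  <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
  <!--- Keep login state on the server. With "cookie" the credentials are sent
        Base64-encoded in a cookie, which the thread notes is not encryption. --->
  <cfset this.loginStorage = "session">

  <cffunction name="onRequestStart" returnType="boolean" output="true">
    <cfargument name="targetPage" type="string" required="true">
    <cfset var qUser = "">
    <cfset var justLoggedIn = false>

    <cfif structKeyExists(url, "logout")>
      <cflogout>
    </cfif>

    <!--- One cflogin block for the whole application, never nested.
          Its body runs only while no user is logged in. --->
    <cflogin idletimeout="1800">
      <!--- Decide on the cflogin scope, not on a session variable. The scope
            exists when the form posted j_username and j_password. --->
      <cfif NOT isDefined("cflogin")>
        <cfinclude template="loginform.cfm">
        <cfabort>
      </cfif>

      <!--- Bind the user-supplied name; never interpolate form values into SQL. --->
      <cfquery name="qUser" datasource="exampleDSN">
        SELECT u.userid, u.salt, u.passwordhash, u.roles
        FROM users u
        WHERE u.username = <cfqueryparam value="#cflogin.name#"
                                         cfsqltype="cf_sql_varchar">
      </cfquery>

      <!--- Assumed scheme: passwordhash = SHA-256(salt & password) in hex.
            Use a slow password hash instead where the platform offers one. --->
      <cfif qUser.recordCount EQ 1
            AND compareNoCase(qUser.passwordhash,
                              hash(qUser.salt & cflogin.password, "SHA-256")) EQ 0>
        <cfloginuser name="#cflogin.name#"
                     password="#cflogin.password#"
                     roles="#qUser.roles#">
        <cfset justLoggedIn = true>
      <cfelse>
        <!--- Same response for an unknown user and a wrong password. --->
        <cfset request.loginMessage = "Email and password aren't right.">
        <cfinclude template="loginform.cfm">
        <cfabort>
      </cfif>
    </cflogin>

    <!--- Redirect only after the closing cflogin tag; the reply in the
          CFLOGIN HELP thread says a cflocation before it leaves the user
          logged out. --->
    <cfif justLoggedIn>
      <cflocation url="index.cfm" addtoken="false">
    </cfif>

    <cfreturn true>
  </cffunction>

</cfcomponent>
```

Because the roles are looked up inside the cflogin body, they are assigned again whenever that body runs on a server that has no login state for the request.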
Re: Application.cfc and cflogin/cflogout
A google for "cflogin example" will find you about a dozen or so examples, with various methods of ending the session.

I generally set a variable manually "isloggegin=false", and use that.

HIH :D

On 4/24/06, j s <[EMAIL PROTECTED]> wrote:
>
> Does anyone know where I can get an example of using cflogin and cflogout
> with Application.cfc.
>
> I'm currently using Application.cfm and have noticed that when using
> cflogout the session still remains and although the user is logged out you
> can still access the secure pages with the back button. I'm assuming this
> can be fixed using Application.cfc but I'm not 100% on where/how to
> implement it.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:238579
Application.cfc and cflogin/cflogout
Does anyone know where I can get an example of using cflogin and cflogout with Application.cfc.

I'm currently using Application.cfm and have noticed that when using cflogout the session still remains and although the user is logged out you can still access the secure pages with the back button. I'm assuming this can be fixed using Application.cfc but I'm not 100% on where/how to implement it.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:238560
Re: cflogin and load balancing
nope and nope. I've setup JAAS in JRun, seems to work fine. In fact I setup a serverwide SSO solution using JAAS where CF can interface with it simply.

DK

On 3/28/06, Andy Allan <[EMAIL PROTECTED]> wrote:
> Isn't cflogin already based on JAAS? The CF (or indeed JRun)
> implementation just happens to be botched?
>
> Andy
>
> On 28/03/06, Douglas Knudsen <[EMAIL PROTECTED]> wrote:
> > I've been wondering why the CF team has not switched over to using
> > J2EE security. A rewrite of cflogin code that can use JAAS would be
> > just swell and allow integration with non CF J2EE products without
> > messing with web.xml files and such, eh?
> >
> > DK
> >
> > On 3/27/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> > > On 3/26/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> > > > It doesn't work that way. Since your CFLOGINUSER call is inside a
> > > > CFLOGIN call, that CFLOGIN call *won't* run when the second server sees
> > > > your authentication cookie because CFLOGIN only runs when you are *not*
> > > > authenticated.
> > >
> > > Actually, according to my testing (ColdFusion 6.1 with the Updater),
> > > when the second server sees the cflogin cookie, it will automatically
> > > run the cflogin/cfloginuser code and authenticate/authorize the user.
> > >
> > > Can anyone verify this with ColdFusion MX 7?
> > >
> > > Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236320
Re: cflogin and load balancing
Isn't cflogin already based on JAAS? The CF (or indeed JRun) implementation just happens to be botched?

Andy

On 28/03/06, Douglas Knudsen <[EMAIL PROTECTED]> wrote:
> I've been wondering why the CF team has not switched over to using
> J2EE security. A rewrite of cflogin code that can use JAAS would be
> just swell and allow integration with non CF J2EE products without
> messing with web.xml files and such, eh?
>
> DK
>
> On 3/27/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> > On 3/26/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> > > It doesn't work that way. Since your CFLOGINUSER call is inside a
> > > CFLOGIN call, that CFLOGIN call *won't* run when the second server sees
> > > your authentication cookie because CFLOGIN only runs when you are *not*
> > > authenticated.
> >
> > Actually, according to my testing (ColdFusion 6.1 with the Updater),
> > when the second server sees the cflogin cookie, it will automatically
> > run the cflogin/cfloginuser code and authenticate/authorize the user.
> >
> > Can anyone verify this with ColdFusion MX 7?
> >
> > Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236305
Re: cflogin and load balancing
I've been wondering why the CF team has not switched over to using J2EE security. A rewrite of cflogin code that can use JAAS would be just swell and allow integration with non CF J2EE products without messing with web.xml files and such, eh?

DK

On 3/27/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> On 3/26/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> > It doesn't work that way. Since your CFLOGINUSER call is inside a CFLOGIN
> > call, that CFLOGIN call *won't* run when the second server sees your
> > authentication cookie because CFLOGIN only runs when you are *not*
> > authenticated.
>
> Actually, according to my testing (ColdFusion 6.1 with the Updater),
> when the second server sees the cflogin cookie, it will automatically
> run the cflogin/cfloginuser code and authenticate/authorize the user.
>
> Can anyone verify this with ColdFusion MX 7?
>
> Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236287
Re: cflogin and load balancing
On 3/26/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> It doesn't work that way. Since your CFLOGINUSER call is inside a CFLOGIN
> call, that CFLOGIN call *won't* run when the second server sees your
> authentication cookie because CFLOGIN only runs when you are *not*
> authenticated.

Actually, according to my testing (ColdFusion 6.1 with the Updater), when the second server sees the cflogin cookie, it will automatically run the cflogin/cfloginuser code and authenticate/authorize the user.

Can anyone verify this with ColdFusion MX 7?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236233
Re: cflogin and load balancing
On 3/26/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> And one more thing... SSL really doesn't matter because you're not going to
> use it everywhere on your site, only in some places, so everywhere else that
> doesn't use SSL is still exposed.

The whole application will use HTTPS.

Regards.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236231
Re: cflogin and load balancing
Jochem,

IMHO, having to explicitly test faux credentials on every request and logout/login each time you hit a new server in the cluster is a kludge at best. And I don't mean this as a criticism of you at all -- I highly respect your work; it's a criticism of Macromedia/Adobe for letting this problem go on for so long.

Why doesn't Adobe just fix CFLOGIN?

Respectfully,

Adam Phillip Churvis
Certified Advanced ColdFusion MX 7 Developer
BlueDragon Alliance Founding Committee

Get advanced intensive Master-level training in C# & ASP.NET 2.0 for ColdFusion Developers at ProductivityEnhancement.com

- Original Message -
From: Jochem van Dieten
To: CF-Talk
Sent: Sunday, March 26, 2006 4:34 PM
Subject: Re: cflogin and load balancing

Adam Churvis wrote:
> It doesn't work that way. Since your CFLOGINUSER call is inside a CFLOGIN
> call, that CFLOGIN call *won't* run when the second server sees your
> authentication cookie because CFLOGIN only runs when you are *not*
> authenticated.

So what you do is assign one standard role to everyone. When the user is logged in but does not have that role assigned, you log him out and in again. Role assignments get executed again on the cfloginuser and the user gets his roles. Bit clumsy, but it works.

Jochem

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236226
Re: cflogin and load balancing
Adam Churvis wrote:
> It doesn't work that way. Since your CFLOGINUSER call is inside a CFLOGIN
> call, that CFLOGIN call *won't* run when the second server sees your
> authentication cookie because CFLOGIN only runs when you are *not*
> authenticated.

So what you do is assign one standard role to everyone. When the user is logged in but does not have that role assigned, you log him out and in again. Role assignments get executed again on the cfloginuser and the user gets his roles. Bit clumsy, but it works.

Jochem

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236225
Re: cflogin and load balancing
> And one more thing... SSL really doesn't matter because you're not going to
> use it everywhere...

As in, "SSL really doesn't matter with respect to your assumption that it somewhat mitigates the security concerns about cookie values being exposed."

Of course SSL matters with respect to just about everything else. :)

Respectfully,

Adam Phillip Churvis
Certified Advanced ColdFusion MX 7 Developer
BlueDragon Alliance Founding Committee

Get advanced intensive Master-level training in C# & ASP.NET 2.0 for ColdFusion Developers at ProductivityEnhancement.com

- Original Message -
From: Adam Churvis
To: CF-Talk
Sent: Sunday, March 26, 2006 1:18 PM
Subject: Re: cflogin and load balancing

And one more thing... SSL really doesn't matter because you're not going to use it everywhere on your site, only in some places, so everywhere else that doesn't use SSL is still exposed.

You should always use loginStorage="Session" and combine this with a solid session syndication mechanism. If you're running BlueDragon.NET then your best bet is ScaleOut StateServer. The built-in freebie state server that comes with Windows craps out around three machines in most cases.

Respectfully,

Adam Phillip Churvis
Certified Advanced ColdFusion MX 7 Developer
BlueDragon Alliance Founding Committee

Get advanced intensive Master-level training in C# & ASP.NET 2.0 for ColdFusion Developers at ProductivityEnhancement.com

- Original Message -
From: wolf2k5
To: CF-Talk
Sent: Saturday, March 25, 2006 5:02 AM
Subject: Re: cflogin and load balancing

On 3/24/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> If I'm not mistaken, *authorization* (not authentication) can't work across
> multiple CF servers -- clustered or not -- because there's no mechanism for
> specifying *roles* on any computer other than the one on which CFLOGINUSER
> was executed.

But if the cflogin cookie is there, the second server will automatically execute the cflogin/cfloginuser code, effectively re-logging in the user and re-assigning him the roles automatically.

Besides the security concerns (username/password in the cookie), that can be somewhat mitigated using HTTPS, do you see any other issue with this?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236220
Re: cflogin and load balancing
And one more thing... SSL really doesn't matter because you're not going to use it everywhere on your site, only in some places, so everywhere else that doesn't use SSL is still exposed.

You should always use loginStorage="Session" and combine this with a solid session syndication mechanism. If you're running BlueDragon.NET then your best bet is ScaleOut StateServer. The built-in freebie state server that comes with Windows craps out around three machines in most cases.

Respectfully,

Adam Phillip Churvis
Certified Advanced ColdFusion MX 7 Developer
BlueDragon Alliance Founding Committee

Get advanced intensive Master-level training in C# & ASP.NET 2.0 for ColdFusion Developers at ProductivityEnhancement.com

- Original Message -
From: wolf2k5
To: CF-Talk
Sent: Saturday, March 25, 2006 5:02 AM
Subject: Re: cflogin and load balancing

On 3/24/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> If I'm not mistaken, *authorization* (not authentication) can't work across
> multiple CF servers -- clustered or not -- because there's no mechanism for
> specifying *roles* on any computer other than the one on which CFLOGINUSER
> was executed.

But if the cflogin cookie is there, the second server will automatically execute the cflogin/cfloginuser code, effectively re-logging in the user and re-assigning him the roles automatically.

Besides the security concerns (username/password in the cookie), that can be somewhat mitigated using HTTPS, do you see any other issue with this?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236219
Re: cflogin and load balancing
It doesn't work that way. Since your CFLOGINUSER call is inside a CFLOGIN call, that CFLOGIN call *won't* run when the second server sees your authentication cookie because CFLOGIN only runs when you are *not* authenticated.

Respectfully,

Adam Phillip Churvis
Certified Advanced ColdFusion MX 7 Developer
BlueDragon Alliance Founding Committee

Get advanced intensive Master-level training in C# & ASP.NET 2.0 for ColdFusion Developers at ProductivityEnhancement.com

- Original Message -
From: wolf2k5
To: CF-Talk
Sent: Saturday, March 25, 2006 5:02 AM
Subject: Re: cflogin and load balancing

On 3/24/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> If I'm not mistaken, *authorization* (not authentication) can't work across
> multiple CF servers -- clustered or not -- because there's no mechanism for
> specifying *roles* on any computer other than the one on which CFLOGINUSER
> was executed.

But if the cflogin cookie is there, the second server will automatically execute the cflogin/cfloginuser code, effectively re-logging in the user and re-assigning him the roles automatically.

Besides the security concerns (username/password in the cookie), that can be somewhat mitigated using HTTPS, do you see any other issue with this?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236218
Re: cflogin and load balancing
On 3/24/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> If I'm not mistaken, *authorization* (not authentication) can't work across
> multiple CF servers -- clustered or not -- because there's no mechanism for
> specifying *roles* on any computer other than the one on which CFLOGINUSER
> was executed.

But if the cflogin cookie is there, the second server will automatically execute the cflogin/cfloginuser code, effectively re-logging in the user and re-assigning him the roles automatically.

Besides the security concerns (username/password in the cookie), that can be somewhat mitigated using HTTPS, do you see any other issue with this?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236202
Re: cflogin and load balancing
If I'm not mistaken, *authorization* (not authentication) can't work across multiple CF servers -- clustered or not -- because there's no mechanism for specifying *roles* on any computer other than the one on which CFLOGINUSER was executed.

It doesn't matter whether you're using cookies or session (with proper session syndication in place) because the cookie contains only the username, password, and application name -- no roles. Which is another reason why you want to use loginStorage="Session", as the cookie is not encrypted (it's only Base64 encoded).

BlueDragon, however, *does* handle all authentication and authorization properly across servers with the CFLOGIN framework.

Respectfully,

Adam Phillip Churvis
Certified Advanced ColdFusion MX 7 Developer
BlueDragon Alliance Founding Committee

Get advanced intensive Master-level training in C# & ASP.NET for ColdFusion Developers at ProductivityEnhancement.com

- Original Message -
From: wolf2k5
To: CF-Talk
Sent: Friday, March 24, 2006 4:26 PM
Subject: Re: cflogin and load balancing

On 3/23/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> ColdFusion Server is broken with respect to the CFLOGIN security framework
> working on a clustered system with failover. The reason is that the
> authentication cookie contains the authentication information but not any
> authorization (roles) information. The authorization information is stored
> locally only on the server on which CFLOGINUSER was called, but not in the
> Session scope, so this information never gets syndicated to the other
> machines.

Setting cflogin to use cookies appears to work fine with multiple non clustered CF servers.

Cheers.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236192
Re: cflogin and load balancing
On 3/23/06, Adam Churvis <[EMAIL PROTECTED]> wrote:
> ColdFusion Server is broken with respect to the CFLOGIN security framework
> working on a clustered system with failover. The reason is that the
> authentication cookie contains the authentication information but not any
> authorization (roles) information. The authorization information is stored
> locally only on the server on which CFLOGINUSER was called, but not in the
> Session scope, so this information never gets syndicated to the other
> machines.

Setting cflogin to use cookies appears to work fine with multiple non clustered CF servers.

Cheers.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236189
Re: cflogin and load balancing
On 3/23/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> But I still wonder why the cflogin cookie includes the full login info
> (username/password base64 encoded), what does it need to then?

I stand corrected again!

I did further testing and the cflogin/cfloginuser code will automatically login the user on the second server if the user has the cflogin cookie from the first server.

It looks like using cflogin (set to use cookies) correctly will work for my setup with multiple servers not clustered, even if it's not very secure (since the cookie includes the username/password).

Regards.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236187
Re: cflogin and load balancing
On 3/23/06, Jochem van Dieten <[EMAIL PROTECTED]> wrote:
> If you have the username and password, why don't you log him in
> yourself?

What do you mean?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236118
Re: cflogin and load balancing
wolf2k5 wrote:
>
> I take this back: I did better testing and the user is NOT
> automatically logged into the second server.
>
> Basically there is a cflogin limitation with simple DNS round robin
> load balancing (no clustering) on multiple web servers: the login
> session isn't shared between the multiple web servers (even if the
> cflogin cookie contains the full username/password info, that would be
> sufficient to automatically re-authenticate the user behind the scenes
> on another server), apparently, besides the cflogin cookie on the
> client, each CF server maintains its own internal state of the
> logins/logouts sessions.
>
> What would be the better/easiest way of managing logins on a load
> balanced application w/o clustering the CF instances?

If you have the username and password, why don't you log him in yourself?

Jochem

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236086
Re: cflogin and load balancing
Folks,

ColdFusion Server is broken with respect to the CFLOGIN security framework working on a clustered system with failover. The reason is that the authentication cookie contains the authentication information but not any authorization (roles) information. The authorization information is stored locally only on the server on which CFLOGINUSER was called, but not in the Session scope, so this information never gets syndicated to the other machines.

This is the reason why we've switched to BlueDragon.NET. When we discovered this issue on our hardware load balanced cluster in our load testing lab, we contacted New Atlanta and within *hours* they sent us a new build that solved the problem (it's also in their two previous hotfixes).

So unless I've missed something in the latest build of the Adobe product, BlueDragon.NET (and I believe its other flavors, too) is the only CFML processor that works on a cluster with failover at the present time.

BTW, we also use ScaleOut StateServer as the session syndication mechanism, which lets us scale *way* out without loss of performance.

Respectfully,

Adam Phillip Churvis
Certified Advanced ColdFusion MX 7 Developer
http://www.ProductivityEnhancement.com

Download Plum and other cool development tools, and get advanced intensive Master-level training:
* C# & ASP.NET for ColdFusion Developers
* ColdFusion MX Master Class
* Advanced Development with CFMX and SQL Server 2000

- Original Message -
From: "wolf2k5" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Thursday, March 23, 2006 12:56 PM
Subject: Re: cflogin and load balancing

> On 3/23/06, Dave Watts <[EMAIL PROTECTED]> wrote:
> > Yeah, I didn't get around to testing this, but I would have really been
> > surprised if this were true.
>
> But I still wonder why the cflogin cookie includes the full login info
> (username/password base64 encoded), what does it need to then?
>
> > Build your own login mechanism and have it store information in the
> > database. You could do this using the Client scope or just write the whole
> > thing yourself.
>
> I think I'll go with the Client scope, anything I should pay attention
> to to make sure the application is secure and works well?
>
> Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236075
Re: cflogin and load balancing
On 3/23/06, Dave Watts <[EMAIL PROTECTED]> wrote:
> Yeah, I didn't get around to testing this, but I would have really been
> surprised if this were true.

But I still wonder why the cflogin cookie includes the full login info (username/password base64 encoded), what does it need to then?

> Build your own login mechanism and have it store information in the
> database. You could do this using the Client scope or just write the whole
> thing yourself.

I think I'll go with the Client scope, anything I should pay attention to to make sure the application is secure and works well?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236068
RE: cflogin and load balancing
> I take this back: I did better testing and the user is NOT
> automatically logged into the second server.

Yeah, I didn't get around to testing this, but I would have really been surprised if this were true.

> What would be the better/easiest way of managing logins on
> a load balanced application w/o clustering the CF instances?

Build your own login mechanism and have it store information in the database. You could do this using the Client scope or just write the whole thing yourself.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236051
Re: cflogin and load balancing
A hardware load balancer that provides for sticky sessions will work, if you can afford it.

On 3/23/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> On 3/22/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> > To reply to my own question: it looks like that the cflogin cookie
> > includes the username/password info (I think it's base64 encoded),
> > when jumping from one server to another, the user is already logged
> > into the second server.
>
> I take this back: I did better testing and the user is NOT
> automatically logged into the second server.
>
> Basically there is a cflogin limitation with simple DNS round robin
> load balancing (no clustering) on multiple web servers: the login
> session isn't shared between the multiple web servers (even if the
> cflogin cookie contains the full username/password info, that would be
> sufficient to automatically re-authenticate the user behind the scenes
> on another server), apparently, besides the cflogin cookie on the
> client, each CF server maintains its own internal state of the
> logins/logouts sessions.
>
> What would be the better/easiest way of managing logins on a load
> balanced application w/o clustering the CF instances?
>
> I used the session word to mean login sessions, not CF session variables.

--
CFAJAX docs and other useful articles:
http://jr-holmes.coldfusionjournal.com/

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236028
Re: cflogin and load balancing
On 3/22/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> To reply to my own question: it looks like that the cflogin cookie
> includes the username/password info (I think it's base64 encoded),
> when jumping from one server to another, the user is already logged
> into the second server.

I take this back: I did better testing and the user is NOT automatically logged into the second server.

Basically there is a cflogin limitation with simple DNS round robin load balancing (no clustering) on multiple web servers: the login session isn't shared between the multiple web servers (even if the cflogin cookie contains the full username/password info, that would be sufficient to automatically re-authenticate the user behind the scenes on another server), apparently, besides the cflogin cookie on the client, each CF server maintains its own internal state of the logins/logouts sessions.

What would be the better/easiest way of managing logins on a load balanced application w/o clustering the CF instances?

I used the session word to mean login sessions, not CF session variables.

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236025
Re: cflogin and load balancing
On 3/22/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> Now I'm hitting a weird issue with cflogin, sometimes after using my
> app for a while, I'm logged out automatically, I cannot reproduce
> the issue in a consistent way, but it happens once in a while.

BTW, I'm on ColdFusion MX 6.1 Updater (6,1,0,83762).

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:235995
Re: cflogin and load balancing
On 3/21/06, wolf2k5 <[EMAIL PROTECTED]> wrote:
> That's exactly what I'm wondering: does the cflogin cookie include all
> the info (username/password) needed to (automatically)
> (re)authenticate the user on a server if he previously authenticated
> on another server?

To reply to my own question: it looks like that the cflogin cookie includes the username/password info (I think it's base64 encoded), when jumping from one server to another, the user is already logged into the second server.

Now I'm hitting a weird issue with cflogin, sometimes after using my app for a while, I'm logged out automatically, I cannot reproduce the issue in a consistent way, but it happens once in a while.

Any idea?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:235994
Re: cflogin and load balancing
On 3/21/06, Dave Watts <[EMAIL PROTECTED]> wrote:
> If you use round-robin DNS, it is unlikely that the user will be sent to one
> server, then another. When the user attempts to connect initially, the DNS
> server will issue one IP address, and that IP address will be cached for
> some time by the client. Even if that first server fails, the user will not
> be sent to another server.

Most probably we'll be using a very low TTL, so there is a chance that a user will jump from a server to another: even if most browsers just cache the IP address and ignore the TTL, that may not be true for all.

> Aside from that, though, I don't think there's any way to share CFLOGIN data
> without associating it with the Session scope, and sharing that across the
> servers. This would require CF clustering. When you use the CFLOGIN tag, it
> does write a cookie which contains something, but I don't know if it
> contains everything that is set by CFLOGINUSER.

That's exactly what I'm wondering: does the cflogin cookie include all the info (username/password) needed to (automatically) (re)authenticate the user on a server if he previously authenticated on another server?

Anyone tried this?

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:235907
RE: cflogin and load balancing
> The user will have to login, before being able to use any
> feature of the application.
>
> I was thinking to use the CF security framework (cflogin,
> etc.) to manage authentication and authorization for my
> application.
>
> Most probably the application will reside on several web
> servers and the load balancing technique will be simple DNS
> round robin.
>
> So there is a chance that a user will login to server1 and his
> next request will be to server2.
>
> I think that server2 won't automatically figure out that the
> user already logged in on server1 and it will require him to
> login again.
>
> What is the easiest way to have all the servers share the
> cflogin info and prevent re-login when jumping from one
> server to another?
>
> This is a very simple application and I'd prefer to avoid
> full blown CF clustering if possible.

If you use round-robin DNS, it is unlikely that the user will be sent to one server, then another. When the user attempts to connect initially, the DNS server will issue one IP address, and that IP address will be cached for some time by the client. Even if that first server fails, the user will not be sent to another server.

Aside from that, though, I don't think there's any way to share CFLOGIN data without associating it with the Session scope, and sharing that across the servers. This would require CF clustering. When you use the CFLOGIN tag, it does write a cookie which contains something, but I don't know if it contains everything that is set by CFLOGINUSER.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:235885
cflogin and load balancing
Hi all,

I'm working on a simple ColdFusion application.

The user will have to login, before being able to use any feature of the application.

I was thinking to use the CF security framework (cflogin, etc.) to manage authentication and authorization for my application.

Most probably the application will reside on several web servers and the load balancing technique will be simple DNS round robin.

So there is a chance that a user will login to server1 and his next request will be to server2.

I think that server2 won't automatically figure out that the user already logged in on server1 and it will require him to login again.

What is the easiest way to have all the servers share the cflogin info and prevent re-login when jumping from one server to another?

This is a very simple application and I'd prefer to avoid full blown CF clustering if possible.

Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:235877
RE: CFlogin & form action cfc?
Ok, this was fixed by correcting the applicationtoken parameter.

What does this parameter really do? I've not bothered with it much before, and the docs don't say much about it.

    Applicationtoken
    Optional
    The current application name
    Unique application identifier. Limits the login validity to one application, as specified by the cfapplication tag or the Application.cfc file.

So what is this doing under the hood?

--
Ian Skinner
Web Programmer
BloodSource
www.BloodSource.org
Sacramento, CA

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:234900