
Webmaster Forum / ColdFusion / General CF Topics / August 2008




CFLOGIN not maintaining cfauthorization session variable

tikadog - 28 Aug 2008 22:21 GMT
I have a simple CF web site where all of the .cfm is in the same directory.  I
cannot use client cookies as the people I am writing this for have cookies
turned off in IE, therefore I am using J2EE session variables and CFLOGIN in an
application.cfm file (code attached) for authentication.  Everything works
correctly during login and I can see the encrypted username/password as the
cfauthorization session variable....
Session Variables:
cfauthorization=Y3BkYWRtaW46cmVwb3J0ODQzOmNwZA==
sessionid=c23059df643c42544069
urltoken=CFID=783&CFTOKEN=91556252&jsessionid=c23059df643c42544069

Once I try to browse to another cfm page on the site, I get booted back to the
index.cfm login page.  After some digging I figured out that the cfauthorization
variable was blank after I click on the link, which as I understand it
indicates that I am not logged in and the
<cfif not IsDefined("cflogin")>
        <cfinclude template="index.cfm">
        <cfabort>
code in the application.cfm sends me back to the login page.

I have confirmed that using valid credentials causes <cfif cpdauth.recordcount
GT "0"> to return true.

Any idea as to why my session authorization is not being maintained between
pages?  Or if I am completely off base as to the reason this is
happening.....and if so, what am I doing wrong.

Thanks
Greg

<!--- application.cfm: login state is kept in the session scope --->
<cfapplication name="cpd" sessionmanagement="Yes" loginstorage="Session">

<cfif isDefined("url.logout") AND url.logout>
    <cflogout>
</cfif>

<cflogin>
    <cfif not IsDefined("cflogin")>
        <!--- No credentials submitted with this request: show the login form --->
        <cfinclude template="index.cfm">
        <cfabort>
    <cfelse>
        <cfif cflogin.name IS "" OR cflogin.password IS "">
            <cfoutput>
                <H2>You must enter text in both the User Name and Password fields</H2>
            </cfoutput>
            <cfinclude template="index.cfm">
            <cfabort>
        <cfelse>
            <!--- Bind the submitted values as parameters so they cannot alter the SQL --->
            <CFQUERY DATASOURCE="cpdwt" NAME="cpdauth">
            SELECT * FROM auth
            WHERE Password = <cfqueryparam value="#cflogin.password#" cfsqltype="cf_sql_varchar">
              AND username = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
            </CFQUERY>
            <cfif cpdauth.recordcount GT 0>
                <!--- Credentials matched a row: log the user in with the stored role --->
                <cfloginuser name="#cflogin.name#" password="#cflogin.password#"
                    roles="#cpdauth.Role#">
                <cfset session.role = cpdauth.role>
                <cfset session.User = cflogin.name>
                <cfset session.Pass = cflogin.password>
            <cfelse>
                <cfoutput>
                    <H2>Your login information is not valid.<br>
                    Please Try again</H2>
                </cfoutput>
                <cfinclude template="index.cfm">
                <cfabort>
            </cfif>
        </cfif>
    </cfif>
</cflogin>
Bluetone - 29 Aug 2008 03:58 GMT
Without cookies you have to track state via the URL.  Google URLSessionFormat for more details.

There are security issues here so you might need to encrypt the session ID etc.

Cheers!
BKBK - 29 Aug 2008 06:09 GMT
Your login code seems to be fine. You yourself are already aware that you have
to have a way to pass-the-baton between requests, to maintain a session.

The usual way ColdFusion maintains sessions is to send CFID and CFTOKEN
cookies to the client browser. That happens automatically under the hood,
assuming you haven't switched setClientCookies off.

For session management by means of cookies, I would use a cfapplication tag
like

<cfapplication name = "cpd"
applicationTimeout = "#createTimespan(1,0,0,0)#"
sessionManagement = "yes"
clientManagement = "yes"
sessionTimeout = "#createTimeSpan(0,0,20,0)#"
setClientCookies = "true"
scriptprotect = "all"
loginstorage = "Session">

However, all of that assumes that the client browser accepts cookies. Where it
doesn't, the usual way to maintain sessions is to pass CFID and CFTOKEN values
in the URL of every request. In fact, the function that Bluetone suggests,
http://livedocs.macromedia.com/coldfusion/7/htmldocs/00000660.htm, makes the
process efficient. It instructs ColdFusion to append CFID and CFTOKEN to the
URL only when the client doesn't accept cookies. Which means ColdFusion would
still be using cookies wherever possible. Some examples:

<a href="#URLSessionFormat('orders.cfm')#">My orders</a>

<cfform method="Post" action="#URLSessionFormat("MyActionPage.cfm")#">
</cfform>

<cflocation url = "products.cfm" addToken = "yes">
tikadog - 29 Aug 2008 14:27 GMT
Thanks, URLsessionformat worked like a charm.
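
An added example, not part of the thread or of any poster's code: once CFID, CFTOKEN and jsessionid travel in the URL as discussed above, they are written to web-server access logs and go wherever a copied link goes. The Python below flags a session token that shows up from more than one client and redacts the tokens before log lines are stored or shared; the log layout, the sample lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed access-log lines: client IP, request line, user agent.
SAMPLE_LOG = """\
10.0.0.5 "GET /orders.cfm?CFID=1001&CFTOKEN=11111111&jsessionid=aaaa1111bbbb2222cccc" "MSIE 7.0"
10.0.0.5 "GET /products.cfm?CFID=1001&CFTOKEN=11111111&jsessionid=aaaa1111bbbb2222cccc" "MSIE 7.0"
10.0.0.9 "GET /report.cfm;jsessionid=dddd3333eeee4444ffff?CFID=1002&CFTOKEN=22222222" "MSIE 7.0"
192.0.2.44 "GET /orders.cfm?CFID=1001&CFTOKEN=11111111&jsessionid=aaaa1111bbbb2222cccc" "Firefox/3.0"
10.0.0.7 "GET /index.cfm" "MSIE 7.0"
"""

# Session parameters after '?', '&' or ';' (query or path-parameter form).
TOKEN_RE = re.compile(r'(?i)(?<=[?&;])(cfid|cftoken|jsessionid)=([^&;?#\s"]+)')
LINE_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+)" "([^"]*)"$')


def session_key(target):
    """Return an identifier for the session carried in a request target, or None."""
    found = {name.lower(): value for name, value in TOKEN_RE.findall(target)}
    if "jsessionid" in found:
        return "jsessionid:" + found["jsessionid"]
    if "cfid" in found and "cftoken" in found:
        return "cfid:%s:%s" % (found["cfid"], found["cftoken"])
    return None


def redact(target):
    """Blank the token values so the line can be stored or shared."""
    return TOKEN_RE.sub(lambda m: m.group(1) + "=REDACTED", target)


def shared_sessions(log_text):
    """Map each session seen from more than one (IP, user agent) to those clients."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, target, agent = m.groups()
        key = session_key(target)
        if key:
            clients[key].add((ip, agent))
    return {k: sorted(v) for k, v in clients.items() if len(v) > 1}


if __name__ == "__main__":
    for key, seen in shared_sessions(SAMPLE_LOG).items():
        print("session used by several clients:", key, seen)
    print(redact("/orders.cfm?CFID=1001&CFTOKEN=11111111"))
```

A hit is a prompt to review, not proof of misuse: one user behind a proxy pool or switching networks produces the same pattern.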
 