I am using web server authentication to authenticate users entering my site.

I am then using cflogin and queries to authorize their access.

I am seeing problems. If I allow a cflogout tag to process it gets rid of
the users roles just fine... But it does not trigger the cflogin tag to run
the authorization queries again.  This seems to be related to the cflogin
tag's idletimeout attribute and maybe a caching behavior that I can see
evidence of, but have no idea exactly how it's happening.

I want to match the cflogin idletimeout to my session timeout.  I am setting
some session variables inside the cflogin tag, for site personalization uses
mainly.  If I expire the session variables early then I am finding that the
cflogin tag is never re-activating, thus resetting the session variables...
Even if the user closes their browser and goes through the web server
authentication process again.

Let's say that I decide never to allow the session variables to be cleared
and they only expire naturally ... And let's also assume that I don't use a
cflogout tag and let the login timeout expire naturally.  Then I am still
seeing a problem when the user closes the browser and re-authenticates
through the web browser popup. Using a *different* username and password,
the cflogin tag still does not run and the session variables remain set to
the last entered. Not good.

For sh**s and giggles, I set the cflogin timeout value to 1 second.  This
works.  The cflogin tag *always* runs the code between its [cflogin] and
[/cflogin] tags (pretty much, you've got to be a fast clicker for it not to)
and as such always picks up the newest and best info.  Great.  But I
shouldn't have to run the cflogin tag every time, should I?  This is why it
seems to me that the cflogin tag is caching the info somehow.  I have known
about the problem with using application authentication and naming your
form fields j_username and j_password.  I ran into that problem months ago.
Yet, since I'm using web auth, that ain't my problem.

One thing to note:  In my code I have a condition that fires when the user
does NOT pass authorization.  I display a particular template.  This
template always seems to display when it should, regardless of the cflogin
timeout, cflogout tag or what have you.  So, the cflogin tag itself works...
I just can't get the crap in the middle to run when I think it should unless
I set the timeout to 1 second.

Here is a simplified version of my code (original cflogin timeout included).

<!--- Process the login --->
<cflogin idletimeout="86400">

    <cfif IsDefined("cflogin")>
        <!--- Check for user in database.
              Find roles of the authenticated user. --->
        <cfquery name="authorize" datasource="#request.dsn#">
            ... Stuff ...
        </cfquery>

        <cfdump var="#authorize#" label="Authorization">

        <cfif authorize.recordcount neq 0 and authorize.deptCount neq 0>
            <h3>This is where the session variables should be set</h3>
            <!--- Initialize session variables for personalization and
                  app security --->
            <cfset structclear(session)>
            <cfparam name="session.cuserid" default="#authorize.cuserid#">
            <cfparam name="session.userfullname" default="#trim(authorize.userfullname)#">
            <cfparam name="session.useremail" default="#authorize.email#">
            <cfparam name="session.rolename" default="#authorize.rolename#">

            <h3>Set User roles</h3>
            <!--- Register the user with ColdFusion's login system; while this
                  login is active the cflogin body is skipped on later requests. --->
            <cfloginuser name="#cflogin.name#"
                         password="#cflogin.password#"
                         roles="#authorize.roleName#">

        <cfelse>
            <!--- user not found, deny access to site --->
            <cfinclude template="accessdenied.cfm">
            <cfabort>
        </cfif>

    <cfelse>
        <!--- this should never happen --->
        <h4>Authentication data is missing.</h4>
        <cfabort>
    </cfif>

</cflogin>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
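The following is an added example, not the original poster's code, of the check a practitioner would want in front of a cflogin block that sits behind web server authentication: compare the principal the web server authenticated on this request with the user ColdFusion still has logged in, and log that user out (and drop the personalization keys) before cflogin runs, so a different web-server login cannot inherit the previous user's roles and session variables. It also derives the cflogin idle timeout and the session timeout from one value so they expire together. It assumes Basic authentication in front of every page, a datasource in request.dsn, an application named "mysite", loginStorage="session", and a "users" table with the columns queried; all of those names are assumptions.

```cfml
<!--- Added example (not from the original post). Assumes web server Basic
      authentication in front of every page, a datasource in request.dsn
      and a "users" table with the columns queried below. --->

<!--- One constant for both timeouts, so cflogin's idle timeout and the
      session's lifetime expire together. --->
<cfset loginSeconds = 20 * 60>

<cfapplication name="mysite"
               sessionmanagement="yes"
               sessiontimeout="#createTimeSpan(0, 0, 0, loginSeconds)#"
               loginstorage="session">

<!--- Principal the web server authenticated for THIS request
      (Apache sets REMOTE_USER, IIS sets AUTH_USER). --->
<cfset webUser = cgi.REMOTE_USER>
<cfif not len(webUser)>
    <cfset webUser = cgi.AUTH_USER>
</cfif>

<!--- If ColdFusion still has a login for someone other than the user the
      web server just authenticated, drop it: cflogin only runs its body
      when nobody is logged in, so without this a new Basic-auth login
      keeps the previous user's roles and session variables. cflogout
      does not touch session variables, so they are deleted explicitly. --->
<cfif len(getAuthUser()) and compareNoCase(getAuthUser(), webUser) neq 0>
    <cflogout>
    <cfset structDelete(session, "cuserid")>
    <cfset structDelete(session, "userfullname")>
    <cfset structDelete(session, "useremail")>
    <cfset structDelete(session, "rolename")>
</cfif>

<cflogin idletimeout="#loginSeconds#">
    <cfif isDefined("cflogin")>
        <!--- Look up the web-server-authenticated name; bind it as a
              parameter rather than interpolating it into the SQL. --->
        <cfquery name="authorize" datasource="#request.dsn#">
            SELECT cuserid, userfullname, email, rolename
            FROM   users
            WHERE  username = <cfqueryparam value="#cflogin.name#"
                                            cfsqltype="cf_sql_varchar">
        </cfquery>

        <cfif authorize.recordcount eq 1>
            <!--- cfset, not cfparam, so stale values are always overwritten. --->
            <cfset session.cuserid      = authorize.cuserid>
            <cfset session.userfullname = trim(authorize.userfullname)>
            <cfset session.useremail    = authorize.email>
            <cfset session.rolename     = authorize.rolename>
            <cfloginuser name="#cflogin.name#"
                         password="#cflogin.password#"
                         roles="#authorize.rolename#">
        <cfelse>
            <!--- Authenticated by the web server but not authorized here. --->
            <cfinclude template="accessdenied.cfm">
            <cfabort>
        </cfif>
    <cfelse>
        <!--- No Authorization header reached ColdFusion. --->
        <cfabort showerror="Authentication data is missing.">
    </cfif>
</cflogin>
```

This belongs at the top of Application.cfm (or the start of each protected page) so the comparison runs before any page content. The mismatch check is the important part: it makes a change of web-server principal, whether from a closed browser or from a second user at the same machine, force a fresh pass through the cflogin body instead of relying on the idle timeout to expire the old login.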