> What 'auth_user'? The result of getAuthUser() you mean?
>
Yeah, the authentication token that shows up in cgi.auth_user...
>
> So, even if you logout - you can't login as someone else? Does your
> logon form show up if you close your browser and return? I.e., the system
> _at least_ knows that you need to logon, but when you logon as B, it
> thinks you are still A?
>
Well, not the login "form", but the login prompt that is thrown by the
web server. I do log on as B, and the browser seems to know I'm B (the
cgi.auth_user variable has changed), but it looks like the query to
check and see if B is in my database never actually ran... which kind
of makes me think that somewhere, something that I can't see is hanging
onto A. And since I can stop the behavior when I nullify idleTimeout
by setting it to 1...
>> But.
>>
>> If my idletimeout was set to something "normal" like say 500
>> seconds,
>> and after logout I closed my browser, entered brand new
>> information in
>> the server prompt and the user was not located in my database, they
>> would see the "you failed" template as expected.
>
> I'm confused. You said the situation was bad if idleTimeout was not 1,
> yet 500 is not 1 either.
Sorry. I was just speaking in general terms in the first instance and
getting specific in the second. The main point stays the same, though.
IdleTimeout=1 is Good. IdleTimeout >1 is Bad.
> Can you post the entire code block? Not everything of course, I don't
> need to see the HTML of your logon form, but you get the idea.
I don't have a logon form. I'm letting the server do the
authentication. All I do is authorize after that. No HTML login at all.
This is why I think what I'm experiencing is loads different from much
of the advice I've gotten before, because I'm using server auth NOT
home-grown-HTML auth.
Auth = server window prompt
Authorize = coldfusion query that matches the cflogin.name value to my
database.
As it is I gave you all of the code that deals with the login, but
here's the entire application.cfm for what it's worth.
**********************************************
<!--- Application.cfm --->
<cfsilent>
<cfapplication name="CAER"
    clientmanagement="no"
    sessionmanagement="yes"
    setclientcookies="yes"
    setdomaincookies="no"
    sessiontimeout="#CreateTimeSpan(1,0,0,0)#" />

<cfscript>
    //structclear(application);
    //structclear(session);
    //structdelete(session, "buildprotocol");
    //structdelete(session, "buildsae");

    request.dsn = "gt_caer";
    request.site_root = "https://irbtest.georgetown.edu/caer";
    request.includes_path = request.site_root & "/includes";
    request.customtags_path = "/caer/customtags";
    request.css_path = request.site_root & "/styles";
    request.images_path = request.site_root & "/images";
    request.components_path = "CAER.Components";

    if (not isdefined("application.cachetimespan")) {
        application.cachetimespan = CreateTimeSpan(1,0,0,0);
    } else {
        if (isdefined("application.resetcachetimespan")) {
            application.cachetimespan = application.resetcachetimespan;
            structdelete(application, "resetcachetimespan");
        }
    }
    if (not isdefined("application.rsaemail")) {
        application.rsaemail = "[EMAIL PROTECTED]";
    }

    // For development purposes: allows me to turn off application login
    dologin = 1;
    doquery = 1;

    // Param the message structure
    // TBD: Look into developing the whole message thing into a component,
    // since I use it everywhere
    stmessage = structnew();
    stmessage.type = "";
    stmessage.text = "";
    stmessage.extendtext = "";
    stmessage.arFixit = arraynew(1);

    // Research says that MX shared scope variables need not be locked.
    // Cast messages meant for this page that are stored in session scope
    // into local scope. This is used when I send messages to this page
    // during a relocation from another.
    if (isdefined("session.stmessage")) {
        if (structkeyexists(session.stmessage, getFileFromPath(cgi.SCRIPT_NAME))) {
            if (not structkeyexists(session.stmessage[getFileFromPath(cgi.SCRIPT_NAME)], "arFixit")) {
                session.stmessage[getFileFromPath(cgi.SCRIPT_NAME)].arFixit = arraynew(1);
            }
            stmessage = session.stmessage[getFileFromPath(cgi.SCRIPT_NAME)];
            structdelete(session.stmessage, getFileFromPath(cgi.SCRIPT_NAME));
        }
    }
</cfscript>

<!--- Research says the MX shared scope variables don't need to be locked. --->
<!--- Retain a query of the IRB users and their emails --->
<cfquery name="appcfm_irbusers" datasource="#request.dsn#"
         cachedwithin="#createtimespan(1,0,0,0)#">
    Select u.email, u.firstname + ' ' + u.lastname as fullname
    From cuser u, role r
    Where u.roleid = r.roleid
      AND r.roleName Like '%IRB%'
</cfquery>

<!--- Use session.stmessage only to send messages between pages,
      usually in conjunction with cflocation --->
<cfparam name="session.stmessage" default="#structnew()#">

<!--- Process the logout --->
<cfif isdefined("url.logout") or isdefined("form.logout")>
    <!--- Clear additional information. The cookies probably don't need to go. --->
    <cfcookie name="CFAUTHORIZATION_CAER" expires="now">
    <cfcookie name="CFID" value="" expires="now">
    <cfcookie name="CFTOKEN" value="" expires="now">
    <cfcookie name="JSESSIONID" value="" expires="now">
    <cfset structclear(session)>
    <cflogout>
</cfif>

<!--- Process the login --->
<cfif doLogin>
    <cflogin idletimeout="1">
        <cfif IsDefined("cflogin")>
            <!--- Check for user in database. Find roles of the authenticated user.
                  User must also belong to an Institution and be assigned to at
                  least one department --->
            <!--- cflogin.name is taken from the web server's Authorization header,
                  so it is bound with cfqueryparam instead of being pasted into the
                  SQL string. cachedwithin was dropped from this query: the
                  authorization lookup should run fresh at every login, and CFMX 6/7
                  do not allow cachedwithin together with cfqueryparam. --->
            <cfquery name="authorize" datasource="#request.dsn#">
                Select u.cuserid, u.netid, u.firstname + ' ' + u.lastname as userfullname,
                       u.email, u.title, u.telephone, u.instid, u.roleid,
                       r.rolename, i.institution, count(deptid) as deptCount
                From cuser u
                Inner Join role r on u.roleid = r.roleid
                Inner Join institution i on u.instid = i.instid
                Left Outer Join cuser_dept cd on u.cuserid = cd.cuserid
                Where netid = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
                Group By u.cuserid, u.netid, u.firstname, u.lastname, u.email,
                         u.title, u.telephone, u.instid, u.roleid, r.rolename, i.institution
            </cfquery>
            <!--- For now, we are not allowing people access if they haven't been
                  specifically assigned to any departments. This might need to
                  change in the future. --->
            <cfif authorize.recordcount neq 0 and authorize.deptCount neq 0>
                <!--- Initialize session variables for personalization and app security --->
                <cfscript>
                    session.cuserid = authorize.cuserid;
                    session.userfullname = trim(authorize.userfullname);
                    session.useremail = authorize.email;
                    session.rolename = authorize.rolename;
                </cfscript>
                <cfloginuser name="#cflogin.name#"
                             password="#cflogin.password#"
                             roles="#authorize.roleName#">
            <cfelse>
                <!--- user not found, deny access to site --->
                <cfinclude template="accessdenied.cfm">
                <cfabort>
            </cfif>
        <cfelse>
            <!--- this should never happen --->
            <p><strong>Authentication data is missing.</strong></p>
            Try to reload the page or contact the site administrator.
            <cfabort>
        </cfif>
    </cflogin>
<cfelse>
    <!--- For Development Purposes Only --->
    <cfparam name="session.cuserid" default="10000003">
    <cfparam name="session.userfullname" default="Patricia Lee">
    <cfparam name="session.useremail" default="[EMAIL PROTECTED]">
    <cfparam name="session.rolename" default="">
</cfif>

<cfif cgi.script_name contains "/admin/">
    <cfobjectcache action="clear">
</cfif>

<cfscript>
    /* Even though the MX session scope does not need locking, I still feel
       more comfortable casting the purely personalization session values
       into the request scope */
    request.cuserid = session.cuserid;
    request.userfullname = session.userfullname;
    request.useremail = session.useremail;
    request.roleName = session.roleName;
</cfscript>
</cfsilent>
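As an added example, not the poster's code, here is a diagnostic form of the login block that records, on every request, what the web server says (cgi.auth_user) next to what ColdFusion's own login state says (getAuthUser()), and clears a stale ColdFusion login when the two disagree so that the cflogin body runs again for the new principal. It assumes the web server sets cgi.auth_user on every request (as basic auth does), a cflog file name of caerlogin, and the poster's table and column names; the idletimeout value is arbitrary.

```cfml
<!--- Added diagnostic for Application.cfm (not the original poster's code).
      Assumes cgi.auth_user is populated by the web server on every request
      and that a log file named "caerlogin" may be written. --->

<!--- 1. Before cflogin: does CF already hold a login, and is it the same
        principal the web server just authenticated? The cflogin body does not
        execute while CF considers someone logged in, so a leftover A blocks B. --->
<cfset diagCfUserBefore = getAuthUser()>
<cfif len(cgi.auth_user) and len(diagCfUserBefore)
      and compareNoCase(diagCfUserBefore, cgi.auth_user) neq 0>
    <cflog file="caerlogin" type="warning"
           text="stale CF login: getAuthUser()=#diagCfUserBefore# cgi.auth_user=#cgi.auth_user# script=#cgi.script_name#">
    <!--- drop the stale login and restart the request so cflogin runs for B --->
    <cflogout>
    <cflocation url="#cgi.script_name#" addtoken="no">
</cfif>

<cflogin idletimeout="1800">
    <!--- 2. Inside cflogin: only reached when CF has no logged-in user.
            Record that it ran and what the web server handed over. --->
    <cflog file="caerlogin" type="information"
           text="cflogin body ran: cflogin defined=#isdefined('cflogin')# cgi.auth_user=#cgi.auth_user#">
    <cfif isdefined("cflogin")>
        <!--- authorization lookup with a bound parameter (poster's schema assumed) --->
        <cfquery name="authorize" datasource="#request.dsn#">
            Select u.cuserid, r.rolename
            From cuser u Inner Join role r on u.roleid = r.roleid
            Where u.netid = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
        </cfquery>
        <cfif authorize.recordcount eq 0>
            <cflog file="caerlogin" type="warning"
                   text="denied: #cflogin.name# authenticated by web server but not in cuser">
            <cfinclude template="accessdenied.cfm">
            <cfabort>
        </cfif>
        <cfset session.cuserid = authorize.cuserid>
        <cfloginuser name="#cflogin.name#" password="#cflogin.password#"
                     roles="#authorize.rolename#">
    </cfif>
</cflogin>

<!--- 3. After cflogin: all three identities should now agree on one person --->
<cflog file="caerlogin" type="information"
       text="after cflogin: getAuthUser()=#getAuthUser()# cgi.auth_user=#cgi.auth_user# session.cuserid=#iif(isdefined('session.cuserid'), 'session.cuserid', de('none'))#">
```

If the caerlogin log shows "stale CF login" entries on the requests where B is seen as A, the leftover ColdFusion login, not the database query, is what was holding onto A.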
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4