Folks, ColdFusion Server is broken with respect to the CFLOGIN security framework working on a clustered system with failover. The reason is that the authentication cookie contains the authentication information but not any authorization (roles) information. The authorization information is stored locally only on the server on which CFLOGINUSER was called, but not in the Session scope, so this information never gets syndicated to the other machines.
This is the reason why we've switched to BlueDragon.NET. When we discovered this issue on our hardware load balanced cluster in our load testing lab, we contacted New Atlanta and within *hours* they sent us a new build that solved the problem (it's also in their two previous hotfixes). So unless I've missed something in the latest build of the Adobe product, BlueDragon.NET (and I believe its other flavors, too) is the only CFML processor that works on a cluster with failover at the present time.

BTW, we also use ScaleOut StateServer as the session syndication mechanism, which lets us scale *way* out without loss of performance.

Respectfully,

Adam Phillip Churvis
Certified Advanced ColdFusion MX 7 Developer
http://www.ProductivityEnhancement.com

Download Plum and other cool development tools, and get advanced intensive Master-level training:

* C# & ASP.NET for ColdFusion Developers
* ColdFusion MX Master Class
* Advanced Development with CFMX and SQL Server 2000

----- Original Message -----
From: "wolf2k5" <[EMAIL PROTECTED]>
To: "CF-Talk" <[email protected]>
Sent: Thursday, March 23, 2006 12:56 PM
Subject: Re: cflogin and load balancing

> On 3/23/06, Dave Watts <[EMAIL PROTECTED]> wrote:
> > Yeah, I didn't get around to testing this, but I would have really been
> > surprised if this were true.
>
> But I still wonder why the cflogin cookie includes the full login info
> (username/password base64 encoded), what does it need to then?
>
> > Build your own login mechanism and have it store information in the
> > database. You could do this using the Client scope or just write the whole
> > thing yourself.
>
> I think I'll go with the Client scope, anything I should pay attention
> to to make sure the application is secure and works well?
>
> Thanks.

