tracker issue : CF-3339008

Title:

Change in behavior CF9 to CF10 in user authentication associated with session


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Joseph Lamoree / Joseph Lamoree (JosephLamoree)

Created: 09/28/2012

Components: Security

Versions: 10.0

Failure Type: Unspecified

Found In Build/Fixed In Build: Final / 284805

Priority/Frequency: Trivial / All users will encounter

Locale/System: English / Win All

Vote Count: 12

Problem Description:
An application that allows a user to login from multiple locations no longer works in ColdFusion 10. It seems that there is now a strict one-to-one relationship between a username and session. When userZ performs login from computerA, all the roles are stored correctly. If userZ performs login from computerB, all the roles are stored correctly. However, the authenticated session on computerA is no longer valid.

Steps to Reproduce:
Attached is a simple test case to show the problem. The same CFML application will allow simultaneous user sessions in ColdFusion 9; it will forbid concurrent authenticated users in ColdFusion 10.

Actual Result:

Expected Result:

Any Workarounds:

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3339008

External Customer Info:
External Company:  
External Customer Name: JosephLamoree
External Customer Email:  
External Test Config: My Hardware and Environment details:

I tried this in both ColdFusion 10 32-bit and ColdFusion 10 64-bit, both running in Tomcat containers. I compared this against a stock ColdFusion 9 multi-server installation in JRun.

Attachments:

  1. September 29, 2012 00:00:00: 1_userroles.zip

Comments:

This is a major issue!
Comment by External U.
17802 | September 29, 2012 12:25:55 PM GMT
This is a major issue. I didn't see this change noted anywhere in CF10's documentation.
Vote by External U.
17810 | September 29, 2012 12:26:32 PM GMT
By using the following flag -Dcoldfusion.session.protectfixation=false the behaviour can be reverted to CF9 behaviour. However, caution must be taken to ensure you have tested your application against session fixation vulnerability. (Comment added from ex-user id:hkhandel)
Comment by Adobe D.
17803 | September 30, 2012 08:08:14 PM GMT
Hemant, we need to find a happy middle path. As an example, when doing automated QA testing, you often have Selenium or JMeter logging in multiple times, sometime from multiple computers, running tests using a single login. Creating 20 different logins for a 20 simultaneous user test is harder to manage. This is also concern if you have an app where users share logins. At the same time, addressing session fixation is definitely a concern. I would hate for it to be binary choice... either you have the protection or you don't.
Comment by External U.
17804 | October 01, 2012 09:09:42 AM GMT
Setting the coldfusion.session.protectfixation system property to false has no effect on the problem. I added some code to the demonstration application to set and retrieve values stored in the session scope. Upon one browser forcing another browser's authentication to be lost, the session remains intact for both browsers. The session ID generated by Tomcat does not change. We use ColdFusion configured to use J2EE sessions; however, the problem exists regardless of whether this option is on or off. I can confirm that having the CFAUTHENTICATION data stored in a cookie vs. session makes no difference.
Comment by External U.
17805 | October 01, 2012 02:17:19 PM GMT
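The thread is juggling two different controls: session-fixation protection (the concern behind the coldfusion.session.protectfixation flag mentioned above) and a one-session-per-user policy (the behaviour the reporter actually observes: authentication is revoked on the other browser while its session and session ID survive). The following toy model, added here as an illustration and not ColdFusion's own implementation, lets each control be switched on independently so the two can be told apart. All names (SessionStore, concurrent_login_scenario, fixation_scenario, userZ, computerA/B) are assumptions for the example.

```python
"""Toy model of two independent session controls (constructed example, not
ColdFusion's code):
 - rotate_id_on_login: session-fixation defence; the session gets a fresh ID
   at login so an ID known before authentication never becomes authenticated.
 - single_session_per_user: a new login for user X strips authentication from
   every other session that currently holds X (the session itself survives).
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass
class Session:
    """Server-side session: authentication state plus ordinary session data."""
    user: Optional[str] = None
    roles: FrozenSet[str] = frozenset()
    data: dict = field(default_factory=dict)


class SessionStore:
    """Session store with the two controls switchable independently."""

    def __init__(self, rotate_id_on_login: bool, single_session_per_user: bool):
        self.rotate_id_on_login = rotate_id_on_login
        self.single_session_per_user = single_session_per_user
        self.sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session()
        return sid

    def login(self, sid: str, user: str, roles: Iterable[str]) -> str:
        """Authenticate session `sid` as `user`; returns the (possibly new) session ID."""
        sess = self.sessions[sid]
        if self.rotate_id_on_login:
            # Fixation defence: the pre-authentication ID is retired and the
            # session state moves to a fresh ID, so an attacker who planted the
            # old ID cannot ride the victim's login.
            del self.sessions[sid]
            sid = secrets.token_hex(16)
            self.sessions[sid] = sess
        if self.single_session_per_user:
            # Concurrency policy: revoke authentication (not the session data)
            # on every other session that currently holds this user.
            for other_sid, other in self.sessions.items():
                if other_sid != sid and other.user == user:
                    other.user, other.roles = None, frozenset()
        sess.user, sess.roles = user, frozenset(roles)
        return sid

    def is_authenticated(self, sid: str) -> bool:
        return self.sessions[sid].user is not None


def concurrent_login_scenario(rotate: bool, single: bool) -> dict:
    """userZ logs in from computerA, stores some data, then logs in from computerB."""
    store = SessionStore(rotate, single)
    a0 = store.new_session()
    a = store.login(a0, "userZ", ["user", "editor"])
    store.sessions[a].data["cart"] = ["item1"]          # ordinary session-scope data
    b = store.login(store.new_session(), "userZ", ["user", "editor"])
    return {
        "a_still_authenticated": store.is_authenticated(a),
        "b_authenticated": store.is_authenticated(b),
        "a_id_rotated": a != a0,
        "a_data_intact": store.sessions[a].data == {"cart": ["item1"]},
    }


def fixation_scenario(rotate: bool) -> bool:
    """True if an attacker-known pre-auth ID ends up authenticated (i.e. vulnerable)."""
    store = SessionStore(rotate_id_on_login=rotate, single_session_per_user=False)
    planted = store.new_session()              # attacker learns this ID and plants it on the victim
    store.login(planted, "victim", ["user"])   # victim authenticates while carrying the planted ID
    return planted in store.sessions and store.is_authenticated(planted)


if __name__ == "__main__":
    for rotate, single in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"rotate={rotate} single={single}: {concurrent_login_scenario(rotate, single)}")
    print("fixation vulnerable without rotation:", fixation_scenario(False))
    print("fixation vulnerable with rotation:", fixation_scenario(True))
```

With rotation on and the single-session policy off, both browsers stay logged in and the fixation scenario is closed; with rotation off and the single-session policy on, computerA loses its authentication while its session data and session ID are untouched, which is the symptom described in the comment above. The two switches are orthogonal, which is why a fixation-related flag would not be expected to change the concurrent-login outcome.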
+1. According to Shilpi on Twitter this is by design, but it's a major backwards compat issue. Needs to be modified so this behaviour is a) optional; b) off by default; c) not controlled at JVM level.
Vote by External U.
17811 | October 02, 2012 12:39:57 AM GMT
@JosephLamoree, thanks very much for logging this! @Sami, I recall we discussed concurrent logins before. Additionally, I've added comments on Shilpi's cflogin blog entry: http://blogs.coldfusion.com/post.cfm/new-improved-cflogin. I've also logged ER #CF-3339701 detailing my idea for a "a happy middle path" :) Thanks, -Aaron
Comment by External U.
17806 | October 02, 2012 01:46:50 AM GMT
+1, a large number of popular sites (including Facebook.com, Adobe.com, Wikipedia.org, etc) support concurrent logins. This feature is a must in today's multi-monitor, multi-device world.
Vote by External U.
17812 | October 02, 2012 01:49:35 AM GMT
These sites support concurrent logins: yahoo.com, facebook.com, google.com, aol.com, msn.com, ebay.com, live.com, twitter.com, amazon.com, wikipedia.org, youtube.com, adobe.com, myspace.com.
Comment by External U.
17807 | October 02, 2012 01:51:03 AM GMT
We use multiple and concurrent logins to test applications via server side. Restricting it to one single login just doesn't make any sense, yes?
Vote by External U.
17813 | October 02, 2012 03:19:55 PM GMT
It's as if you're pulling for your own platform to fail by bringing it back into the stone age. Fix this.
Vote by External U.
17814 | October 02, 2012 07:40:08 PM GMT
Vote must be between 25 and 4000 characters.. who cares.
Vote by External U.
17815 | October 03, 2012 05:17:00 PM GMT
Adobe used to boast that code written for CF4 would still run, and that backwards compatibility has always been the gold standard - it's why we can't fix array/struct loop constructions using index when they mean item, apparently. So this should be rolled back or changed to be off by default.
Vote by External U.
17816 | October 08, 2012 07:20:33 AM GMT
I recently installed ColdFusion 10. When I log in from the first IE browser it logs me in, and when I try to log in from another IE browser it throws me out, saying that there is an active session, which doesn't happen in CF9. I noticed that CFTOKEN is not generating a new token when I try to log in from the second browser.
Vote by External U.
17817 | October 15, 2012 09:02:18 PM GMT
I vote for the behaviour to revert to that of ColdFusion 9. If the user cannot use 2 identical login credentials at the same time, then he won't be able to open distinct parts of a ColdFusion application on 2 separate machines. However, this is a use case that occurs frequently.
Vote by External U.
17818 | October 16, 2012 03:48:49 AM GMT
The Java flag Hemant Khandelwal suggested doesn't seem to make any difference. I am on 64 bit Win 7 and CF10. I used IE9 and Firefox 16 to test. When I logged in in Firefox, the session I had created in IE using the same credentials was terminated. I went back to IE and logged in, again using the same credentials. That terminated the session in Firefox. This happened with or without the Java flag. Restarting the server didn't help.
Comment by External U.
17808 | November 02, 2012 04:46:09 AM GMT
Our company has also been negatively impacted by this in our upgrade from CF8 to CF10. Please get a working remedy in place!
Vote by External U.
17819 | December 14, 2012 02:37:36 PM GMT
For a non-JVM workaround, please see John Jarrard's post here: http://blogs.coldfusion.com/post.cfm/new-improved-cflogin Direct link: http://blogs.coldfusion.com/post.cfm/new-improved-cflogin#comment-B2D1646B-AD5C-C533-9FE6A522771C9AF5 Of course, backward compat is broken and still needs to be _properly_ fixed. Thanks, -Aaron
Comment by External U.
17809 | February 05, 2013 01:10:14 PM GMT
Please fix this. By default the cflocation tag appends CFIDE and CFTOKEN parameters which our users save into their bookmarks. Because ColdFusion isn't always smart enough to ignore those tokens when it should, the new system of only allowing a single login effectively logs our users out of their existing session when they access a bookmark. This is a MAJOR feature change and should've been announced somewhere. And it's a feature change for the worse. Please revert.
Vote by External U.
17820 | March 31, 2013 12:12:00 PM GMT
Backwards compatibility issue. Nice feature to have if it's desired. Please make this an optional setting.
Vote by External U.
17821 | May 10, 2013 05:26:42 PM GMT