tracker issue : CF-3628944

Title:

ColdFusion 10 Application Based User Authentication is Broken


Status/Resolution/Reason: Closed/Withdrawn/NotABug

Reporter/Name(from Bugbase): Maxwell Donnelly / Maxwell Donnelly (Max Donnelly)

Created: 09/09/2013

Components: Security

Versions: 10.0

Failure Type: Non Functioning

Found In Build/Fixed In Build: Final /

Priority/Frequency: Major / Some users will encounter

Locale/System: English / Win 2008 Server R2

Vote Count: 1

Problem Description: Using Adobe's own example code fails to log in a user.

Steps to Reproduce: Deploy Adobe's Application Based User Security Example on a ColdFusion 10 server, and test. http://help.adobe.com/en_US/ColdFusion/10.0/Developing/WSc3ff6d0ea77859461172e0811cbec22c24-7c30.html

Actual Result: User login fails to create a cfauthentication_appname session, and the user is not logged in.

Expected Result: Successful login

Any Workarounds: None.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID: 3628944

External Customer Info:
External Customer Name: Max Donnelly
External Test Config: My Hardware and Environment details: 

ColdFusion Enterprise 10,0,11,285437

Tomcat Version: 7.0.23.0

Operating System: Windows Server 2008 R2

OS Version: 6.1

Update Level: .... chf10000011.jar

Adobe Driver Version: 4.1 (Build 0001)

IIS Version: 7.5

Attachments:

Comments:

Cross-reference to the issue as reported on StackOverflow: http://stackoverflow.com/questions/18680629/coldfusion-8-to-coldfusion-10-migration-cfloginuser-not-working-as-expected
Comment by External U.
14566 | September 09, 2013 01:53:55 PM GMT
We have tried with the example application given in Adobe's documentation and we are unable to reproduce the issue. We have tested with both the ColdFusion 10 latest update and ColdFusion 10,0,11,285437 as well. Please provide us with the code you have used for both ColdFusion 8 and ColdFusion 10 for further investigation.
Comment by S V.
14567 | January 23, 2014 12:33:29 AM GMT
This is a serious issue as we are encountering this too often and many of our websites use the GetAuthUser and IsUserInRole functionalities.
Vote by External U.
14571 | February 08, 2014 11:45:17 PM GMT
Hi Max, I'm having the same issue. I can follow up with the bug if you are really busy? Would you submit your code from these two sites:
Test Site ColdFusion 8: http://cf8loginadobe.cimhost.com/securitytest.cfm
Test Site ColdFusion 10: http://cf10loginadobe.cimhost.com/securitytest.cfm
aeverett, the at sign, then hot mail, then dot com
Comment by External U.
14568 | February 24, 2014 03:04:13 PM GMT
I emailed you the files on Feb. 24. Please let me know if I can help in any other way.
Comment by External U.
14569 | February 26, 2014 07:03:21 PM GMT
I am able to reproduce the issue after adding the provided logout.cfm logic to Adobe's documentation example. This issue happens because of manually clearing cookies. One of the reasons this issue was introduced is the newly added attribute 'preserveCase', which is by default set to false. When preserveCase is set to false the cookie name will always be uppercased and set in the response. The auth cookie created for the user application is CFAUTHORIZATION_peACEqDev. Calling the <cflogout> tag sets this cookie's max-age to zero so that the browser can delete it. But when the user is manually deleting the cookies using the CFCookie tag, the cookie name becomes CFAUTHORIZATION_PEACEQDEV and results in a new cookie. Also in CF10 we cannot manually set expires on the cookies (CFID, CFToken and the auth cookie). Check the bug CF-3182493, which was fixed in CF11. Thereby the expires attribute of the new cookie CFAUTHORIZATION_PEACEQDEV is set to -1 (it becomes a session cookie and stays in the browser). CFLOGIN, while doing authentication, checks for the auth cookie in a case-insensitive manner, thereby always picking up this new cookie (CFAUTHORIZATION_PEACEQDEV) and ignoring the correct auth cookie (CFAUTHORIZATION_peACEqDev), which results in authentication loss.

Workaround: While clearing the cookies, ignore the auth cookie as it was already deleted by the CFLOGOUT tag. And for clearing the CFID and CFTOKEN cookies use the cfheader tag as specified in the bug CF-3182493.

    <cfloop item="name" collection="#cookie#">
        <!--- CFID/CFTOKEN: cfcookie cannot expire these in CF10, so send the Set-Cookie header directly (CF-3182493) --->
        <cfif (name IS "CFID" || name IS "CFTOKEN")>
            <cfheader name="set-cookie" value="#name#=;path=/;expires=#GetHttpTimeString(DateConvert('local2utc', now()))#">
        <!--- skip the auth cookie: cflogout already expired it, and clearing it here would recreate it uppercased --->
        <cfelseif NOT name.startsWith("CFAUTHORIZATION_")>
            <cfcookie name="#name#" value="" expires="now" />
        </cfif>
    </cfloop>

The given logout.cfm file contains:

    <cflogout>
    <cfif IsDefined("session")>
        <cfset temp = StructClear(session)>
    </cfif>
    <!--- clears every cookie, including the auth cookie already expired by cflogout --->
    <cfloop item="name" collection="#cookie#">
        <cfcookie name="#name#" value="" expires="now" />
    </cfloop>
Comment by S V.
14570 | March 06, 2014 06:15:37 AM GMT
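As an added illustration (not code from the bug report or from Adobe), a small Python model of the cookie sequence the comment above describes: the posted logout.cfm leaves an uppercased session cookie that the case-insensitive CFLOGIN lookup then matches first, while the workaround loop does not. The cookie names and application name are taken from the comment; the jar and lookup semantics are assumptions that follow its description.

```python
# Constructed model (not ColdFusion's or Adobe's code) of the cookie interaction the
# comment above describes: browser cookie names are case-sensitive, cfcookie uppercases
# names when preserveCase=false and cannot expire CFID/CFTOKEN/auth cookies in CF10,
# and CFLOGIN matches the auth cookie name ignoring case.
APP_COOKIE = "CFAUTHORIZATION_peACEqDev"   # auth cookie name quoted in the bug
PROTECTED = ("CFID", "CFTOKEN")            # names cfcookie cannot expire in CF10

class BrowserJar:  # case-sensitive store; max_age <= 0 deletes, None = session cookie
    def __init__(self):
        self.cookies = {}                  # insertion order == Cookie header order
    def set_cookie(self, name, value, max_age=None):
        if max_age is not None and max_age <= 0:
            self.cookies.pop(name, None)   # browser discards an expired cookie
        else:
            self.cookies[name] = value

def cfcookie_expire(jar, name, preserve_case=False):
    # <cfcookie name="#name#" value="" expires="now">: name uppercased unless
    # preserveCase; expiry ignored on protected cookies, which persist empty.
    sent = name if preserve_case else name.upper()
    protected = sent in PROTECTED or sent.startswith("CFAUTHORIZATION_")
    jar.set_cookie(sent, "", max_age=None if protected else 0)

def cflogin_lookup(jar):
    # CF10 CFLOGIN: first request cookie matching the auth name ignoring case
    for name, value in jar.cookies.items():
        if name.upper() == APP_COOKIE.upper():
            return value
    return None

def logout_page(jar, use_workaround):
    request_scope = list(jar.cookies)          # 'cookie' scope seen by logout.cfm
    jar.set_cookie(APP_COOKIE, "", max_age=0)  # <cflogout>: case preserved, deleted
    for name in request_scope:
        if not use_workaround:
            cfcookie_expire(jar, name)         # posted logout.cfm clears everything
        elif name.upper() in PROTECTED:
            jar.set_cookie(name, "", max_age=0)  # cfheader Set-Cookie, past expires
        elif not name.startswith("CFAUTHORIZATION_"):
            cfcookie_expire(jar, name)         # auth cookie skipped: already gone

def login_succeeds_after_logout(use_workaround):
    """Log out, clear cookies, log in again; True if CFLOGIN sees the fresh cookie."""
    jar = BrowserJar()
    for name, value in (("CFID", "1"), ("CFTOKEN", "2"), (APP_COOKIE, "tok1")):
        jar.set_cookie(name, value)
    logout_page(jar, use_workaround)
    jar.set_cookie(APP_COOKIE, "tok2")         # cfloginuser on the next login
    return cflogin_lookup(jar) == "tok2"
```

Running `login_succeeds_after_logout(False)` reproduces the authentication loss; `login_succeeds_after_logout(True)` shows the workaround loop leaving only the fresh auth cookie for CFLOGIN to find.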