New & Improved CFLogin

February 28, 2012 / Shilpi Khariwal 23 Comments

  Caching | Security | ColdFusion

With ColdFusion 10, cflogin is improved and more secure. The authorization cookie that cflogin sets when loginstorage="cookie" is used is now considerably harder to abuse. The authorization cookie:

· is set to have a short time to live;

· now expires by default when the browser closes, and this can be configured using the cookie settings discussed before;

· is set to HttpOnly by default for the ColdFusion Administrator console. For other applications, this can be configured per application.

There are however some behavioral changes. Read here for further information.
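The settings above are applied per application. The Application.cfc below is an added example for this post, not code from Adobe or from the original article: it turns on cookie storage for cflogin, sets the HttpOnly, Secure and lifetime attributes for the session and authorization cookies, and authenticates against a constructed user table of salted SHA-256 hashes. The timeout values are placeholders (check the unit in the ColdFusion 10 documentation for each setting), the Secure flag assumes the site is served over HTTPS only, and loginform.cfm is assumed to be a form that posts j_username and j_password.

```cfml
<!--- Application.cfc (ColdFusion 10). Added example for this post; not Adobe's or the author's code. --->
<cfcomponent output="false">
    <cfset this.name = "cfloginDemo">
    <cfset this.sessionManagement = true>
    <!--- keep the cflogin authorization in a cookie rather than in the session scope --->
    <cfset this.loginStorage = "cookie">

    <!--- Per-application cookie settings introduced in ColdFusion 10 --->
    <cfset this.sessioncookie.httponly = true>   <!--- JavaScript cannot read CFID/CFTOKEN --->
    <cfset this.sessioncookie.secure = true>     <!--- assumption: the site is served over HTTPS only --->
    <cfset this.sessioncookie.timeout = -1>      <!--- assumption: negative value = browser-session cookie --->
    <cfset this.authcookie.timeout = 20>         <!--- short TTL for the authorization cookie; placeholder value --->
    <cfset this.authcookie.disableupdate = true> <!--- application code cannot overwrite it with cfcookie --->

    <!--- Constructed user table for the example: salted SHA-256 hashes, never plaintext passwords --->
    <cfset variables.users = {
        "alice" = { salt = "c0ffee", hash = hash("c0ffee" & "correct-horse", "SHA-256"), roles = "admin,user" },
        "bob"   = { salt = "decaf0", hash = hash("decaf0" & "battery-staple", "SHA-256"), roles = "user" }
    }>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <!--- idletimeout is in seconds; applicationtoken defaults to this.name --->
        <cflogin idletimeout="900">
            <cfset local.ok = false>
            <!--- the cflogin struct exists only when credentials were submitted with this request --->
            <cfif isDefined("cflogin") and structKeyExists(variables.users, cflogin.name)>
                <cfset local.u = variables.users[cflogin.name]>
                <cfset local.ok = (hash(local.u.salt & cflogin.password, "SHA-256") eq local.u.hash)>
            </cfif>
            <cfif local.ok>
                <!--- roles come from the user table, never from the request --->
                <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#local.u.roles#">
            <cfelse>
                <!--- assumption: loginform.cfm posts j_username and j_password --->
                <cfinclude template="loginform.cfm">
                <cfabort>
            </cfif>
        </cflogin>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Two checks worth making after deploying something like this: confirm in the browser's developer tools that the CFAUTHORIZATION_ cookie and CFID/CFTOKEN carry HttpOnly (and Secure, if configured) and have no far-future expiry, and confirm that the cookie is rejected after the configured idle time rather than being silently refreshed.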

Sample Auth-ehcache.xml

 


23 comments so far ↓

  • 1 Raymond Camden // Feb 28, 2012 at 8:17 AM
    My biggest issue with cflogin is one of its features - web auth integration. Imagine an application like BlogCFC. It is meant to be deployed on your server. Now imagine the entire server is locked down with Apache's security system.

    Right now cflogin will notice that and assume you are logged in. But for BlogCFC, you aren't "really" logged in.

    I get that it is a feature, and it makes sense, but I wish cflogin had a way to ignore any HTTP-based auth.
  • 2 Arun // Feb 28, 2012 at 10:53 PM
    Would you be able to provide an example? Thanks.
  • 3 Shilpi Khariwal // Mar 1, 2012 at 5:36 AM
    Hi Arun, Example of cflogin?
  • 4 Shilpi Khariwal // Mar 1, 2012 at 5:37 AM
    Hi Ray,

    Have you raised an ER for this? if no, please do it. We will look into this.
  • 5 Raymond Camden // Mar 1, 2012 at 6:24 AM
    Oh yeah, I did. :) Couldn't find it though so refiled as 3127780
  • 6 Shilpi Khariwal // Mar 1, 2012 at 6:26 AM
    Cool. Thanks.
  • 7 ib // Mar 13, 2012 at 12:09 AM
    Wouldn't having another application for BlogCFC fix this issue?
  • 8 Aaron Neff // Jun 2, 2012 at 12:18 AM
    Shilpi,

    My biggest issue is CF10 breaks multi-browser login ability.

    If user logs into application in browser #1, and then logs into application in browser #2, then user is logged out at browser #1.

    That's a problem for users that use multiple machines while they work w/ an application.

    I hope this can be considered, please.

    Thanks,
    -Aaron
  • 9 Aaron Neff // Jun 2, 2012 at 12:23 AM
    Hi Shilpi,

    I forgot to say thank you for the enhancements to cflogin, btw. They are helpful. I just wish simultaneous login ability could be restored, or a per-App setting to allow it.

    Thanks again!,
    -Aaron
  • 10 Raymond Camden // Jun 2, 2012 at 5:43 AM
    I don't know, man. That sounds like a security thing to me. Most users don't need 2 browsers to tests logins. We (devs) are the exception. I'd say this is probably a good thing. (If I'm right about why.)
  • 11 Aaron Neff // Jun 2, 2012 at 6:20 PM
    Hi Ray,

    Thanks for the follow-up btw.

    Here's the issue: End-users have 2+ computers. Pre-CF10, users could utilize their multiple computers to work more efficiently w/ a cflogin-protected app.

    Example: Company provides employee(s) w/ a travel laptop which sits on their desk, next to their desktop monitor. Or company provides employee(s) w/ 2 desktop computers, each with dual-monitors.

    These are real situations I'm dealing w/. Not something I'm making up =P IMO, single-session cflogin vs multi-session cflogin should be an application concern (not something dictated by the server). It breaks backward-compat w/ user efficiency and productivity. Others agree w/ me, but sadly I cannot detail the conversations here.

    Thanks,
    -Aaron
  • 12 Raymond Camden // Jun 2, 2012 at 7:34 PM
    I think the situation of a user with 2 machines, where one is a laptop, isn't critical here. They wouldn't be using both at once (normally). As for the situation of 2 desktop computers, I've _never_ seen that. I mean, I'm sure it exists, but I doubt it is the norm. My point isn't that it wouldn't exist - some people would have 2+ computers in use in their office - but that the _normal_ user would not, and this type of protection (*) makes sense.

    * And to be clear, I'm not saying that's why cflogin is blocking the dual login - I'm still just guessing.
  • 13 Aaron Neff // Jun 3, 2012 at 12:07 AM
    Hi Ray,

    By laptop beside desktop, I was referring to one of these companies here: en.wikipedia.org/wiki/List_of_companies_by_revenue

    I understand those companies aren't the norm. But what about this list of sites that supports dual-login? I believe most of these also cater to the 'normal' user:

    - yahoo.com
    - facebook.com
    - google.com
    - aol.com
    - msn.com
    - ebay.com
    - live.com
    - twitter.com
    - amazon.com
    - wikipedia.org
    - youtube.com
    - adobe.com
    - myspace.com

    Also, there is at least 1 financial institution in the top 20 of the Fortune 500 which supports dual-login.

    It looks like dual-login support is actually the norm.

    Thanks,
    -Aaron
  • 14 Shilpi Khariwal // Jun 3, 2012 at 1:30 AM
    Hi Aaron/Ray,

    We have an ER logged for this. We will evaluate it. Having said that, I am personally not a fan of multiple logins and specially without notification. Multiple logins might give a privilege to bad user to work simultaneously.

    Thanks,
    Shilpi
  • 15 Raymond Camden // Jun 3, 2012 at 7:56 AM
    Aaron, I'm not sure why you want me to look at the list of companies. Are you saying every one of them gives each employee two machines to work on at the same time? Again - I may not go to many offices - but I've yet to see that.

    As to the list of sites supporting it - I'd still argue that most of their clientele aren't actually doing that.

    Anyway - to me - I think if you want this - just don't use cflogin.
  • 16 Aaron Neff // Jun 3, 2012 at 10:32 AM
    Hi Ray,

    Regarding the Wikipedia list of companies: I was just saying that the company w/ the laptop+desktop scenario is one of the top 200 companies in the world based on revenue. (I provided a link to that list which includes ALL of the top-200 only b/c I probably shouldn't be specifically naming which company.) Certainly those companies aren't the norm, I do agree of course. And I agree that most office workers would have only 1 computer.

    Regarding the list of sites: I agree that most users of sites such as yahoo, facebook, aol, youtube would not be logging in via multiple browsers. I know it sometimes happens w/ ebay tho, they'd have a friend or family member on another computer trying to help win an auction. And I've seen it w/ Google too, b/c Google offers so many services, so they might have Google Docs open on one computer and then quickly check their Gmail on their tablet or another computer, and still be signed into Google Docs on the 1st computer.

    Hi Shilpi,

    Thank you. I _do_ like the single-login ability that we now have in CF10. My point is that the application developer should have an *option* to use that feature or to use the multi-login. I'm just saying, IMO, that it should be a 'choice'.

    And regarding telling people to not use cflogin if they want multi-login ability.. well, it's a backward-compat thing. I'm saying that there are existing apps that rely on multi-login. So means code rewrite when I don't feel it should be necessary.

    Thanks,
    -Aaron
  • 17 Aaron Neff // Jun 3, 2012 at 12:29 PM
    Hi Shilpi,

    Regarding "[...]specially without notification. Multiple logins might give a privilege to bad user to work simultaneously."

    Can <cflogout sessionID=""> be supported? Then we can alert user and permit user to end a previous login for same user.

    Example repro:

    1) APPLICATION.loggedInUsers = [{username="john@doe.com", sessionID="first-session-ID"},{username="john@doe.com", sessionID="second-session-ID"}]
    2) <cflogout sessionID="#first-session-ID#">

    This would logout john@doe.com from first-session-ID.

    Thanks,
    -Aaron
  • 18 Aaron Neff // Oct 1, 2012 at 8:51 PM
    Hi Shilpi,

    Regarding your June 3rd comment, what is the ER#? If it is a private ticket, can it please be made a public ticket?

    Thanks!,
    -Aaron
  • 19 Shilpi Khariwal // Oct 1, 2012 at 9:59 PM
    Aaron there is a new one logged which is 3339008.
  • 20 Aaron Neff // Oct 2, 2012 at 12:54 AM
    Hi Shilpi,

    Thanks for the fast reply! I just now saw your message. I just filed #3339701 w/ a very detailed proposal. This way users are able to vote on that proposal apart from #3339008. Additionally, it permits me to track this issue better since bugbase doesn't send emails when comments are added.

    Thanks!,
    -Aaron
  • 21 John Jarrard // Feb 5, 2013 at 9:50 AM
    Hi Folks,

    So, this lack of concurrent login business is a pain... but there's a pretty easy solution to get around it:

    In the CFLOGINUSER tag, just add ",#getTickCount()#" or some other random number to the "name" attribute and then use #ListFirst(getAuthUser())# to strip out the user's actual details.

    <cflogin>
        <!--- append a per-login number so each login is a distinct principal --->
        <cfloginuser name="#arguments.username#,#getTickCount()#"
                     password="#arguments.password#"
                     roles="#arguments.roles#" />
    </cflogin>

    <cfoutput>
        <!--- strip the appended number to get the real username back --->
        Welcome #ListFirst(GetAuthUser())#...
    </cfoutput>

    Doing this makes CF10 think it's two different users, but alas...

    More than one way to skin a cat.
    JJ
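The workaround in the comment above has two sharp edges a practitioner should handle: a comma in the username would make ListFirst() return the wrong value, and anything that compares getAuthUser() to a stored username must strip the suffix first. The block below is an added example built on John Jarrard's idea; it is not code from the post or from Adobe. It uses createUUID() instead of getTickCount() (an assumption for this example, so two logins in the same millisecond cannot collide), refuses usernames containing the list delimiter, and wraps the parsing in helpers so the rest of the application never sees the raw "name,tag" value. Role checks via isUserInRole() are unaffected, because the roles are attached to the login, not to the name.

```cfml
<!--- auth.cfm: added example based on the workaround above; not the post's or Adobe's code. --->

<cffunction name="loginWithSessionTag" returntype="string" output="false">
    <cfargument name="username" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <cfargument name="roles"    type="string" required="true">
    <!--- listFirst() recovers the username later, so a comma in it would truncate it --->
    <cfif find(",", arguments.username)>
        <cfthrow type="InvalidUsername" message="Username must not contain a comma">
    </cfif>
    <!--- assumption for this example: a UUID rather than getTickCount(), so tags never collide --->
    <cfset local.tag = createUUID()>
    <!--- ColdFusion 10 sees "alice,<uuid>" as a distinct principal per login, so a second
          browser no longer ends the first browser's session --->
    <cfloginuser name="#arguments.username#,#local.tag#"
                 password="#arguments.password#"
                 roles="#arguments.roles#">
    <cfreturn local.tag>
</cffunction>

<cffunction name="realUserName" returntype="string" output="false">
    <!--- getAuthUser() returns "alice,<uuid>"; return just "alice" for display and lookups --->
    <cfreturn listFirst(getAuthUser(), ",")>
</cffunction>

<cffunction name="loginTag" returntype="string" output="false">
    <!--- the per-login tag, useful as a key if the app tracks concurrent logins itself --->
    <cfreturn listLast(getAuthUser(), ",")>
</cffunction>

<!--- Usage (inside cflogin in Application.cfc, after the credentials have been verified):
      constructed values for the example --->
<cfset tag = loginWithSessionTag("alice", "example-password", "admin,user")>

<cfoutput>
    Welcome #realUserName()# (login #loginTag()#)
    <cfif isUserInRole("admin")>
        <!--- roles still work: the tag lives in the name, not in the roles --->
        You have admin rights.
    </cfif>
</cfoutput>

<!--- Ending this browser's login only; the other browser's login is untouched --->
<cflogout>
```

Be clear about what this buys and what it gives up: it deliberately reinstates concurrent logins, so the single-session behaviour that ColdFusion 10 introduced as a protection is gone for this application. If the application still wants to notify a user of, or revoke, another active login, it has to keep its own record keyed by the returned tag (the shape Aaron Neff sketches below with APPLICATION.loggedInUsers), because cflogout only ends the login of the current request.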
  • 22 Aaron Neff // Feb 5, 2013 at 10:31 AM
    Hi John,

    Brilliant! Sometimes I make 'name' a list, but this idea of an additional/random element never dawned on me. Thanks for sharing. :) Of course, Adobe, this is a hack and backward-compat should be fixed.

    Thanks,
    -Aaron
