In CF10, my login was not working properly as it was in CF9.
Session variables I set were 'unset' every time a new page was called, as well as the GetAuthUser.
To troubleshoot the problem, I found some unexpected behavioral change from CF9.
In case it's pertinent, I am using ORM.
In my application.cfc, I had:
this.sessionManagement = "true";
this.sessionTimeout = CreateTimeSpan(0,0,30,0);
this.loginStorage = "Session";
this.setClientCookies = false;
In the onSessionStart function, I had:
<cfset Session.isLoggedIn = 0/>
<cfset Session.username = ""/>
<cfset Session.email = ""/>
<cfset Session.termsAccept = 0/>
In the onRequestStart function, I had:
<cfif Session.isLoggedIn eq 0>
<cfif FindNoCase("Login",requestedPage) eq 0 and FindNoCase("Index",requestedPage) eq 0>
<cfinclude template="userInterface/session/login/Login-V.cfm">
</cfif>
</cfif>
Even after a valid login, I always got the login page.
Dumping the Session variables, they were always set to Application.cfc values at the beginning, and always set to the correct values from Login at the end.
Login-V.cfm posts to Login-CM.cfm, which after validating the user credentials has the code:
<cflock scope="Session" timeout="20" type="Exclusive">
<cfset Session.isLoggedIn = 1/>
<cfset Session.username = "#appUserObj.getUsername()#"/>
<cfset Session.email = "#appUserObj.getEmail()#"/>
<cfset Session.termsAccept = "#appUserObj.getTermsAccept()#"/>
</cflock>
<cflogin>
<cfloginuser name = "#appUserObj.getUsername()#"
password = "#appUserObj.getPassword()#"
roles= "#appUserObj.getUserAccessData().getRoles()#"/>
</cflogin>
So, I changed onRequestStart to just dump the session variables.
Going into the Login-V.cfm initially, the onRequestStart dump gave me this:
email | [empty string]
isloggedin | 0
sessionid | SPNEW2_3477_95978872
termsaccept | 0
username | [empty string]
After a successful post to Login-CM.cfm, setting session variables and cfloginuser,
a session dump gave me this:
email | testing@meltech.com
isloggedin | 1
sessionid | SPNEW2_3477_95978872
termsaccept | 1
username | testing
and getAuthUser() = testing
I do a cflocation to userInterface/portal/Portal-V.cfm.
Going into that, the onRequestStart dump gave me this:
email | [empty string]
isloggedin | 0
sessionid | SPNEW2_3479_18042427
termsaccept | 0
username | [empty string]
A completely different session!
I finally was able to work around the problem by changing the Application.cfc to
this.loginStorage = "cookie";
Sessions were maintained.
What's up with this? I don't recall seeing anything in the CF10 security release notes about sessions changing between request pages when you use session for login storage.
This is problematic for me, as I don't want to use cookies!
Any ideas?
Edited -
Also, the onSessionStart where I increment the sessions appears to be request-based rather than session-based.
onSessionStart also has:
<cflock scope="Application" throwontimeout="yes" timeout="7" type="Exclusive">
<cfset Application.currentsessions = Application.currentsessions + 1>
</cflock>
So, I start with currentsessions = 0 (new application start).
After Login-V, Login-CM and Portal-V, I have currentsessions = 3 instead of 1.
I am completely confused now as to when these events are firing.
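A diagnostic Application.cfc, added here as an example and not the poster's own file, that logs on every request whether the browser actually presented CFID/CFTOKEN (as cookies or as URL parameters) next to the session id, the session counter and GetAuthUser(); the application name and log file name are assumed. It rests on the assumption that with setClientCookies = false and no token carried on the URL, the server receives no session identifier at all and therefore starts a fresh session (firing onSessionStart) on each request, which would match both the changing sessionid and a counter of 3 after three pages.

```cfml
<!--- Application.cfc: diagnostic version (example, not the original poster's file). --->
<cfcomponent output="false">
    <cfset this.name = "sessionDiag"> <!--- assumed application name --->
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = CreateTimeSpan(0, 0, 30, 0)>
    <cfset this.loginStorage = "session">
    <!--- Setting under investigation: no CFID/CFTOKEN cookies are sent to the browser,
          so the browser can only identify its session if the token travels on the URL. --->
    <cfset this.setClientCookies = false>

    <cffunction name="onApplicationStart" returntype="boolean">
        <cfset Application.currentSessions = 0>
        <cfreturn true>
    </cffunction>

    <cffunction name="onSessionStart" returntype="void">
        <cflock scope="application" type="exclusive" timeout="7" throwontimeout="true">
            <cfset Application.currentSessions = Application.currentSessions + 1>
        </cflock>
        <cfset Session.isLoggedIn = 0>
        <cfset Session.username = "">
        <cfset Session.email = "">
        <cfset Session.termsAccept = 0>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var viaCookie = StructKeyExists(cookie, "CFID") and StructKeyExists(cookie, "CFTOKEN")>
        <cfset var viaUrl = StructKeyExists(url, "CFID") and StructKeyExists(url, "CFTOKEN")>
        <!--- One log line per request: if viaCookie and viaUrl are both false while
              sessionid changes and currentSessions climbs, the server never received a
              session identifier and treated the request as a brand-new session. --->
        <cflog file="sessionDiag"
               text="page=#arguments.targetPage# sessionid=#Session.sessionid# tokenInCookie=#viaCookie# tokenInUrl=#viaUrl# sessions=#Application.currentSessions# authUser=#GetAuthUser()#">
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

In a cookieless configuration every link and cflocation has to carry the token itself (cflocation addtoken="yes", URLSessionFormat()), and a session token on the URL is exposed in browser history, Referer headers and server logs, which is the trade-off behind the cookie-based default.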