ColdFusion 8到ColdFusion 10迁移：CFloginUser不按预期工作 [英] ColdFusion 8 to ColdFusion 10 Migration: CFloginUser Not Working As Expected

问题描述

从CF8升级到CF10后，移动所有文件和数据库并跳过所有配置环节，新版本的网站已启动并正在运行，但身份验证/登录不起作用。

以下是环境：

旧服务器： ColdFusion Enterprise 8,0,1,195765

操作系统：Windows Vista *

操作系统版本：6.0

更新级别：.... hf801-00007.jar

IIS版本：7

< block系统信息说Windows Server 2008 Datacenter without Hyper-V）

新服务器：ColdFusion Enterprise 10,0,11,285437

Tomcat版本：7.0 .23.0

操作系统：Windows Server 2008 R2

操作系统版本：6.1

更新级别：.... chf10000011.jar

Adob​​e驱动程序版本：4.1（Build 0001）

IIS版本：7.5

我有一个非常标准的ColdFusion登录系统，使用 cfloginuser 在Application.cfc中。在我登录旧站点后，输出 #GetAuthUser（）＃将我的用户名打印到屏幕，所有基于角色的规则都可以正常工作。

在新服务器上，输出GetAuthUser（）将打印为空。

在旧站点上， cfdump var = SESSION＃包括：

  cfauthorization_kllcms dXNlcm5hbWU6cGFzc3dvcmQ6YXBwX25hbWU = 
  

在新网站上，会话的 CFDUMP 不会显示 cfauthorization_kllcms 。所有其他会话值都存在于这两个实例中。

这是完全相同的代码库，数据库结构等。当然，我的基于角色的规则没有工作，依赖于对getAuthUser（）和IsUserInRole（x）条件的验证。

我知道初始登录过程本身是工作，因为它正确设置会话变量与用户信息，并且可以在后续请求中使用。

任何想法可能改变了什么？

更新： Per Adam的建议（下面）我设置了2个测试应用程序，一个在旧服务器上，一个在新的。

旧服务器： http://cfloginold.cimhost.com/index.cfm

新服务器： http://cflogin.cimhost.com/index.cfm

使用test和demo982013​​作为用户和密码。

向注销的URL追加？logout = true 并重新测试。这两个应用程序具有完全相同的代码，相同的数据库。我将转储会话和表单值到屏幕，以及 GetAuthUser（）值。

身份验证方法与 Adob​​e的文档，如果需要，我可以在此处共享所有相关代码。

请注意，在新服务器中，无论您是否登录，表单都会在您每次访问页面时加载。这是示例性的 cflogin 会话没有被保留或识别，因此呈现每次访问的登录表单（虽然不是在初始表单完成，这表明cflogin是至少工作在初始登录，我想）。

更新2：
我一直在深入这个，并且我能够获得cfloginuser启动几种方式，只是不作为标准的一部分 Adob​​e文档化的基于应用程序的用户安全模型。

选项1：并在其中放置以下代码：

 < cflogin>< cfloginuser name =directtestPassword =2519D6025B5191F754D01BE163972628roles =1>< / cflogin> 
  

然后我指示Application.cfc允许过去 cflogin gate。您可以将浏览器指向以下位置查看结果： http://cflogin.cimhost.com/ directlogin.cfm？bypass = true

Voila。 'cfauthorization_cicmstest'值已设置，并且用户已登录。对 GetAuthUser（）的后续调用成功。所以我知道现在CF10和应用程序确实允许cfloginuser，并且可以创建用户会话。

选项2：它是关于我的Application.cfc文件，所以我再次绕过 cflogin 门，并放置硬编码 cfloginuser snippet直接在我的Application.cfc onRequestStart 函数。已登出并访问过： http://cflogin.cimhost.com/index。 cfm？bypass = true& noquery = true

同样，成功设置了 cfauthorization_cicmstest 用户已登录。

但是，如果 cfloginuser 指令在实际 cflogin 进程。下面是该代码的样子：

 < cfquery name =loginQuerydataSource =mydatasource> 
 SELECT id，username，userroles 
 FROM myusertable 
 WHERE 
 username ='＃cflogin.name＃'
 AND userpass ='#HASH（cflogin.password）＃ '
< / cfquery> 
< cfif loginQuery.userroles NEQ> 
< cfloginuser name =＃cflogin.name＃Password =＃cflogin.password＃roles =＃loginQuery.userroles＃> 
< cfset MyMessage =＃MyMessage＃< br />登录查询触发并返回预期 -  loginQuery.userroles NEQ> 
 
< cfelse> 
< CFSET MyMessage =您的登录信息无效。< a href ='index.cfm？logout = 1'>如果您的会话超时，请点击这里！< / a& 
< cfinclude template =loginform.cfm> 
< cfabort> 
< / cfif> 
  

我知道查询是成功的，因为我设置一个警告消息告诉我 loginquery.userroles 值不为空，这是处理 cfloginuser 的条件。

我知道代码现在失败了，只是不是为什么。我试过硬编码 cfloginuser 值，它仍然失败。我不知道接下来要做什么。 cfloginuser 功能工作，只是不在一个地方（在 loginQuery.userroles 条件），我需要它工作。

更新3：

我的代码，我创建了2个测试网站，一个在旧的服务器，一个在新的服务器：

新服务器（CF10）= http://cf10loginadobe.cimhost.com/securitytest.cfm

旧服务器（CF8）= http://cf8loginadobe.cimhost.com/securitytest.cfm

我完全复制了基于应用程序的安全性示例中的Adobe的3个文件。我创建了一个数据库表及其模式和值。我添加了 cfdump 输出以显示正在创建的会话。

使用Bob 秘密。即使使用Adobe自己的代码，CF10上的测试也会失败。

我不知道接下来该做什么。重写应用程序以不使用 cfloginuser 不是一个选项，因为我们有十几个应用程序正在迁移到使用此认证模型的CF10，跨越数百个模板。 / p>

这有可能是IIS7.5如何处理ColdFusion请求的奇怪，但这似乎不太可能，因为成功实例化 cfloginuser ColdFusion 10基于应用程序的用户安全被破坏。

我已经部署了两个测试网站，使用 Adob​​e自己的基于应用程序的用户安全的示例代码，从Adobe网站完整复制。一个测试站点在ColdFusion 8中，一个是ColdFusion 10.代码和数据库在两个站点上是相同的。我添加了 cfdump 输出，以便在设置时监视会话变量和登录状态。

测试网站ColdFusion 8： http://cf8loginadobe.cimhost.com/securitytest.cfm p>

测试网站ColdFusion 10： http://cf10loginadobe.cimhost.com/securitytest.cfm

使用Bob用户和密码secret登录显示失败在CF10。最初显示登录成功，但请注意会话的 cfdump 不显示 cfauthorization_orders 在CF10中的值，其中在CF8中的值是存在的。

在CF8中，登录后对同一网址的后续访问会正确保留登录用户状态，不显示登录表单。在CF10中，实际上没有为用户创建会话，因此对同一网址的后续访问会提示重新登录。

我已经彻底测试过了， code> cflogin 逻辑并强制 cfloginuser ，它在CF10中成功创建一个经过身份验证的用户，证明 cfloginuser 。

看来，CF10处理Application.cfc中的 OnRequestStart 函数，

解决方法：我使用的不重要的解决方法包括重新创建 cfloginuser code>会话实例化在Application.cfc中的后续 OnRequest 函数中。代码如下：

 < cffunction name =onRequest> 
< cfargument name =targetPagetype =Stringrequired = true /> 
< cfinclude template =＃Arguments.targetPage＃> 
 
< cfif IsDefined（loginQuery）> 
< cfif loginQuery.userroles NEQ> 
< cflogin>< cfloginuser name =＃loginQuery.username＃Password =＃loginQuery.userpass＃roles =＃loginQuery.userroles＃>< / cflogin> 
< / cfif> 
< / cfif> 
 
< / cffunction> 
  

如果尝试登录 OnRequestStart ，我利用该请求的结果，检查它是否有效（ loginQuery.userroles NEQ），然后实例化验证的会话。有一个缺点，用户必须点击一个新的页面，登录选项才会出现。在请求另一个页面加载之前，不会满足 GetAuthUser（）测试。

cfc没有显示此方法的任何替代方法。

After upgrading from CF8 to CF10, moving all files and databases and jumping through all the configuration hoops, the new version of the site is up and running, but the authentication/login is not working.

Here are the environments:

Old server: ColdFusion Enterprise 8,0,1,195765

Operating System: Windows Vista*

OS Version: 6.0

Update Level: .... hf801-00007.jar

IIS Version: 7

(*not sure where that "Vista" comes from? The System Information says "Windows Server 2008 Datacenter without Hyper-V")

New server: ColdFusion Enterprise 10,0,11,285437

Tomcat Version: 7.0.23.0

Operating System: Windows Server 2008 R2

OS Version: 6.1

Update Level: .... chf10000011.jar

Adobe Driver Version: 4.1 (Build 0001)

IIS Version: 7.5

I have a pretty standard ColdFusion login system, using cfloginuser in Application.cfc. After I login on the old site, outputting #GetAuthUser()# prints my username to screen, and all my role-based rules work.

On the new server, outputting GetAuthUser() prints empty.

On the old site, cfdump var="#SESSION#" includes:

cfauthorization_kllcms dXNlcm5hbWU6cGFzc3dvcmQ6YXBwX25hbWU= 

On the new site, CFDUMP of session does not show a cfauthorization_kllcms value at all. All other session values exist in both instances.

It is the exact same codebase, database structures, etc. Naturally, none of my role-based rules work, because they all depend on validation of getAuthUser() and IsUserInRole("x") conditionals.

I know the initial login process itself is working, because it is correctly setting session variables with user information, and they are available on subsequent requests. But none of the traditional cflogin data is available on subsequent calls.

Any ideas what might have changed?

UPDATE: Per Adam's suggestion (below) I set up 2 test apps, one on the old server, one on the new.

Old Server: http://cfloginold.cimhost.com/index.cfm

New Server: http://cflogin.cimhost.com/index.cfm

Use "test" and "demo982013" as user and password.

Append ?logout=true to the URL to logout and re-test. These two apps have exactly the same code, same database. I am dumping session and form values to screen, along with GetAuthUser() value.

The authentication method is pretty much exactly as outlined in Adobe's documentation, and I can share all relevant code here if necessary.

Note that in the "new" server, the form loads each time you visit the page, whether you have logged in or not. This is exemplar of the fact that the cflogin session is not being retained or recognized, thus presenting the login form each visit (although not on initial form completion, which shows that cflogin is at least working on the initial login, I think).

UPDATE 2: I've been drilling deeper into this, and I am able to get cfloginuser to fire a couple of ways, just not as part of the standard Adobe documented application-based user security model.

Option 1: I created a standalone page, and placed the following code in it:

<cflogin><cfloginuser name="directtest" Password = "2519D6025B5191F754D01BE163972628" roles="1"></cflogin>

I then instructed Application.cfc to allow this past the cflogin gate. You can see the results by pointing your browser to: http://cflogin.cimhost.com/directlogin.cfm?bypass=true

Voila. 'cfauthorization_cicmstest' value has been set, and user is logged in. Subsequent calls to GetAuthUser() are successful. So I know now that CF10 and the application do allow cfloginuser, and the user session can be created.

Option 2: I then decided maybe it was something about my Application.cfc file, so I again bypassed the cflogin gate, and placed the hard-coded cfloginuser snippet directly in my Application.cfc onRequestStart function. Logged out and visited: http://cflogin.cimhost.com/index.cfm?bypass=true&noquery=true

Again, cfauthorization_cicmstest value was successfully set, and user is logged in.

However, logging in still fails if the cfloginuser directive is fired within the actual cflogin process in Application.cfc. Here is what that code looks like:

        <cfquery name="loginQuery" dataSource="mydatasource">
        SELECT id,username, userroles
        FROM myusertable
        WHERE
           username = '#cflogin.name#'
           AND userpass = '#HASH(cflogin.password)#'
        </cfquery>
        <cfif loginQuery.userroles NEQ "">
           <cfloginuser name="#cflogin.name#" Password="#cflogin.password#" roles="#loginQuery.userroles#">
           <cfset MyMessage = "#MyMessage#<br />The Login Query fired and returned expected - loginQuery.userroles NEQ ''">

        <cfelse>
           <CFSET MyMessage = "Your login information is not valid. <a href='index.cfm?logout=1'>If your session timed out, click here!</a>">   
           <cfinclude template="loginform.cfm">
           <cfabort>
        </cfif>

I know that the query is successful, because I am setting an alert message that tells me the loginquery.userroles value was not empty, which is the condition for processing cfloginuser.

I know where the code is failing now, just not why. I've tried hard coding that cfloginuser value, and it still fails. I'm at a loss as to what to try next. The cfloginuser functionality works, just not in the one place (within the loginQuery.userroles conditional) that I need it to work.

UPDATE 3:

Just to prove to myself it wasn't my code, I created 2 more test sites, one on the old server, one on the new server:

New Server (CF10) = http://cf10loginadobe.cimhost.com/securitytest.cfm

Old Server (CF8) = http://cf8loginadobe.cimhost.com/securitytest.cfm

I copied exactly Adobe's 3 files from their Application-based security example. I created a database table with their schema and values. I added my cfdump outputs to show the sessions being created.

Test with user of "Bob" and password of "secret". Even with Adobe's own code, the tests fail on CF10.

I'm not sure what to do next. Rewriting the application to not use cfloginuser is not an option, as we have more than a dozen applications we are migrating to CF10 that use this authentication model, across hundreds of templates.

It's possible it's something weird about how IIS7.5 is handling ColdFusion requests, but that seems unlikely given the ability to successfully instantiate cfloginuser outside of the query result conditional.

解决方案

ColdFusion 10 Application Based User Security Is Broken

I have deployed two test sites, using Adobe's own example code for application based user security, copied in its entirety from the Adobe website. One test site is in ColdFusion 8, one is ColdFusion 10. The code and databases are identical on both sites. I added cfdump output to monitor session variables and login status as they are set.

Test Site ColdFusion 8: http://cf8loginadobe.cimhost.com/securitytest.cfm

Test Site ColdFusion 10: http://cf10loginadobe.cimhost.com/securitytest.cfm

Logging in using a user of "Bob" and password of "secret" demonstrates the failure in CF10. Initially it appears login was successful, but note that the cfdump of the session does not show a cfauthorization_orders value in CF10, where in CF8 the value is present.

In CF8 subsequent visits to the same URL after login correctly retain the logged in user status and do not present the login form. In CF10, no session was actually created for the user, and therefore subsequent visits to the same URL prompt for login again.

I have tested this thoroughly, including bypassing the cflogin logic and forcing cfloginuser, which successfully creates an authenticated user in CF10, demonstrating that cfloginuser is supported.

It appears to me there is something about CF10's handling of the OnRequestStart function in Application.cfc that creates and then immediately kills the user session.

Workaround: The inelegant workaround I am using involves re-creating the cfloginuser session instantiation in a subsequent OnRequest function in Application.cfc. The code is as follows:

<cffunction name="onRequest">
<cfargument name = "targetPage" type="String" required=true/>
<cfinclude template=#Arguments.targetPage#>

<cfif IsDefined("loginQuery")>
  <cfif loginQuery.userroles NEQ "">
    <cflogin><cfloginuser name="#loginQuery.username#" Password = "#loginQuery.userpass#" roles="#loginQuery.userroles#"></cflogin>
  </cfif>
</cfif>

</cffunction>

If there was an attempt to login in the OnRequestStart, I leverage the results of that request, check if it was valid (loginQuery.userroles NEQ ""), and then instantiate the authenticated session. There is a downside in that users have to click to a new page for logged in options to appear. The GetAuthUser() test is not met until another page load is requested.

Extensive testing of alternatives within Application.cfc did not reveal any alternative to this approach.

这篇关于ColdFusion 8到ColdFusion 10迁移：CFloginUser不按预期工作的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！