ColdFusion 8到ColdFusion 10迁移:CFloginUser不按预期工作 [英] ColdFusion 8 to ColdFusion 10 Migration: CFloginUser Not Working As Expected
问题描述
从CF8升级到CF10后,移动所有文件和数据库并跳过所有配置环节,新版本的网站已启动并正在运行,但身份验证/登录不起作用。
以下是环境:
旧服务器: ColdFusion Enterprise 8,0,1,195765
操作系统:Windows Vista *
操作系统版本:6.0
更新级别:.... hf801-00007.jar
IIS版本:7
< block系统信息说Windows Server 2008 Datacenter without Hyper-V)
新服务器:ColdFusion Enterprise 10,0,11,285437
Tomcat版本:7.0 .23.0
操作系统:Windows Server 2008 R2
操作系统版本:6.1
更新级别:.... chf10000011.jar
Adobe驱动程序版本:4.1(Build 0001)
IIS版本:7.5
我有一个非常标准的ColdFusion登录系统,使用 cfloginuser 在Application.cfc中。在我登录旧站点后,输出
#GetAuthUser()#
将我的用户名打印到屏幕,所有基于角色的规则都可以正常工作。
在新服务器上,输出GetAuthUser()将打印为空。
在旧站点上,
cfdump var = SESSION#
包括:cfauthorization_kllcms dXNlcm5hbWU6cGFzc3dvcmQ6YXBwX25hbWU =
在新网站上,会话的
CFDUMP
不会显示cfauthorization_kllcms
。所有其他会话值都存在于这两个实例中。
这是完全相同的代码库,数据库结构等。当然,我的基于角色的规则没有工作,依赖于对getAuthUser()和IsUserInRole(x)条件的验证。
我知道初始登录过程本身是工作,因为它正确设置会话变量与用户信息,并且可以在后续请求中使用。
任何想法可能改变了什么?
更新: Per Adam的建议(下面)我设置了2个测试应用程序,一个在旧服务器上,一个在新的。
旧服务器: http://cfloginold.cimhost.com/index.cfm
新服务器: http://cflogin.cimhost.com/index.cfm
使用test和demo982013作为用户和密码。
向注销的URL追加
?logout = true
并重新测试。这两个应用程序具有完全相同的代码,相同的数据库。我将转储会话和表单值到屏幕,以及GetAuthUser()
值。
身份验证方法与 Adobe的文档,如果需要,我可以在此处共享所有相关代码。
请注意,在新服务器中,无论您是否登录,表单都会在您每次访问页面时加载。这是示例性的
cflogin
会话没有被保留或识别,因此呈现每次访问的登录表单(虽然不是在初始表单完成,这表明cflogin是至少工作在初始登录,我想)。
更新2:
我一直在深入这个,并且我能够获得cfloginuser启动几种方式,只是不作为标准的一部分 Adobe文档化的基于应用程序的用户安全模型。
选项1:并在其中放置以下代码:
< cflogin>< cfloginuser name =directtestPassword =2519D6025B5191F754D01BE163972628roles =1>< / cflogin>
然后我指示Application.cfc允许过去
cflogin
gate。您可以将浏览器指向以下位置查看结果: http://cflogin.cimhost.com/ directlogin.cfm?bypass = true
Voila。 'cfauthorization_cicmstest'值已设置,并且用户已登录。对
GetAuthUser()
的后续调用成功。所以我知道现在CF10和应用程序确实允许cfloginuser,并且可以创建用户会话。
选项2:它是关于我的Application.cfc文件,所以我再次绕过
cflogin
门,并放置硬编码cfloginuser
snippet直接在我的Application.cfconRequestStart
函数。已登出并访问过: http://cflogin.cimhost.com/index。 cfm?bypass = true& noquery = true
同样,成功设置了
cfauthorization_cicmstest
用户已登录。
但是,如果
cfloginuser
指令在实际cflogin
进程。下面是该代码的样子:< cfquery name =loginQuerydataSource =mydatasource>
SELECT id,username,userroles
FROM myusertable
WHERE
username ='#cflogin.name#'
AND userpass ='#HASH(cflogin.password)# '
< / cfquery>
< cfif loginQuery.userroles NEQ>
< cfloginuser name =#cflogin.name#Password =#cflogin.password#roles =#loginQuery.userroles#>
< cfset MyMessage =#MyMessage#< br />登录查询触发并返回预期 - loginQuery.userroles NEQ>
< cfelse>
< CFSET MyMessage =您的登录信息无效。< a href ='index.cfm?logout = 1'>如果您的会话超时,请点击这里!< / a&
< cfinclude template =loginform.cfm>
< cfabort>
< / cfif>
我知道查询是成功的,因为我设置一个警告消息告诉我
loginquery.userroles
值不为空,这是处理cfloginuser
的条件。
我知道代码现在失败了,只是不是为什么。我试过硬编码
cfloginuser
值,它仍然失败。我不知道接下来要做什么。cfloginuser
功能工作,只是不在一个地方(在loginQuery.userroles
条件),我需要它工作。
更新3:
我的代码,我创建了2个测试网站,一个在旧的服务器,一个在新的服务器:
新服务器(CF10)= http://cf10loginadobe.cimhost.com/securitytest.cfm
旧服务器(CF8)= http://cf8loginadobe.cimhost.com/securitytest.cfm
我完全复制了基于应用程序的安全性示例中的Adobe的3个文件。我创建了一个数据库表及其模式和值。我添加了
cfdump
输出以显示正在创建的会话。
使用Bob 秘密。即使使用Adobe自己的代码,CF10上的测试也会失败。
我不知道接下来该做什么。重写应用程序以不使用
cfloginuser
不是一个选项,因为我们有十几个应用程序正在迁移到使用此认证模型的CF10,跨越数百个模板。 / p>
这有可能是IIS7.5如何处理ColdFusion请求的奇怪,但这似乎不太可能,因为成功实例化
cfloginuser $ c
ColdFusion 10基于应用程序的用户安全被破坏。
我已经部署了两个测试网站,使用 Adobe自己的基于应用程序的用户安全的示例代码,从Adobe网站完整复制。一个测试站点在ColdFusion 8中,一个是ColdFusion 10.代码和数据库在两个站点上是相同的。我添加了
cfdump
输出,以便在设置时监视会话变量和登录状态。
测试网站ColdFusion 8: http://cf8loginadobe.cimhost.com/securitytest.cfm p>
测试网站ColdFusion 10: http://cf10loginadobe.cimhost.com/securitytest.cfm
使用Bob用户和密码secret登录显示失败在CF10。最初显示登录成功,但请注意会话的
cfdump
不显示cfauthorization_orders
在CF10中的值,其中在CF8中的值是存在的。
在CF8中,登录后对同一网址的后续访问会正确保留登录用户状态,不显示登录表单。在CF10中,实际上没有为用户创建会话,因此对同一网址的后续访问会提示重新登录。
我已经彻底测试过了, code> cflogin 逻辑并强制
cfloginuser
,它在CF10中成功创建一个经过身份验证的用户,证明cfloginuser
。
看来,CF10处理Application.cfc中的
解决方法:我使用的不重要的解决方法包括重新创建OnRequestStart
函数,cfloginuser code>会话实例化在Application.cfc中的后续
OnRequest
函数中。代码如下:< cffunction name =onRequest>
< cfargument name =targetPagetype =Stringrequired = true />
< cfinclude template =#Arguments.targetPage#>
< cfif IsDefined(loginQuery)>
< cfif loginQuery.userroles NEQ>
< cflogin>< cfloginuser name =#loginQuery.username#Password =#loginQuery.userpass#roles =#loginQuery.userroles#>< / cflogin>
< / cfif>
< / cfif>
< / cffunction>
如果尝试登录
OnRequestStart
,我利用该请求的结果,检查它是否有效(loginQuery.userroles NEQ
),然后实例化验证的会话。有一个缺点,用户必须点击一个新的页面,登录选项才会出现。在请求另一个页面加载之前,不会满足GetAuthUser()
测试。
cfc没有显示此方法的任何替代方法。
After upgrading from CF8 to CF10, moving all files and databases and jumping through all the configuration hoops, the new version of the site is up and running, but the authentication/login is not working.
Here are the environments:
Old server: ColdFusion Enterprise 8,0,1,195765
Operating System: Windows Vista*
OS Version: 6.0
Update Level: .... hf801-00007.jar
IIS Version: 7
(*not sure where that "Vista" comes from? The System Information says "Windows Server 2008 Datacenter without Hyper-V")
New server: ColdFusion Enterprise 10,0,11,285437
Tomcat Version: 7.0.23.0
Operating System: Windows Server 2008 R2
OS Version: 6.1
Update Level: .... chf10000011.jar
Adobe Driver Version: 4.1 (Build 0001)
IIS Version: 7.5
I have a pretty standard ColdFusion login system, using cfloginuser in Application.cfc. After I login on the old site, outputting
#GetAuthUser()#
prints my username to screen, and all my role-based rules work.On the new server, outputting GetAuthUser() prints empty.
On the old site,
cfdump var="#SESSION#"
includes:cfauthorization_kllcms dXNlcm5hbWU6cGFzc3dvcmQ6YXBwX25hbWU=
On the new site,
CFDUMP
of session does not show acfauthorization_kllcms
value at all. All other session values exist in both instances.It is the exact same codebase, database structures, etc. Naturally, none of my role-based rules work, because they all depend on validation of getAuthUser() and IsUserInRole("x") conditionals.
I know the initial login process itself is working, because it is correctly setting session variables with user information, and they are available on subsequent requests. But none of the traditional cflogin data is available on subsequent calls.
Any ideas what might have changed?
UPDATE: Per Adam's suggestion (below) I set up 2 test apps, one on the old server, one on the new.
Old Server: http://cfloginold.cimhost.com/index.cfm
New Server: http://cflogin.cimhost.com/index.cfm
Use "test" and "demo982013" as user and password.
Append
?logout=true
to the URL to logout and re-test. These two apps have exactly the same code, same database. I am dumping session and form values to screen, along withGetAuthUser()
value.The authentication method is pretty much exactly as outlined in Adobe's documentation, and I can share all relevant code here if necessary.
Note that in the "new" server, the form loads each time you visit the page, whether you have logged in or not. This is exemplar of the fact that the
cflogin
session is not being retained or recognized, thus presenting the login form each visit (although not on initial form completion, which shows that cflogin is at least working on the initial login, I think).UPDATE 2: I've been drilling deeper into this, and I am able to get cfloginuser to fire a couple of ways, just not as part of the standard Adobe documented application-based user security model.
Option 1: I created a standalone page, and placed the following code in it:
<cflogin><cfloginuser name="directtest" Password = "2519D6025B5191F754D01BE163972628" roles="1"></cflogin>
I then instructed Application.cfc to allow this past the
cflogin
gate. You can see the results by pointing your browser to: http://cflogin.cimhost.com/directlogin.cfm?bypass=trueVoila. 'cfauthorization_cicmstest' value has been set, and user is logged in. Subsequent calls to
GetAuthUser()
are successful. So I know now that CF10 and the application do allow cfloginuser, and the user session can be created.Option 2: I then decided maybe it was something about my Application.cfc file, so I again bypassed the
cflogin
gate, and placed the hard-codedcfloginuser
snippet directly in my Application.cfconRequestStart
function. Logged out and visited: http://cflogin.cimhost.com/index.cfm?bypass=true&noquery=trueAgain,
cfauthorization_cicmstest
value was successfully set, and user is logged in.However, logging in still fails if the
cfloginuser
directive is fired within the actualcflogin
process in Application.cfc. Here is what that code looks like:<cfquery name="loginQuery" dataSource="mydatasource"> SELECT id,username, userroles FROM myusertable WHERE username = '#cflogin.name#' AND userpass = '#HASH(cflogin.password)#' </cfquery> <cfif loginQuery.userroles NEQ ""> <cfloginuser name="#cflogin.name#" Password="#cflogin.password#" roles="#loginQuery.userroles#"> <cfset MyMessage = "#MyMessage#<br />The Login Query fired and returned expected - loginQuery.userroles NEQ ''"> <cfelse> <CFSET MyMessage = "Your login information is not valid. <a href='index.cfm?logout=1'>If your session timed out, click here!</a>"> <cfinclude template="loginform.cfm"> <cfabort> </cfif>
I know that the query is successful, because I am setting an alert message that tells me the
loginquery.userroles
value was not empty, which is the condition for processingcfloginuser
.I know where the code is failing now, just not why. I've tried hard coding that
cfloginuser
value, and it still fails. I'm at a loss as to what to try next. Thecfloginuser
functionality works, just not in the one place (within theloginQuery.userroles
conditional) that I need it to work.UPDATE 3:
Just to prove to myself it wasn't my code, I created 2 more test sites, one on the old server, one on the new server:
New Server (CF10) = http://cf10loginadobe.cimhost.com/securitytest.cfm
Old Server (CF8) = http://cf8loginadobe.cimhost.com/securitytest.cfm
I copied exactly Adobe's 3 files from their Application-based security example. I created a database table with their schema and values. I added my
cfdump
outputs to show the sessions being created.Test with user of "Bob" and password of "secret". Even with Adobe's own code, the tests fail on CF10.
I'm not sure what to do next. Rewriting the application to not use
cfloginuser
is not an option, as we have more than a dozen applications we are migrating to CF10 that use this authentication model, across hundreds of templates.It's possible it's something weird about how IIS7.5 is handling ColdFusion requests, but that seems unlikely given the ability to successfully instantiate
cfloginuser
outside of the query result conditional.解决方案ColdFusion 10 Application Based User Security Is Broken
I have deployed two test sites, using Adobe's own example code for application based user security, copied in its entirety from the Adobe website. One test site is in ColdFusion 8, one is ColdFusion 10. The code and databases are identical on both sites. I added
cfdump
output to monitor session variables and login status as they are set.Test Site ColdFusion 8: http://cf8loginadobe.cimhost.com/securitytest.cfm
Test Site ColdFusion 10: http://cf10loginadobe.cimhost.com/securitytest.cfm
Logging in using a user of "Bob" and password of "secret" demonstrates the failure in CF10. Initially it appears login was successful, but note that the
cfdump
of the session does not show acfauthorization_orders
value in CF10, where in CF8 the value is present.In CF8 subsequent visits to the same URL after login correctly retain the logged in user status and do not present the login form. In CF10, no session was actually created for the user, and therefore subsequent visits to the same URL prompt for login again.
I have tested this thoroughly, including bypassing the
cflogin
logic and forcingcfloginuser
, which successfully creates an authenticated user in CF10, demonstrating thatcfloginuser
is supported.It appears to me there is something about CF10's handling of the
OnRequestStart
function in Application.cfc that creates and then immediately kills the user session.Workaround: The inelegant workaround I am using involves re-creating the
cfloginuser
session instantiation in a subsequentOnRequest
function in Application.cfc. The code is as follows:<cffunction name="onRequest"> <cfargument name = "targetPage" type="String" required=true/> <cfinclude template=#Arguments.targetPage#> <cfif IsDefined("loginQuery")> <cfif loginQuery.userroles NEQ ""> <cflogin><cfloginuser name="#loginQuery.username#" Password = "#loginQuery.userpass#" roles="#loginQuery.userroles#"></cflogin> </cfif> </cfif> </cffunction>
If there was an attempt to login in the
OnRequestStart
, I leverage the results of that request, check if it was valid (loginQuery.userroles NEQ ""
), and then instantiate the authenticated session. There is a downside in that users have to click to a new page for logged in options to appear. TheGetAuthUser()
test is not met until another page load is requested.Extensive testing of alternatives within Application.cfc did not reveal any alternative to this approach.
这篇关于ColdFusion 8到ColdFusion 10迁移:CFloginUser不按预期工作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!