coldfusionJedi

<cfapplication name="goobercflogin" sessionManagement="true">

<cflogin>
	<cfloginuser name="ray2" password="ray" roles="admin">
</cflogin>
<cfoutput>#getAuthUser()#</cfoutput>

<cfif isUserInRole("admin")>
<p>
yes, admin role
</p>
</cfif>

<cfapplication name="goobercflogin2" sessionManagement="true" loginStorage="session">

<cflogin>
	<cfloginuser name="ray2" password="ray" roles="admin">
</cflogin>


<cfoutput>#getAuthUser()#</cfoutput>

<cfif isUserInRole("admin")>
<p>
yes, admin role
</p>
</cfif>

This entry was posted on Monday, November 27, 2006 at 4:50 PM. It was filed in the following categories: ColdFusion. It has been viewed 6,154 times and has 13 comments.

TweetBacks

Comments

[Add Comment] [Subscribe to Comments]

• Comment 1 written by Mark Fuqua on 27 November 2006, at 6:01 PM

  

  How are the roles stored in the first example?

• Comment 2 written by Joe Rinehart on 27 November 2006, at 7:35 PM

  

  Hey Ray,
  
  I've been dealing with this problem in Web Services for a while...the solution I used works well in Flex. I blogged it here:
  
  http://www.firemoss.com/blog/index.cfm?mode=entry&...

• Comment 3 written by Raymond Camden on 27 November 2006, at 8:59 PM

  

  Mark - a cookie.

• Comment 4 written by Meep on 28 November 2006, at 9:16 AM

  

  my coworker/boss have all used CF a lot longer than me (since version 2 whereas I started with 6 and slightly the end of 5). They all swear by custom login and security models vs cflogin. Most times they cite previous vulnerabilities and shortcomings of cflogin and the like.
  
  Just curious to everyone heres opinion on the matter since as I said I don't have a long CF background so I feel like its hard to discern things in the environment I'm in.

• Comment 5 written by Raymond Camden on 28 November 2006, at 9:56 AM

  

  Meep, listen to your coworkers. They are exactly right. I still use cflogin in all my apps - I just haven't had a chance to rip them out yet.

• Comment 6 written by TJ Downes on 28 November 2006, at 11:01 AM

  

  I've typically been a fan of cflogin because of it's ease of use. I have been using CF since 2.0 but did not start using CFLOGIN until about a year ago. Once I discovered how easy it was I was enthusiastic.
  
  Unfortunately over the last few months I discovered a couple of things which have changed my mind about CFLOGIN.
  
  First and foremost, CFLOGIN runs on every request. In a high-traffic environment this could cost you significanty.
  
  Secondly, there is a bug in Flash player that prevents file uploads from happening in Firefox (PC and Mac) and Safari when using CFFORM when the format is Flash. Technically this is an issue with Flash, not CFLOGIN. However, by avoiding the use of CFLOGIN altogether, I would not have encountered this issue. Now I am in a position of redesigning my entire security schema for a particular app because the majority of users using my tools are FF or Safari users.
  
  My advice: skip CFLOGIN.

• Comment 7 written by Sami Hoda on 28 November 2006, at 1:43 PM

  

  Ray,
  
  Maybe you and I can tag team on this one as an Enhancement Request/Bug entry for Scorpio. They seem to listen when more than one person complains. What do you think? I'd like to cflogin fixed rather than rip it out of my code as well.
  
  Sami

• Comment 8 written by James Edmunds on 29 November 2006, at 8:28 AM

  

  I fall into the camp of wishing CFLOGIN fixed rather than abandoned -- although this may prove nothing more than that I am lazy.

• Comment 9 written by Chris on 31 January 2008, at 9:30 AM

  

  Not terribly useful. How does cflogin know which table in your db to use for authentication? I can't believe the CF docs leave out this important detail...

• Comment 10 written by Raymond Camden on 31 January 2008, at 9:37 AM

  

  Um, it doesn't. CFLOGIN does not hit a database. CFLOGIN simply helps manage your login status. You may want to authenticate people against LDAP. You may want to authenticate people again values in a text file. Whatever. CFLOGIN leaves that up to you.

• Comment 11 written by Scott on 8 July 2008, at 4:42 PM

  

  I think the loginStorage="session" won't work because from what I understand session variables do not exist in Flex.

• Comment 12 written by Adam Bellas on 5 January 2009, at 9:35 PM

  

  I know CFLOGIN can be a royal pain, however I can't ignore the roles attribute on CFFUNCTION and how nice that wraps up all my API's into a ColdFusion security layer.
  
  We tried inventing a roll-you-own system to handle AJAX security and it's just not as easy and fast as the built in stuff. If you can stomach the CFLOGIN roller-coaster of woe, that is.

• Comment 13 written by Reinhard Jung on 17 November 2009, at 6:26 PM

  

  Thanx for the BlogEntry!

[Add Comment] [Subscribe to Comments]