Tuesday, February 28, 2012

New & Improved CFLogin

With ColdFusion 10, cflogin is improved and more secure. The Authorization cookie associated with cflogin for loginstorage="cookie" is much more secure.

The Authorization cookie:
· Is set to have a short time to live.
· Now expires by default on browser close; this can be configured using the cookie settings discussed before.
· Is set to HttpOnly by default for the CF admin console. For other applications, there is a provision to configure it.

There are, however, some behavioral changes:

· Now only one active session can be open for one user for a given application that uses <cflogin>.
o Example: the Administrator console can now be accessed by only one user at a time with a given set of UserID and password.
o Note: for “cacheManagerPeerListenerFactory”, the port should be unique for each node in the cluster.

Sample auth-ehcache.xml with distributed caching enabled using RMI replication -

· In a clustered environment, if sticky sessions are not enabled, the cflogin does not persist, and a new login is needed on each request. To fix this:
o Distributed caching should be enabled for authcache in <cf-home>/lib/auth-ehcache.xml
· Cache replication should be enabled for the nodes of the cluster.
· To enable long-lived logins or "remember me" type functionality:
o Increase authcookie.timeout to a big enough number in Application.cfc/cfm
o Make the cache persistent by updating the configuration in auth-ehcache.xml

Note: Elements in this cache have an idle timeout equal to the session timeout specified at the application level or at the server level.
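As an added example (not from the original post or from Adobe), the following Python check reads each node's auth-ehcache.xml and flags the two cluster problems described above: a cacheManagerPeerListenerFactory port that is not unique per node, and an authcache with no replication. The embedded XML is a constructed sample using standard Ehcache 2.x RMI class names; the ports, multicast address, cache attributes and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample config: ports, multicast address and cache attributes are
# assumptions for illustration, not values shipped with ColdFusion.
NODE_TEMPLATE = """<ehcache>
  <cacheManagerPeerProviderFactory
      class="net.sf.ehcache.distribution.RMICacheManagerPeerProviderFactory"
      properties="peerDiscovery=automatic, multicastGroupAddress=230.0.0.1, multicastGroupPort=4446"/>
  <cacheManagerPeerListenerFactory
      class="net.sf.ehcache.distribution.RMICacheManagerPeerListenerFactory"
      properties="port={port}, socketTimeoutMillis=2000"/>
  <cache name="authcache" maxElementsInMemory="10000" eternal="false">
    {replicator}
  </cache>
</ehcache>"""
REPLICATOR = ('<cacheEventListenerFactory '
              'class="net.sf.ehcache.distribution.RMICacheReplicatorFactory"/>')

def parse_props(text):
    """Turn ehcache's 'k=v, k=v' properties string into a dict."""
    pairs = (p.split("=", 1) for p in (text or "").split(",") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def audit_cluster(configs):
    """configs maps node name -> auth-ehcache.xml text; returns sorted findings."""
    findings, ports = [], {}
    for node, xml_text in configs.items():
        root = ET.fromstring(xml_text)
        listener = root.find("cacheManagerPeerListenerFactory")
        props = parse_props(listener.get("properties")) if listener is not None else {}
        port = props.get("port")
        if port is None:
            findings.append(f"{node}: no RMI peer listener port configured")
        elif port in ports:
            findings.append(f"{node}: listener port {port} also used by {ports[port]}")
        else:
            ports[port] = node
        cache = root.find("cache[@name='authcache']")
        factories = cache.findall("cacheEventListenerFactory") if cache is not None else []
        if not any(f.get("class", "").endswith("RMICacheReplicatorFactory") for f in factories):
            findings.append(f"{node}: authcache has no RMI replicator configured")
    return sorted(findings)

if __name__ == "__main__":
    cluster = {"node1": NODE_TEMPLATE.format(port=40001, replicator=REPLICATOR),
               "node2": NODE_TEMPLATE.format(port=40001, replicator="")}
    for finding in audit_cluster(cluster):
        print(finding)
```
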

Information on ehcache configurations can be found here.



  1. Unfortunately I have found that your change to make cflogin use ehcache has caused a regression/bug in CF10.

    Ehcache is normally supposed to be a singleton class, but the way you have implemented it you are loading the default ehcache.xml first, then creating a new instance with auth-ehcache.xml. This is making the AuthCacheManager cache configuration the default; now any custom settings / custom caches in ehcache.xml are ignored. Even worse, when CF automatically adds default TEMPLATE and OBJECT caches they are going in the auth-ehcache cache manager. Even programmatic caches with CacheRegionNew() are going into the "auth" cacheManager.

    Here is the code to prove it:

    <cfoutput>#createObject("java", "net.sf.ehcache.CacheManager").getInstance().getName()#</cfoutput>

    This will show the default cache is "AuthCacheManager" and then do:

    To see that the "authcache" is mixed with TEMPLATE and OBJECT.

    Please email me back if you get this fixed.


  2. Hi Jordan,

    This is not listing default cache as "AuthCacheManager". There is no such cache from ColdFusion.

    Ehcache's CacheManager runs in 2 modes -
    1. Singleton
    2. Singleton per named configuration.

    In case you have some PoC of the same, do share. Also, please mention if you have upgraded ehcache for your server.

    Hope this helps.


  3. Hi Jordan,

    Is this related to your issue? https://bugbase.adobe.com/index.cfm?event=bug&id=3339491


  4. Ignoring best practices, is there a way to override this new characteristic???

    "only one active session can be open for one user for given application that uses "

    1. Hi Chad,

      Currently there is no way to override this behavior. One can however create multiple users for parallel active logged in sessions for a given application.


