With ColdFusion 10, cflogin is improved and more secure. The authorization cookie associated with cflogin for loginstorage="cookie" is much more secure.

The authorization cookie:

- Is set to have a short time to live.
- Now expires by default on browser close, and this can be configured using the cookie settings discussed before.
- Is set to HttpOnly by default for the CF Administrator console. For other applications, there is a provision to configure this.
There are however some behavioral changes:

- Now only one active session can be open for one user for a given application that uses <cflogin>.
  - Example: the Administrator console can now be accessed by only one user at a time with a given UserID and password.
- In a clustered environment, if sticky sessions are not enabled, cflogin does not persist: on each request there is a need to log in again. To fix this:
  - Distributed caching should be enabled for authcache in <cf-home>/lib/auth-ehcache.xml.
  - Cache replication should be enabled for the nodes of the cluster.
  - Note: the port for "cacheManagerPeerListenerFactory" should be unique for each node in the cluster.
  - Sample auth-ehcache.xml with distributed caching enabled using RMI replication -
- To enable long lived logins or "remember me" type of functionality:
  - Increase authcookie.timeout to a big enough number in Application.cfc/cfm.
  - Make the cache persistent by updating the configuration in auth-ehcache.xml.

Note: elements in this cache have an idle timeout equal to the session timeout specified at the Application level or at the server level.
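As an added illustration (not the sample referred to in the post, and not Adobe's shipped configuration), the auth-ehcache.xml below shows what the cluster and "remember me" steps above amount to in ehcache 2.x terms: the authcache region with RMI replication, a peer listener whose port differs per node, and disk persistence so logins survive a restart. Host names, ports, cache size and the 30-minute idle timeout are assumed values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative auth-ehcache.xml for one node (node1) of a two-node cluster.
     Host names, ports and sizes below are assumed values, not ColdFusion defaults. -->
<ehcache updateCheck="false">

    <!-- Needed for diskPersistent="true" below (the "remember me" case). -->
    <diskStore path="java.io.tmpdir/cf-authcache"/>

    <!-- Manual peer discovery: list the OTHER node's authcache URL here. -->
    <cacheManagerPeerProviderFactory
        class="net.sf.ehcache.distribution.RMICacheManagerPeerProviderFactory"
        properties="peerDiscovery=manual,
                    rmiUrls=//node2.example.internal:40002/authcache"/>

    <!-- Listener for replication traffic from peers. The port must be unique
         per node in the cluster (node1 -> 40001, node2 -> 40002). -->
    <cacheManagerPeerListenerFactory
        class="net.sf.ehcache.distribution.RMICacheManagerPeerListenerFactory"
        properties="hostName=node1.example.internal,port=40001,socketTimeoutMillis=2000"/>

    <!-- timeToIdleSeconds mirrors the Application/server session timeout
         (30 minutes assumed here). Set diskPersistent="false" if logins
         should not survive a server restart. -->
    <cache name="authcache"
           maxElementsInMemory="10000"
           eternal="false"
           timeToIdleSeconds="1800"
           timeToLiveSeconds="0"
           overflowToDisk="true"
           diskPersistent="true"
           memoryStoreEvictionPolicy="LRU">

        <!-- Push puts/updates/removals to peers so a request that lands on
             another node still finds the login and is not asked to log in again. -->
        <cacheEventListenerFactory
            class="net.sf.ehcache.distribution.RMICacheReplicatorFactory"
            properties="replicateAsynchronously=true,
                        replicatePuts=true,
                        replicateUpdates=true,
                        replicateUpdatesViaCopy=true,
                        replicateRemovals=true"/>

        <!-- Pull existing entries from a peer when this node starts. -->
        <bootstrapCacheLoaderFactory
            class="net.sf.ehcache.distribution.RMIBootstrapCacheLoaderFactory"
            properties="bootstrapAsynchronously=true"/>
    </cache>
</ehcache>
```

Each node gets its own copy with hostName, port and rmiUrls swapped, and the replication port must be reachable between nodes (and only between nodes) in the firewall rules.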
More information on ehcache configuration can be found here.
Unfortunately I have found that your change to make cflogin use ehcache has caused a regression/bug in CF10.
Ehcache is normally supposed to be a singleton class, but the way you have implemented it you are loading the default ehcache.xml first, then creating a new instance with auth-ehcache.xml. This is making the AuthCacheManager cache configuration the default, so now any custom settings / custom caches in ehcache.xml are ignored. Even worse, when CF automatically adds default TEMPLATE and OBJECT caches they are going in the auth-ehcache cache manager. Even programmatic caches with CacheRegionNew() are going into the "auth" cacheManager.
Here is the code to prove it:
#createObject("java", "net.sf.ehcache.CacheManager").getInstance().getName()#
This will show the default cache is "AuthCacheManager" and then do:
To see that the "authcache" is mixed with TEMPLATE and OBJECT.
Please email me back if you get this fixed.
Jordan
Hi Jordan,
This is not listing the default cache as "AuthCacheManager". There is no such cache from ColdFusion.
Ehcache's CacheManager runs in 2 modes -
1. Singleton
2. Singleton per named configuration.
In case you have some PoC of the same, do share. Also please mention if you have upgraded ehcache for your server.
Hope this helps.
Shilpi
Hi Jordan,
Is this related to your issue? https://bugbase.adobe.com/index.cfm?event=bug&id=3339491
Thanks,
-Aaron
Ignoring best practices, is there a way to override this new characteristic???
"only one active session can be open for one user for given application that uses <cflogin>"
Hi Chad,
Currently there is no way to override this behavior. One can however create multiple users for parallel active logged-in sessions for a given application.
Thanks,
Shilpi