Tuesday, February 28, 2012

New & Improved CFLogin



With ColdFusion 10, cflogin is improved and more secure. In particular, the authorization cookie associated with cflogin when loginstorage="cookie" is much more secure.

The Authorization cookie:
·         Is set to have a short time to live.
·         Now expires by default on browser close; this can be configured using the cookie settings discussed before.
·         Is set HttpOnly by default for the CF Administrator console. For other applications, there is a provision to configure this.
There are, however, some behavioral changes:

·         Now only one active session can be open per user for a given application that uses <cflogin>.
o   Example: The Administrator console can now be accessed by only one user at a time for a given UserID and password.
·         In a clustered environment, if sticky sessions are not enabled, cflogin does not persist: on each request there is a need to log in again. To fix this:
o   Distributed caching should be enabled for authcache in <cf-home>/lib/auth-ehcache.xml.
o   Cache replication should be enabled for the nodes of the cluster.
·         To enable long-lived logins or "remember me" type functionality:
o   Increase authcookie.timeout to a large enough number in Application.cfc/cfm.
o   Make the cache persistent by updating the configuration in auth-ehcache.xml.

Sample auth-ehcache.xml with distributed caching enabled using RMI replication:

Note: the "cacheManagerPeerListenerFactory" port should be unique for each node in the cluster.

Note: Elements in this cache have an idle timeout equal to the session timeout specified at the Application level or at the server level.
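The following auth-ehcache.xml fragment is an added illustration, not the file shipped with ColdFusion, of what the two cluster fixes above look like together: the authcache cache replicated between two nodes over RMI, with disk persistence for the remember-me case. The host names node1/node2, the listener ports, the diskStore path and the 1800-second idle timeout are assumed values to be adjusted per environment.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative auth-ehcache.xml for node1 of a two-node cluster.
     node1/node2, ports and paths are assumed; adjust for your setup. -->
<ehcache xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:noNamespaceSchemaLocation="ehcache.xsd">

  <!-- Only required for the persistent (remember-me) variant below. -->
  <diskStore path="java.io.tmpdir/cfauthcache"/>

  <!-- Peer discovery: node1 lists the authcache published by node2.
       On node2 the rmiUrls entry points back at node1 instead. -->
  <cacheManagerPeerProviderFactory
      class="net.sf.ehcache.distribution.RMICacheManagerPeerProviderFactory"
      properties="peerDiscovery=manual,rmiUrls=//node2:40001/authcache"/>

  <!-- Listener for incoming replication traffic. The port must be
       unique per node (here 40001 on node1; use e.g. 40002 on node2). -->
  <cacheManagerPeerListenerFactory
      class="net.sf.ehcache.distribution.RMICacheManagerPeerListenerFactory"
      properties="hostName=node1,port=40001,socketTimeoutMillis=2000"/>

  <!-- timeToIdleSeconds should match the session timeout (1800 s assumed);
       timeToLiveSeconds=0 means no absolute expiry, so idle time governs.
       overflowToDisk + diskPersistent keep logins across a restart. -->
  <cache name="authcache"
         maxElementsInMemory="10000"
         eternal="false"
         timeToIdleSeconds="1800"
         timeToLiveSeconds="0"
         overflowToDisk="true"
         diskPersistent="true">
    <!-- Replicate logins and logouts to the peer so a request routed to
         the other node still sees (or no longer sees) the session. -->
    <cacheEventListenerFactory
        class="net.sf.ehcache.distribution.RMICacheReplicatorFactory"
        properties="replicateAsynchronously=true,replicatePuts=true,replicateUpdates=true,replicateUpdatesViaCopy=true,replicateRemovals=true"/>
  </cache>
</ehcache>
```

Removals are replicated deliberately: without replicateRemovals=true a logout on one node would leave the login valid on the other until it idled out.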

Further information on ehcache configuration can be found here.
