Change in behavior CF9 to CF10 in user authentication associated with session
An application that allows a user to log in from multiple locations no longer works in ColdFusion 10. It seems that there is now a strict one-to-one relationship between a username and session. When userZ performs login from computerA, all the roles are stored correctly. If userZ performs login from computerB, all the roles are stored correctly. However, the authenticated session on computerA is no longer valid.
Steps to Reproduce:
Attached is a simple test case to show the problem. The same CFML application will allow simultaneous user sessions in ColdFusion 9; it will forbid concurrent authenticated users in ColdFusion 10.
My Hardware and Environment details:
I tried this in both ColdFusion 10 32-bit and ColdFusion 10 64-bit, both running in Tomcat containers. I compared this against a stock ColdFusion 9 multi-server installation in JRun.
|Found In Build|Final|
|Fixed In Build|284805|
3:56:42 PM GMT+00:00 May 10, 2013
Backwards compatibility issue. Nice feature to have if it's desired. Please make this an optional setting.
10:42:00 AM GMT+00:00 Mar 31, 2013
Please fix this. By default the cflocation tag appends CFIDE and CFTOKEN parameters which our users save into their bookmarks. Because ColdFusion isn't always smart enough to ignore those tokens when it should, the new system of only allowing a single login effectively logs our users out of their existing session when they access a bookmark. This is a MAJOR feature change and should've been announced somewhere. And it's a feature change for the worse. Please revert.
12:07:36 PM GMT+00:00 Dec 14, 2012
Our company has also been negatively impacted by this in our upgrade from CF8 to CF10. Please get a working remedy in place!
2:18:49 AM GMT+00:00 Oct 16, 2012
I vote for the behaviour to revert to that of ColdFusion 9. If the user cannot use 2 identical login credentials at the same time, then he won't be able to open distinct parts of a ColdFusion application on 2 separate machines. However, this is a use-case that occurs frequently.
7:32:18 PM GMT+00:00 Oct 15, 2012
I recently installed ColdFusion 10. When I log in from the first IE browser it logs me in, and when I try to log in from another IE browser it throws me out, saying there is an active session, which doesn't happen in CF9. I noticed that CFTOKEN is not generating a new token when I try to log in from the second browser.
5:50:33 AM GMT+00:00 Oct 8, 2012
Adobe used to boast that code written for CF4 would still run, and that backwards compatibility has always been the gold standard - it's why we can't fix array/struct loop constructions using index when they mean item apparently.
So this should be rolled back or changed to be off by default.
3:47:00 PM GMT+00:00 Oct 3, 2012
Vote must be between 25 and 4000 characters.. who cares.
6:10:08 PM GMT+00:00 Oct 2, 2012
It's as if you're pulling for your own platform to fail by bringing it back into the stone age. Fix this.
1:49:55 PM GMT+00:00 Oct 2, 2012
We use multiple and concurrent logins to test applications via server side. Restricting it to one single login just doesn't make any sense, yes?
12:19:35 AM GMT+00:00 Oct 2, 2012
+1, a large number of popular sites (including Facebook.com, Adobe.com, Wikipedia.org, etc) support concurrent logins. This feature is a must in today's multi-monitor, multi-device world.
11:09:57 PM GMT+00:00 Oct 1, 2012
+1. According to Shilpi on Twitter this is by design, but it's a major backwards compat issue. Needs to be modified so this behaviour is a) optional; b) off by default; c) not controlled at JVM level.
10:56:32 AM GMT+00:00 Sep 29, 2012
This is a major issue. I didn't see this change noted anywhere in CF10's documentation.