ColdFusion 10.0  -  Feature 3339008

Created on Friday, September 28, 2012


Title

Change in behavior CF9 to CF10 in user authentication associated with session

Description

Problem Description:
An application that allows a user to login from multiple locations no longer works in ColdFusion 10. It seems that there is now a strict one-to-one relationship between a username and session. When userZ performs login from computerA, all the roles are stored correctly. If userZ performs login from computerB, all the roles are stored correctly. However, the authenticated session on computerA is no longer valid.

Steps to Reproduce:
Attached is a simple test case to show the problem. The same CFML application will allow simultaneous user sessions in ColdFusion 9; it will forbid concurrent authenticated users in ColdFusion 10.

Actual Result:

Expected Result:

Any Workarounds:

Test Configuration

My Hardware and Environment details:
I tried this in both ColdFusion 10 32-bit and ColdFusion 10 64-bit, both running in Tomcat containers. I compared this against a stock ColdFusion 9 multi-server installation in JRun.

App Language(s) English
OS Language(s) English
Platform(s) Win All
Browser(s) Browsers All

Notes (8)

  • itisdesign

    10:40:14 AM GMT+00:00 Feb 5, 2013

    For a non-JVM workaround, please see John Jarrard's post here: http://blogs.coldfusion.com/post.cfm/new-improved-cflogin

    Direct link: http://blogs.coldfusion.com/post.cfm/new-improved-cflogin#comment-B2D1646B-AD5C-C533-9FE6A522771C9AF5

    Of course, backward-compat is broken and still needs _properly_ fixed.

    Thanks,
    -Aaron

  • BKBK

    3:16:09 AM GMT+00:00 Nov 2, 2012

    The Java flag Hemant Khandelwal suggested doesn't seem to make any difference. I am on 64 bit Win 7 and CF10. I used IE9 and Firefox 16 to test.

    When I logged in in Firefox, the session I had created in IE using the same credentials was terminated. I went back to IE and logged in, again using the same credentials. That terminated the session in Firefox. This happened with or without the Java flag. Restarting the server didn't help.

  • itisdesign

    12:21:03 AM GMT+00:00 Oct 2, 2012

    These sites support concurrent logins:

    - yahoo.com
    - facebook.com
    - google.com
    - aol.com
    - msn.com
    - ebay.com
    - live.com
    - twitter.com
    - amazon.com
    - wikipedia.org
    - youtube.com
    - adobe.com
    - myspace.com

  • itisdesign

    12:16:50 AM GMT+00:00 Oct 2, 2012

    @JosephLamoree, thanks very much for logging this!

    @Sami, I recall we discussed concurrent logins before. Additionally, I've added comments on Shilpi's cflogin blog entry: http://blogs.coldfusion.com/post.cfm/new-improved-cflogin. I've also logged ER #3339701 detailing my idea for "a happy middle path" :)

    Thanks,
    -Aaron

  • JosephLamoree

    12:47:19 PM GMT+00:00 Oct 1, 2012

    Setting the coldfusion.session.protectfixation system property to false has no effect on the problem. I added some code to the demonstration application to set and retrieve values stored in the session scope. Upon one browser forcing another browser's authentication to be lost, the session remains intact for both browsers. The session ID generated by Tomcat does not change.

    We use ColdFusion configured to use J2EE sessions, however the problem exists regardless of whether this option is on or off.

    I can confirm that having the CFAUTHENTICATION data stored in a cookie vs. session makes no difference.

  • samihoda2

    7:39:42 AM GMT+00:00 Oct 1, 2012

    Hemant, we need to find a happy middle path.

    As an example, when doing automated QA testing, you often have Selenium or JMeter logging in multiple times, sometimes from multiple computers, running tests using a single login. Creating 20 different logins for a 20 simultaneous user test is harder to manage.

    This is also a concern if you have an app where users share logins.

    At the same time, addressing session fixation is definitely a concern.

    I would hate for it to be a binary choice... either you have the protection or you don't.

  • Hemant Khandelwal

    6:38:14 PM GMT+00:00 Sep 30, 2012

    By using the following flag -Dcoldfusion.session.protectfixation=false the behaviour can be reverted to CF9 behaviour. However, caution must be taken to ensure you have tested your application against session fixation vulnerability.
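    The thread above turns on two things that are logically separate: session-fixation protection (the property Hemant names, which is meant to stop an attacker-planted pre-login session ID from becoming the authenticated one) and a single-session-per-user rule (the behaviour the report complains about, where a second login for the same username drops the first machine's authentication while, as JosephLamoree observes, its session ID and session data stay intact). The model below is an added illustration written for this page, not ColdFusion's code and not a description of how coldfusion.session.protectfixation is implemented: it assumes the standard fixation mitigation of rotating the session ID at login, and keeps that switch independent of the concurrency rule so the "middle path" samihoda2 asks for can be expressed as one configuration. User, role and computer names are constructed.

```python
"""Model of two independent login policies (added example, not ColdFusion code).

protect_fixation       - rotate the session ID when authentication succeeds, so an
                         ID planted before login never becomes an authenticated one
                         (assumed meaning of the property; standard mitigation).
single_session_per_user - drop the authentication (not the session) of every other
                         session held by the same user, which is the CF10 behaviour
                         described in this report.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Session:
    session_id: str
    user: Optional[str] = None            # None until login succeeds
    roles: Set[str] = field(default_factory=set)
    data: dict = field(default_factory=dict)   # application session scope


class SessionStore:
    def __init__(self, protect_fixation: bool = True, single_session_per_user: bool = False):
        self.protect_fixation = protect_fixation
        self.single_session_per_user = single_session_per_user
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        """Create an unauthenticated session (what a first request would get)."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = Session(sid)
        return sid

    def login(self, sid: str, user: str, roles: Set[str]) -> str:
        """Authenticate session `sid`; return the ID the client must use from now on."""
        session = self._sessions[sid]
        if self.protect_fixation:
            # Rotate: retire the pre-login ID and move the session state to a fresh one,
            # so anyone who knew the old ID holds nothing authenticated.
            del self._sessions[sid]
            sid = secrets.token_hex(16)
            session.session_id = sid
            self._sessions[sid] = session
        if self.single_session_per_user:
            # Other sessions of this user lose authentication and roles only;
            # their session ID and session data survive, as observed in the report.
            for other in self._sessions.values():
                if other.user == user and other.session_id != sid:
                    other.user = None
                    other.roles.clear()
        session.user = user
        session.roles = set(roles)
        return sid

    def is_authenticated(self, sid: str) -> bool:
        s = self._sessions.get(sid)
        return s is not None and s.user is not None


def two_computer_login(protect_fixation: bool, single_session_per_user: bool) -> dict:
    """Re-run the report's scenario: 'userZ' logs in from computerA, then computerB."""
    store = SessionStore(protect_fixation, single_session_per_user)
    planted_a = store.new_session()                 # ID issued before login on computerA
    sid_a = store.login(planted_a, "userZ", {"admin"})
    sid_b = store.login(store.new_session(), "userZ", {"admin"})
    return {
        "computerA_still_authenticated": store.is_authenticated(sid_a),
        "computerB_authenticated": store.is_authenticated(sid_b),
        "pre_login_id_rejected": not store.is_authenticated(planted_a),
    }


if __name__ == "__main__":
    for label, flags in {"CF9-like": (False, False),
                         "reported CF10": (True, True),
                         "middle path": (True, False)}.items():
        print(label, two_computer_login(*flags))
```

Running the three configurations shows the point of the complaint: fixation protection alone (the "middle path") keeps both machines authenticated while still rejecting the pre-login ID, whereas the single-session rule is what logs computerA out, and turning fixation protection off to get concurrency back also gives up the ID rotation.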

  • samihoda2

    10:55:55 AM GMT+00:00 Sep 29, 2012

    This is a major issue!

Duplicate ID
Reported By JosephLamoree

Status

State Closed
Status Fixed
Reason

Importance

Priority 0-Unknown
Frequency All users will encounter
Failure Type Unspecified
Product Area Security

Build

Found In Build Final
Fixed In Build 284805

Attachments (1)

Votes (12)

  • A Martell

    3:56:42 PM GMT+00:00 May 10, 2013

    Backwards compatibility issue. Nice feature to have if it's desired. Please make this an optional setting.

  • Rafael Salomon

    10:42:00 AM GMT+00:00 Mar 31, 2013

    Please fix this. By default the cflocation tag appends CFIDE and CFTOKEN parameters which our users save into their bookmarks. Because ColdFusion isn't always smart enough to ignore those tokens when it should, the new system of only allowing a single login effectively logs our users out of their existing session when they access a bookmark. This is a MAJOR feature change and should've been announced somewhere. And it's a feature change for the worse. Please revert.

  • Josh_Souza_ViaWest

    12:07:36 PM GMT+00:00 Dec 14, 2012

    Our company has also been negatively impacted by this in our upgrade from CF8 to CF10. Please get a working remedy in place!

  • BKBK

    2:18:49 AM GMT+00:00 Oct 16, 2012

    I vote for the behaviour to revert to that of ColdFusion 9. If the user cannot use 2 identical login credentials at the same time, then he won't be able to open distinct parts of a ColdFusion application on 2 separate machines. However, this is a use-case that occurs frequently.

  • Mucharla Raja

    7:32:18 PM GMT+00:00 Oct 15, 2012

    I recently installed ColdFusion 10. When I login from the first IE browser it logs me in, and when I try to login from another IE browser it throws me out saying that there is an active session, which doesn't happen in CF9. I noticed that CFTOKEN is not generating a new token when I try to login from the second browser.

  • ChivertonT

    5:50:33 AM GMT+00:00 Oct 8, 2012

    Adobe used to boast that code written for CF4 would still run, and that backwards compatibility has always been the gold standard - it's why we can't fix array/struct loop constructions using index when they mean item apparently.
    So this should be rolled back or changed to be off by default.

  • henrylearn2rock

    3:47:00 PM GMT+00:00 Oct 3, 2012

    Vote must be between 25 and 4000 characters.. who cares.

  • Kevin.Cruz

    6:10:08 PM GMT+00:00 Oct 2, 2012

    It's as if you're pulling for your own platform to fail by bringing it back into the stone age. Fix this.

  • st1n6r4y

    1:49:55 PM GMT+00:00 Oct 2, 2012

    We use multiple and concurrent logins to test applications via server side. Restricting it to one single login just doesn't make any sense, yes?

  • itisdesign

    12:19:35 AM GMT+00:00 Oct 2, 2012

    +1, a large number of popular sites (including Facebook.com, Adobe.com, Wikipedia.org, etc) support concurrent logins. This feature is a must in today's multi-monitor, multi-device world.

  • Adam Cameron.

    11:09:57 PM GMT+00:00 Oct 1, 2012

    +1. According to Shilpi on Twitter this is by design, but it's a major backwards compat issue. Needs to be modified so this behaviour is a) optional; b) off by default; c) not controlled at JVM level.

  • samihoda2

    10:56:32 AM GMT+00:00 Sep 29, 2012

    This is a major issue. I didn't see this change noted anywhere in CF10's documentation.
