This marks the first installment of a new monthly column, Community Focus, and the end of a long-running column, Tales from the List.
Due to the rapid growth of ColdFusion community news and events and the growing popularity of blogs (Web logs) amongst ColdFusion developers, it no longer seems appropriate to focus on one list server for a "messages from the trenches" type article. Each month, Community Focus will explore trends, Macromedia news, events, blog entries, and list server threads, focusing on what's going on in the community, or at least one facet of what's going on in the community. This month's issue is focused heavily on security, so following a series of blog entries, I will join suit and do the same.
This month's column is about securing applications or, rather, problems with securing applications. Macromedia recently released a TechNote written by Sarge (www.macromedia.com/support/coldfusion/ts/documents/loginstorage_caching.htm) in which he describes a problem with the CFLOGIN tag. Apparently, when the CFAPPLICATION tag's "loginstorage" attribute is set to "session", the CFLOGOUT tag doesn't always delete the internal variables ColdFusion uses to store the login information; it only deletes the session variables. This can result in one user logging out and another user logging in on the same browser only to receive the first user's credentials.
Ray Camden blogged about it (Ray's blog can be found at www.camdenfamily.com/morpheus/blog/) and offered a solution that basically consists of doing a CFLOGOUT whenever "session.user" is not defined. This works fine if you don't assume that all users are logged in, but is a bit of a hack in that sometimes you want to assume authentication and just make people who haven't submitted a login form seem as authenticated as an "anonymous" or "guest" user.
For those of you who are not aware, JRun and many/most other Java applications use a standard Java package called JAAS (Java Authentication and Authorization Service) to handle security. ColdFusion, under the hood, also uses this framework to handle authentication/authorization whenever you use the CFLOGIN/CFLOGOUT/CFLOGINUSER tags or getAuthUser() function. I recently blogged about problems with authentication against the JAAS framework in a clustered environment. As many of you may already know, I am a freelance consultant currently working on a contract in London. My current client offers several products to clients and has a single common authentication/authorization module. All of their software offerings are developed in ColdFusion, Java, or a hybrid of the two. We also recommend running our software in a clustered environment. To our dismay, we've found that JAAS authentication on one server in a JRun cluster does not fail-over to other servers in the cluster.
The same holds true for the CF authentication/authorization tags and functions. I blogged about this at www.horwith.com.
After writing the TechNote, Sarge made an entry in his blog (found at www.sargeway.com/sarge/) that describes how using cookie storage for authentication (via the CFAPPLICATION "loginstorage" attribute) doesn't work properly either, because sometimes when a session times out, the authentication cookie remains. Even though the session is empty, getAuthUser() still returns the last logged-in user's info (in the same browser). To expand on this, it's also worth noting that if you authenticate against a "pure JAAS module" (e.g., a JAAS module written in Java, not CF) you are seen as logged in by ColdFusion; if you do a CFLOGOUT, it does not log you out of the Java application, even with common context roots and/or EAR/WAR deployment.
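The defensive pattern behind Ray's workaround, and the same check applied to the cookie-storage timeout case Sarge describes, is shown below as an added example; it is not code from the column, from Ray's or Sarge's blogs, or from Macromedia. It assumes an Application.cfm, a session marker named session.user that is set only when the login form succeeds, and a hypothetical authenticateUser() UDF standing in for your own credential check. The idea is to treat ColdFusion's internal login state (what getAuthUser() reads) as suspect whenever the session that created it is gone, so a login left behind by a previous user or a timed-out session is cleared before anyone is treated as authenticated:

```cfml
<!--- Application.cfm (added example, not from the column or Macromedia) --->
<cfapplication name="communityFocusDemo"
               sessionmanagement="yes"
               loginstorage="session">

<!--- session.user is written only when the login form below succeeds.
      If it is missing, either this session has never authenticated or
      the earlier session was logged out / timed out. In both cases any
      login state that getAuthUser() still reports is stale. --->
<cfif NOT isDefined("session.user")>
    <cfif len(getAuthUser())>
        <!--- Stale login left behind (session storage that CFLOGOUT did
              not fully clear, or a login cookie that outlived its
              session). Clear it before the CFLOGIN block runs. --->
        <cflogout>
    </cfif>
</cfif>

<!--- CFLOGIN's body only executes when no user is currently logged in,
      which is why the stale state must be removed above first. --->
<cflogin>
    <cfif isDefined("form.username") AND isDefined("form.password")>
        <!--- authenticateUser() is a hypothetical UDF that returns a
              comma-delimited role list, or "" on failure. --->
        <cfset userRoles = authenticateUser(form.username, form.password)>
        <cfif len(userRoles)>
            <cfloginuser name="#form.username#"
                         password="#form.password#"
                         roles="#userRoles#">
            <!--- Bind the login to this session so the check above can
                  tell a fresh login from one inherited by this browser. --->
            <cfset session.user = form.username>
        </cfif>
    </cfif>
</cflogin>
```

For the explicit logout page, pair CFLOGOUT with clearing the session marker (for example, structDelete(session, "user")) so the check above fires on the next request even if CFLOGOUT itself leaves the internal login variables in place. This pattern assumes the site does not treat every visitor as logged in; as the column notes, if you want unauthenticated visitors to behave as an "anonymous" or "guest" user, you would log them in explicitly with that role after the stale-login check rather than rely on the absence of session.user.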