http://livedocs.adobe.com/ Macromedia LiveDocs - online documentation with user feedback. Copyright 2009, Macromedia, Inc. 2009-11-25T23:39:47 en-us http://livedocs.adobe.com/coldfusion/6/Developing_ColdFusion_MX_Applications_with_CFML/appSecurity5.htm#18266 I had to do this to make the idleTimeout work properly... <br /><br /><cfapplication name="EXAMPLE" loginStorage="session" sessionmanagement="Yes" setclientcookies="Yes"><br /><br /><!--- fixes CFLOGIN idleTimeout bug ---><br /><cfif isDefined("session.cfauthorization")><br /><cfset cookie.CFAUTHORIZATION_EXAMPLE=session.CFAUTHORIZATION><br /></cfif> 0 0 2004-07-09T12:04:00 http://livedocs.adobe.com/coldfusion/6/Developing_ColdFusion_MX_Applications_with_CFML/appSecurity5.htm#4392 I noticed my application wasn't logging out after the idletimeout which I thought was weird as I based my code on the MM cflogin example. Found this in the forums which solves it and explains the problem:<br /><br />http://webforums.macromedia.com/coldfusion/messageview.cfm?catid=12&threadid=647844&highlight_key=y&keyword1=cflogin<br /><br />Seems like the <cfif NOT IsDefined("cflogin")> breaks the idletimeout state for some reason (bug?)<br /><br />Anyway thought this would be helpful for anyone who is looking at cflogin. Doug Cain 0 0 2003-12-08T19:24:44 http://livedocs.adobe.com/coldfusion/6/Developing_ColdFusion_MX_Applications_with_CFML/appSecurity5.htm#862 wow i looked all over the place wondering what i was doing wrong with my app and here i find out its IIS ... bah .. im glad i finally found the info .. but you should SAY THAT .... Slam 0 0 2003-05-10T08:13:00 http://livedocs.adobe.com/coldfusion/6/Developing_ColdFusion_MX_Applications_with_CFML/appSecurity5.htm#794 Tom, that fix does not solve the problem I raised, which is that the example of find statuscode 401 authentication (code above on this page) simply fails to work if IIS integration is implemented. It works find on the built-in web server. <br><br>I don't know if you were referring to that problem in your note above, but changing the authentication settings for the directory in IIS made no difference to the code. My testing has shown that CF is simply not setting the CFLOGIN scope if the user is coming in through IIS. <br><br>This is on both the base version and the updater 1. carehart@systemanage 0 0 2002-12-05T04:09:00 http://livedocs.adobe.com/coldfusion/6/Developing_ColdFusion_MX_Applications_with_CFML/appSecurity5.htm#795 The problem is in the default IIS settings. To get the cflogin tags to work properly -- allowing the setCredentials() method to work in Flash Remoting -- you need to open up IIS admin interface and right-click on your Web application and choose Properties > Directory Security > Anonymous Access > Edit. Here you will have to uncheck the Integrated Windows Authentication. Using integrated authentication only allows users that are set up under Windows to access pages in a directory protected by a cflogin system. The system works perfectly with the built-in CFMX web server. Screenshot of the admin interface of IIS at http://www.flash-remoting.com/notablog/images/iis_auth.jpg<br> tommuck 0 0 2002-11-30T22:29:00 http://livedocs.adobe.com/coldfusion/6/Developing_ColdFusion_MX_Applications_with_CFML/appSecurity5.htm#752 More on that statuscode 401 approach to authentication, I found something interesting in Chapter 11 that may be useful for readers to note. (It's not related at all to the issue I just brought up about it failing on IIS.)<br><br>Chapter 11 has this statement about how the "realm" feature of this approach can be used which ought to be present on this page as well:<br><br>"The security realm name can be used to bind multiple directories together. If Application.cfm files located in those directories use the same realm name, only a single login is required to access resources in those directories. However, each Application.cfm file can establish different roles for a user. "<br><br>If it does indeed work, that's cool to know (and a potential explanation for when people find that use of the approach in one directory causes users to login without an authentication prompt in another directory.)<br><br>/charlie carehart@systemanage 0 0 2002-11-29T23:11:00 http://livedocs.adobe.com/coldfusion/6/Developing_ColdFusion_MX_Applications_with_CFML/appSecurity5.htm#746 Regarding the feature described in the section "Using application-based security with a browser's login dialog", of using using the status code 401 access denied approach to authentication, I (and others) have found that it fails with web server integration using IIS. It does work against the built-in web server. I've found no other references to this in the forums, the knowledge base, nor these livedocs comments.<br><br>When run under IIS, you can never authenticate (using the sample admin/p1 combination for username/password that's offered in the code example).<br><br>This is really annoying, if for no other reason that the docs don't say it shouldn't work. Has anyone else experienced or explored this? carehart@systemanage 0 0 2002-11-29T23:06:00 http://livedocs.adobe.com/coldfusion/6/Developing_ColdFusion_MX_Applications_with_CFML/appSecurity5.htm#694 If you have a problem with CF MX caching login information upon logout, try moving the cflogout tag below the cflogin tag. jochemd 0 0 2002-10-21T20:31:00 http://livedocs.adobe.com/coldfusion/6/Developing_ColdFusion_MX_Applications_with_CFML/appSecurity5.htm#687 This page's "Application-based user security example" must be changed to clarify that the "cflogin" scope will exist <b>**only**</b> if the form being used for the login uses j_username and j_password for the input fields. <br><br>If the user doesn't notice this and just uses "username" and "password" on their own (rather than cutting and pasting the form offered in the code later in the page), they'll find that the code doesn't work at all--because the first test for isdefined("cflogin") is never true.<br><br>This isn't at all obvious. carehart@systemanage 0 0 2002-09-14T20:38:00 http://livedocs.adobe.com/coldfusion/6/Developing_ColdFusion_MX_Applications_with_CFML/appSecurity5.htm#643 URL is a reserved word. I have entered this as doc bug number 47944. rnielsen 0 0 2002-09-10T20:09:00 http://livedocs.adobe.com/coldfusion/6/Developing_ColdFusion_MX_Applications_with_CFML/appSecurity5.htm#468 Here is how I solved that error...<br><br><cfset URLTMP="http://" &"#CGI.Server_name#" & ":" & "#cgi.SERVER_PORT#" & "#CGI.Script_name#"><br><cfif CGI.QUERY_STRING is not ""><br> <CFset URLFIN=URLTMP & "?#CGI.QUERY_STRING#"><br><cfelse><br> <CFset URLFIN=URLTMP><br></cfif> <br><H2>Please Log In</H2><br><cfoutput><br> <form action="#urlfin#" method="Post"><br><br> sgilson102 0 0 2002-06-24T17:20:00 http://livedocs.adobe.com/coldfusion/6/Developing_ColdFusion_MX_Applications_with_CFML/appSecurity5.htm#421 In the following code (used in a couple of places)<br><cfif GetAuthUser() NEQ ""><br> <cfoutput><br> <form action=MyApp/index.cfm" method="Post"><br> <input type="submit" Name="Logout" value="Logout"><br> </form><br> </cfoutput><br></cfif><br>there is a double quote missing from the front of MyApp/index.cfm" cfmxdave 0 0 2002-05-13T13:32:00 http://livedocs.adobe.com/coldfusion/6/Developing_ColdFusion_MX_Applications_with_CFML/appSecurity5.htm#420 In the section ?Application-based user security example? there is a code example for loginform.cfm.<br>The first line creates a variable called url that is used as the action page for the form. I found that this throws an error when the page gets to the form declaration. The error says something about this being a complex variable when it should be a simple variable. I was able to remedy the situation by changing the variable name ?url? to ?newurl? (or anything else for that matter) in all instances.<br> cfmxdave 0 0 2002-05-13T13:14:00