Login credentials persist past logout when specifying loginStorage=Session
Issue
The loginStorage attribute of the cfapplication tag allows developers to store user authentication information in either a cookie or the session scope. However, when specifying Session for this attribute, the authentication information can persist beyond the user's session.
ColdFusion MX 6.1 introduced loginStorage as an optional attribute for the cfapplication tag. This attribute accepts two values for storing user authentication information (the cfauthorization value): Cookie (default) and Session. loginStorage=Cookie stores login information in a memory-only cookie (CFAUTHORIZATION_applicationName) containing a base64-encoded string of the user name, password, and application name. Specifying loginStorage=Session persists login information in the user's session scope. This allows the user's login information and session data to share a single time-out and eliminates passing the user ID and password with every request.
Occasionally when specifying loginStorage=Session, the user's login information remains cached after the user logs out. When this happens, another user (using the same browser session) can authenticate with her own user ID and password, but will be assigned the previous user's login credentials (for example, the login name returned by GetAuthUser() and the roles reported by IsUserInRole()). This inconsistent behavior is caused by the cflogout tag clearing the authorization keys from the session scope, but failing to clear them from the internal Security scope. Macromedia has identified this as issue 53320.
Solution
The workaround is to specify loginStorage=Cookie. This is the default value and the behavior does not occur when using cookies.
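The following Application.cfm applies the workaround described above. It is an added example written for this TechNote, not Macromedia's own code: the application name, the datasource (exampleDSN), the users table and its columns, and the loginform.cfm template are all assumptions made for illustration. It uses the cfapplication, cflogin, cfloginuser, and cflogout tags from ColdFusion MX 6.1, and keeps loginStorage on its default Cookie value so that the cflogout tag fully clears the credentials.

```cfml
<!--- Application.cfm (constructed example; names below are assumptions).
      loginStorage="Cookie" is the default and is not affected by issue 53320.
      Changing this to loginStorage="Session" is the configuration in which
      stale credentials can survive a cflogout on ColdFusion MX 6.1. --->
<cfapplication name="exampleApp"
               sessionManagement="true"
               loginStorage="Cookie">

<!--- Explicit logout, handled before the login check so the request that
      carries ?logout=1 never re-authenticates with the old credentials --->
<cfif structKeyExists(url, "logout")>
    <cflogout>
</cfif>

<cflogin>
    <cfif not isDefined("cflogin")>
        <!--- No j_username/j_password on this request: show the form and stop --->
        <cfinclude template="loginform.cfm">
        <cfabort>
    <cfelse>
        <!--- Validate the submitted credentials against the (assumed) users table;
              cfqueryparam keeps the user-supplied name out of the SQL text --->
        <cfquery name="qUser" datasource="exampleDSN">
            SELECT username, roles
            FROM   users
            WHERE  username      = <cfqueryparam value="#cflogin.name#"
                                                cfsqltype="cf_sql_varchar">
            AND    password_hash = <cfqueryparam value="#hash(cflogin.password)#"
                                                cfsqltype="cf_sql_varchar">
        </cfquery>

        <cfif qUser.recordCount eq 1>
            <!--- Credentials are good: establish the login for this user.
                  With loginStorage="Cookie" the CFAUTHORIZATION_exampleApp
                  memory-only cookie now carries the authentication info. --->
            <cfloginuser name="#qUser.username#"
                         password="#cflogin.password#"
                         roles="#qUser.roles#">
        <cfelse>
            <cfinclude template="loginform.cfm">
            <cfabort>
        </cfif>
    </cfif>
</cflogin>

<!--- Quick self-check, useful on a test page after visiting ?logout=1:
      GetAuthUser() must come back empty and IsUserInRole() must be false.
      If a previous user's name or roles are still reported here under
      loginStorage="Session", you are seeing the behavior this note describes. --->
<cfif len(GetAuthUser())>
    <cfoutput>Authenticated as #GetAuthUser()#;
              admin role: #IsUserInRole("admin")#</cfoutput>
<cfelse>
    <cfoutput>Not authenticated.</cfoutput>
</cfif>
```

The logout branch is placed ahead of the cflogin block on purpose: if it ran afterwards, a request that carried both a logout flag and cached credentials could be re-authenticated before the logout took effect. The trailing self-check is the simplest way to confirm on a test server that a logout actually cleared the login name and roles rather than only the session keys.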
