
Logging in and session.isLoggedIn variable not always created

Developer https://www.devze.com 2023-03-31 21:20 Source: Web

I have a user login page for id & password. This is passed to my authenticate file that does the standard lookup for the user. A successful login creates a session variable isLoggedIn and a userStruct with profile related data and then continues on to the welcome screen. Within the welcome screen is a cfinclude to check if the session variable isLoggedIn is defined (as is the case in all pages). If isLoggedIn is not there the user is redirected back to login. This has been working just fine for the last 2 years, but an internal scan identified the following Adobe security issues:

1. CSRF vulnerability in Adobe ColdFusion 8.0, 8.0.1, 9.0, and 9.0.1: http://kb2.adobe.com/cps/907/cpsid_90784.html
2. XSS vulnerabilities in the administrator console: http://kb2.adobe.com/cps/890/cpsid_89094.html

I applied the security patches.

We have also updated Firefox to v.6 - though the problem occurs in IE as well.

Now, for some reason and with no consistency, if you attempt to login it will return you back to the login screen. I have traced it to the check of the session variable mentioned above. I have checked the DB and it shows the user's last login time has been updated to reflect the attempt to login. However, for some reason the session variable is not being created. If you clear your browser cache and restart your browser it will allow you to login as expected, but after a period of time the issue returns. I could log in on Saturday but then could not on Monday. I cleared my cache and was able to login. I had no problem Tuesday - multiple logins throughout the day. Then this morning it returned and I wasn't able to login again.

For testing purposes I did a roll back of the security patches and the problem went away but obviously I cannot leave it that way. I re-applied the patches and the issue returns and again with no consistent pattern.

Does anyone have any idea(s) they can pass along?


First, thanks to all for the feedback.

I believe I have found the issue according to this: http://kb2.adobe.com/cps/181/tn_18171.html

My authentication page does several checks when the user attempts to login - pwd check, pwd expired check, etc. If any of those checks fail I was using a CFLOCATION tag along with a URL parameter.

If all checks pass a session variable is set, followed by a CFLOCATION tag.

Long story short - according to the posting referenced above - I believe I fell right into Scenario 1.

I have updated the code and removed the CFLOCATION tags.
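As an added illustration (not the poster's code), here is one way to restructure the flow described above so that the request which writes the session variables no longer issues a CFLOCATION at all: failed checks and the successful login both render their target page in the same response via cfinclude. The page names, the userLookup() helper and the loginError variable are assumed placeholders.

```cfml
<!--- authenticate.cfm: constructed example of the login flow without CFLOCATION.
      userLookup() is an assumed helper returning a struct with
      found / passwordExpired / profile keys; login.cfm and welcome.cfm are assumed names. --->
<cfparam name="form.userid" default="">
<cfparam name="form.password" default="">

<cfset user = userLookup(form.userid, form.password)>

<!--- Failed checks: pass the error to the login page through a request-scoped variable
      and include it, instead of redirecting with a URL parameter (nothing is reflected
      from the URL, and no redirect happens in this request). --->
<cfif NOT user.found>
    <cfset request.loginError = "Invalid user id or password">
    <cfinclude template="login.cfm">
    <cfabort>
</cfif>

<cfif user.passwordExpired>
    <cfset request.loginError = "Your password has expired">
    <cfinclude template="login.cfm">
    <cfabort>
</cfif>

<!--- Successful login: write the session variables the question describes, then render
      the welcome page within this same response rather than redirecting to it. --->
<cfset session.isLoggedIn = true>
<cfset session.userStruct = user.profile>
<cfinclude template="welcome.cfm">
```

The per-page check the question mentions (a cfinclude that redirects to login when session.isLoggedIn is missing) still works unchanged, because on a protected page no session variable is being created in the same request as that redirect.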


It doesn't sound exactly like what you're describing, but is the situation detailed here - http://shilpikm.blogspot.com/2011/03/update-on-security-hot-fix-feb-2011.html - of any relevance?

