getAuthUser needs CFLOGIN

I discovered during some DRK research that the getAuthUser and isUserInRole functions will only work if the CFLOGIN tag was encountered previously within the scope of the same request. In other words, if your CFLOGIN tag is not in your Application.cfm file, and you try to call getAuthUser or isUserInRole during the scope of a request where no CFLOGIN tag was encountered, you get an empty string and false respectively. I never noticed this before because I always have my CFLOGIN tag in my Application.cfm file, where it was clearly intended to go. Fortunately, a quick <cflogin/> tag before you call getAuthUser or isUserInRole fixes the issue by making the necessary variable scope available.
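An added example (not from the original post) of the layout the post describes: the CFLOGIN tag sits in Application.cfm so every request passes through it, and a protected page treats the empty-string and false results as "deny". The application name, the `rolesFor` helper, the demo credentials and the `admin.cfm` page are constructed for illustration.

```cfml
<!--- ===== Application.cfm (runs at the start of every request) ===== --->
<cfapplication name="demoApp" sessionmanagement="yes">

<!--- Hypothetical credential check, constructed for this example.
      Returns a comma-separated role list, or "" when the login is rejected. --->
<cffunction name="rolesFor" returntype="string" output="false">
    <cfargument name="user" type="string" required="true">
    <cfargument name="pass" type="string" required="true">
    <!--- Compare() is case-sensitive; the EQ operator is not --->
    <cfif arguments.user EQ "demo"
          AND Compare(arguments.pass, "constructed-demo-password") EQ 0>
        <cfreturn "admin">
    </cfif>
    <cfreturn "">
</cffunction>

<!--- The body of CFLOGIN only executes when the user is not yet logged in.
      Having the tag here means it is encountered on every request, which is
      the condition the post identifies for getAuthUser()/isUserInRole(). --->
<cflogin>
    <!--- The cflogin structure exists only when credentials were submitted
          (form fields j_username / j_password, or HTTP basic auth) --->
    <cfif isDefined("cflogin")>
        <cfset grantedRoles = rolesFor(cflogin.name, cflogin.password)>
        <cfif Len(grantedRoles)>
            <cfloginuser name="#cflogin.name#"
                         password="#cflogin.password#"
                         roles="#grantedRoles#">
        </cfif>
    </cfif>
</cflogin>

<!--- ===== admin.cfm (a protected page, constructed for this example) ===== --->
<!--- Fail closed: an empty getAuthUser() or a false isUserInRole() is treated
      as "not authorized", whether the user never logged in or the login
      context was simply not available on this request. --->
<cfif getAuthUser() EQ "" OR NOT isUserInRole("admin")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>
<cfoutput>Signed in as #HTMLEditFormat(getAuthUser())#</cfoutput>
```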

8 Responses to getAuthUser needs CFLOGIN

  1. Brandon says:

    One other case where getAuthUser() gets populated is when you use basic authorization in a webserver and you do not use CFLOGIN. It will be populated with the value of cgi.auth_user.

  2. Phil Botana says:

    Please let me know if you or anyone else can help me with this ColdFusion, CF 5.1 position located in San Francisco, CA. The client needs Coldfusion, Oracle, UNIX/Solaris, JavaScript.

    Regards,
    Phil

    Phil Botana
    I T A S C E N T
    47 Kearny Street, Suite 500
    San Francisco, CA 94108
    General 415 321 1000
    Direct 415 321 1006
    Cell 408 835 6874
    Fax 415 321 1010
    Email Pbotana@itascent.com
    Person ~ Team ~ Project
    Feel free to visit us at… www.itascent.com

    POSITION OFFERED

    The position will start as soon as possible. A number of systems have been developed using Cold Fusion and JavaScript as the interface with Oracle 8i as the database in a Unix environment. These systems share core data about the judiciary, while performing a number of different functions. Writing – Coldfusion queries to Oracle, building interfaces in CF 5.1. There is some level of Business Analysis as well.

    This position requires a person with extensive experience with creating interfaces and developing interactive Internet systems with many data entry pages. The primary languages used are Cold Fusion and JavaScript. The candidate must have at least 5 years of Cold Fusion experience, and have developed large multi-page systems with databases with hundreds of tables. Structured methodology and reusable code is a priority. Oracle procedures for insert and modification of the database will be supplied. The candidate will create many complicated queries into the database.

    Analyze and Evaluate
    - Researches, recommends, and applies new technologies;
    - Investigates, analyzes, and evaluates project feasibility;
    - Analyzes functional systems requirements, and advises, and instructs in the use of the interface tools
    - Recommends solutions to technology problems
    - Assists in the definition of overall system architecture requirements
    - Works with project team to develop technical requirements documentation
    - Works with project team to prepare comprehensive written analysis of problems and solutions; and
    - Works with project team on product evaluations.

    Design
    - Works with team to develop technical specification documentation
    - Works with vendors to resolve software problems.

    Develop
    - Works with vendors to develop required systems interfaces, objects, and reports, as requested;
    - Develops custom objects as required
    - Develops alternative solutions for business and system development problems
    - Uses standard procedures and techniques to coordinate the creation and modification of programs and resolve more complex problems of design, development, implementation, and support; and Resolves complex problems related to interfaces and connectivity of multiple hardware.
    - Ensures appropriate documentation for system support;
    - Coordinates infrastructure support with Information Services peers;
    - Monitors applications and interfaces to ensure high performance; and
    - Provides on-going problem resolution application support.

    OTHER QUALIFICATIONS

    Knowledge of Principles of information systems architecture for enterprise-wide systems deployment such as multi-tier, distributed and client/server system architecture and development principles, and internet/intranet application delivery mechanisms; and Principles and techniques of program design, development, testing, and documentation; Ability to Organize, prioritize, and coordinate multiple work activities and Meet project deadlines; Explain technical issues to senior management in a non-technical manner; Ability to map business processes to information system tools; and Ability to analyze, select, and work with experts to install Information System tools for business applications. Equivalent of a bachelor’s degree, preferable with major course work in computer science and five years of experience in the analysis, design and development of applications software and other information systems.

    In addition to the above, the successful candidate will possess the following qualifications: Experience as the lead person in developing and implementing a major Software system; Experience with UNIX environments and the Sun Solaris™ operating system.

  3. David Gassner says:

    I believe that the point made in the first message of the thread is incorrect. CFLOGIN does not deliver the user credentials, CFAPPLICATION does. Here’s proof. Try this code on an otherwise empty page:

        <cfapplication name="test">
        <cflogin>
            <cfloginuser name="test" password="test" roles="test">
        </cflogin>
        <cfoutput>User: #getAuthUser()#<br>In role? #isUserInRole("test")#</cfoutput>

    Now, without closing the browser, delete the CFLOGIN tag and its contents and browse the page again. The user credentials are still present. It’s the combination of the application name and the authorization cookie that make the user credentials available. cflogin only protects authentication logic from being executed for users who have already been authenticated.

    –David Gassner

  4. Laura says:

    That was exactly what was happening to me. I had the cflogin tag in a page different than application.cfm and it was showing the user as not logged in. It was driving me crazy!

    Thanks for the solution.

    Now, this can’t be the intentional behaviour and it is not documented anywhere. Is this a bug?

  5. The post is not incorrect. If you have the sessionManagement attribute set to true, you have to have a CFLOGIN tag in the scope of your request to use the specified functions properly.

    Christian

  6. Jamie says:

    Hi there,

    I have my cfapplication and cflogin in an application.cfm file.

    However, it is being used for my web services (.cfc) and it seems that when I use GetAuthUser() within my functions that the same issue above occurs that it returns nothing.

    I’m not quite sure I follow the solution. Do I just need to call and then call GetAuthUser() or does the call to GetAuthUser() need to be inside the cflogin tags?

    Thanks,

  7. Kevin says:

    I was not clear on this either, and the stupid examples on most people's sites show a login form included in application.cfm, which goes against every good practise I know.

    If you have a separate login page (which you probably do, because this is what causes the funkiness of cflogin) All you have to put in the application.cfm is or a self closing as mentioned above.

    On your login.cfm page (or whatever you call it) You have the full blown to actually get the user info to store. Then place the cflogin tag alone in the application.cfm to allow the login scope to be accessed.

    This will allow the getAuthUser() and other functions to retrieve the logged in user information.

    Very odd indeed, but this is how it works.

  8. Kevin says:

    please forgive my bad spelling . . .