
My client has moved their Fusebox code from CF8 on Windows Server 2003 / IIS 6 to CF10 on Windows Server 2008R2 / IIS 7.5. The application uses a file, similar to application.cfm, to handle session management:

<cfapplication name="Succman" clientmanagement="yes"
           sessionmanagement="yes"
           setclientcookies="yes" setdomaincookies="no"
           sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#"
           applicationtimeout="#CreateTimeSpan(1, 0, 0, 0)#">

In the CF8 site, when browsing to a direct URL, the browser is redirected to a page requesting authentication. However, in the CF10 site, the browser bypasses the redirection and goes straight to the requested page.

I have verified the authentication methods in IIS on both the CF8 and CF10 servers match. In the CF10 admin, Secure Cookie is disabled in Session Cookie Settings.

As the server admin, I feel that I've verified the server settings and feel it is a code issue for the developer to address. I am looking for guidance in how I can help to resolve this issue. Any assistance is appreciated.

UPDATE: After adding a mapping to C:\ColdFusion10\cfusion3\wwwroot\CFIDE\ in the sandbox, the following exception occurs:

13:15:48.048 - CurrentUserNotFound Exception - in //isgnas_dev01/DEV03.GRP/smise/webroot/tools/helper_modules/getcurrentuserstruct.cfm : line 27
    Unhandled Exception of type 'CurrentUserNotFound'

I'm assuming this is because the user hasn't authenticated yet as the page still does not get redirected to the authentication page.

SOLUTION: Developer commented out the code that redirected users to the login page.

aparker81
  • When in doubt, look at the data. `cfdump var="#session#"` would be a good place to start. – Dan Bracuk Sep 22 '14 at 22:00
  • What do you mean by 'similar to application.cfm'? Does this mean you are not using application.cfm? What is the name of the file that contains the `cfapplication` code above? – Scott Stroz Sep 23 '14 at 03:06
  • @ScottStroz, instead of calling the file application.cfm, it's called app_locals.cfm – aparker81 Sep 23 '14 at 17:03
  • @DanBracuk, it appears the session data is empty. Dumping the variable returns a sessionID, URLtoken and UserIsAuthorized (equals false). – aparker81 Sep 23 '14 at 17:55
  • There is a `cfapplication` tag in a file other than Application.cfm? Is it safe to assume that file is included on every request? – Scott Stroz Sep 23 '14 at 19:25
  • Sigh...well, it appears that the line that redirects the user to the authentication form was commented out. After I removed the comments, the developer confirmed the application was working as expected. *facepalm* Thank you for your assistance. – aparker81 Sep 23 '14 at 19:35
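
A post-migration check for the failure described in this thread, where a direct URL served the page instead of redirecting to the login form. This is an added example, not code from the question or its comments; the login path, host name and fuseaction URLs are hypothetical, and the canned responses are constructed so it runs offline.

```python
import http.client
from urllib.parse import urljoin, urlsplit

LOGIN_PATH = "/login.cfm"  # assumption: hypothetical path of the login page
REDIRECTS = {301, 302, 303, 307, 308}  # cflocation answers 302 by default

def classify(url, status, location, login_path=LOGIN_PATH):
    """Judge one cookie-less response to a page that should require login."""
    if status in (401, 403):
        return "gated"
    if status in REDIRECTS and location:
        target = urlsplit(urljoin(url, location)).path
        return "gated" if target.lower() == login_path.lower() else "redirect-elsewhere"
    if 200 <= status < 300:
        return "exposed"  # page body served without authentication
    return "error"

def probe(url, timeout=5):
    """GET url with no cookies and without following redirects."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(
        parts.netloc, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit(urls, fetch=probe):
    """Return {url: verdict} for every URL that is not gated."""
    findings = {}
    for url in urls:
        verdict = classify(url, *fetch(url))
        if verdict != "gated":
            findings[url] = verdict
    return findings

if __name__ == "__main__":
    # Constructed responses standing in for a live server (hypothetical host and pages).
    canned = {
        "http://app.example/index.cfm?fuseaction=tools.home": (302, "/login.cfm"),
        "http://app.example/index.cfm?fuseaction=tools.report": (200, None),
    }
    print(audit(canned, fetch=canned.get))
```

Run `audit` with the default `probe` against the list of pages that must require login on both the old and new servers; any URL it returns was served or redirected somewhere other than the login page.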

0 Answers