
Currently I am handling redirecting someone to the login page of a CF2018 site via the onrequeststart method. If cflogin is not defined I include the loginform.cfm page. I am having an issue, though, when I recover from that after a session timeout, and I am looking for suggestions on how to handle it.

Say I have a users page that manages users and on the main index page I have a button on each row that you can click to delete a user. From there the form is submitted to a users.cfc page with a delete function. I am also setting page variables like the page title etc. on the main users index page. If the session times out and someone clicks the delete button the loginform displays and they can log in. It works great, but then it tries to redirect back to the cfc and at that point the variables are not there and it throws a 500 error.

I am trying to think of how I should handle that. When the session times out should I fully redirect them back to the root instead of including the loginform.cfm template?

Any suggestions or thoughts are appreciated.

James A Mohler
spacerobot
  • Let me get the obvious out of the way, try increasing your session timeout. From the time you are showing a page to the time someone wants to delete some data, should not be that long. – James A Mohler Jun 29 '21 at 14:26
  • Currently it is set to 30 minutes. – spacerobot Jun 29 '21 at 14:49
  • Sorry, but I have to be that guy: You fell for `cflogin` and now you are paying the price. But in all seriousness: You probably shouldn't dispatch at all. Send the delete operation via ajax and let the delete function return a response that indicates the result (success/failure, reason). Then handle the response clientside and show a modal dialog à la "delete not processed, because your session expired, please relog here" with a link back to the loginform that redirects to the main index page with the rows after login. – Alex Jun 29 '21 at 19:17
  • @JamesAMohler It's not uncommon that people are logged in, leave the workstation for hours, come back and expect to still be logged in. There are different ways to handle this. You could keep track of the idle time clientside and automatically show a warning that the session timed out after 30 minutes. Or you set a cookie with a unique login token that automatically relogs once the session times out. – Alex Jun 29 '21 at 19:21
  • @alex I really like the sound of that method. One question. Why do you say I fell for cflogin? Is there a different/recommended method for this? – spacerobot Jun 30 '21 at 17:26
  • @spacerobot Well, 10 years of working with ColdFusion taught me that relying on their "fancy special tags" usually means being stuck once you have to customize it or make it behave slightly different. If it suits your needs or you are just uncomfortable implementing your own password hash authentication, it's probably fine, don't worry. – Alex Jul 01 '21 at 00:04
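One way to implement the ajax-style handling Alex describes in the comments above, as an added example that is not part of the original thread: an Application.cfc whose onRequestStart() answers XMLHttpRequest/fetch calls with a 401 status and a small JSON body instead of including the login form, so the client-side script can show a "session expired" dialog with a link back to the login, while ordinary browser navigation still gets loginform.cfm. The isLoggedIn() helper, the session.userId flag it checks, and the /users/index.cfm return path are assumptions; the client is assumed to send the X-Requested-With: XMLHttpRequest header on its delete calls.

```cfml
// Application.cfc (added example; isLoggedIn(), session.userId and the
// return path are assumptions, not values from the original thread)
component {
    this.name = "usersApp";
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);   // 30 minutes, as in the question

    public boolean function onRequestStart(required string targetPage) {
        if (isLoggedIn()) {
            return true;                                 // continue to the requested page
        }

        // Detect an XHR/fetch call by the header the client is assumed to send
        var headers = getHttpRequestData().headers;
        var isAjax = structKeyExists(headers, "X-Requested-With")
                     && headers["X-Requested-With"] == "XMLHttpRequest";

        if (isAjax) {
            // API callers get a machine-readable answer, never an HTML login form,
            // so the client can show a dialog and link to the login instead of a 500
            cfheader(statuscode=401, statustext="Unauthorized");
            cfcontent(type="application/json", reset=true);
            writeOutput(serializeJSON({
                "success": false,
                "reason": "session_expired",
                "loginUrl": "/loginform.cfm?returnTo=/users/index.cfm"   // assumed index path
            }));
            return false;                                // abort the requested page
        }

        // Normal browser navigation: show the login form and stop processing
        include "loginform.cfm";
        return false;
    }

    // Assumption: the login page sets session.userId on success and clears it on logout
    private boolean function isLoggedIn() {
        return structKeyExists(session, "userId") && isNumeric(session.userId);
    }
}
```

With this in place the delete button posts via ajax, checks for a 401 in the response, and sends the user to loginUrl, which after login lands on the index page that sets the page variables; the CFC is never reached with a timed-out session, so the 500 the question describes does not occur.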

1 Answer


From there the form is submitted to a users.cfc page with a delete function.

If your form is directly posting to something like

action="users.cfc?method=delete"

then change that to

action="user_delete.cfm"

and invoke your CFC on that page.

That may react better to your onRequestStart() process checking with cflogin.

I would also suggest validating that cgi.request_method EQ "POST" before processing any delete requests or any form processing where method="post".

Adrian J. Moreno
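A minimal user_delete.cfm along the lines of this answer, as an added example and not the answerer's own code: it rejects anything but a POST using cgi.request_method, validates the submitted id before it reaches the CFC, invokes users.cfc, and redirects back to the listing. The form field form.userId, the CFC method users.delete(userId), and index.cfm as the listing page are assumptions.

```cfml
<cfscript>
// user_delete.cfm (added example). Assumptions: the form posts form.userId,
// users.cfc exposes delete(numeric userId) returning a boolean, and the
// listing page is index.cfm. onRequestStart() has already enforced the login
// check for this .cfm page, so a timed-out session never gets this far.
param name="form.userId" default="";

// Only a real form POST may delete; a GET (bookmark, link prefetch, crawler)
// must never change data
if (cgi.request_method != "POST") {
    cfheader(statuscode=405, statustext="Method Not Allowed");
    cfheader(name="Allow", value="POST");
    abort;
}

// Validate the identifier before it reaches the CFC or any query
if (!isValid("integer", form.userId) || val(form.userId) <= 0) {
    location(url="index.cfm?msg=invalid_user", addToken=false);
}

// Invoke the CFC from the page rather than posting to users.cfc directly
users = createObject("component", "users");
deleted = users.delete(userId=val(form.userId));

// Post/Redirect/Get: return to the listing so a browser refresh cannot repeat the delete
location(url="index.cfm?msg=" & (deleted ? "deleted" : "delete_failed"), addToken=false);
</cfscript>
```

Because the form now targets an ordinary .cfm page, the onRequestStart() login handling sees it like any other page, and the user ends up on index.cfm after a successful delete rather than on a raw users.cfc URL.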