I have an application written in ColdFusion that allows users to log in. My login page is in the root directory in a sub-directory called "login". During the login process, the system checks the username and password against my database, and assuming they are legit, it sets a Session variable of "Session.LOGIN_ID". At the bottom of my login script, I can print the login_id to the browser without any problem. However, the last part of my login script is to redirect the user to the main home page, which is located in the root directory in a sub-directory called "main", and once in awhile the page fails to load and rather directs the user back to the login screen with a message stating that their session has ended due to inactivity.
I have a Application.cfc file defined in the "main" folder, with a onRequestStart method defined that checks for the Session.LOGIN_ID being defined. If it is not, it redirects the user back to the login page and shows the message that their session has ended due to inactivity.
My question is, why does my session variable not present in the onRequestStart method? It's strange because if I clear my browser cache and login, I'm able to log in without any problem.
Does this make sense to anyone? Any suggestions as to what I could look for that could be causing this problem? I tried to dump the session vars using cfdump var=#session# from within the onRequestStart method and CF throws and error stating that SESSION is undefined.
UPDATE
In response to Adam's request, there are not multiple domains involved. Also, no switching from HTTP to HTTPS. The login page however is not bound by the Application.cfc because the login page is located in my "login" folder. The Application.cfc file is located in the "main" folder, along with the other components of my application. As far as the screen shot of the cfdump, I don't want to offend anyone but I can't really post the screen shot due to the fact that it contains information pertaining the site and I'm not authorized to post such information. I can say that when I try to do a cfdump of the session scope, it DOES show a few items in the list such as cfid, tokenid etc. However the session.login_ID is not present.
UPDATE
Okay, so taking the suggestion from Frank I have the onRequestStart method set up so that it sends me an email with a dump of the session and cgi scope. I found the following. In the Session dump, the cfid is equal to 4830, and the cftoken starts with b8e0d5... However, in the CGI dump, under HTTP_COOKIE, the value says CFID=4609; CFTOKEN=dd15bc0.... Are they supposed to match?
For me, the situation was resolved by enabling J2EE sessions variables from within CF Administrator. See related post here https://forums.adobe.com/thread/1058200
This is a formatted comment in response to, "I just noticed that the items didnt match in the dump and figured I'd mention it in case they SHOULD match".
Whether or not they should match is up to the programmer, not us on StackOverflow. However, you debug this sort of things as follows.
if(actual result == expected result)
output 'yes'
else
output 'no' and the actual result and the expected result
Related
This is not ColdFusion specific, but the server is ColdFusion 10 on Windows Server.
About once a day I'll get a log file of a string of missingtemplate errors, and I can't figure out if this is a typo somewhere on my part, or a user doing something, or some sort of exploration exploit.
The most recent one from last night doesn't seem like it affects the user, as by following CGI.QUERY_STRING I can see they come to the home page, hit our login_action.cfm page to log in, get into the logged in area and then again following the CGI.QUERY_STRING I can see what pages they were on by the URL variables.
The missing template target page argument is always this:
TARGETPAGE /https:/secure.domain.com/index.cfm
Which shows this for path translated and script name
PATH_TRANSLATED D:\web\site\https:\secure.domain.com\index.cfm
SCRIPT_NAME /https:/secure.domain.com/index.cfm
After she logs in I can see by the CGI dump that she is indeed logged in OK
PATH_TRANSLATED D:\web\site\https:\secure.domain.com\user\login\index.cfm
Under the query_string I'll be able to see what pages she's on with ?p=home, ?p=editaccount (URL would be index.cfm?p=home etc.)
I don't believe this is malicious, nothing is exposed to the user as far as error reporting, but nonetheless I'd like to figure out why / how this happens about once per day on this application, and understand how it does not seem to effect the user on the site yet throws these missingtemplate errors.
You may have a malformed link somewhere in your app.
Look at the referrer of the error page, then inspect that previous page on the client side (as a user).
Also look at the user agent. It could be a browser trying to pre-fetch pages - and I'm assuming one is from a malformed link.
I have a mirror API based app in which i have assigned a custom menu item, clicking on which should insert a new card. I have a bit of problem in doing that. I need to know of ways i can debug this.
Check if the subscription to the glass timeline was successful.
Print out something on console on click of the menu.
Any other way i can detect whether on click of the menu, the callback URL was called or not.
It sounds like you have a problem, but aren't sure how to approach debugging it? A few things to look at and try:
Question 1 re: checking subscriptions
The object returned from the subscriptions.insert should indicate that the subscription is a success. Depending on your language, an exception or error would indicate a problem.
You can also call subscriptions.list to make sure the subscriptions are there and are set to the values you expect. If a user removes authorization for your Glassware, this list will be cleared out.
Some things to remember about the URL used for subscriptions:
It must be an HTTPS URL and cannot use a self-signed certificate
The address must be resolvable from the public internet. "localhost" and local name aliases won't work.
The machine must be accessible from the public internet. Machines with addresses like "192.168.1.10" probably won't be good enough.
Question 2 re: printing when clicked
You need to make sure the subscription is setup correctly and that you have a webapp listening at the address you specified that will handle POST operations at that URL. The method called when that URL is hit is up to you, of course, so you can add logging to it. Language specifics may help here.
Try testing it yourself by going to the URL you specify using your own browser. You should see the log message printed out, at a minimum.
If you want it printed for only the specific menu item, you will need to make sure you can decode the JSON body that is sent as part of the POST and respond based on the operation and id of the menu item.
You should also make sure you return HTTP code 200 as quickly as possible - if you don't, Google's servers may retry for a while or eventually give up if they never get a response.
Update: From the sample code you posted, I noticed that you're either logging at INFO or sending to stdout, which should log to INFO (see https://developers.google.com/appengine/docs/java/#Java_Logging). Are you getting the logging from the doGet() method? This StackOverflow question suggests that appengine doesn't display items logged at INFO unless you change the logging.properties file.
Question 3 re: was it clicked or not?
Depending on the configuration of your web server and app server, there should be logs about what URLs have been hit (as noted by #scarygami in the comments to your question).
You can test it yourself to make sure you can hit the URL and it is logging. Keep in mind, however, the warnings I mentioned above about what makes a valid URL for a Mirror API callback.
Update: From your comment below, it sounds like you are seeing the URL belonging to the TimelineUpdateServlet is being hit, but are not seeing any evidence that the log message in TimelineUpdateServlet.doPost() is being called. What return code is logged? Have you tried calling this URL manually via POST to make sure the URL is going to the servlet you expect?
I am currently running Coldfusion 8,0,1,195765 on a Windows 2003 SP 2 server over IIS 6.0.
I needed to change one of the Mail Server Settings in the ColdFusion Administrator, but when I clicked Submit Changes, the page appeared to refresh, and the field was reverted.
I made a change to another page to make sure that changes could be made, and sure enough, the change was applied.
There are no errors shown - everything looks normal, aside from the change.
I was able to make my changes programatically, using mail.cfc, and my change did appear in CF Admin.
My concern is that mail functions have been corrupted or compromised - my primary request for the stackoverflow gurus is how can I restore my Mail Server Settings functionality?
My secondary request is How could this have happened?
Thank you for reading my question.
I am having a similar problem with debugging.
Regarding your first question... You can access the administrator api programatically. Here's how you can verify connection and verify what the current settings are:
<cfscript>
/* you must log in first */
adminObj = createObject("component","cfide.adminapi.administrator"); // this assumes default installation
adminObj.login("password"); // enter your cf admin password
mailServerObj = createObject("component","cfide.adminapi.mail");
value = mailServerObj.getMailServers();
</cfscript>
<cfdump var="#value#">
Value is an array of your current mail server settings.
To make a change change the last part of your script to:
mailServerObj = createObject("component","cfide.adminapi.mail");
mailServerObj.setMailServers(
"yourMailServer",
portNumber,
username="yourUsername",
password="yourPassword",
priority="yourServerPriority");
value = mailServerObj.getMailServers();
The only required value is the entry for yourMailServer. Also, the optional value, portNumber, must be numeric.
Check out http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=basiconfig_37.html for the Adobe documentation for using the Administrator API.
You can also see a complete listing of the Administrator API CFC and their respective functions, check out http://www.cfexecute.com/admin-api-documentation/
I'm trying to make integration of etherpad-lite in the CMS Plone, following Example 1 of the official documentation http://etherpad.org/doc/v1.2.7/
Portal places the cookie "sessionID" with the given value on the client and creates an iframe including the pad.
Everythings goes well except for the cookie. Reading documentation the best pratice seems to make etherpad-lite in the same domain under a specific path. This is what I have done using /pad/ path.
Plone side if no session has been created, I created on, I add a cookie and then I'm doing a redirect to the same page to be sure the cookie is in the browser.
As a results my cookie is added to the request of the main page but not ob the iframe request.
Here is the google chrome console network tab for the main page and the iframe:
http://toutpt.makina-corpus.org/en/images/cookie-in-iframe/
The code corresponding to the setCookie is at https://github.com/toutpt/collective.etherpad/blob/master/collective/etherpad/archetypes.py#L100
For posterity, here's the answer from #AskoSoukka identified and "accepted" in the comments above:
How does the actual cookie stored in you browser look like? Probably, you need to explicitly specify path="/" in setCookie kwargs to make it work for the whole domain.
Been trying to figure this out for an hour now and I'm stymied. Simple site that allows employees to register. Typically the employer has a company wide u/p for all employees to use to access the registration page, but client also wanted a way to give employee a link to auto-login to register.
Simple enough - created a page "r.cfm" that looks for URL.emid (encrypted employer ID) and URL.h (5 character hash as a check based on the decrypted employer ID). A full URL may look something like this:
https://www.domain.com/r.cfm?emid=22EBCA&h=F5DEA
r.cfm makes sure the correct URL vars are there, decrypts the emid, compares the check value and if all is correct sets some session vars as such:
<cflock scope="session" type="exclusive" timeout="10">
<cfset SESSION.LOGGEDIN = TRUE/>
<cfset SESSION.LOGIN.EMPLOYEE.COID = DecryptString(url.emid)/>
</cflock>
I think use CFHEADER 302 and CFHEADER location to send them onto the next page. Here's where it gets weird. On the next page I setup some test code to e-mail me a dump of the session.
If clicked directly in MS Word I get to the 2nd page (the one from the cfheader redirect - employeeRegister.cfm) and I get not one - but two e-mail dumps of the session. The first one shows logged in as true, but the 2nd one shows it as false with a different jsessionid.
If I take the exact same link, paste it into my browser, it works as expected - one e-mail with a session dump showing that session.logged in true.
There is nothing on employeeRegister.cfm that would initiate a page reload. It actually doesn't even check the session.logged in var until the following page. employeeRegister.cfm is simply terms and conditions and a submit button to go to the next page, which is where the session vars are read and checked. It is literally a div with text and then a form tag with accept / decline.
This is because the office product initially tries to act as the browser (to test for web authoring) instead of handing off control to the browser right away. By the time the browser gets control of the url a valid session doesn't exist because office isn't going to share cookies. Without a valid session cookie you end up getting logged out during subsequent redirects or navigation of the site in question.
These MS KB article should help you solve the problem.
http://support.microsoft.com/kb/899927 <- mostly
http://support.microsoft.com/kb/218153 <- more info about Office links