I am working on merging ddspringle’s framework-one-secure-auth to an old website I am revising (and using as a learning tool to create secure login apps). I have come across a bit of a head scratcher and I do not know why it is doing this and hoping someone can enlighten me.
I am currently building a login page where it uses csrfGenerateToken( forceNew = true ). The login function works great, and the csrfVerifyToken() responds as it should. I then moved on to building the OnRequestStart() function as laid out in CFDocs Security Authentication.
After I got it set up I noticed my login page no longer functioned, and narrowed it down to the csrfGenerateToken kept regenerating when I pushed my sign-in button, so the page would redirect because it no longer matched the stored value.
I narrowed it down to the onRequestStart() function, and this line:
<cfset sessionId = application.securityService.getSessionIdFromCookie( cookie[application.cookieName]) />
It seems that this line resets the application for some reason or another. The kicker to this is that this line should not be accessed on my login page. Here is my onRequestStart() (I converted it from cfscript, since I am not used to writing in cfscript); the file name of my login page is login.cfm:
<cffunction name="OnRequestStart" access="public" returntype="boolean" output="true" hint="Fires at first part of page processing.">
<cfset actionArr = ['login.cfm', 'index.cfm', 'client.cfm', 'validate.cfm', 'howto.cfm', 'contact.cfm' ] />
<cfif !arrayFind(actionArr, ListLast(CGI.SCRIPT_NAME, "/") ) >
<!--- need to be logged in to see this page --->
<cfdump var="I am firing" />
<cfif !StructKeyExists( cookie, application.cookieName ) >
<cflocation url="../login.cfm" addtoken="no" />
</cfif>
<cftry>
<cfset sessionId = application.securityService.getSessionIdFromCookie( cookie[application.cookieName]) />
<cfcatch type="any">
<cflocation url="../login.cfm" addtoken="no" />
</cfcatch>
</cftry>
<cflock scope='session' timeout='10' >
<cfset session.sessionObj = application.securityService.checkUserSession( sessionId ) />
</cflock>
<cfif session.sessionObj.getUserId() EQ 0 >
<cflocation url="../login.cfm" addtoken="no" />
</cfif>
<!--- not going to rotate sessionID
<cflock scope='session' timeout='10'>
<cfset session.sessionObj = application.securityService.rotateUserSession( session.sessionObj ) />
</cflock>
<cflock scope='session' timeout='10'>
<cfset session.sessionObj = application.securityService.updateUserSession( session.sessionObj ) />
</cflock>
<cfset getPageContext().getResponse().addHeader("Set-Cookie", "#application.cookieName#=#application.securityService.setSessionIdForCookie( session.sessionObj.getSessionId() )#;path=/;domain=#listFirst( CGI.HTTP_HOST, ':' )#;HTTPOnly") />
--->
</cfif>
<cfreturn true />
</cffunction>
As you can see, if the page is login.cfm, it should ignore the inner block, but it does not completely. I do not get the cfdump (which is correct, since it is not supposed to fire for the page), but for some reason it does touch the above-mentioned bit of code, which causes the token to be reset. But it should not be in that branch of code.
I tracked it down by commenting out (<!--- --->) individual blocks until I found it.
Any suggestions/reasons why this is occurring?
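As an added illustration (my own code, not the asker's and not from framework-one-secure-auth), this is one way to write the public-page allow-list check used in the onRequestStart() above so that it compares the full script path case-insensitively rather than only the bare filename; with the filename-only check, a same-named file in another directory (for example a constructed /admin/login.cfm) would also be treated as public. The function name isPublicRequest and the variable publicPages are assumptions.

```cfml
<cffunction name="isPublicRequest" access="private" returntype="boolean" output="false"
    hint="True only when the requested script path exactly matches an allow-listed public page.">
    <cfargument name="scriptName" type="string" required="true" hint="Pass CGI.SCRIPT_NAME" />

    <!--- Allow-list holds full application-relative paths, not bare filenames,
          so /admin/login.cfm is NOT matched by the entry for /login.cfm --->
    <cfset var publicPages = [ "/login.cfm", "/index.cfm", "/client.cfm",
                               "/validate.cfm", "/howto.cfm", "/contact.cfm" ] />

    <!--- Normalise before comparing: collapse repeated slashes and lowercase --->
    <cfset var normalized = lCase( reReplace( arguments.scriptName, "/+", "/", "all" ) ) />

    <!--- arrayFind is case-sensitive; arrayFindNoCase prevents a case
          mismatch (e.g. Login.cfm on a case-insensitive file system)
          from pushing a public page into the protected branch --->
    <cfreturn arrayFindNoCase( publicPages, normalized ) GT 0 />
</cffunction>
```

Inside onRequestStart() the protected branch then becomes <cfif NOT isPublicRequest( CGI.SCRIPT_NAME )>, with the rest of the block unchanged.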