Warning about the ColdFusion Admin API and CFLOGON

I ran into an interesting little issue last night when I was writing my blog entry on the Server Monitoring API. For some reason my ability to add blog posts stopped working. I thought something crazy was going on until I noticed something. My username had switched from the username I used to log on to BlogCFC to the username "admin". Why?

Remember this code from my demo:

<cfinvoke component="cfide.adminapi.administrator" method="login" adminPassword="mypasswordcanbeatupyourpassword">

From what I can tell, this code actually uses CFLOGON. Since my ColdFusion Administrator doesn't have a username, just a password, it used "admin" for the username. So when I was reloading both my blog and my demo, my getAuthUser() was switching back and forth.

If I read this right (and I could be wrong), it means that you cannot use the Admin API from within the context of an Application that is using CFLOGON. Frankly this might be the last nail in the coffin for me and CFLOGON. I'm going to file a bug report on this but I wanted to give folks a warning as it certainly worried me.
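A small check for the behaviour described above, as an added example that is not from the original post: it records getAuthUser() before and after the Admin API login and logs a warning if the identity changed. The function name `checkAuthUserAfterAdminLogin`, the `authcheck` log file and the placeholder password are hypothetical, and the script syntax assumes ColdFusion 9 or later.

```cfml
<cfscript>
// Added example (not from the original post). Assumes ColdFusion 9+ script syntax.
// checkAuthUserAfterAdminLogin and the "authcheck" log name are hypothetical.
function checkAuthUserAfterAdminLogin(required string adminPassword) {
    var result = {};

    // Identity established by the application's own CFLOGIN, if any.
    result.before = getAuthUser();

    // Same Admin API login as in the post, here via createObject.
    var admin = createObject("component", "cfide.adminapi.administrator");
    result.adminLoginOk = admin.login(adminPassword = arguments.adminPassword);

    // Identity the application sees after the Admin API login.
    result.after = getAuthUser();
    result.changed = compare(result.before, result.after) neq 0;

    if (result.changed) {
        writeLog(
            file = "authcheck",
            type = "warning",
            text = "getAuthUser() changed from '#result.before#' to '#result.after#' after Admin API login"
        );
    }
    return result;
}

// Run from a page inside an application where a user is already logged in via CFLOGIN.
// The password is a placeholder; load the real one from configuration, not from source.
check = checkAuthUserAfterAdminLogin("REPLACE_WITH_ADMIN_PASSWORD");
writeDump(check);
</cfscript>
```

If `changed` comes back true, any later role or ownership check in the same application is being made against the administrator login rather than the end user.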

Archived Comments

Comment 1 by Simon Green posted on 6/16/2007 at 12:44 AM

Ray,
I'm pretty new to CF, about 16 months now, and I suppose this is not directly related to your post, but you say you might abandon the use of CF login. That's all I use to secure my applications at the moment. What other technique would you use in its place, and why, other than the reason you have stated about the Admin API issue?

Simon

Comment 2 by Raymond Camden posted on 6/16/2007 at 12:54 AM

Ah, heh, well, it is an old beef. Not that the feature is bad or anything, but I've found that in _my_ development, I have problems with it. A lot of my problems were fixed in CF8:

http://www.coldfusionjedi.c...

But my primary complaint, and I think I talk about it in the blog entry - is the lack of being able to separate a login session from the web server and from my CF app. Let me know if that doesn't make sense.

Comment 3 by Michael White posted on 6/16/2007 at 5:40 PM

I found a weird problem with cflogin and session ending. It seems your session can be cleared out but ColdFusion still considers you logged in and you have to explicitly cflogout to get rid of it... that had me going for a while. I'm looking forward to improvements in CF8... it's a lot of work to build a security system from scratch.

Comment 4 by Raymond Camden posted on 6/17/2007 at 2:52 AM

Michael, did you remember to use loginStorage="session"? If you forgot, then your logon 'scope' isn't the same as your session.

Comment 5 by Michael White posted on 6/17/2007 at 3:21 AM

I must have missed that in the manual, or it wasn't in the examples or some other lame excuse...

Comment 6 by Dax Kent posted on 1/15/2014 at 7:48 AM

Sorry to drag up a dead horse,

but was this issue ever addressed? I'm having the same problem in CF 10.
createObject("component","cfide.adminapi.administrator").login overwrites my getauthuser().

Comment 7 by Raymond Camden posted on 1/15/2014 at 7:52 AM

I don't think it ever was. I wish I had a bug # for ya. I know I logged it.