Prevent concurrent logins using cflogin

August 13, 2019
I try to bend the internet to my will.
Wizard 26 posts
Followers: 19 people

Today I discovered that you can prevent concurrent logins by using cflogin. This was added in ACF11 but completely passed me by; it is a nice feature, so I thought it was worth a quick blog post in case others, like me, weren’t aware of it. You may have noticed that the CFIDE doesn’t allow concurrent logins using the same account on two devices at the same time.

You may want to prevent concurrent logins (the same user account being used to log in to the system at the same time) for additional security in your application. This can be done quite simply with cflogin by using the `allowconcurrent` attribute. Here’s a quick example:

cflogin(allowconcurrent="false") {
  cfloginuser(name=username, password=password, roles=userroles);
}

This logs in the given user and also invalidates any other active logins for that user on other computers or devices.

Alternatively, you may want to log your user account out from other computers but preserve the login in your current browser. This can be done in CFML using cflogout and the `session` attribute, like so:

cflogout(session="others");

The `session` attribute also accepts the values `all` and `current`. A value of `all` will log the user out everywhere. A value of `current` will log the user out on their current device (or browser) but not on other devices (or other browsers on the same device).
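
Both pieces together, as an added example that is not from the original post: a minimal Application.cfc that logs users in with `allowconcurrent="false"` and handles the three cflogout `session` values. The application name, the demo account, the `rolesFor` helper, the `signout` form field and `login.cfm` are assumptions made for illustration.

```cfml
component {
    this.name = "concurrentLoginDemo";     // hypothetical application name
    this.sessionManagement = true;
    this.loginStorage = "session";         // keep login state in the session scope

    // Constructed demo account standing in for a real user store
    // (a real application would use a salted, slow password hash).
    variables.demoUser = { name: "alice", roles: "user",
                           pwHash: hash("constructed-demo-password", "SHA-256") };

    // Hypothetical helper: returns the user's roles, or "" if the check fails.
    private string function rolesFor(required string name, required string password) {
        if (arguments.name == variables.demoUser.name
                && hash(arguments.password, "SHA-256") == variables.demoUser.pwHash) {
            return variables.demoUser.roles;
        }
        return "";
    }

    public boolean function onRequestStart(required string targetPage) {
        // Hypothetical POST field "signout" carries one of the values
        // cflogout accepts: current, others or all.
        if (isUserLoggedIn() && structKeyExists(form, "signout")
                && listFindNoCase("current,others,all", form.signout)) {
            cflogout(session=lCase(form.signout));
        }

        // The cflogin body runs only while no user is logged in for this session.
        cflogin(allowconcurrent="false") {
            var roles = "";
            if (isDefined("cflogin")) {    // populated from j_username / j_password
                roles = rolesFor(cflogin.name, cflogin.password);
            }
            if (len(roles)) {
                // Logs this session in and invalidates the user's other logins.
                cfloginuser(name=cflogin.name, password=cflogin.password, roles=roles);
            } else {
                include "login.cfm";       // hypothetical login form page
                return false;              // do not process the requested page
            }
        }
        return true;
    }
}
```

Because the `signout` POST ends sessions, it should sit behind the application's CSRF check.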

Documentation:

https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-tags/tags-j-l/cflogin.html

https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-tags/tags-j-l/cflogout.html

Further reading:

https://helpx.adobe.com/coldfusion/configuring-administering/security-enhancements-coldfusion-11.html#ChangesinSecureProfile

https://www.carehart.org/blog/client/index.cfm/2012/6/13/cf10_admin_allows_one_logon_at_a_time

Comments (2)
2019-08-14 19:14:57

Hi Charlie,

Good points and thanks for posting them. I do encourage readers to have a look at your post (and blog in general) as there is lots of good information in there.

I skipped ColdFusion 11 so didn’t look quite as closely at what was new and improved in that release. I’m sure I must have read about it at the time but that feature just didn’t register in my memory!

Sorry about calling the CF Admin the CFIDE – I’ve never really thought about what it stood for – it’s just habit that I call it after the folder name!

2019-08-14 14:37:55

Hey, John (aka apy), thanks for the inclusion of my blog post for more on the cf admin feature related to this. But for those who don’t read it, something I note there (as a clarification of what you say) is that cf11 in fact added a feature to ALLOW multiple concurrent logins to the cf admin. (It was in cf10 that that was prevented.)

FWIW, the “secure profile” feature in the cf admin also allows control of that feature.

Finally, can I make a plea for folks to not call the cf admin “the cfide”? 🙂 I realize it’s IN a folder of that name, but that’s merely because there was consideration early in cf’s life for an online ide, which never came to pass. 🙂
