Cflogin on a cluster.
I spent this week configuring ColdFusion 8's security framework (cflogin) to run in a clustered server environment. One of our clients is running two Windows servers with CF8 Enterprise Edition in a clustered configuration, using J2EE session variables.
One item we found important to note is that developers need to be aware that CF keeps the user's roles in memory on the server that performed the login, not in the cookie itself. While this is good for security (the client never holds, and so cannot tamper with, the role assignment), it is a bit of a pain, because it requires you to re-authenticate the user when a request fails over to the second server. We settled on doing that in the OnRequestStart function of Application.cfc.
At first we wanted to store the login information using the Application.cfc setting:
loginstorage = "session"
After a few tries it became apparent that the servers were not passing the authorization variable along in the replicated session information. Every time the alternate server kicked in, the user was logged out, because the variable was not carried over.
loginstorage = "cookie"
did do the trick, however. I am interested in hearing whether anyone out there has experience using loginstorage = "session" in a clustered environment.
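To make the approach concrete, here is an Application.cfc in the shape described above: cookie login storage plus an OnRequestStart that re-issues cfloginuser on whichever node serves the request. It is an added example written for this post, not the original code. The application name, the login.cfm template, the authenticate() helper, the constructed sample user and the session.auth struct are all assumptions.

```cfml
<!---
  Application.cfc for a two-node CF8 cluster with J2EE sessions.
  Added example, not the original post's code. Assumes an application
  named "clusterApp", a login.cfm form, a hypothetical authenticate()
  helper, and a session.auth struct that this component itself writes.
--->
<cfcomponent output="false">

    <cfset this.name = "clusterApp">                 <!--- assumed name --->
    <cfset this.sessionManagement = true>            <!--- J2EE sessions enabled in CF Administrator --->
    <cfset this.setClientCookies = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
    <!--- "session" storage dropped the login on failover in the post's tests; "cookie" did not --->
    <cfset this.loginStorage = "cookie">

    <cffunction name="onRequestStart" returnType="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var account = structNew()>

        <!--- The cflogin body runs only when this node has no login record for the
              request. After failover that is exactly the situation, so the login, and
              with it the roles, is rebuilt from the replicated J2EE session instead
              of bouncing the user back to the login form. --->
        <cflogin>
            <cfif structKeyExists(session, "auth")>
                <!--- Re-login on this node from what the first node stored in the
                      replicated session. Only a password hash is kept there; cfloginuser
                      requires a password attribute but never reveals it. --->
                <cfloginuser name="#session.auth.name#"
                             password="#session.auth.passwordHash#"
                             roles="#session.auth.roles#">
            <cfelseif isDefined("cflogin") and len(cflogin.name)>
                <!--- First login: the cflogin scope carries the submitted j_username/j_password --->
                <cfset account = authenticate(cflogin.name, cflogin.password)>
                <cfif account.valid>
                    <cfset session.auth = structNew()>
                    <cfset session.auth.name = account.name>
                    <cfset session.auth.passwordHash = account.passwordHash>
                    <cfset session.auth.roles = account.roles>
                    <cfloginuser name="#account.name#"
                                 password="#account.passwordHash#"
                                 roles="#account.roles#">
                <cfelse>
                    <cfinclude template="login.cfm">   <!--- assumed login form --->
                    <cfreturn false>
                </cfif>
            <cfelse>
                <cfinclude template="login.cfm">
                <cfreturn false>
            </cfif>
        </cflogin>
        <cfreturn true>
    </cffunction>

    <cffunction name="logout" access="public" returnType="void" output="false">
        <!--- Clear both the node-local login and the replicated session copy --->
        <cflogout>
        <cfset structDelete(session, "auth")>
    </cffunction>

    <cffunction name="authenticate" access="private" returnType="struct" output="false">
        <!--- Hypothetical credential check against a constructed sample user.
              A real application would look the user up in its user store. --->
        <cfargument name="name" type="string" required="true">
        <cfargument name="password" type="string" required="true">
        <cfset var result = structNew()>
        <cfset result.valid = false>
        <cfset result.passwordHash = hash(arguments.password, "SHA-256")>
        <cfif arguments.name eq "tim"
              and result.passwordHash eq hash("correct-horse-battery", "SHA-256")>
            <cfset result.valid = true>
            <cfset result.name = "tim">
            <cfset result.roles = "user,admin">
        </cfif>
        <cfreturn result>
    </cffunction>

</cfcomponent>
```

The point of the session.auth copy is that the roles themselves are never in the cookie; they live only in memory on the node that ran cfloginuser, so the second node has to be told them again, and the replicated J2EE session is the place it can read them from. Keep only a hash in that struct, since anything in session scope is replicated to every node and, with the admin setting enabled, may also be written to disk.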
3 comments so far
How does loginstorage="cookie" affect the security of the app roles and session information? I am developing in a similar environment to the client's configuration, and security is very important.
Thanks.
Does using loginstorage="cookie" expose the user's roles and session information in a way that can be tampered with on the client side?
Tim, if you are using authentication on a cluster, the best security practice is to use session-based storage and enable J2EE session variables. This way the session identification information is obscured on the client side.