Tags: authentication, coldfusion, http-redirect, coldfusion-9, http-referer

Why does ColdFusion redirect to the current page after authentication rather than the target page?


I have a situation where, after the user authenticates, it comes back to the current page instead of to the target.

  1. The user enters the search word and presses Enter.
  2. The search page shows the result on the page with links.
  3. The user clicks on the link to see the details page.
  4. The details page requires authentication.
  5. It redirects the user to the authentication page. At this point in the custom_application.cfm page, it shows the HTTP_REFERER as:
    https://devbox.mysite.com/search/?search=calendar
  6. The user authenticates and then it comes back to the https://devbox.mysite.com/search/?search=calendar page instead of to the https://devbox.mysite.com/kb/article/calendar page, which is the link the user clicked and wants to go to.

I found this article by Ben Nadel that talks about the issue with CFLocation, but it does not provide solutions to the issue, or at least I don't feel there was a solution for my situation.

Here's part of the code in the custom-application.cfm file:

<cfif cgi.query_string contains "login=1">
    <cfif not cgi.query_string contains "forcelogin=1">
        <cflog text="SERVER_NAME: #cgi.SERVER_NAME#" type="Information" file="Authentication">
        <cflog text="PATH_INFO: #cgi.PATH_INFO#" type="Information" file="Authentication">
        <cflog text="PATH_TRANSLATED: #cgi.PATH_TRANSLATED#" type="Information" file="Authentication">
        <cflog text="SCRIPT_NAME: #cgi.SCRIPT_NAME#" type="Information" file="Authentication">
        <cflog text="QUERY_STRING: #cgi.QUERY_STRING#" type="Information" file="Authentication">
        <cflog text="REMOTE_HOST: #cgi.REMOTE_HOST#" type="Information" file="Authentication">
        <cfif cgi.http_referer contains "search/?search=">
            <cflog text="cgi.http_referer contains: #cgi.http_referer#" type="Information" file="Authentication">
            <!--- strip scheme and host from the Referer, leaving only its path and query --->
            <cfset tmp=ReReplace(cgi.http_referer, "^.+\.mysite\.com", "")>
            <cfset scriptName=ReReplace(cgi.script_name, "^index.cfm\.+", "")>
            <cflog text="scriptName: #scriptName#" type="Information" file="Authentication">
            <!---<cfset qryString=ReReplace(#tmp#, "/search/?search=", "")>--->
            <cfscript>
                qryString = replace(tmp, "/search/?search=", "", "All");
            </cfscript>
            <cflog text="qryString: #qryString#" type="Information" file="Authentication">
            <cfset session.preauthurl="#request.author_url#/kb/article/#qryString#">
            <cflog text="After cfset session.preauthurl: #request.author_url#/kb/article/#qryString#" type="Information" file="Authentication">
            <cflocation url="#request.author_url#/authenticate.cfm" addtoken="no">
        <cfelse>
            <!---<cfset session.preauthurl="#cgi.http_referer#">--->
            <cflog text="session.preauthurl-172: #session.preauthurl#" type="Information" file="Authentication">
            <cflog text="cflocation url: #request.author_url#/authenticate.cfm" type="Information" file="Authentication">
            <cflocation url="#request.author_url#/authenticate.cfm" addtoken="no">
        </cfif>
        <!---<cfset session.preauthurl="#cgi.http_referer#">
        <cflocation url="#request.author_url#/authenticate.cfm" addtoken="no">--->
    <cfelse>
        <cflocation url="#request.author_url#/authenticate.cfm" addtoken="no">
    </cfif>
</cfif>

And here's part of the code in the authenticate.cfm file:

    <!--- if this user is not marked as a "licensed contributor", mark them as such.--->
    <cfif session.user.LICENSEDCONTRIBUTOR eq 0> 
        <cftry>
            <CFLOCK SCOPE="Session" TYPE="Exclusive" TIMEOUT="5" THROWONTIMEOUT="Yes">
                <cfquery DATASOURCE="#session.user.USERSDATASOURCE#" NAME="updateContributor">
                   UPDATE Users
                   SET LicensedContributor = '1'
                   <!--- bind the id as a parameter instead of interpolating it into the SQL --->
                   WHERE ID = <cfqueryparam value="#session.user.id#" cfsqltype="cf_sql_integer">
                </cfquery>
                <cfset session.user.LicensedContributor = "1">
            </CFLOCK>
        <cfcatch>
            <cfoutput>Error in /authenticate.cfm: An error occurred while trying to log in. Please try again.</cfoutput>
        </cfcatch>
        </cftry>
    </cfif>

    <cflog text="preAuthUrl-63: #session.preAuthUrl#" type="Information" file="Authentication">
    <!---we are now logged in, so redirect somewhere--->
    <cfif session.preAuthUrl eq "">
        <!---not sure where we came from, so redirect to the homepage--->
        <cflocation url="/" addtoken="no">
    <cfelse>
        <!---The tmp here will cause an internal server error because it was not defined anywhere.--->
        <cfset tmp=ReReplace(session.preAuthUrl, "^.+\.mysite\.com", "")>
        <cfif session.preAuthUrl contains "login=1">
            <cfif tmp eq "">
                <cflocation url="/" addtoken="no">
            <cfelse>
                <cflog text="tmp-75: #tmp#" type="Information" file="Authentication">
                <!--- tmp is derived from the Referer captured earlier and is redirected to without validation --->
                <cflocation url="#tmp#" addtoken="no">
            </cfif>
        <cfelse>
            <!---<cfset tmp=ReReplace(session.preAuthUrl, "^.+\.mysite\.com", "")>--->
            <cflog text="final URL: #request.author_url##tmp#" type="Information" file="Authentication">
            <cflocation url="#request.author_url##tmp#" addtoken="no">          
        </cfif>
    </cfif>
</cfif>


<cflog text="http_referer: #cgi.http_referer#" type="Information" file="Authentication">

<!---go back to wherever we came from; cgi.http_referer is a client-supplied header and is used here unvalidated--->
<cflocation url="#cgi.http_referer#" addtoken="no">

And here's what the log shows:

========================This is the first time hitting the custom-application==================================
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:41","SITE1","SERVER_NAME: devbox.mysite.com"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:41","SITE1","PATH_INFO: "
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:41","SITE1","PATH_TRANSLATED: \\commonspotshare.mysite.com\commonspot$\DEVSITE\dev.mysite.com\kb\article\index.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:41","SITE1","SCRIPT_NAME: /kb/article/index.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:41","SITE1","QUERY_STRING: login=1"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:41","SITE1","REMOTE_HOST: 10.34.3.251"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:41","SITE1","cgi.http_referer contains: https://devbox.mysite.com/search/?search=calendar"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:41","SITE1","scriptName: /kb/article/index.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:41","SITE1","qryString: calendar"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:41","SITE1","After cfset session.preauthurl: https://devbox.mysite.com/kb/article/calendar"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:46","SITE1","preAuthUrl-63: https://devbox.mysite.com/kb/article/calendar"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:46","SITE1","final URL: https://devbox.mysite.com/kb/article/calendar"
----------------Notice that it never gets to the "http_referer" log at the bottom, which is the correct behavior------------------------------------------
========================Now, it hits the target page of "calendar" and it launches the custom-application again=====================================================
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:46","SITE1","SERVER_NAME: devbox.mysite.com"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:46","SITE1","PATH_INFO: "
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:46","SITE1","PATH_TRANSLATED: \\commonspotshare.mysite.com\commonspot$\DEVSITE\dev.mysite.com\kb\article\index.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:46","SITE1","SCRIPT_NAME: /kb/article/index.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:46","SITE1","QUERY_STRING: login=1"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:46","SITE1","REMOTE_HOST: 10.34.3.251"
---------------------Notice that the line below shows the target page correctly in the session.preauthurl variable------------------------------------------
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:46","SITE1","session.preauthurl-172: https://devbox.mysite.com/kb/article/calendar"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:46","SITE1","cflocation url: https://devbox.mysite.com/authenticate.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:47","SITE1","preAuthUrl-63: https://devbox.mysite.com/kb/article/calendar"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:47","SITE1","final URL: https://devbox.mysite.com/kb/article/calendar"
----------------------Notice that the line above (final URL) shows the correct target page--------------------------------------------------------
=======================But it never actually gets to the target page; it went back to the custom-application file again, as shown below===================================
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:48","SITE1","SERVER_NAME: devbox.mysite.com"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:48","SITE1","PATH_INFO: "
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:48","SITE1","PATH_TRANSLATED: \\commonspotshare.mysite.com\commonspot$\DEVSITE\dev.mysite.com\kb\article\index.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:48","SITE1","SCRIPT_NAME: /kb/article/index.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:48","SITE1","QUERY_STRING: login=1"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:48","SITE1","REMOTE_HOST: 10.34.3.251"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:48","SITE1","session.preauthurl-172: https://devbox.mysite.com/kb/article/calendar"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:48","SITE1","cflocation url: https://devbox.mysite.com/authenticate.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:48","SITE1","preAuthUrl-63: https://devbox.mysite.com/kb/article/calendar"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:48","SITE1","final URL: https://devbox.mysite.com/kb/article/calendar"
=======================And again here, it launches the custom-application file again and goes through a loop===============================================================
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:48","SITE1","SERVER_NAME: devbox.mysite.com"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:48","SITE1","PATH_INFO: "
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:48","SITE1","PATH_TRANSLATED: \\commonspotshare.mysite.com\commonspot$\DEVSITE\dev.mysite.com\kb\article\index.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:48","SITE1","SCRIPT_NAME: /kb/article/index.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:48","SITE1","QUERY_STRING: login=1"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:48","SITE1","REMOTE_HOST: 10.34.3.251"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:48","SITE1","session.preauthurl-172: https://devbox.mysite.com/kb/article/calendar"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:48","SITE1","cflocation url: https://devbox.mysite.com/authenticate.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:49","SITE1","preAuthUrl-63: https://devbox.mysite.com/kb/article/calendar"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:49","SITE1","final URL: https://devbox.mysite.com/kb/article/calendar"
=======================And again here, it launches the custom-application file again and goes through a loop===============================================================
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:49","SITE1","SERVER_NAME: devbox.mysite.com"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:49","SITE1","PATH_INFO: "
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:49","SITE1","PATH_TRANSLATED: \\commonspotshare.mysite.com\commonspot$\DEVSITE\dev.mysite.com\kb\article\index.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:49","SITE1","SCRIPT_NAME: /kb/article/index.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:49","SITE1","QUERY_STRING: login=1"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:49","SITE1","REMOTE_HOST: 10.34.3.251"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:49","SITE1","session.preauthurl-172: https://devbox.mysite.com/kb/article/calendar"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:49","SITE1","cflocation url: https://devbox.mysite.com/authenticate.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:49","SITE1","preAuthUrl-63: https://devbox.mysite.com/kb/article/calendar"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:49","SITE1","final URL: https://devbox.mysite.com/kb/article/calendar"
=======================And again here, it launches the custom-application file again and goes through a loop===============================================================
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:50","SITE1","SERVER_NAME: devbox.mysite.com"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:50","SITE1","PATH_INFO: "
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:50","SITE1","PATH_TRANSLATED: \\commonspotshare.mysite.com\commonspot$\DEVSITE\dev.mysite.com\kb\article\index.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:50","SITE1","SCRIPT_NAME: /kb/article/index.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:50","SITE1","QUERY_STRING: login=1"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:50","SITE1","REMOTE_HOST: 10.34.3.251"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:50","SITE1","session.preauthurl-172: https://devbox.mysite.com/kb/article/calendar"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:50","SITE1","cflocation url: https://devbox.mysite.com/authenticate.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:50","SITE1","preAuthUrl-63: https://devbox.mysite.com/kb/article/calendar"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:50","SITE1","final URL: https://devbox.mysite.com/kb/article/calendar"
=======================And again here, it launches the custom-application file again and goes through a loop===============================================================
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:50","SITE1","SERVER_NAME: devbox.mysite.com"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:50","SITE1","PATH_INFO: "
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:50","SITE1","PATH_TRANSLATED: \\commonspotshare.mysite.com\commonspot$\DEVSITE\dev.mysite.com\kb\article\index.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:50","SITE1","SCRIPT_NAME: /kb/article/index.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:50","SITE1","QUERY_STRING: login=1"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:50","SITE1","REMOTE_HOST: 10.34.3.251"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:50","SITE1","session.preauthurl-172: https://devbox.mysite.com/kb/article/calendar"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:50","SITE1","cflocation url: https://devbox.mysite.com/authenticate.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:51","SITE1","preAuthUrl-63: https://devbox.mysite.com/kb/article/calendar"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:51","SITE1","final URL: https://devbox.mysite.com/kb/article/calendar"
=========================And it finally quits in Firefox, but in IE it keeps going forever====================================================================
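The log above shows the same `cflocation url: .../authenticate.cfm` entry repeating several times a second on one worker thread, which is the signature of a redirect loop. As an added example (not part of the question or the answer), the following Python reads cflog-style CSV lines and flags any thread that issues the same redirect more than a threshold number of times within a short window. The sample lines are constructed from the layout shown in the question; the thread name is used as a grouping key only because the question's log carries no session identifier, and the function names are my own.

```python
"""Spot a redirect loop in ColdFusion cflog output (added example, Python model)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the cflog CSV layout shown in the question:
# severity, thread, date, time, application, message.  The repeated
# "cflocation url" entries mirror the loop the question's log shows.
SAMPLE_LOG = """\
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:41","SITE1","SERVER_NAME: devbox.mysite.com"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:41","SITE1","After cfset session.preauthurl: https://devbox.mysite.com/kb/article/calendar"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:46","SITE1","cflocation url: https://devbox.mysite.com/authenticate.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:48","SITE1","cflocation url: https://devbox.mysite.com/authenticate.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:48","SITE1","cflocation url: https://devbox.mysite.com/authenticate.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:49","SITE1","cflocation url: https://devbox.mysite.com/authenticate.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:50","SITE1","cflocation url: https://devbox.mysite.com/authenticate.cfm"
"Information","ajp-bio-8013-exec-7","02/25/16","12:17:50","SITE1","cflocation url: https://devbox.mysite.com/authenticate.cfm"
"Information","ajp-bio-8013-exec-9","02/25/16","12:17:50","SITE1","cflocation url: https://devbox.mysite.com/authenticate.cfm"
"""

REDIRECT_PREFIX = "cflocation url: "


def parse_cflog(text):
    """Parse cflog CSV lines into dicts with a datetime, thread, app and message."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 6:
            continue  # blank or truncated line
        severity, thread, date, time, app, message = row[:6]
        ts = datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M:%S")
        entries.append({"ts": ts, "thread": thread, "app": app, "message": message})
    return entries


def find_redirect_loops(entries, threshold=4, window_seconds=10):
    """Return (thread, url, count) for every thread that issued the same
    cflocation redirect at least `threshold` times within `window_seconds`.

    The question's log has no session id, so the worker thread name is the
    grouping key here; with a CFID/CFTOKEN column you would group on that.
    """
    by_key = defaultdict(list)
    for e in entries:
        if e["message"].startswith(REDIRECT_PREFIX):
            url = e["message"][len(REDIRECT_PREFIX):].strip()
            by_key[(e["thread"], url)].append(e["ts"])

    window = timedelta(seconds=window_seconds)
    loops = []
    for (thread, url), stamps in sorted(by_key.items()):
        stamps.sort()
        best = 0
        j = 0
        for i, start in enumerate(stamps):
            # slide the right edge forward while it stays inside the window
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            loops.append((thread, url, best))
    return loops


if __name__ == "__main__":
    for thread, url, count in find_redirect_loops(parse_cflog(SAMPLE_LOG)):
        print(f"loop suspected: {thread} redirected to {url} {count}x within 10s")
```

Run against the sample, the detector reports the `exec-7` thread redirecting to `authenticate.cfm` six times inside the ten-second window and stays quiet about the single redirect on `exec-9`; the same logic, keyed on a session identifier instead of the thread name, is what you would put behind an alert.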

Solution

  • Thank you for all the responses and support. I finally figured it out. The reason it was going into a loop was that the way I tested whether the user is authenticated was wrong. Since we're using CommonSpot CMS, I tried to use their API, .isLoggedIn, for the check, and that was wrong. I finally had to set the session.mySiteShibboleth.isAuthenticated variable and just check that variable in my details page. If it's not true or not set, redirect the user to the authentication page. This seems to work.

    <!--- redirect to login unless the flag both exists and is true --->
    <cfif IsDefined("session.mysiteShibboleth.isAuthenticated") and session.mysiteShibboleth.isAuthenticated>
        <cfoutput>
            mysiteShibboleth exists.
        </cfoutput>
    <cfelse>
        <cflocation url="#request.author_url##cgi.script_name#?login=1" addtoken="no">
    </cfif>
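The accepted fix sorts out the loop, but the surrounding flow still takes its post-login target from the `Referer` header and redirects to it unvalidated. As an added example (Python, not the page's CFML and not CommonSpot's API), the block below models the three pieces a return-after-login flow needs: capture the target from the request itself (`cgi.script_name` plus `cgi.query_string`, minus the `login=1` trigger), reduce the stored value to a same-site path before redirecting, and gate on a session flag that must be present and true. The host `devbox.mysite.com` comes from the question; the function names and the dictionary standing in for the CF session are assumptions of mine.

```python
"""Post-login redirect handling, modelled in Python (added example, not the
page's CFML).  Three checks the question's code lacks: the return target is
taken from the request rather than the Referer header; it is reduced to a
local path before redirecting; and the auth gate requires the session flag
to exist AND be true."""
from urllib.parse import urlsplit, parse_qsl, urlencode

SITE_HOST = "devbox.mysite.com"  # host from the question; assumed for the same-site check
LOGIN_TRIGGER = "login"          # the ?login=1 marker the question's code uses


def _without_trigger(path, query):
    """Rebuild path?query with the login trigger removed so the target page
    does not re-enter the login branch after authentication."""
    params = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
              if k != LOGIN_TRIGGER]
    return path + ("?" + urlencode(params) if params else "")


def capture_return_path(script_name, query_string):
    """Record where the user was going from the request itself (cgi.script_name
    and cgi.query_string), not from cgi.http_referer, which the browser may omit
    or point at the previous page (the search page in the question)."""
    return _without_trigger(script_name, query_string)


def safe_return_path(stored_url, host=SITE_HOST):
    """Reduce a stored pre-auth URL to a same-site path, or "/" if it cannot be
    trusted.  Foreign hosts, non-http(s) schemes, protocol-relative "//" forms,
    backslashes and CR/LF are all rejected."""
    if not stored_url or "\\" in stored_url or "\r" in stored_url or "\n" in stored_url:
        return "/"
    parts = urlsplit(stored_url)
    if parts.scheme not in ("", "http", "https"):
        return "/"
    if parts.netloc and parts.netloc.lower() != host.lower():
        return "/"
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return "/"
    return _without_trigger(parts.path, parts.query)


def needs_login(session):
    """The accepted answer's gate, tightened: send the user to login unless the
    flag is present and true, not merely defined."""
    flag = session.get("mysiteShibboleth", {}).get("isAuthenticated")
    return flag is not True


def post_login_redirect(session, host=SITE_HOST):
    """Where authenticate.cfm should send the user: the validated stored path,
    consumed so a stale value cannot steer a later login."""
    return safe_return_path(session.pop("preAuthUrl", ""), host)


if __name__ == "__main__":
    session = {"preAuthUrl": capture_return_path("/kb/article/index.cfm", "login=1&id=calendar")}
    if needs_login(session):
        session["mysiteShibboleth"] = {"isAuthenticated": True}  # stands in for a successful login
    print(post_login_redirect(session))  # /kb/article/index.cfm?id=calendar
```

Storing the path-only form at capture time and validating it again at redirect time is deliberate: the session value can be written by other code (the question's `custom-application.cfm` writes it from the `Referer`), so the redirect step treats it as untrusted input and falls back to `/` rather than following it blindly.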