November 14th, 2014, 12:08 PM
500 Error "flashes" for a split second when logging in/out of CF8 web app
I've got a company president breathing down my neck trying to get me to figure out a way to resolve this issue. First, some quick background: I have IIS 7 on WS2K8 as my webserver, ColdFusion 8 (incl. the patch to prevent CFIDE/Admin Hash-exposure (not sure what it's called?) hack), SQL Server 05 w/ all security patches in place and up-to-date, and the setup hasn't changed in over a year. Our network is protected by a SonicWall hardware-firewall (80 and 443 are open, naturally, as well as a few other necessary ports, most are closed) and for connection we have a dedicated T-1 line (old but still very reliable, and sufficient as we only have @ 25 concurrent users at most). SSL is in place w/ a 2048-bit encrypted private key, maintained by DigiCert.
At /wwwroot/, there is a "Hub" page written solely in HTML, from which the EU follows 1 of 3 links to our Registration, Reports, or Forms folders. The "Reports" section, which is a CF app, is in a 1-level-down subfolder to wwwroot, i.e. /wwwroot/tpa/<"Reports" files are here>, "Registration" is 2 levels down from webroot, also a CF app, and the same for "Forms" (wwwroot/tpa/reg/<"Reg." files> AND wwwroot/tpa/forms/<"Forms" files>, respectively). All three subfolders have their own Application.cfm page (w/ the A capitalized, per Adobe protocol).
I have a session variable (session.allowin) that acts as a 'flag' to allow/disallow entry beyond the "Hub" page. If the username and password an EU enters matches a database entry, then this session var. is set to true and access is granted to the EU, otherwise it defaults to false and entry is denied.
The problem is, when the EU clicks one of the links on the Hub page, the little spinning green wheel on the browser's tab pops up momentarily (a la a refresh, for example) and on the browser page, the Server Error: 500-Internal Server Error resource you were looking for, etc. etc. is seen. This only lasts for maybe a 1/4 second, followed immediately by the login page. Once proper creds are entered, the screen then goes white for a split second, followed by loading the tpa/index|/reg/index|/forms/index page, and from there, all is well until the user logs out. There is a "Logout" button in the navbar on every CF page, and when clicked, sends the user to a page that clears all session vars, including "session.allowin" and cflocates them back to the login page. This mysterious 500 error ALSO shows up when the EU clicks the "Logout" button. Again, it's only a quarter-second or so, followed by the (proper) login page.
I would blame the 2048 bit key, but other ColdFusion 8 applications are in place on the same server, same wwwroot folder, w/ a very similar if not identical setup (i.e. Hub page in HTML, w/ links to subordinate folders that carry different functions, each CF-app subfolder headed by "Application.cfm") and the problem does not present itself in those other apps, only the TPA application. FWIW, I use CSS to change the background color, font, and some aspects of the layout in the TPA app. The other CF8 apps (that don't exhibit the error) were coded before I started at my current place of work, and have virtually no stylization, e.g. black text and white backgrounds, default fonts and HTML elements, etc.
I can't blame it on using a CFM over a component page (.CFC), because the old apps do not use .CFC either. If it is not from using CSS, then I'm at an impasse. Perhaps one of you could shed some light on why this might be happening? The error is not deleterious to the web application/databases, it's just that with my company bringing in clients outside our company to use these apps, I don't want them to see any error screens if I can help it, and this one will be seen every time they log in/out. If there is a way to replace the 500 error page with a blank, white page, that would be great, as it only flashes for a split second anyway. Thank you in advance, devshed, for your insight and help. Looking forward to your replies to this perplexing problem.
PS: this is across all major browsers
PPS: here is the (very simple) Application.cfm code:
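<!--- Default the session flags so they always exist before being tested --->
<CFPARAM NAME="session.allowin" DEFAULT="false" />
<CFPARAM NAME="session.user_id" DEFAULT="0" />
<cfif session.allowin neq "true">
    <cfif ListLast(CGI.SCRIPT_NAME, "/") EQ "login.cfm">
        <!--- login page: empty branch, the request continues --->
    <cfelseif ListLast(CGI.SCRIPT_NAME, "/") EQ "login_process.cfm">
        <!--- login handler: empty branch (the rest of the snippet is cut off in the post) --->
    </cfif>
</cfif>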
November 17th, 2014, 01:37 AM
November 17th, 2014, 10:26 AM
With time being of the essence, I am putting a band-aid on it for now... I looked at dev tools in FF and saw that somehow, despite my never calling 'index.cfm' in the entire login/logout process (except for the last step of a successful login), it's being loaded briefly before the (proper) page, login.cfm is loaded. Simply wrapping the CFM page (index.cfm) in its entirety with a <cfif isdefined('session.xyzvar')> [code] <cfelse><cflocation url="login.cfm" addtoken="no"> </cfif> is the "band-aid." If time allows in my hectic schedule I'll try taking a look at the logs and see if I can tweak the settings a bit and thusly put a long-term fix in place. Thank you for your suggestions, Kiteless!
Back to the grind for me.
November 17th, 2014, 10:29 AM
PS: I've also replaced the JS redirect w/ <cflocation>, good catch.
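The per-page wrapper and the <cflocation> redirect described in the posts above can be combined into one gate in Application.cfm, so every page in the folder is covered and no protected markup is sent before the redirect. This is an added example, not code from the thread; the application name "tpa_example" and the publicPages list are assumptions.

```cfml
<!--- Application.cfm (added example, not the poster's file) --->
<!--- Assumed name: "tpa_example"; use the application's real name --->
<cfapplication name="tpa_example"
               sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">

<!--- Make sure the flags exist before they are tested --->
<cfparam name="session.allowin" default="false">
<cfparam name="session.user_id" default="0">

<!--- Assumed allow-list: the only pages reachable without a login --->
<cfset publicPages = "login.cfm,login_process.cfm">
<cfset requestedPage = ListLast(CGI.SCRIPT_NAME, "/")>

<cfif session.allowin neq "true"
      and not ListFindNoCase(publicPages, requestedPage)>
    <!---
        Server-side redirect: cflocation sends the 302 and stops processing,
        so index.cfm (or any other protected page) never runs or renders
        for a visitor without a valid session. addtoken="no" keeps
        CFID/CFTOKEN out of the URL. Assumes login.cfm sits in the same
        folder as the requested page.
    --->
    <cflocation url="login.cfm" addtoken="no">
</cfif>
```

Because the check runs before any page in the folder, a page added later is protected by default; only names placed in publicPages bypass the login.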