
Have you noticed the ColdFusion 10 admin allows only one login at a time? It's by design

Note: This blog post is from 2012. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Someone raised a question on one of the Adobe forums saying that they kept getting kicked out of (logged off) the CF Admin in CF10.

Ultimately, he realized it was that when one of his colleagues logged into CF 10 Admin, he got logged out, and vice-versa. Certainly frustrating.

And yes, it's by design in CF10, as part of various security enhancements. The issue is that only one person can be logged in to a given account name in the CF Admin (by default, it's "admin"). There is a solution: create new logins for each person needing to access the Admin. I discuss this and much more below.

Update 1: Since I wrote this entry back in June '12, I did a video for Adobe about a year later where I walk through this in several minutes. You may want to check that out.

Update 2: Great news for those using CF11: CF11 addresses this problem with a new feature in the CF Admin. You may want to read ahead to understand the problem to appreciate the point of this solution. Anyway, see the Security > Administrator page and its option, "Allow Concurrent Login Sessions for Administrator Console". The docs say that it will be disabled by default, allowing multiple logins, unless you choose the "secure profile" option during installation or via the Admin (the ability to change that in the Admin is another new feature of CF11), in which case concurrent access by a given account will be disabled.

Where is this change in CF10 documented?

It is documented, in a couple of places.

For instance, you can find it discussed in Security improvements in ColdFusion 10, by Adobe engineer Shilpi Khariwal (who is also the "security czar for the CF team").

Her article notes with respect to changes about CFLOGIN, which the CF Admin uses under the covers:

Now you can have only one active session open for one user for a given application that uses the cflogin tag.

For example, you can now access the Administrator console one user at a time with a given set of UserIDs and passwords.

Now, you may think, "but that doesn't explain why another user and I can't use the CF Admin at the same time", but actually it does. Note that with CFLOGIN the login is not "per user" but "per account". And by default, there is one account used for logging into the CF Admin, called the Admin user. We normally don't even notice or use that account name, and only need to enter the password for it.

So it's saying that "2 users of the same account can't be logged into the CF Admin at one time." I agree it's an annoyance, but I'm sure there's a worthy security problem for which it was the solution. Maybe someone from Adobe will chime in with more thoughts.

There's also a discussion related to "logins to the CF Admin" in the CF10 docs, in the "Developing ColdFusion 10 Applications" manual, though it's not worded as applying so obviously to the specific situation above. At the bottom of this page on Miscellaneous CF10 changes, it says:

You are logged out from one of the ColdFusion administrators, if:

From the same host, you log in to the ColdFusion (10) Administrator and the ColdFusion Administrator of an older version.

The solution

As I noted above, you can solve this problem by defining a new username for each person accessing the CF admin.

Many never noticed, but CF8 added a feature (Security > User Manager) that lets you define additional username/password combinations in the CF Admin (including limiting what parts they can access, including the Server Monitor) and also control RDS access.

I wrote a fairly extensive article in 2009, in the Adobe Dev Center, on how to use this multiple CF Admin login feature. At the time I wrote that (CF8 timeframe), the ability to add admin users was limited to CF Enterprise, but in CF 9 that restriction was lifted and the feature became available in Standard as well.
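
To make the behaviour concrete, here is a small Python model of a login store that keeps one live session per account name, replayed first with a shared "admin" account and then with one account per person. It is an added illustration, not Adobe's code or anything taken from the CF Admin; the class, function and user names are made up for the example.

```python
import secrets


class AdminLogin:
    """Toy model of 'one active session per account' (illustrative only)."""

    def __init__(self):
        self.active = {}  # account name -> token of its single live session
        self.owner = {}   # token -> person holding it (kept for the demo)

    def login(self, account, person):
        """Start a session; an earlier session on the same account is dropped."""
        old = self.active.get(account)
        kicked = self.owner.pop(old, None) if old else None
        token = secrets.token_hex(16)
        self.active[account] = token
        self.owner[token] = person
        return token, kicked

    def is_logged_in(self, token):
        return token in self.owner


def replay(events):
    """Replay (person, account) logins.

    Returns (kick_outs, still_logged_in), where kick_outs lists
    (who lost the session, who took it) pairs.
    """
    admin = AdminLogin()
    kicks = []
    for person, account in events:
        _, kicked = admin.login(account, person)
        if kicked and kicked != person:
            kicks.append((kicked, person))
    return kicks, sorted(admin.owner.values())


# Constructed sample data: two people sharing the default "admin" account...
SHARED = [("ann", "admin"), ("raj", "admin"), ("ann", "admin")]
# ...versus each person using an account of their own (hypothetical names).
SEPARATE = [("ann", "ann"), ("raj", "raj"), ("ann", "ann")]

if __name__ == "__main__":
    print("shared account:   ", replay(SHARED))
    print("separate accounts:", replay(SEPARATE))
```

With the shared account every login evicts the other person; with separate accounts nobody is evicted and both sessions stay alive.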

Hope that's helpful.

Comments
We had fun with this exact same issue yesterday, New shiny CF10 VM and 3 devs jumping in as admin trying to play with settings resulting in a game of session tennis.

Our first assumption was that it was multiple IP restrictions.

Very frustrating, but it's quickly teaching us to be more patient.
# Posted By patrick Spenceley | 6/14/12 4:30 AM
Thanks Charlie,

One other reason the individual logins are probably a good idea is the new audit log in the Administrator. With individual logins you will actually be able to see who did what rather than just seeing a generic "admin" user.

Thanks again for your help.
Meint
# Posted By Meint | 6/14/12 5:43 AM
Glad to have helped, guys. And great point, Meint. Thanks
This "security" feature won't even allow me to add new users. It keeps asking me to log in, but when I try to add a new user, it just keeps asking me to log in. Any suggestions as to how to get around this?
# Posted By Dawayne Pretlor | 6/25/12 5:53 PM
@Dawayne, I'm not aware of that problem. It could be that few yet have tried that, or it could be a unique combination of things on your end. Either way, I'd think it's a bug that you ought to report to Adobe at https://bugbase.adob... Hope that helps.
This is also happening for me on any POST/submit in CF10's CFIDE, but only in Chrome. Safari and FF both work. Oddly, Chrome works fine submitting forms on another CF10's CFIDE. Totally annoying.
# Posted By caker | 6/27/12 3:33 PM
I'm also having the same problem with constantly getting kicked into the login screen. We only have one user in there at a time so I don't understand it. Like Dawayne mentions in his comment above, I keep on getting kicked to the login when I try to add a new user.

We just got a new CF 10 VPS and the fact that we can't do anything in the cfadmin is limiting how much we can set things up. Their support staff doesn't know what's going on.

Has anyone found a solution to this?

Thanks
# Posted By Jeff | 8/15/12 5:17 PM
We're having the same problem with being kicked out of CF Admin on a ColdFusion Windows 8/IIS7 VPS @ Hostek.com.

Whether on the local VPS or accessing via public IP, we get kicked out of the CF admin in less than a minute, sometimes quicker. There is only one user account and we are NOT using simultaneous logins.

Anyone see a tech note on this or have any possible causes/solutions?

We're on CF 10 Enterprise with the latest hotfix applied.

Thanks!
# Posted By Alex Sherwood | 9/28/12 11:09 PM
Sami Hoda offers some more thoughts on the matter (of CF10's change in not allowing two users to access the same app if it uses CFLOGIN), and its implications beyond just the CF Admin, which I'd not thought to raise. See http://bytestopshere...
@Jeff Please reach out to the support team at https://support.host... if you have not already had us fix the issue. This was an old issue that we are aware of and have a solution for now.

We'll need to set up an alternate CF Admin (as Charlie mentioned) for our control panel to use so you don't get kicked out.
# Posted By Jake H. | 4/21/13 11:47 PM
This continual re-authentication also happens if you have multiple instances of CF, and have two or more CF Admins open (one for each instance). I assume this is related?

It is quite bothersome...
# Posted By Rick | 1/17/14 12:50 PM
@Rick, right. I realized that subsequently but didn't go back to update the entry to reflect that. It is indeed frustrating.

It may really be worth it in this case to create a new user (in the CF Admin) on each instance, whose name is unique to the instance (even if just admin1, admin2, etc.). That way you could then log in to more than one of them at once.

Let me know if that helps.
Copyright ©2024 Charlie Arehart