[Coldbox 5.3.x] cbauth module - isloggedIn()

I am using the cbauth module in conjunction with cbstorages to authenticate and login a user to my application. I came across an issue with the auth().isLoggedIn() helper that I cannot explain.
The login process is held in a handler called “sessions”, I also store other objects in the sessionStorage that contain further attributes needed during that session.

For debugging purpose, I tracked the value of isLoggedIn() while using the application. What I noticed is that isLoggedIn() sets itself to false after a while despite the fact that:

1 - I did not log out, meaning the session was not destroyed
2 - sessionStorage objects (sessionUserbean, structUItheme) are still accessible, meaning the session is still alive

How could we explain this inconsistency? By definition: IsLoggedIn() returns a boolean sessionStorage.exists( USER_ID_KEY). If isUserLoggedIn() is false, it implies that USER_ID_KEY is no longer in sessionStorage. Then should I assume that my session is in fact, still alive since I have other objects accessible from sessionStorage?

The login/logout code is as follows:

// new / login form page

function new( event, rc, prc ) {

// Set the user login form layout

event.setLayout(“FoundationMini”);

return event.setView( “sessions/new” );

}

// create session (login)function create( event, rc, prc ) {

try {

auth.authenticate( rc.userLogin, rc.userPassword );

// Get the ID of the user authenticated for the current session
var sessionUserID = auth.getUserId();

// Retrieve the session user’s details and preferences
var sessionUserbean = userSVC.read(sessionUserID);

// Retrieve the user’s session UI theme parameters
var structUItheme = structNew();
structUItheme = buildViews.getUItheme(sessionUserbean.getUserUItheme());

// Load parameters to the session storage
sessionStorage.setVar(“sessionUserbean”,#sessionUserbean#);
sessionStorage.setVar(“structUItheme”,#structUItheme#);

// And relocate to the appropriate landing page upon login.

return relocate( event=“loggedin” );

} catch ( InvalidCredentials e ) {

messagebox.setMessage( type = “warn”, message = e.message );
return relocate( uri = “/login” );

}
}

// delete session (logout)

function delete( event, rc, prc ) {

auth.logout();

// Clear the entire Coldbox session storage

sessionStorage.clearAll();

return relocate( uri = “/” );

}

I’m not an expert in cbauth (yet) but I saw you haven’t received a reply to your message so I figured I would chime in with my 2 cents:

Your auth.authenticate( rc.userLogin, rc.userPassword ); code in your handler should be all you need to authenticate.

In your ColdBox config file, you had to specify a userServiceClass for cbauth with a few key methods in it to handle the authentication for you. This is an example of what mine looks like:

moduleSettings = {
   cbauth = {
      userServiceClass = "userService"
   }
};

Then, in your “userService” you need to have two methods: isValidCredentials( emailAddress, password ) and retrieveUserById( id )

The first method, isValidCredentials() should return whether the email/password combo is valid (boolean value).
The second method, retrieveUserById() should return a user entity (or bean) which cbauth will automatically store for you.

If you’re still having problems, can you please post the relevant methods in your userService?

1 Like

Hi David,

Thanks for your reply. The authentication process works fine and was implemented exactly as you suggested.I can login and logout without problems and the application behaves apparently as expected. The only thing that I cannot explain is why the auth().isLoggedIn() helper sets itself to false after some time (approximately 2 minutes) , while I am still logged in and my session is still alive. It does not do any harm to my application, although it logically should. This is what I am trying to understand.

Best regards

Philippe

By default this library uses the `CacheStorage@cbstorages` to store session information. This allows for easier distributed sessions in a store like CouchBase without having to worry about Lucee or ACF session providers. The default cache is tied to the framework, though, so any framework reinit will wipe out the cache even if your sessions would still be active.

Hope that helps.

Cheers,
Eric

Thank you Eric.