You don't have to delete the cookies, just reset them!

<cfcookie name="cfid" value="#cookie.cfid#">
<cfcookie name="cftoken" value="#cookie.cftoken#">

Notice the lack of the expires tag. This should remove the dates from the
cookies, which will cause them to expire when the browser is closed.

At 04:21 PM 3/20/2002 -0500, you wrote:
>I prefer them too and we are using them in a database. The problem is, some
>dude with level 4 access closes the browser without logging off. Someone
>comes along within the 1 hour timeout limit and opens the browser and
>suddenly has access to level 4 commands, because they hijacked the identity
>of the other guy. Now, when the browser closes, I can delete the cookies,
>but that would ruin the session for the other browsers that are open in the
>site .. this is a bad thing.
>
>Any idea how I can kill Client variable session when closing a browser
>without killing all sessions for all browsers?
>
>Todd Ashworth
>Macromedia Certified Professional
>Web Application Developer
>
>SCD, Inc.
>Oak Hill Business Park Suite H
>8848 Red Oak Blvd.
>Charlotte, NC 28217
>704-523-0905 [178] (Voice)
>www.scdinc.com
>
>----- Original Message -----
>From: "Nick McClure" <[EMAIL PROTECTED]>
>To: "CF-Community" <[EMAIL PROTECTED]>
>Sent: Wednesday, March 20, 2002 3:27 PM
>Subject: Re: Using Client Variables for security
>
>
> > I like client variables, in fact I prefer them, however I use a Database
> > to store the vars in and not cookies.
> >
> > If you do it that way then the only difference between client and session
> > is if they are stored in Web Server ram or the Database. The normal cookies
> > will always be there no matter which side you use.
> >
> > At 03:23 PM 3/20/2002 -0500, you wrote:
> > >Does anyone know of any good tutorials/articles about locking down a site
> > >that uses Client variables for security? My boss seems to think Session
> > >variables are the way to go and wants to go through the headache of
> > >converting all of the Client Variables in our rather large intranet to
> > >session variables.
> > >Obviously, I don't want to do this because I just know
> > >about 30 things are going to break. I'm of the opinion that it mostly
> > >doesn't matter which I use as long as everything is done right.
> > >
> > >One of the main concerns he has is what if someone closes the browser
> > >without logging off. I gave him a way that could be taken care of. He
> > >asked, won't that kill their session on all of the browsers they have open
> > >on our site? I said, yep. He said, I don't want that. Anyone have any
> > >ideas for me?
> > >
> > >Todd
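
Added example, not part of the original thread: a small Python check that confirms the cookie reset suggested above took effect, by classifying the CFID/CFTOKEN Set-Cookie headers a site returns as session-only or persistent. The header values are constructed samples, and the function names are this example's own.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# ColdFusion identifier cookies named in the thread (compared case-insensitively).
ID_COOKIES = {"cfid", "cftoken"}

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attributes dict)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def lifetime(attrs, now):
    """Return 'session', 'persistent' or 'deleted', as a browser would treat it."""
    if "max-age" in attrs:              # Max-Age takes precedence over Expires
        try:
            return "persistent" if int(attrs["max-age"]) > 0 else "deleted"
        except ValueError:
            pass                        # unparseable Max-Age is ignored
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "session"            # unparseable date is ignored
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return "persistent" if when > now else "deleted"
    return "session"                    # no date: gone when the browser closes

def audit(headers, now=None):
    """List (cookie name, lifetime) for every identifier cookie in the headers."""
    now = now or datetime.now(timezone.utc)
    parsed = (parse_set_cookie(h) for h in headers)
    return [(n, lifetime(a, now)) for n, a in parsed if n.lower() in ID_COOKIES]

# Constructed samples: identifier cookies with a far-future date, then re-set without one.
BEFORE = ["CFID=1234; expires=Sun, 27 Sep 2037 00:00:00 GMT; path=/",
          "CFTOKEN=56789012; expires=Sun, 27 Sep 2037 00:00:00 GMT; path=/"]
AFTER = ["CFID=1234; path=/", "CFTOKEN=56789012; path=/"]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(hdrs))
```

Any identifier cookie reported as persistent survives a browser restart, which is the condition the thread is trying to remove.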
