> I'm writing an app that uses the CLIENT scope for state 
> management. When somebody logs in, there are some "client" 
> variables that are set like CLIENT.firstName and CLIENT.lastName.
> 
> The problem is that even if the end user quits the browser 
> after being logged in and comes back to the site 10 minutes 
> later, the user is still logged in from before. I realize 
> that you can set a timeout on client variables, but that 
> is stupid. The CFTOKEN and CFID need to go away when the
> browser closes - just as it does on any other website I
> can think of.

The Client scope isn't really intended to behave the same way as the Session
scope - it's intended more for long-term user data storage, rather than
storing data during an individual visit.

> How can I tell CF to set the CFID and CFTOKEN cookies as 
> 'session' cookies, meaning that they are gone when the 
> browser instance quits? It doesn't make any sense for
> people to still be logged in after they quit the browser 
> and it poses a mild security risk for what I'm trying to 
> do. I can think of some annoying workarounds but I can't
> think of any elegant solutions for this problem.

You can set the cookies yourself in Application.cfm:

<cfapplication ... clientmanagement="yes" setclientcookies="no">

<cfif not IsDefined("Cookie.CFID")>
        <cfcookie name="CFID" value="#Client.CFID#">
        <cfcookie name="CFTOKEN" value="#Client.CFTOKEN#">
</cfif>

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
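
One way to confirm the change took effect is to look at the Set-Cookie headers the application returns and check that CFID and CFTOKEN carry no future Expires or Max-Age. The following is an added example, not part of the original message; the function names and sample header values are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

TRACKED = {"CFID", "CFTOKEN"}  # the Client scope identifiers discussed above

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes with lowercase keys)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def is_persistent(attrs, now):
    """True if the browser would keep the cookie after it is closed."""
    try:
        return int(attrs["max-age"]) > 0   # a valid Max-Age wins over Expires
    except (KeyError, ValueError):
        pass                               # absent or invalid: fall back to Expires
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) > now
        except (TypeError, ValueError):
            return False                   # unparseable date: treated as absent
    return False                           # neither attribute: session cookie

def persistent_identifiers(headers, now=None):
    """Names of CFID/CFTOKEN cookies in `headers` that survive a browser restart."""
    now = now or datetime.now(timezone.utc)
    found = set()
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name.upper() in TRACKED and is_persistent(attrs, now):
            found.add(name.upper())
    return sorted(found)

# Constructed sample headers: persistent cookies (the behaviour described in the
# question) and session cookies (the result of <cfcookie> without an expiry).
BEFORE = [
    "CFID=1001; expires=Sun, 27 Sep 2037 00:00:00 GMT; path=/",
    "CFTOKEN=12345678; expires=Sun, 27 Sep 2037 00:00:00 GMT; path=/",
]
AFTER = ["CFID=1001; path=/", "CFTOKEN=12345678; path=/"]

if __name__ == "__main__":
    print("before:", persistent_identifiers(BEFORE))
    print("after: ", persistent_identifiers(AFTER))
```

An empty result means both identifiers are session cookies; a header with Max-Age=0 or a past Expires is a deletion and is not reported.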
