> Basically, sessions are not being killed when the browser is
> closed and even so, they should not be transferable to a new
> browser, which would appear to be what they are doing.

By default, sessions are not closed when you close the browser. The cookies
that tie the session to the browser are persistent cookies. In addition, if
you use URL parameters to tie the session to the browser, and you copy those
URL parameters from one browser to another, the second browser will be
associated with the session data as well.

If you want to make cookie-based sessions close when the browser is closed,
you'll need to write non-persistent cookies to the browser:

<!--- Stop ColdFusion from writing its own persistent CFID/CFTOKEN cookies --->
<cfapplication ... setclientcookies="no">

<!--- Hand out CFID/CFTOKEN ourselves as non-persistent cookies. Because no
      EXPIRES attribute is given, the browser drops them when it is closed. --->
<cfif not IsDefined("Cookie.CFID")>
    <cflock scope="Session" type="readonly" timeout="5">
        <cfcookie name="CFID" value="#Session.CFID#">
        <cfcookie name="CFTOKEN" value="#Session.CFTOKEN#">
    </cflock>
</cfif>

You can dispense with the lock if you're using CFMX. If you omit the TIMEOUT
attribute of CFCOOKIE, the cookies will be destroyed when the browser is
closed.

Or, if you're using CFMX, you can enable J2EE sessions, which will use a
single non-persistent cookie called "JSESSIONID" instead of CFID and
CFTOKEN.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
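A way to check, from the Set-Cookie headers a server returns, which of the session cookies named above would survive a browser close. This is an added Python example, not code from the post or from ColdFusion; the cookie names come from the post and the sample header values are constructed.

```python
"""Classify Set-Cookie headers by whether the cookie survives a browser close.

Added audit helper, not code from the original post. For CFID, CFTOKEN and
JSESSIONID it reports "persistent" (kept on disk), "session" (dropped when the
browser exits) or "expired" (Max-Age<=0 or a past Expires, i.e. deleted).
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

SESSION_COOKIE_NAMES = {"CFID", "CFTOKEN", "JSESSIONID"}  # matched case-insensitively

def classify(morsel, now=None):
    """Return "session", "persistent" or "expired" for one parsed cookie."""
    now = now or datetime.now(timezone.utc)
    max_age = morsel["max-age"]
    if max_age != "":
        # Max-Age takes precedence over Expires (RFC 6265); <= 0 deletes the cookie.
        return "persistent" if int(max_age) > 0 else "expired"
    expires = morsel["expires"]
    if expires != "":
        when = parsedate_to_datetime(expires)
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return "persistent" if when > now else "expired"
    return "session"  # neither attribute: gone when the browser exits

def audit_set_cookie_headers(headers, now=None):
    """Map each session-identifier cookie (one raw Set-Cookie value per entry) to its class."""
    findings = {}
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if name.upper() in SESSION_COOKIE_NAMES:
                findings[name.upper()] = classify(morsel, now)
    return findings

# Constructed sample headers: persistent CFID/CFTOKEN as written by default, then
# the CFCOOKIE-without-EXPIRES form from the post and a J2EE JSESSIONID.
DEFAULT_HEADERS = [
    "CFID=12345; expires=Fri, 31-Dec-2030 23:59:59 GMT; path=/",
    "CFTOKEN=98765432; expires=Fri, 31-Dec-2030 23:59:59 GMT; path=/",
]
FIXED_HEADERS = [
    "CFID=12345; path=/",
    "CFTOKEN=98765432; path=/",
    "JSESSIONID=abc123; path=/; HttpOnly",
]
```

Running `audit_set_cookie_headers` over a real response's Set-Cookie headers shows directly whether the change took effect: before, both CF cookies report "persistent"; after, every session identifier reports "session".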