I have an application that has security set up and tracked via session
variables. The cfapplication tag has the setClientCookies attribute set to
true, and the sessionTimeout attribute has a createTimeSpan value of
0,0,15,0 which I thought was 15 minutes (I am questioning most everything I
knew now). At the beginning of each secure page, there is an isDefined
check to see if a session structure userAuth exists. If so, then further
checks are done to check for valid permissions - if not, the user is sent to
the login screen.
When I first load the application, I get sent to the login screen as
expected. However, if I leave my browser window open with no activity for
30 minutes, I find I can still navigate the secure pages without having to
log in again. What is even weirder is that I can close all of my browser
windows, load a new browser window and go directly to a secure URL in the
site without having to log in again.
I am beginning to question everything I knew about session variables, but I
thought they were supposed to time out and die automatically based upon the
sessionTimeout attribute of the cfapplication tag and they always died
immediately upon closing the browser.
My session variables won't die!
Thanks for any pointers.
-- Jeff
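
An added example, not part of the original post: an Application.cfm that issues CFID/CFTOKEN as browser-session cookies and enforces the 15-minute idle limit in code instead of relying only on sessionTimeout. The application name, login.cfm and session.lastActivity are assumptions, and it assumes standard (non-J2EE) ColdFusion session management.

```cfml
<!--- Application.cfm: added example, not code from the original post.
      "secureApp", login.cfm and session.lastActivity are hypothetical names. --->
<cfapplication name="secureApp"
               sessionManagement="true"
               sessionTimeout="#createTimeSpan(0,0,15,0)#"
               setClientCookies="false">

<!--- With setClientCookies="false" the application sends the session
      identifiers itself. Omitting the expires attribute makes them
      browser-session cookies, which are discarded when the browser closes. --->
<cfif NOT isDefined("cookie.CFID") OR cookie.CFID NEQ session.CFID>
    <cfcookie name="CFID" value="#session.CFID#">
    <cfcookie name="CFTOKEN" value="#session.CFTOKEN#">
</cfif>

<!--- Explicit idle timeout, checked on every request. Assumption: the login
      handler sets session.lastActivity at the same time as session.userAuth.
      A userAuth without a timestamp is treated as expired (fail closed). --->
<cfset idleLimitMinutes = 15>
<cflock scope="session" type="exclusive" timeout="10">
    <cfif structKeyExists(session, "userAuth")>
        <cfif NOT structKeyExists(session, "lastActivity")
              OR dateDiff("n", session.lastActivity, now()) GTE idleLimitMinutes>
            <!--- Idle too long: drop the authentication state --->
            <cfset structDelete(session, "userAuth")>
            <cfset structDelete(session, "lastActivity")>
        <cfelse>
            <!--- Still active: slide the idle window forward --->
            <cfset session.lastActivity = now()>
        </cfif>
    </cfif>
</cflock>

<!--- Send unauthenticated requests to the login page. The script-name test
      avoids a redirect loop, and addtoken="no" keeps CFID/CFTOKEN out of the URL. --->
<cfif NOT structKeyExists(session, "userAuth")
      AND listLast(cgi.script_name, "/") NEQ "login.cfm">
    <cflocation url="login.cfm" addtoken="no">
</cfif>
```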

