Your code? Did you try my suggestion and dump the session scope right
after the cfapplication tag?

Do you have any other cfapplication tags with the same name? (change the
name maybe)

Is there some code in there that makes requests without you seeing it?

...

Pascal

> -----Original Message-----
> From: Jeff Chastain [mailto:[EMAIL PROTECTED]
> Sent: maandag 31 mei 2004 16:08
> To: CF-Talk
> Subject: RE: Application Security Confusion
>
> Okay, Hal's tutorial fixed the browser close issue.
>  
> However, I still cannot get the session variables to time out when the
> browser is still open. I even set the sessionTimeout attribute to 15
> seconds and I can still navigate the application all day long
> without being required to re-login.
>  
> Any thoughts on what might cause this?
>  
> Thanks
> -- Jeff
>
>   _____  
>
> From: Pascal Peters [mailto:[EMAIL PROTECTED]
> Sent: Monday, May 31, 2004 3:52 AM
> To: CF-Talk
> Subject: RE: Application Security Confusion
>
>
> Jeff,
>
> They have to die at sessiontimeout, but NOT when you close your browser
> (if you are using CF sessions on CFMX or a lower version). If you use
> J2EE sessions in CFMX, the session will end if you close all browser
> windows.
>
> Without seeing code, I can't imagine why the session would persist after
> the specified timeout. You could try and debug by doing a <cfdump
> var="#session#"> right after the cfapplication tag. This way you can see
> if the session really exists, or if your code recreates it or something
> of the kind.
>
> Pascal
>
> > -----Original Message-----
> > From: Jeff Chastain [mailto:[EMAIL PROTECTED]
> > Sent: maandag 31 mei 2004 2:11
> > To: CF-Talk
> > Subject: Application Security Confusion
> >
> > Ok, I must really be missing something obvious, because this
> > makes no sense.
> >  
> > I have an application that has security set up and tracked via session
> > variables. The cfapplication tag has the setClientCookies attribute set
> > to true, and the sessionTimeout attribute has a createTimeSpan value of
> > 0,0,15,0 which I thought was 15 minutes (I am questioning most
> > everything I knew now). At the beginning of each secure page, there is
> > an isDefined check to see if a session structure userAuth exists. If so,
> > then further checks are done to check for valid permissions - if not,
> > the user is sent to the login screen.
> >  
> > When I first load the application, I get sent to the login screen as
> > expected. However, if I leave my browser window open with no activity
> > for 30 minutes, I find I can still navigate the secure pages without
> > having to log in again. What is even weirder is that I can close all of
> > my browser windows, load a new browser window and go directly to a
> > secure url in the site without having to log in again.
> >  
> > I am beginning to question everything I knew about session
> > variables, but I thought they were supposed to time out and
> > die automatically based upon the sessionTimeout attribute of
> > the cfapplication tag and they always died immediately upon
> > closing the browser.
> >  
> > My session variables won't die!
> >  
> > Thanks for any pointers.
> > -- Jeff
> >
> >
> >
> >
>   _____  
>
>
>
>
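
The debugging step suggested in this thread, written out as an added example (not code posted by anyone in the thread). The application name `secureApp`, the keys `debugCreated` and `debugHits`, and the page `login.cfm` are assumptions; the timeout and `userAuth` check follow the original post.

```cfml
<!--- Application.cfm (added example; "secureApp", "debugCreated", "debugHits" are assumed names) --->
<cfapplication name="secureApp"
               sessionManagement="yes"
               sessionTimeout="#createTimeSpan(0,0,15,0)#"
               setClientCookies="yes">

<!--- Stamp the session only when the key is missing, i.e. on a brand-new session.
      An existing session keeps its original stamp and just counts the request. --->
<cflock scope="session" type="exclusive" timeout="10">
    <cfif not structKeyExists(session, "debugCreated")>
        <cfset session.debugCreated = now()>
        <cfset session.debugHits = 0>
    </cfif>
    <cfset session.debugHits = session.debugHits + 1>
    <cfset sessionAgeSeconds = dateDiff("s", session.debugCreated, now())>
</cflock>

<!--- The dump right after the cfapplication tag: shows CFID/CFTOKEN, the stamp,
      and whether userAuth is already present before any page code has run. --->
<cfoutput>
    <p>Session created #timeFormat(session.debugCreated, "HH:mm:ss")#,
       age #sessionAgeSeconds# s, request number #session.debugHits#</p>
</cfoutput>
<cfdump var="#session#" label="session scope after cfapplication">

<!--- Top of each secure page (separate file): the check described in the original post.
      login.cfm is an assumed name for the login screen. --->
<cfif not structKeyExists(session, "userAuth")>
    <cflocation url="login.cfm" addtoken="no">
</cfif>
```

If the stamp and request counter carry on unchanged after an idle period longer than the timeout, the session itself never expired. If the stamp resets but `userAuth` is still there, some code is recreating it on each request.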