>
> <cfset session.user_id = someVALUE>
>
> What's the "best practice" way for killing this when the user
> closes his browser or leaves the secured area?

You can disconnect a user's session data from that user's browser by making
the session identification cookies into session cookies. Session cookies are
destroyed when the browser is closed. If you enable J2EE Sessions within the
CF Administrator, this will be the default behavior. If you're using CFID
and CFTOKEN cookies, you'll have to do this yourself:

<cfapplication setclientcookies="no" ...>
<cfif not IsDefined("Cookie.CFID")>
  <cfcookie name="CFID" value="#Session.CFID#">
  <cfcookie name="CFTOKEN" value="#Session.CFTOKEN#">
</cfif>

The preceding code would go into Application.cfm. The omission of an EXPIRES
attribute in the CFCOOKIE tag makes the cookie last only until the browser
is closed. It's also worth noting that this doesn't actually delete the
session variables, it just breaks the connection between them and the user
to whom they belonged.

As for killing session variables when a user goes to a page outside the
site, that would be a little harder. I'm not sure why you'd want to do that
anyway.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
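
A way to confirm on the wire that the change described in the reply took effect, as an added example that is not part of the original message: this Python check reads Set-Cookie header values and reports any session-identifier cookie (CFID, CFTOKEN, or JSESSIONID for J2EE sessions) that still carries a future Expires or Max-Age and would therefore survive a browser close. The function names and the sample header values are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Cookies that carry ColdFusion session identity (JSESSIONID with J2EE sessions).
SESSION_ID_COOKIES = {"CFID", "CFTOKEN", "JSESSIONID"}

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attrs); attribute names lower-cased."""
    first, *rest = [p.strip() for p in value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def lifetime(attrs, now):
    """Classify a cookie as 'session', 'persistent' or 'expired'."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        try:
            return "persistent" if int(attrs["max-age"]) > 0 else "expired"
        except ValueError:
            pass  # malformed Max-Age is ignored; fall back to Expires
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "session"  # an unparseable Expires is ignored
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return "persistent" if when > now else "expired"
    return "session"  # no expiry attribute: gone when the browser closes

def persistent_session_ids(set_cookie_values, now=None):
    """Names of session-identifier cookies that would survive a browser close."""
    now = now or datetime.now(timezone.utc)
    return [name for name, attrs in map(parse_set_cookie, set_cookie_values)
            if name.upper() in SESSION_ID_COOKIES
            and lifetime(attrs, now) == "persistent"]

# Constructed sample headers: identifiers sent with a far-future expiry,
# then the same identifiers set without EXPIRES as in the message above.
BEFORE = ["CFID=1234; expires=Sat, 01-Jan-2050 00:00:00 GMT; path=/",
          "CFTOKEN=56789012; expires=Sat, 01-Jan-2050 00:00:00 GMT; path=/"]
AFTER = ["CFID=1234; path=/", "CFTOKEN=56789012; path=/"]

if __name__ == "__main__":
    print("before:", persistent_session_ids(BEFORE))
    print("after: ", persistent_session_ids(AFTER))
```

An empty result only shows that the browser will drop the identifiers on close; as the message says, the session variables themselves stay on the server until the session ends there.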

