If you set the cookie with no expire time, the cookie is destroyed when the
browser closes, in both IE and NN. Now, the security for the app should be
that both session on server and cookie on client must be present for there
to be a logged in condition. If either is missing, a login must occur. As
for walking away from a terminal in an internet cafe, leaving it up and not
logging out, you cannot control that. If it's within the timeout of the
session/client vars, then shame on the user. You cannot write a web
application that will protect folks from their own ignorance. That's no
different than someone walking away from a dumb terminal leaving an
application up and running.

Dave
----- Original Message -----
From: "Paul Johnston" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Friday, June 01, 2001 11:01 AM
Subject: session and client variables
Anyone,
I have come up with a slight issue in the past, and it is this:
If you are using client variables for a secure section of a website and they
have a timeout (say 10 minutes). The user closes the browser thinking that
they have logged out (when they haven't) and the cookies (let's assume
cookies here) get destroyed by an onunload="" event. The logout script
destroys the cookies when the user leaves the secure section, so we don't
worry about that.
Bearing in mind that an onunload event doesn't work consistently in all
browsers (it's a known bug in Netscape) does anyone have a solution (barring
recoding of the site to use the urltoken), for destroying the cookies in the
user's browser that works cross-browser (ie Netscape 4+, IE 4+ and Netscape
6)?
The problem is that it is entirely possible (and sensible) that the cookie
should stay on the user machine if they come back to the site so that they
are logged in (assuming the ten minutes isn't up), but what if they are in
an internet cafe and the ten minutes aren't up?
(Let's assume we're using a clustered server here so session variables
become virtually pointless... or do they?)
Any replies welcome (ie sensible ones).
Paul
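
Added example, not part of either message and not ColdFusion code: a language-neutral Python sketch of the scheme in the reply above, where the cookie is issued with no expiry and a request counts as logged in only when both the client cookie and a live server-side session are present. The cookie name, the in-memory session store and the function names are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_TIMEOUT = 600      # seconds; the 10-minute timeout from the thread
COOKIE_NAME = "AUTHTOKEN"  # hypothetical cookie name
_sessions = {}             # token -> last activity; stands in for server session storage


def login(now):
    """Create the server-side session; return (token, Set-Cookie value)."""
    token = secrets.token_urlsafe(32)
    _sessions[token] = now
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    # No "expires" and no "max-age": the browser holds the cookie in memory
    # only and discards it when the browser is closed.
    cookie[COOKIE_NAME]["path"] = "/"
    cookie[COOKIE_NAME]["httponly"] = True
    cookie[COOKIE_NAME]["secure"] = True
    return token, cookie[COOKIE_NAME].OutputString()


def is_logged_in(cookie_header, now):
    """True only when the client cookie AND a live server session both exist."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    if COOKIE_NAME not in cookie:
        return False                    # cookie missing: browser closed or logged out
    token = cookie[COOKIE_NAME].value
    last_seen = _sessions.get(token)
    if last_seen is None:
        return False                    # no matching session on the server
    if now - last_seen > SESSION_TIMEOUT:
        del _sessions[token]            # idle too long: destroy the session
        return False
    _sessions[token] = now              # activity resets the idle timer
    return True


def logout(cookie_header):
    """Destroy the server session; return a Set-Cookie value that clears the cookie."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    if COOKIE_NAME in cookie:
        _sessions.pop(cookie[COOKIE_NAME].value, None)
    clear = SimpleCookie()
    clear[COOKIE_NAME] = ""
    clear[COOKIE_NAME]["path"] = "/"
    clear[COOKIE_NAME]["max-age"] = 0   # tells the browser to drop it immediately
    return clear[COOKIE_NAME].OutputString()
```

As the reply says, a browser left open inside the timeout still presents a valid cookie, so this check alone does not cover the unattended-terminal case.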