Just to combine my last post and Dave's -
Dave is right - you need to set the cookie with no expire time. The only
problem is that if you switch on Clientmanagement and leave the rest to CF
it writes the cookies CFID and CFTOKEN to the user's browser with an expiry
time equal to that of the CF Server setting or that in your application cfm.
However, if you overwrite this with the code I posted it sets 2 custom
cookies of the same names with no expiry specified - this way the cookies
get killed when the browser is closed.
A
-----Original Message-----
From: Dave Hannum [mailto:[EMAIL PROTECTED]]
Sent: 01 June 2001 16:25
To: CF-Talk
Subject: Re: session and client variables
If you set the cookie with no expire time, the cookie is destroyed when the
browser closes, in both IE and NN. Now, the security for the app should be
that both session on server and cookie on client must be present for there
to be a logged in condition. If either is missing, a login must occur. As
for walking away from a terminal in an internet cafe, leaving it up and not
logging out, you cannot control that. If it's within the timeout of the
session/client vars, then shame on the user. You cannot write a web
application that will protect folks from their own ignorance. That's no
different than someone walking away from a dumb terminal leaving an
application up and running.
Dave
----- Original Message -----
From: "Paul Johnston" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Friday, June 01, 2001 11:01 AM
Subject: session and client variables
Anyone,
I have come up with a slight issue in the past, and it is this:
If you are using client variables for a secure section of a website and they
have a timeout (say 10 minutes). The user closes the browser thinking that
they have logged out (when they haven't) and the cookies (let's assume
cookies here) get destroyed by an onunload="" event. The logout script
destroys the cookies when the user leaves the secure section, so we don't
worry about that.
Bearing in mind that an onunload event doesn't work consistently in all
browsers (it's a known bug in Netscape) does anyone have a solution (barring
recoding of the site to use the urltoken), for destroying the cookies in the
user's browser that works cross-browser (ie Netscape 4+, IE 4+ and Netscape
6)?
The problem is that it is entirely possible (and sensible) that the cookie
should stay on the user machine if they come back to the site so that they
are logged in (assuming the ten minutes isn't up), but what if they are in
an internet cafe and the ten minutes aren't up?
(Let's assume we're using a clustered server here so session variables
become virtually pointless... or do they?)
Any replies welcome (ie sensible ones).
Paul
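
Added example, not part of the original thread and not the code referred to in the first message: an Application.cfm that applies the two points made above, re-issuing CFID and CFTOKEN with no expiry so they end with the browser session, and treating a request as logged in only when both the server-side session and the client cookies are present. The application name, the Session.loggedIn flag and login.cfm are assumptions; the 10-minute timeout is the figure from the original question.

```cfml
<!--- Application.cfm (added example). Assumed names: "secureApp",
      Session.loggedIn (set by the login handler) and login.cfm. --->
<cfapplication name="secureApp"
               clientmanagement="Yes"
               sessionmanagement="Yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 10, 0)#">

<!--- 1. Client side: did the browser send both identifiers? Read the raw
         request header so cookies written during this request are not counted. --->
<cfset sentCookies = CGI.HTTP_COOKIE>
<cfset hasClientCookie = (FindNoCase("CFID=", sentCookies) GT 0)
                     AND (FindNoCase("CFTOKEN=", sentCookies) GT 0)>

<!--- 2. Server side: is there a live session that the login handler marked? --->
<cfset hasServerSession = false>
<cflock scope="Session" type="ReadOnly" timeout="10">
    <cfif IsDefined("Session.loggedIn")>
        <cfset hasServerSession = Session.loggedIn>
    </cfif>
</cflock>

<!--- 3. Gate: both halves must be present, otherwise a login must occur.
         login.cfm itself is exempt so the redirect cannot loop. --->
<cfset currentPage = ListLast(CGI.SCRIPT_NAME, "/")>
<cfif currentPage NEQ "login.cfm" AND NOT (hasClientCookie AND hasServerSession)>
    <cflocation url="login.cfm" addtoken="No">
</cfif>

<!--- 4. Overwrite the cookies CF wrote with same-named cookies that carry
         no EXPIRES attribute, so the browser drops them when it closes.
         This runs after the gate so it never precedes a cflocation. --->
<cfcookie name="CFID" value="#Client.CFID#">
<cfcookie name="CFTOKEN" value="#Client.CFToken#">
```

The server-side timeout still bounds an abandoned but open browser, which is the case Dave notes the application cannot control.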