Good question. I am also interested in this response, but with an added
element. What if a user closes the browser, how do you kill client/session
variables, presumably someone could close the browser thinking they are
"logged out", the next person wanders up and sees the first persons
information.
CC
Brian Fox
<brianfox To: CF-Talk <[EMAIL PROTECTED]>
@sdccd.cc.ca. cc:
us> Subject: Auto logout when leaving the
application
04/03/02
10:30 AM
Please
respond to
cf-talk
What's the best way of handling security for a website that may be used in
a
kiosk mode? I'm working on a student grade system that does a one time
validation and sets a session variable. Timeout is 15 minutes.
John may log into the system using a lab computer to retrieve his student
grades, become confused, wander to yahoo, read his mail, then leave the
computer as is. Sue may come in to use the same machine, go to the grade
application to get her grades, and still be logged in as John. Is there a
good way to avoid this?
I'm thinking about mangling the referer variable and zapping the session
variables if the referer is not from the application.
i.e. <cfif left(CGI.HTTP_REFERER,X) is not "http://www.gradesrus.com/"; ...
session.auth=0>
That would solve the 'lost' client wandering out of the site. Leaving the
site is equivalent to logging out then (more or less).
What about a javascript warning when a person is going to leave the
application? I'm not a javascript guru, but it seems like an onunload in
the body should be able to give a popup alert and hopefully the ability to
cancel the outside navigation. Anyone ever try it?
Is there a better approach to this?
Thanks!
Brian
______________________________________________________________________
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
