Here are some suggestions.
First you want to use "Session" Cookies. They reside in memory and are
deleted when all instances of a browser are closed.
Here is how I do it in Application.cfm (fbx_Settings.cfm for Fusebox users):
<cfapplication NAME="AppName"
               CLIENTMANAGEMENT="Yes"
               SESSIONMANAGEMENT="Yes"
               SETCLIENTCOOKIES="No">
<!--- SETCLIENTCOOKIES="No" stops CF from writing its own CFID/CFTOKEN cookies
      (those carry a far-future expiry). client.CFID/client.CFTOKEN still exist
      on every request, so re-issue them here with no EXPIRES attribute: the
      browser keeps them in memory only. --->
<cfif NOT IsDefined("cookie.cfid")>
    <cfcookie name="CFID" value="#client.CFID#">
    <cfcookie name="CFTOKEN" value="#client.CFTOKEN#">
</cfif>
Also, I typically check to see if a session variable exists to make sure a
session times out (you can include this at the top of each template, in
Fusebox I include it in fbx_Switch before any of the cases are checked):
<cflock TIMEOUT="30" THROWONTIMEOUT="No" SCOPE="Session" TYPE="exclusive">
<cfset sessionActive=IsDefined("session.someVariable")>
</cflock>
<cfif NOT variables.sessionactive>
<cflocation url="index.cfm?fuseaction=login.timeout">
</cfif>
When a user logs out, you can just use the StructClear() function to remove
all the session variables for a user.
<cfset StructClear(session)>
That should do it for you.
Regards,
Derrick Rapley
-----Original Message-----
From: Mike Kear [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 20, 2002 10:55 AM
To: CF-Talk
Subject: RE: Killing Client vars session on closing browser.
Well I can hardly expect all my users (especially potentially malicious ones)
to be deleting anything from their harddrive. I'm trying to write a
password access system here. The thing has to be designed to work under
normal conditions, not exceptional ones.
Once I'm logged out I want to be OUT. That means when users click on the
"logout" button, Time out through inactivity, or close their browser.
All 3 of those events should make sure I can't get back to the secure areas
without providing a valid username/password combination.
But as Kym said, the CFID/CFTOKEN combination could well be the same when
it's issued a second time to the same person/ip address. Just unique at
any one moment.
Cheers,
Mike Kear
Windsor, NSW, Australia
AFP WebWorks
-----Original Message-----
From: Chris Norloff [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 20, 2002 11:55 PM
To: CF-Talk; [EMAIL PROTECTED]
Subject: RE: Killing Client vars session on closing browser.
Have you deleted all cookies on your harddrive from that server? I thought
I had and some were left over from some other implementation. The CFserver
was still using the CFID/CFTOKEN from the stored cookies I didn't know I
had.
Chris Norloff
---------- Original Message ----------------------------------
from: "Mike Kear" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
date: Thu, 20 Jun 2002 12:11:38 +1000
>Ok, here's another part of the mystery .... how could this be?
>
>I closed all copies of all browsers. I used SQL Query Analyser to go to the
>CDATA table and delete the records relating to my client session. Then I
>opened my browser and went to the protected page. As expected I was sent to
>the login page. So far so good.
>
>But when I completed logging in, the CFID and CFTOKEN were the same as the
>one I had just deleted!! I didn't believe what I was seeing, so I did it
>again a couple more times. Same result. I thought the CFIDs and CFTOKENs
>were supposed to be unique and never reused.
>
>What gives? How can I log in fresh and get the same CFID and CFTOKEN as I
>had before?
>
>(If it's relevant, we're using CF5 and my browsers are IE6.0.26, NN4.75,
>and NN6.2.2)
>
>
>Cheers,
>Mike Kear
>Windsor, NSW, Australia
>AFP WebWorks
>
>-----Original Message-----
>From: Matthew Friedman [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, June 20, 2002 11:22 AM
>To: CF-Talk
>Subject: RE: Killing Client vars session on closing browser.
>
>Mike here is a thought and this works for a project that I did.
>
>Open your site in a framed environment.
>Frame one is 100% and this is where your application runs.
>
>Have a hidden frame that is a simple html page with an onclose() function
>to call a page logout.cfm.
>
>In logout run a query to delete your client variables from the database
>that you have designated:
>
><CFQUERY NAME="remove_client_session" DATASOURCE="session_varibles">
>  <!--- CDATA holds one row per application, keyed by 'CFID:CFTOKEN' and by
>        the NAME attribute of the <cfapplication> tag that owns the client
>        vars. The cookie values come from the browser, so bind them with
>        cfqueryparam rather than pasting them into the SQL. --->
>  DELETE FROM dbo.CDATA
>  WHERE cfid = <cfqueryparam value="#cookie.cfid#:#cookie.cftoken#" cfsqltype="CF_SQL_VARCHAR">
>    AND app = 'appname'
></CFQUERY>
>
>then close the browser page with a JavaScript.
>
>This will guarantee that you have deleted the client vars from the time the
>user logs off.
>
>You will need to take this idea one step further to make sure that the user
>does not open the page outside of the framed environment, and that can be
>done with some simple javascripting.
>
>Matt Friedman
>
>
>-----Original Message-----
>From: Mike Kear [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, June 19, 2002 8:40 PM
>To: CF-Talk
>Subject: RE: Killing Client vars session on closing browser.
>
>
>Yes, thanks Rob. That was my understanding of it too. And I had already
>used that code to convert CFID and CFTOKEN to memory cookies. But now, 8
>hours after I closed my browser, I just came back on line, opened my
browser
>again, and I was still logged in with the same CFID and CFTOKEN. So the
>client vars didn't time out, and they didn't disappear when not only did I
>close down my browser but I closed down my whole system for the night.
>
>That's why I asked the question. I didn't want to go over old ground, but
>half a dozen people have told me exactly the same thing - use that snippet
>to convert the cookies to in-memory cookies. BUT IT DOESN'T WORK FOR MY
>CASE. That's the problem. I don't know why. If you look at my original
>question ( re-posted below) you'll see that's what I originally said.
>
>Does that only apply to session variables? Because I'm using CLIENT vars
>(it's a long story, just take it from me that client vars is the way we
>have to go). Or have I missed something?
>
>
>
>-----Original Message-----
>From: Rob Baxter [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, June 20, 2002 4:04 AM
>To: CF-Talk
>Subject: RE: Killing Client vars session on closing browser.
>
>Correct me if I'm wrong, but I believe that eliminating a user's session id
>(aka CFID and CFTOKEN) will have the effect of orphaning their Client data.
>In other words, if you make sure that no users have persistent session
>cookies, when they close the browser, they will lose their CFID and CFTOKEN
>values which are used to hash their Client variables. If they return to your
>site in a new browser instance, they should be issued a new CFID and CFTOKEN
>pair, which effectively gives them a whole new Client variable space. Of
>course you should probably have your Client variables expire fairly
>frequently in this scenario.
>
>I believe someone has already posted the code you can put in Application.cfm
>which will convert your CFID and CFTOKEN cookies from persistent cookies to
>in-memory cookies.
>
></rob>
>
>-----Original Message-----
>Here's what I originally asked:
>At 07:51 AM 6/19/02, you wrote:
>>I'm maintaining state using CLIENT vars, and I want to have the session die
>>when the user closes his browser.
>>
>>I know how to kill SESSION vars by setting the CFID and CFTOKEN cookies to
>>expire, but that doesn't apply to client vars does it? In any case, when
>>I close my browser and open it again, the CFID and CFTOKEN is still alive.
>>I'm still logged in and when I display the CFID and CFTOKEN on the page,
>>they're the same. (Yes, I have refreshed the browser)
>>
>>Here's my <CFAPPLICATION tag:
>>
>><cfapplication
>> name="appname"
>> clientmanagement="Yes"
>> clientstorage="datasource"
>> setdomaincookies="Yes"
>> APPLICATIONTIMEOUT="#CreateTimeSpan(0,0,45,0)#">
>>
>>
>>And here's the following few lines in the application.cfm which set the
>>cookies:
>>
>><cfif IsDefined( "Cookie.CFID" ) AND IsDefined( "Cookie.CFTOKEN" )>
>> <cfset localCFID = Cookie.CFID>
>> <cfset localCFTOKEN = Cookie.CFTOKEN>
>> <cfcookie name="CFID" value="#localCFID#">
>> <cfcookie name="CFTOKEN" value="#localCFTOKEN#">
>></cfif>
>>
>>
>What am I missing?
>
>
>Cheers,
>Mike Kear
>Windsor, NSW, Australia
>AFP WebWorks
>
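Assembling the pieces of this thread for an application that keeps its state in CLIENT variables (an added example written for this page, not code from any of the posts): Application.cfm stops ColdFusion from writing its own persistent CFID/CFTOKEN cookies and re-issues them as memory-only cookies, then enforces the inactivity timeout server-side, because closing the browser never removes anything from the client store; logout.cfm removes the client variables through ColdFusion's own functions and expires the cookies instead of deleting CDATA rows by hand. The datasource name clientDSN, the variables client.loggedIn and client.lastActivity, the file names login.cfm and logout.cfm, and the 45-minute limit are assumptions.

```cfml
<!--- ===== Application.cfm ===== --->
<!--- Assumed names: datasource clientDSN, client.loggedIn, client.lastActivity --->
<cfapplication
    name="appname"
    clientmanagement="Yes"
    clientstorage="clientDSN"
    setclientcookies="No"
    applicationtimeout="#CreateTimeSpan(0,0,45,0)#">

<!--- With setclientcookies="No" ColdFusion does not write its own CFID/CFTOKEN
      cookies (those carry a far-future expiry). client.CFID and client.CFTOKEN
      are still populated on every request, so re-issue them here with no
      EXPIRES attribute: the browser keeps them in memory only and drops them
      when the last browser window closes. --->
<cfcookie name="CFID" value="#client.CFID#">
<cfcookie name="CFTOKEN" value="#client.CFTOKEN#">

<!--- Inactivity timeout for CLIENT variables. Nothing in the client store is
      touched when a browser closes, so the only reliable control is a
      server-side check on a timestamp the application maintains itself. --->
<cfset request.inactivityMinutes = 45>
<cfset request.thisTemplate = ListLast(CGI.SCRIPT_NAME, "/")>

<cfif NOT ListFindNoCase("login.cfm,logout.cfm", request.thisTemplate)>
    <cfif NOT IsDefined("client.loggedIn") OR NOT IsDefined("client.lastActivity")>
        <!--- addtoken="No" keeps CFID/CFTOKEN out of the URL (and the Referer) --->
        <cflocation url="login.cfm?reason=required" addtoken="No">
    </cfif>
    <cfif DateDiff("n", client.lastActivity, Now()) GT request.inactivityMinutes>
        <cfinclude template="logout.cfm">
        <cflocation url="login.cfm?reason=timeout" addtoken="No">
    </cfif>
    <!--- Client variables are stored as strings; the Now() value stored here
          is parsed back by DateDiff() above without extra formatting. --->
    <cfset client.lastActivity = Now()>
</cfif>

<!--- ===== login.cfm: the part that runs once your own credential check has
      succeeded (the check itself is not shown) ===== --->
<cfset client.loggedIn = "Yes">
<cfset client.lastActivity = Now()>
<cflocation url="index.cfm" addtoken="No">

<!--- ===== logout.cfm ===== --->
<!--- Remove every custom client variable for this CFID/CFTOKEN through the
      API, then expire the cookies so the browser stops presenting the pair.
      This empties the CDATA row without a hand-written DELETE, so ColdFusion's
      own bookkeeping for the client record stays consistent. --->
<cfloop list="#GetClientVariablesList()#" index="varName">
    <cfset DeleteClientVariable(varName)>
</cfloop>
<cfcookie name="CFID" expires="NOW">
<cfcookie name="CFTOKEN" expires="NOW">
```

Because the check runs from Application.cfm it covers every template (in Fusebox it would sit in fbx_Settings.cfm, as in Derrick's reply), and no hidden frame is needed: whether the user clicks logout, goes idle, or simply closes the browser, the next request either arrives with no CFID/CFTOKEN and gets a fresh, empty client record, or fails the loggedIn/lastActivity check and is sent to login.cfm. Client records left behind by a closed browser are removed by the purge interval configured for the client store in the ColdFusion Administrator.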
______________________________________________________________________
Signup for the Fusion Authority news alert and keep up with the latest news in
ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists