Hmm, that is strange. Couple of questions... How are you determining that a user needs to be redirected to the login page?
Are you using cflocation anywhere which might be preventing the cookie overwrite from happening correctly? Are you using UUIDs for cftokens?

</rob>

-----Original Message-----
From: Mike Kear [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 19, 2002 10:12 PM
To: CF-Talk
Subject: RE: Killing Client vars session on closing browser.

Ok, here's another part of the mystery .... how could this be?

I closed all copies of all browsers. I used SQL Query Analyser to go to the CDATA table and delete the records relating to my client session. Then I opened my browser and went to the protected page. As expected I was sent to the login page. So far so good. But when I completed logging in, the CFID and CFTOKEN were the same as the one I had just deleted!!

I didn't believe what I was seeing, so I did it again a couple more times. Same result.

I thought the CFIDs and CFTOKENS were supposed to be unique and never reused. What gives? How can I log in fresh and get the same CFID and CFTOKEN as I had before?

(If it's relevant, we're using CF5 and my browsers are IE6.0.26, and NN4.75, and NN6.2.2)

Cheers,
Mike Kear
Windsor, NSW, Australia
AFP WebWorks

-----Original Message-----
From: Matthew Friedman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 20, 2002 11:22 AM
To: CF-Talk
Subject: RE: Killing Client vars session on closing browser.

Mike, here is a thought, and this works for a project that I did.

Open your site in a framed environment.
Frame one is 100% and this is where your application runs.
Have a hidden frame that is a simple html page with an onclose() function to call a page logout.cfm.
In logout run a query to delete your client variables from the database that you have designated:

    <CFQUERY NAME="remove_client_session" DATASOURCE="session_varibles">
        <!--- The CDATA key is CFID:CFTOKEN; it comes from cookies, so bind it as a parameter instead of splicing it into the SQL text. --->
        delete from dbo.CDATA
        where cfid = <cfqueryparam value="#cookie.cfid#:#cookie.cftoken#" cfsqltype="CF_SQL_VARCHAR">
        <!--- Placeholder: this is the name from the cfapplication tag that you are using for the client vars. --->
        and app = 'your_cfapplication_name'
    </CFQUERY>

Then close the browser page with a JavaScript.

This will guarantee that you have deleted the client vars from the time the user logs off.

You will need to take this idea one step further to make sure that the user does not open the page outside of the framed environment, and that can be done with some simple javascripting.

Matt Friedman

-----Original Message-----
From: Mike Kear [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 19, 2002 8:40 PM
To: CF-Talk
Subject: RE: Killing Client vars session on closing browser.

Yes, thanks Rob. That was my understanding of it too. And I had already used that code to convert CFID and CFTOKEN to memory cookies. But now, 8 hours after I closed my browser, I just came back on line, opened my browser again, and I was still logged in with the same CFID and CFTOKEN. So the client vars didn't time out, and they didn't disappear when not only did I close down my browser but I closed down my whole system for the night.

That's why I asked the question. I didn't want to go over old ground, but half a dozen people have told me exactly the same thing - use that snippet to convert the cookies to in-memory cookies. BUT IT DOESN'T WORK FOR MY CASE. That's the problem. I don't know why. If you look at my original question (re-posted below) you'll see that's what I originally said.

Does that only apply to session variables? Because I'm using CLIENT Vars (it's a long story, just take it from me that client vars is the way we have to go). Or have I missed something?

-----Original Message-----
From: Rob Baxter [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 20, 2002 4:04 AM
To: CF-Talk
Subject: RE: Killing Client vars session on closing browser.

Correct me if I'm wrong, but I believe that eliminating a user's session id (aka CFID and CFTOKEN) will have the effect of orphaning their Client data.
In other words, if you make sure that no users have persistent session cookies, when they close the browser, they will lose their CFID and CFTOKEN values which are used to hash their Client variables. If they return to your site in a new browser instance, they should be issued a new CFID and CFTOKEN pair, which effectively gives them a whole new Client variable space. Of course you should probably have your Client variables expire fairly frequently in this scenario. I believe someone has already posted the code you can put in Application.cfm which will convert your CFID and CFTOKEN cookies from persistent cookies to in-memory cookies.

</rob>

-----Original Message-----
Here's what I originally asked:

At 07:51 AM 6/19/02, you wrote:
>I'm maintaining state using CLIENT vars, and I want to have the session die
>when the user closes his browser.
>
>I know how to kill SESSION vars by setting the CFID and CFTOKEN cookies to
>expire, but that doesn't apply to client vars does it? In any case, when
>I close my browser and open it again, the CFID and CFTOKEN is still alive.
>I'm still logged in and when I display the CFID and CFTOKEN on the page,
>they're the same. (Yes, I have refreshed the browser)
>
>Here's my <CFAPPLICATION tag:
>
><cfapplication
>   name="appname"
>   clientmanagement="Yes"
>   clientstorage="datasource"
>   setdomaincookies="Yes"
>   APPLICATIONTIMEOUT="#CreateTimeSpan(0,0,45,0)#">
>
>
>And here's the following few lines in the application.cfm which set the
>cookies:
>
><cfif IsDefined( "Cookie.CFID" ) AND IsDefined( "Cookie.CFTOKEN" )>
>   <cfset localCFID = Cookie.CFID>
>   <cfset localCFTOKEN = Cookie.CFTOKEN>
>   <cfcookie name="CFID" value="#localCFID#">
>   <cfcookie name="CFTOKEN" value="#localCFTOKEN#">
></cfif>
>
>

What am I missing?

Cheers,
Mike Kear
Windsor, NSW, Australia
AFP WebWorks
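Added example, not part of the thread or written by any of its participants: a small Python model of a browser cookie jar showing how re-sending CFID and CFTOKEN without a domain, as the Application.cfm snippet in the original question does while setdomaincookies="Yes" is set, can leave persistent domain-level cookies in place across a browser restart. The host name, cookie values and the names CookieJar and survives_restart are constructed for illustration, and the model assumes the first CFID/CFTOKEN pair was issued as persistent, domain-wide cookies.

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    value: str
    domain: str
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    persistent: bool  # True when Set-Cookie carried an expiry date

class CookieJar:
    """Minimal browser jar; a cookie is identified by (name, domain)."""
    def __init__(self):
        self.store = {}

    def set_cookie(self, host, name, value, domain=None, expires=False):
        dom = (domain or host).lstrip(".")
        self.store[(name, dom)] = Cookie(value, dom, domain is None, expires)

    def restart_browser(self):
        # Closing the browser discards only the in-memory cookies.
        self.store = {k: c for k, c in self.store.items() if c.persistent}

    def sent_to(self, host):
        sent = {}
        for (name, _), c in self.store.items():
            if host == c.domain or (not c.host_only and host.endswith("." + c.domain)):
                sent[name] = c.value
        return sent

HOST = "www.example.test"                       # constructed host name
IDS = {"CFID": "1001", "CFTOKEN": "55512345"}   # constructed identifier values

def survives_restart(resend_domain):
    """Return the cookies the browser still sends after being reopened."""
    jar = CookieJar()
    # Assumed first visit: persistent, domain-wide cookies (setdomaincookies="Yes").
    for name, value in IDS.items():
        jar.set_cookie(HOST, name, value, domain=".example.test", expires=True)
    # Application.cfm then re-sends both cookies with no expiry date.
    for name, value in IDS.items():
        jar.set_cookie(HOST, name, value, domain=resend_domain)
    jar.restart_browser()
    return jar.sent_to(HOST)

if __name__ == "__main__":
    print("no domain on re-send:  ", survives_restart(None))
    print("same domain on re-send:", survives_restart(".example.test"))
```

With no domain on the re-send, the new cookies are stored as separate host-only entries, so the persistent domain-level pair is never overwritten and is presented again after the restart.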

