Hi Erik,

Here is my standard solution for forcing a logout when the browser closes:

1) On the logon page, set your own temporary cookie.  That is, use 
<CFCOOKIE> without a timeout option.  This sets a memory-only cookie, which 
is destroyed when the user closes their browser.

2) In your security code:

Check if they have this cookie set (except if the current page is the logon 
page)

If the cookie is not set, it means they closed their browser, and have not 
visited the logon page yet.  You should purge all their client or session 
variables (or maybe just the key ones required for security) for them, 
forcing the user to log on again with a clean session.  Treat this code 
exactly like you would if you have a "logout" link or button.




At 06:11 PM 4/16/01, Erik Schaareman wrote:
>If you use session or client-variables to see if a user
>is logged in, you can use URLTOKEN to replace the use
>of a cookie.
>
>In most cases a cookie is used to store the CFID and
>CFTOKEN, which are used to reference the session or
>client variables. When you use URLTOKEN the CFID
>and CFTOKEN aren't put in a cookie, since they are already
>present in your URLTOKEN.....
>
>So it only replaces a cookie when you put your login-variables
>in session- or client-variables. When you use COOKIE.user_uuid
>URLTOKEN doesn't replace your cookie.
>
>The only question I have, is there a way that the COOKIE with
>CFID and CFTOKEN is thrown away at the end of a session?
>
>My problem is that when a user starts up another browser (not a new
>window (CTRL +N)), the same COOKIE is read by this browser
>and this has access to the same session-variables. This is not always
>wanted....
>
>And in some companies, people share computers. So it's possible that
>a person is hijacking a session or using client-variables from another
>person if he is going to use this computer. Putting timeouts for client-
>variables or session-variables isn't always the solution.....
>
>If there was only a way to put something like COOKIE-TIMEOUT in
>your CFAPPLICATION..........
>
>With kind regards,
>Erik
>
>
>----- Original Message -----
>From: "Steve Kelley" <[EMAIL PROTECTED]>
>To: "Fusebox" <[EMAIL PROTECTED]>
>Sent: Monday, April 16, 2001 23:38
>Subject: FuseBox Replacement of Cookies
>
>
> > I read the section in the Nelson/Girard FB book concerning <cfapplication>
> > and the issue of cookies (page 37) and don't quite grasp the entire issue. I
> > understand how to implement the URLTOKEN, but don't understand how to
> > implement this in place of the cookies I currently use to determine if a
> > user has successfully logged in during that session.
> >
> > I'd appreciate someone filling in this gap in my understanding. Thanks.
> >
> > Steve Kelley
> > SRKelley Enterprises, Inc.
> > www.HollywoodPaws.com
> > [EMAIL PROTECTED]
> >
> >
> > Archives: http://www.mail-archive.com/[email protected]/
> > Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
> >
>
>
>
>
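The two-step logout-on-browser-close procedure from the top of this message, written out in CFML as an added example (not code from the original thread or from Fusebox). The file name login.cfm, the cookie name browserOpen, the application name demoApp and the session keys userId and userRoles are assumptions made for illustration.

```cfml
<!--- ===== login.cfm (hypothetical file name) ===== --->
<!--- Step 1: no EXPIRES attribute, so the browser holds this cookie in memory
      only and drops it when it closes. The name browserOpen is an assumption.
      HTTPONLY needs ColdFusion 9 or later; remove it on older servers. --->
<cfcookie name="browserOpen" value="1" httponly="true">
<!--- The login form and credential check follow here (not shown). On success
      they set session.userId, a hypothetical key marking a logged-in user. --->

<!--- ===== Application.cfm: step 2, runs before every page ===== --->
<cfapplication name="demoApp" sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#">

<cfset loginPage    = "login.cfm">
<cfset securityKeys = "userId,userRoles">  <!--- hypothetical session keys --->
<cfset currentPage  = GetFileFromPath(GetBaseTemplatePath())>

<!--- Skip the check on the logon page itself, as the procedure requires --->
<cfif CompareNoCase(currentPage, loginPage) NEQ 0>

  <cfif NOT StructKeyExists(cookie, "browserOpen")>
    <!--- Marker cookie is gone: the browser was closed and the logon page has
          not been visited since. Handle it exactly like a logout: delete the
          security-relevant session keys, then send the user to the logon page.
          Only the listed keys are deleted so CFID/CFTOKEN bookkeeping in the
          session scope stays intact. --->
    <cflock scope="session" type="exclusive" timeout="10">
      <cfloop list="#securityKeys#" index="key">
        <cfset StructDelete(session, key)>
      </cfloop>
    </cflock>
    <cflocation url="#loginPage#" addtoken="no">
  </cfif>

  <!--- Marker present: still require an authenticated session --->
  <cflock scope="session" type="readonly" timeout="10">
    <cfset loggedIn = StructKeyExists(session, "userId")>
  </cflock>
  <cfif NOT loggedIn>
    <cflocation url="#loginPage#" addtoken="no">
  </cfif>

</cfif>
```

Browsers configured to restore the previous session on startup can keep memory-only cookies across a restart, so keep a server-side session timeout in place as well.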