Ooops, I just found a syntactical error. That DateDiff should have been:
DateDiff("n",CookieData.Time ,now())


On 8/17/06, Dave Shuck <[EMAIL PROTECTED]> wrote:
Ray, here are some VERY rough draft, untested, and unproven thoughts.  I make no guarantees when it comes to syntax and/or logic!

That said... what about something along these lines.  Let's say we create a new field in our User table and call it CookieString.   When a user logs in, let's stuff that field with a value we can match up from our cookie.  Then on their return we can compare the age of the cookie and if it is within the acceptable limit, then we can log the user in based on the Id we pass. 

So when a user logs in you would assign them a cookie like this:
<!--- create a new Structure that we will serialize and stuff in the cookie --->
<cfset CookieData = StructNew() />
<!--- Set the current time that we are building this cookie --->
<cfset CookieData.Time = Now() />
<!--- create a random string that will give us a handle on the user --->
<cfset CookieData.Id = CreateUUID() />

<!--- now serialize the structure so that we can put it in a cookie --->
<cfwddx action="cfml2wddx" input="CookieData" output="CookieDataString" />
<!--- write the cookie --->
<cfcookie name="YOURCOOKIE" domain=".yourdomain.com" expires="never" value="#CookieDataString#" />

Let's look at what this is doing.

The 'name' is what you will use to reference this value later in the 'cookie' scope like cookie.YOURCOOKIE.  You will probably (I hope) notice that it is in all caps.  The reason is that you can run into discrepancies with character case on (client side) where cookie.YOURCOOKIE will actually be interpreted as a different value than cookie.YourCookie.   For this reason I make a habit of making my cookie names upper case.

The 'domain' attribute is optional.  By default it will be available to the servername it was assigned in (eg. www.yourdomain.com).  If that is all you need, then you can leave it blank.  However, if you specify it like I did with the leading ".", the cookie will be available to all subdomains of yourdomain.com.

Expires="never" means it will live for 30 years.

The 'value' is our structure that has been turned into a string.  We will pull it out and de-serialize it later.  The reason we are using a random string for the handle on the user rather than their username or UserId or something, is for security.  If someone ever looked at the contents of their own cookie (and they will) and found that all they needed was a username and timestamp, it would be easy for them to use something like TamperData to  just change the username to someone else, and shorten the time.  By doing that they could log right in as someone else.  By using a random string such as a UUID, you are removing that risk.

So now that we have written the cookie, we need to insert CookieData.Id into our user record so that we can query for it later and retrieve that user.

Now that this part has happened, the user can go on about their session doing their thing.
____
The return:

Let's say they leave and come back hours later.  You could put something like this in a plugin/filter/etc that runs on every request.

For the sake of example, we are going to say that when a user is logged in, they are represented as session.User.

<cfif NOT StructKeyExists(session,"User") AND StructKeyExists(cookie,"YOURCOOKIE")>
    <!---
     this means: a) the user wasn't logged in
     b)  they have the cookie we are looking for
    --->
   
    <!--- deserialize the data --->
    <cfwddx action="wddx2cfml" input="cookie.YOURCOOKIE" output="CookieData" />
    <cfif DateDiff("m",CookieData.Time,now()) LTE [your time threshold in minutes]>
         [look up the user by querying for CookieString.Id]
         <!--- if there was a matching user --->
         [log them in and repeat the process of writing the cookie with a new timestamp]
    </cfif>  
</cfif>


There is probably a shortcoming or two I am missing here.  One of those is certainly the fact that the time starts at the moment of their login rather than their last page request.  You could modify this process to account for that if you felt the need.

Also, this is not the end-all-be-all answer, just a first swag.  If anyone sees any big holes in the flow, speak up!

Hope this helps...

~Dave

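An added example, not Dave's code and not from the list: a hardened version of the flow above, written for the 4-hour inactivity window Ray asked about. Dave's own point about TamperData applies to the timestamp as well as the username: whatever is in the cookie is written by the browser's owner, so the age check should not depend on a Time value read back from the cookie. This version keeps only the random token in the cookie, stores a SHA-256 hash of it in the User table (a copy of the table then contains nothing that can be replayed as a cookie), keeps the expiry in a server-side column, and slides that expiry forward on every request so that inactivity rather than login time drives the timeout, which is the shortcoming Dave notes at the end. The cfapplication tag sits first in Application.cfm so that the session scope exists before it is read. The datasource name yourDSN, the table name Users, the columns UserId, CookieString and CookieExpires, the session.User convention, and an HTTPS-only site (for secure="yes") are assumptions.

```cfml
<!--- ===== login.cfm: run once the username/password check has passed ===== --->
<!--- Random token: this is the only value the browser ever sees (assumed layout) --->
<cfset token = CreateUUID() />
<!--- Store a hash, not the token, so a dump of the Users table cannot be replayed --->
<cfset tokenHash = Hash(token, "SHA-256") />
<!--- Server-side expiry: 4 hours of inactivity, per Ray's requirement --->
<cfset expiresAt = DateAdd("h", 4, Now()) />

<cfquery datasource="yourDSN">
    UPDATE Users
       SET CookieString  = <cfqueryparam value="#tokenHash#" cfsqltype="cf_sql_varchar" />,
           CookieExpires = <cfqueryparam value="#expiresAt#" cfsqltype="cf_sql_timestamp" />
     WHERE UserId = <cfqueryparam value="#session.User.UserId#" cfsqltype="cf_sql_integer" />
</cfquery>

<!--- The cookie carries only the token; there is no timestamp for anyone to edit.
      secure="yes" assumes the site is served over HTTPS; drop it otherwise. --->
<cfcookie name="YOURCOOKIE" value="#token#" expires="never" secure="yes" />


<!--- ===== Application.cfm: runs on every request ===== --->
<!--- Session management must be enabled before any session.* reference below --->
<cfapplication name="Work_Prod" sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#" />

<cfif NOT StructKeyExists(session, "User") AND StructKeyExists(cookie, "YOURCOOKIE")>
    <!--- Not logged in but holding our cookie: look the token up by its hash.
          The expiry is compared on the server's clock against the server's stored
          value, so nothing the browser sends influences the outcome. --->
    <cfquery name="qUser" datasource="yourDSN">
        SELECT UserId
          FROM Users
         WHERE CookieString  = <cfqueryparam value="#Hash(cookie.YOURCOOKIE, 'SHA-256')#" cfsqltype="cf_sql_varchar" />
           AND CookieExpires > <cfqueryparam value="#Now()#" cfsqltype="cf_sql_timestamp" />
    </cfquery>

    <cfif qUser.RecordCount EQ 1>
        <cfset session.User = StructNew() />
        <cfset session.User.UserId = qUser.UserId />
    <cfelse>
        <!--- Expired or unknown token: discard it so we stop querying on every hit --->
        <cfcookie name="YOURCOOKIE" value="" expires="now" />
    </cfif>
</cfif>

<!--- Anyone logged in (by password or by cookie) slides the 4-hour window forward --->
<cfif StructKeyExists(session, "User")>
    <cfquery datasource="yourDSN">
        UPDATE Users
           SET CookieExpires = <cfqueryparam value="#DateAdd('h', 4, Now())#" cfsqltype="cf_sql_timestamp" />
         WHERE UserId = <cfqueryparam value="#session.User.UserId#" cfsqltype="cf_sql_integer" />
    </cfquery>
</cfif>


<!--- ===== logout.cfm: invalidate the token on both sides ===== --->
<cfquery datasource="yourDSN">
    UPDATE Users
       SET CookieString = NULL, CookieExpires = NULL
     WHERE UserId = <cfqueryparam value="#session.User.UserId#" cfsqltype="cf_sql_integer" />
</cfquery>
<cfcookie name="YOURCOOKIE" value="" expires="now" />
<cfset StructDelete(session, "User") />
```

The sliding UPDATE runs on every request for a logged-in user; on a busy site it can be throttled by storing the last slide time in session.User and only writing when, say, a minute has passed, without changing the 4-hour semantics. Because the stored value is a hash, an expired or unknown token reveals nothing about valid ones, and the 20-minute in-memory session still governs what a single request can do between cookie checks.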

On 8/17/06, Ray Hughes <[EMAIL PROTECTED]> wrote:

Hi Dave,

I am still being somewhat "Green and Uncooked",
I have not yet mastered the skill of baking "cookies".

Could you provide some direction and assistance?
How do I set a cookie with a defined timeout for a session of 4 hours of
inactivity?

What I want to happen is as follows:
If the user does not use his session for 4 hours it closes.

As long as the user does some kind of activity in his session then the 4
hour time limit is continually reset to the upper limit of 4 hours upon the
occurrence of each activity.

With your help maybe I can bake a batch of "Cookies".
Please remember I need from scratch instruction.

Regards
Ray

>From: "Dave Shuck" < [EMAIL PROTECTED]>
>Reply-To: Dallas/Fort Worth ColdFusion User Group Mailing
>List< [email protected]>
>To: "Dallas/Fort Worth ColdFusion User Group Mailing
>List"<[email protected]>
>Subject: Re: [DFW CFUG] Session Timeout
>Date: Thu, 17 Aug 2006 11:37:04 -0500
>
>Ray,
>
>Have you considered setting a cookie with a defined timeout, and if a user
>comes to the site with that cookie and the cookie is still valid they
>auto-login?  We use something similar to this on a multiple-subdomain
>application that doesn't share sessions.  You have to be a little conscious
>of security concerns, but it works well when implemented right.  In an MVC
>application, this type of thing can easily be implemented with a filter or
>plugin.
>
>~Dave
>
>On 8/17/06, Christopher Jordan < [EMAIL PROTECTED]> wrote:
>>
>>  Good point, David. I suppose upon login, you could set a variable in the
>>request scope and if it's not defined in the session (ie. the first time
>>around), then check for it in the request scope and behave accordingly if
>>they're a 'big' or 'small' user. You could give that a shot. :-/
>>
>>David Gaddy wrote:
>>
>>The problem with this solution is that unless there is an additional
>>cfapplication tag prior to this statement, then the outer-most if
>>statement
>>will always be false and the cfapplication tags will never fire.  You have
>>to turn on the sessionmanagement with cfapplication tag prior to using any
>>session variables.
>>
>>david
>>
>>
>>
>>Christopher Jordan wrote:
>>
>>I would agree with joe here on running cfapplication twice.
>>
>><cfif #IsDefined("Session.userType")#>
>>         <cfif #session.usertype# eq "Big">
>>                 <cfapplication name="Work_Prod" sessionmanagement="yes"
>>sessiontimeout="#CreateTimeSpan(0, 4, 0, 20)#">
>>         <cfelse>
>>                 <cfapplication name="Work_Prod" sessionmanagement="yes"
>>sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#">
>>         </cfif>
>></cfif>
>>
>>something like that.
>>
>>Chris
>>
>>Joe Kelly wrote:
>>
>>The comments on LiveDocs presented this:
>>
>>yoinky said on Sep 28, 2005 at 2:03 AM :
>>
>>    HUGE Pain-In-The-Ass Solution:
>>
>>    DO NOT USE HYPHEN CHARACTERS IN THE NAME="" ATTRIBUTE!
>>
>>    Just in case you are pulling your hair out wondering why your
>>client management isn't working (like I've been doing for the past
>>week) and have gone through everything and can't get it working on a
>>database or in the registry, heed this very simple "rule" left out of
>>the documentation.
>>
>>    if you do use a hyphen, at the end of the request when the client
>>scope is supposed to be automatically persisted by the runtime, it
>>will display a "500 NULL" error in html at the bottom of the page, it
>>won't even throw a real exception or log the error, so you have no
>>idea it happened.
>>
>>~~~~~~~~~~~~~~
>>This may go for underscores as well.....
>>Plus, I would run <cfapplication> twice, personally.  I'd just place
>>it in the <cfif> so it ran only once.
>>
>>Thanks,
>>Joe Kelly
>>
>>On 8/16/06, Ray Hughes <[EMAIL PROTECTED]>
>>< [EMAIL PROTECTED]>wrote:
>>
>>Hi All,
>>
>>I am having an issue with session timeout.  In the application.cfm I have
>>the following:
>><cfapplication sessionmanagement="yes" name="Work_Prod">
>>This is the first line in the application.cfm. I was hoping that I could
>>replace this with a further definition further down in the code.
>>
>>The default session timeout on the prod server from CF Administrator are as
>>follows:
>>Session Variables
>>Enable session variables        Yes
>>Default Timeout         0,0,20,0
>>Maximum Timeout         2,0,0,0
>>
>>I have two types of users, Big and Small.
>>
>>I want to set the session timeout to 4 hours for the Big users and leave the
>>session timeout at 20 minutes for the Small users.
>>
>>I have put the following in the application.cfm further down in the code.
>>But this does not seem to work. The session still seems to time out at 20
>>minutes. Should this code work?
>><cfif #IsDefined("Session.userType ")#>
>>         <cfif #session.usertype# eq "Big">
>>                 <cfapplication name="Work_Prod" sessionmanagement="yes"
>>sessiontimeout="#CreateTimeSpan(0, 4, 0, 20)#">
>>         </cfif>
>></cfif>
>>
>>I was presuming that after the "BIG" user logged in, this If statement
>>would overwrite the previous CfApplication tag.
>>
>>Does anyone have any suggestions?
>>
>>Regards
>>Ray
>>
>>
>>
>>_______________________________________________
>>Reply to DFWCFUG:
>>   [email protected]
>>Subscribe/Unsubscribe:
>>   http://lists1.safesecureweb.com/mailman/listinfo/list
>>List Archives:
>>     http://www.mail-archive.com/list%40list.dfwcfug.org/
>>   http://www.mail-archive.com/list%40dfwcfug.org/
>>DFWCFUG Sponsors:
>>   www.HostMySite.com
>>   www.teksystems.com/
>>
>
>
>--
>~Dave Shuck
>[EMAIL PROTECTED]
>www.daveshuck.com
> www.worldwildweb.biz


--
~Dave Shuck
[EMAIL PROTECTED]
www.daveshuck.com
www.worldwildweb.biz