Participant
February 7, 2010
Question

A simple app to secure ColdFusion pages - Running into an issue with Session


Hello, I am testing out how to protect pages in ColdFusion and have run into an issue when attempting to create a process by which users can log out.

Essentially, I have three pages:

  1. Page A - The form that submits to Page B
  2. Page B - That checks the form.username and form.password against a database (works fine)
  3. Page C - Logout page (Which is where I am having an issue).

Page C throws a "variable Session is undefined" error.

Here is the code on Page C:

<cfset StructClear(Session)>
<cflocation url="index.cfm">

Here is the code on Page B:

<cfif NOT IsDefined ("form.username")>
<cflocation url="index.cfm" addtoken="No">
</cfif>


<cfquery name="test" datasource="cfdb">
SELECT * FROM USERS
WHERE USERNAME = '#FORM.username#'
AND PASSWORD = '#FORM.password#'
</cfquery>


<!---<CFSET Session.LoggedIn = "1">
<CFSET Session.FirstName = "#test.FirstName#">--->


<CFIF test.RecordCount IS 0>
<cflocation url="index.cfm" addtoken="No">
<CFSET StructClear(Session)>
<cfelse>
<CFSET Session.LoggedIn = "1">
<!---<cflocation url="test.cfm" addtoken="No">--->
</cfif>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<p><a href="logout.cfm">Log Out</a></p>
<p> </p>
<p> </p>
<p><br>
  This content is protected.
</p>
</body>
</html>

As you can see, nothing fancy.

Now, I thought that the Session variable could be accessed by any page within a given browser instance, but I am obviously wrong.

What do I need to do for Page C (my logout page) to be able to access the session variable?

Any guidance is greatly appreciated!


5 replies

BKBK
Community Expert
February 14, 2010

I'd say, to test whether sessions are enabled, do this just before the line where ColdFusion throws the error:

<cftry>
<cfdump var="#session#">
<cfcatch type="any">
<cfoutput>#cfcatch.message#</cfoutput>
</cfcatch>
</cftry>

If the result is negative, you will have to enable the session scope (and the application scope) in the ColdFusion Administrator.

Inspiring
February 13, 2010

As someone else alluded to... can you post your Application.cfc (or Application.cfm)?

It doesn't sound like you've got session variables enabled. Although I would have thought when you're setting session variables in a template you'd get an error to that effect...

--

Adam

Inspiring
February 10, 2010

1. “Variable Session is undefined” error comes up when you try to manipulate a session variable which does not exist at that point in time. To take care of possible empty session structures, it is good practice to check first if your session is defined.

So you will have something like:

<cfif isDefined("session")>
<cfset StructClear(Session) />
<cfelse>
<cflocation url="index.cfm">
</cfif>

2. To enable you to access your session variables from any page in your application, you need to enable session management in your Application.cfm or Application.cfc.

cfm:
<cfapplication sessionmanagement="Yes" />

cfc:
<cfcomponent>
<cfset THIS.SessionManagement = "Yes" />
</cfcomponent>

Reference…http://help.adobe.com/en_US/ColdFusion/9.0/Developing/WSc3ff6d0ea77859461172e0811cbec22c24-7c48.html
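
One way to combine the session-management setting described above with a login check on every protected page, as an added example that is not part of the original replies. The application name and login.cfm (standing in for Page B) are assumed names; index.cfm, logout.cfm and Session.LoggedIn come from the thread.

```cfml
<!--- Application.cfc (added example; application name and login.cfm are assumed names) --->
<cfcomponent output="false">
    <!--- A named application with session management on is what makes the Session scope exist --->
    <cfset this.name = "SecuredPagesDemo">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <!--- Reachable without logging in: the form (Page A), its handler (Page B), logout (Page C).
          Matching is by file name only, so keep these names unique within the application. --->
    <cfset variables.publicPages = "index.cfm,login.cfm,logout.cfm">

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- Every new session starts logged out --->
        <cfset session.LoggedIn = "0">
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var page = listLast(arguments.targetPage, "/")>
        <!--- structKeyExists also covers a session that logout.cfm emptied with StructClear --->
        <cfif listFindNoCase(variables.publicPages, page) EQ 0
              AND (NOT structKeyExists(session, "LoggedIn") OR session.LoggedIn NEQ "1")>
            <!--- Not authenticated: send the browser back to the login form --->
            <cflocation url="index.cfm" addtoken="no">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

With this file in the application root, protected templates need no per-page check, and logout.cfm can reference Session because the scope is enabled for every request.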

BKBK
Community Expert
February 7, 2010

Your logout page shouldn't need to access the session. It should be the page where you clear the session.

Page B:

<cfquery name="test" datasource="cfdb">
SELECT * FROM USERS
WHERE USERNAME = <cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.username#">
AND PASSWORD = <cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.password#">
</cfquery>

<CFIF test.RecordCount GT 0>
    <CFSET Session.LoggedIn = "1">
    <CFSET Session.FirstName = "#test.FirstName#">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Untitled Document</title>
    </head>
   
    <body>
    <p><a href="logout.cfm">Log Out</a></p>
    <p> </p>
    <p> </p>
    <p><br>
      This content is protected.
    </p>
    </body>
    </html>
<CFELSE>
    <cflocation url="index.cfm" addtoken="No">   
</CFIF>

page C (logout.cfm):

<cfset StructClear(Session)>

<cflogout>

<cflocation url="index.cfm">

Inspiring
February 7, 2010

Don't use structclear(session). Set some key to an empty string or false instead.