Participating Frequently
August 7, 2006
Question

DISREGARD - Duplicate

  • August 7, 2006
  • 6 replies
  • 656 views
SORRY ABOUT THE REPOSTS - IT KEPT GIVING ME ERRORS - PLEASE DISREGARD THIS DUPLICATE


    Inspiring
    August 7, 2006
    Are you doing a <cflocation...> on the same template you are setting
    cookies? The older versions of ColdFusion could not set a cookie and do
    a cflocation at the same time. It had to do with a <cflocation...>
    doing the redirect before the request was returned, so that the client
    never received the cookie setting information.



    Tony_Latino wrote:
    > Well I tried what you just told me, and it does not work either. I am at a
    > loss.....
    >
    > It may be because I am placing the cookie destruction in the wrong place, but
    > I put it in the application.cfm page. I would think that is correct - here is
    > what I have in the Application.cfm page -
    >
    > <cfapplication
    >
    > name = "SLO"
    >
    > sessionmanagement = "yes"
    >
    > setclientcookies = "no"
    >
    > >
    >
    > <CFCOOKIE NAME="CFID" VALUE="#CFID#" EXPIRES="NOW">
    > <CFCOOKIE NAME="CFTOKEN" VALUE="#CFTOKEN#"
    > EXPIRES="NOW">
    >
    >
    > <cfparam name = "session.login" default = "FALSE">
    >
    > <CFLOCK SCOPE="SESSION" TYPE="READONLY" TIMEOUT="10">
    > <CFCOOKIE NAME="CFID" VALUE="#SESSION.CFID#">
    > <CFCOOKIE NAME="CFTOKEN" VALUE="#SESSION.CFTOKEN#">
    > </CFLOCK>
    >
    > The code that logs them in is as follows -
    >
    > <cfif (user_query.username IS form.username) AND (form.username IS NOT "") AND
    > (form.password IS NOT "")>
    > <cfset session.login = "TRUE">
    > <cfset session.fname = "#user_query.first_name#">
    > <cfset session.lname = "#user_query.last_name#">
    > <cfset session.uid = "#user_query.user_id#">
    > <cfset session.email = "#user_query.email#">
    > <cfset session.status = "#user_query.status#">
    > <cfset session.currentSLO = "1">
    > <cflocation url = "http://www.uwf.edu/ucommons/SLO/instructions.cfm">
    >
    > <cfelse>
    > <cflocation url =
    > "http://www.uwf.edu/ucommons/SLO/login.cfm?loginAttempt=true">
    > </cfif>
    >
    > The code that checks to see if they are logged in is as follows -
    >
    > <!--- CHECK FOR LOGIN --->
    >
    >
    > <cfif session.login NEQ "TRUE">
    > <cflocation url = "http://www.uwf.edu/ucommons/SLO/index.htm">
    > </cfif>
    >
    >
    > <!--- END OF LOGIN CHECK --->
    >
    > I know that this is simple - but for now I am just trying to get this to work.
    >
    > This is how I test it -
    >
    > 1. Open a Browser window.
    > 2. Navigate to the login form.
    > 3. Enter a valid User and Pass
    > 4. (you are then directed to the Instructions page)
    > 5. I close the window.
    > 6. I open a new window on the same machine and try to navigate to the
    > instructions page manually by typing in the URL.
    >
    > Expected Result -
    > It should redirect me to the index page because they are not logged in as a
    > user.
    >
    > Actual Result -
    > It allows me to see the instructions page and shows on that page that I am
    > logged in as the previous user, in this case.... "test".
    >
    > Why this is important - We have about 200 students working in this department,
    > and they all use each other's computers. It is important that another student
    > NOT be able to open up a window on another student's computer and start an
    > assessment under another student's name.
    >
    >
    Participating Frequently
    August 7, 2006
    Well I tried what you just told me, and it does not work either. I am at a loss.....

    It may be because I am placing the cookie destruction in the wrong place, but I put it in the application.cfm page. I would think that is correct - here is what I have in the Application.cfm page -

    <cfapplication

    name = "SLO"

    sessionmanagement = "yes"

    setclientcookies = "no"

    >

    <CFCOOKIE NAME="CFID" VALUE="#CFID#" EXPIRES="NOW">
    <CFCOOKIE NAME="CFTOKEN" VALUE="#CFTOKEN#"
    EXPIRES="NOW">


    <cfparam name = "session.login" default = "FALSE">

    <CFLOCK SCOPE="SESSION" TYPE="READONLY" TIMEOUT="10">
    <CFCOOKIE NAME="CFID" VALUE="#SESSION.CFID#">
    <CFCOOKIE NAME="CFTOKEN" VALUE="#SESSION.CFTOKEN#">
    </CFLOCK>

    The code that logs them in is as follows -

    <cfif (user_query.username IS form.username) AND (form.username IS NOT "") AND (form.password IS NOT "")>
    <cfset session.login = "TRUE">
    <cfset session.fname = "#user_query.first_name#">
    <cfset session.lname = "#user_query.last_name#">
    <cfset session.uid = "#user_query.user_id#">
    <cfset session.email = "#user_query.email#">
    <cfset session.status = "#user_query.status#">
    <cfset session.currentSLO = "1">
    <cflocation url = "http://www.uwf.edu/ucommons/SLO/instructions.cfm">

    <cfelse>
    <cflocation url = "http://www.uwf.edu/ucommons/SLO/login.cfm?loginAttempt=true">
    </cfif>

    The code that checks to see if they are logged in is as follows -

    <!--- CHECK FOR LOGIN --->


    <cfif session.login NEQ "TRUE">
    <cflocation url = "http://www.uwf.edu/ucommons/SLO/index.htm">
    </cfif>


    <!--- END OF LOGIN CHECK --->

    I know that this is simple - but for now I am just trying to get this to work.

    This is how I test it -

    1. Open a Browser window.
    2. Navigate to the login form.
    3. Enter a valid User and Pass
    4. (you are then directed to the Instructions page)
    5. I close the window.
    6. I open a new window on the same machine and try to navigate to the instructions page manually by typing in the URL.

    Expected Result -
    It should redirect me to the index page because they are not logged in as a user.

    Actual Result -
    It allows me to see the instructions page and shows on that page that I am logged in as the previous user, in this case.... "test".

    Why this is important - We have about 200 students working in this department, and they all use each other's computers. It is important that another student NOT be able to open up a window on another student's computer and start an assessment under another student's name.
    Inspiring
    August 7, 2006
    It works the same for PHP as it does for ColdFusion as it does for .NET.
    None of them can do something that is not allowed in the HTTP
    Standards. And HTTP is stateless by design. So the server does not
    know when a browser is closed so it can not do anything. ColdFusion
    uses cookies to tie a client to a session, .NET uses a hidden form
    field, I'm not sure what PHP does.

    I'm not sure why the link did not work for you, I just checked it and it
    was fine. Here is the relevant code that I think you need to add.

    Use the following code to delete previously existing CFID and CFTOKEN
    cookies:

    <CFCOOKIE NAME="CFID" VALUE="#CFID#" EXPIRES="NOW">
    <CFCOOKIE NAME="CFTOKEN" VALUE="#CFTOKEN#"
    EXPIRES="NOW">

    Use the following code to set per-session cookies instead of persistent
    cookies:

    For Session Management:

    <!--- With Session Management Enabled --->
    <CFAPPLICATION NAME="myCFApp" SESSIONMANAGEMENT="YES"
    SETCLIENTCOOKIES="NO">

    <!--- CF will not set the client cookies automatically, so
    set them manually as per-session cookies --->
    <cfif not IsDefined("Cookie.CFID")>
    <CFLOCK SCOPE="SESSION" TYPE="READONLY" TIMEOUT="5">
    <CFCOOKIE NAME="CFID" VALUE="#SESSION.CFID#">
    <CFCOOKIE NAME="CFTOKEN" VALUE="#SESSION.CFTOKEN#">
    </CFLOCK>
    </cfif>

    Taking a look at your code you have some of this, but not all of it. I
    suspect a big part is that you don't have the first two lines that
    remove any old persistent cookies that might exist before attempting to
    set them as per-session cookies (ones that expire when the browser is
    closed).


    Tony_Latino wrote:
    I just cannot understand why a session cannot close when the browser
    closes. In PHP sessions, the session closes when it is supposed to -
    when the browser window closes. Otherwise, I consider this a security risk.
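
The cookie behaviour discussed in the reply above, as an added example that is not part of the original thread and is not ColdFusion code: a small Python model of a browser cookie jar that reports which cookies a new window still sends after a browser restart. The Set-Cookie values, cookie values and dates are constructed, and the jar is keyed by cookie name only (domain and path are ignored).

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

NOW = datetime(2006, 8, 7, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
FAR = "Thu, 07 Aug 2036 12:00:00 GMT"    # constructed far-future expiry
PAST = "Sun, 06 Aug 2006 12:00:00 GMT"   # constructed expiry already in the past


def apply_set_cookie(jar, header, now=NOW):
    """Apply one Set-Cookie value to jar {name: expiry}; expiry None = per-session."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()   # simplification: keyed by name only
    expiry, max_age = None, None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "expires":
            expiry = parsedate_to_datetime(val.strip())
        elif key == "max-age":
            max_age = int(val)
    if max_age is not None:              # Max-Age overrides Expires when both appear
        expiry = now + timedelta(seconds=max_age)
    if expiry is not None and expiry <= now:
        jar.pop(name, None)              # already expired: the browser deletes it
    else:
        jar[name] = expiry               # no expiry: dropped when the browser closes
    return jar


def sent_after_restart(stored, response, now=NOW):
    """Names a new browser window still sends once `response` has been processed."""
    jar = {}
    for header in list(stored) + list(response):
        apply_set_cookie(jar, header, now)
    return sorted(n for n, exp in jar.items() if exp is not None and exp > now)


# Constructed: persistent cookies left in the browser by an earlier visit
STALE = [f"CFID=1234; expires={FAR}; path=/",
         f"CFTOKEN=56789012; expires={FAR}; path=/"]
# Constructed: expire the old pair, then re-issue both with no expiry (per-session)
FIXED = [f"CFID=1234; expires={PAST}; path=/", f"CFTOKEN=56789012; expires={PAST}; path=/",
         "CFID=1234; path=/", "CFTOKEN=56789012; path=/"]

if __name__ == "__main__":
    print(sent_after_restart(STALE, []))     # response carried no Set-Cookie headers
    print(sent_after_restart(STALE, FIXED))  # delete first, then per-session cookies
```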
    Inspiring
    August 7, 2006
    PS. I forgot to add the trick that can help when a user leaves the
    site, but does not close the browser. In this situation the session is
    still active and another user could get in by using the back button.

    One can use a JavaScript <body onUnload()> to call a logoff template
    whenever a user leaves the secured site.

    Tony_Latino wrote:
    > I have asked this question before, and I am hoping someone will have an answer
    > for me.
    Participating Frequently
    August 7, 2006
    Thank you for your reply, unfortunately I cannot get the link to work. I believe if you are pointing me to their "solution" to this very problem, I can assure you that it is not worth anything. I have tried their example in several different machines, and their examples do not work.

    I just cannot understand why a session cannot close when the browser closes. In PHP sessions, the session closes when it is supposed to - when the browser window closes. Otherwise, I consider this a security risk.

    I am also disappointed at the documentation for ColdFusion. It upsets me that an OPEN SOURCE project has more professional and thorough documentation than a proprietary product does. It is insane to think that we spend LOTS of money for ColdFusion to get such poor online service, but an OPEN SOURCE language, such as PHP, has the best documentation I have ever seen - besides Sun Microsystems Java - I have to admit that their documentation is superior to all others.

    I know someone has a solution for this somewhere. Someone HAS to know something. I see this problem all over the internet, but each solution I have tried does not work.
    Inspiring
    August 7, 2006
    I've used the following code since CF version 3.X... it's close to what you already have, but what you posted is missing 2 lines (these lines may be elsewhere though). Give this a try and see if it does as needed:

    <cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
    <CFSET cfid_local = Cookie.CFID>
    <CFSET cftoken_local = Cookie.CFTOKEN>
    <cfcookie name="CFID" value="#cfid_local#">
    <cfcookie name="CFTOKEN" value="#cftoken_local#">
    </cfif>


    HTH,
    CR
    Inspiring
    August 7, 2006
    It has been some time since I have used CF5, so forgive me if my memory
    is a bit rusty. Unfortunately all my current environments are MX6 or
    newer, so I can't try much of this out anymore.

    Now that the caveats are out of the way.

    Ultimately, when dealing with states in the HTTP world one is talking
    about cookies. There is no persistent connection between the client and
    server. Thus there is no way for the server to know what is going on on
    the client and vice versa. This is the stateless nature of the HTTP
    standard.

    To simulate a form of state, ColdFusion writes a couple of cookies named
    CFID and CFToken. These are passed to the server with each request. The
    server then checks these against its sessions in memory to see if they
    exist and if so, if they are current. It then processes appropriately
    according to the results.

    To do what you wish you need to expire these cookies when the browser
    closes. This Adobe nee Macromedia Tech Note
    (http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_17915)
    explains how better than I ever could. I just
    found it while writing this reply when I used Google to refresh my
    memory of the name of the CF cookies.

    Read through that and see if it helps. If you have more questions feel
    free to ask and we will see if we can help.

    Tony_Latino wrote:
    > I have asked this question before, and I am hoping someone will have an answer
    > for me.
    >
    > MY SET UP:
    >
    > Coldfusion 5
    > J2EE Sessions - NOT USED (not available)
    >
    >
    > MY APPLICATION PAGE:
    >
    > <cfapplication
    >
    > name = "SLO"
    >
    > sessionmanagement = "yes"
    >
    > setclientcookies = "no"
    >
    > >
    >
    > <cfparam name = "session.login" default = "FALSE">
    >
    > <CFLOCK SCOPE="SESSION" TYPE="READONLY" TIMEOUT="10">
    > <CFCOOKIE NAME="CFID" VALUE="#SESSION.CFID#">
    > <CFCOOKIE NAME="CFTOKEN" VALUE="#SESSION.CFTOKEN#">
    > </CFLOCK>
    >
    >
    > MY LOGIN PAGE:
    >
    > <cfif isDefined("form.submit")>
    >
    > <cfquery name = "user_query" datasource = "ucommons_sitedb">
    > SELECT
    > SLO_USERS.username, SLO_USERS.password, SLO_USERS.email,
    > SLO_USERS.first_name, SLO_USERS.last_name, SLO_USERS.status, SLO_USERS.user_id
    > FROM
    > SLO_USERS
    > WHERE
    > (SLO_USERS.username) = ('#form.username#') AND (SLO_USERS.password) =
    > ('#form.password#')
    > </cfquery>
    >
    > <cfif (user_query.username IS form.username) AND (form.username IS NOT "")
    > AND (form.password IS NOT "")>
    > <cfset session.login = "TRUE">
    > <cfset session.fname = "#user_query.first_name#">
    > <cfset session.lname = "#user_query.last_name#">
    > <cfset session.uid = "#user_query.user_id#">
    > <cfset session.email = "#user_query.email#">
    > <cfset session.status = "#user_query.status#">
    > <cfset session.currentSLO = "1">
    > <cflocation url = "http://www.uwf.edu/ucommons/SLO/instructions.cfm">
    >
    > <cfelse>
    > <cflocation url =
    > "http://www.uwf.edu/ucommons/SLO/login.cfm?loginAttempt=true">
    > </cfif>
    >
    > <cfelse>
    >
    > <!-- LOGIN FORM -->
    >
    > <cfparam name = "URL.loginAttempt" default = "false">
    >
    > <cfif IsDefined("URL.loginAttempt")>
    > <cfif URL.loginAttempt IS "true">
    > <br><br>Error Message Goes Here.<br><br>
    > </cfif>
    > </cfif>
    >
    > <img src = "http://www.uwf.edu/ucommons/SLO/images/SLO_login_label.jpg">
    > <cfform method = "post" action = "login.cfm">
    >
    > <table border = "0">
    > <tr>
    > <td>Username:</td>
    > <td><input type = "text" name = "username" size = "25"></td>
    > </tr>
    >
    > <tr>
    > <td>Password:</td>
    > <td><input type = "text" name = "password" size = "25"></td>
    > </tr>
    >
    > <tr>
    > <td colspan = "2"><input type = "submit" name = "submit" value = "LOGIN"></td>
    > </tr>
    >
    > </table>
    >
    > </cfform>
    >
    > </cfif>
    >
    > A PAGE THAT USES THE LOGIN INFORMATION:
    >
    > <!--- CHECK FOR LOGIN --->
    >
    >
    > <cfif session.login NEQ "TRUE">
    > <cflocation url = "http://www.uwf.edu/ucommons/SLO/index.htm">
    > </cfif>
    >
    >
    > <!--- END OF LOGIN CHECK --->
    >
    >
    > MY PROBLEM:
    >
    > I want the script to log the users in. If the user CLOSES the browser window,
    > I want (and desperately need) the session to END. Meaning, I do not want a
    > student to close the window and another student be able to come in on the same
    > machine and go to the page that the prior student was using and complete their
    > assessment for them, or worse, think that the assessment that is showing up is
    > THEIR assessment.
    >
    > This is a problem that I see on these forums all the time. People keep saying
    > - "Go to the documentation". Well when you look at the documentation, it says
    > nothing about it. It goes on to tell you if you are using J2EE session
    > management, that this is a problem and gives you a solution. I am not using
    > J2EE session management. I use the examples that they are giving me (as you can
    > see from the above application.cfm file), but I am not getting any results.
    >
    > Why is it so difficult for this to work right? One person even told me that
    > this is the design, and that you would WANT your sessions to persist after
    > browser close. I am sorry that I do not agree. I do not believe that sessions
    > should persist after browser close - this is a security risk - plain and
    > simple.
    >
    > So, now that I am done venting my frustrations, does anyone know how to get
    > Coldfusion 5 to PLEASE end the session on browser close?
    >
    > Thanks - Tony Latino
    >