How to set session timeout per user

Martin,

Your code example cannot work because the "session" scope doesn't exist until your application scope is defined. So you have to handle this manually. Here's how you can get it done. First, define your application to the maximum sessiontimeout you want to have.

<CFAPPLICATION NAME="appControl" SESSIONMANAGEMENT="Yes" SESSIONTIMEOUT="#CreateTimeSpan(1,0,0,0)#">

Then, I don't know how you are doing your login authentication but when you have authenticated the user, you need to define the userid and the most recent activity in the session. Also determine your timeout value based on the userid. See example:
<CFIF IS_AUTHENTICATED>
<CFSET session.user.uid = form.userid>
<CFSET session.user.most_recent_activity = now()>
<CFIF session.user.id eq 1>
<CFSET session.user.timeout_mins = 20>
<CFELSE>
<CFSET session.user.timeout_mins = 1440>
</CFIF>
</CFIF>

Now, all you have to do is check whether the user has been idle for too long and kill the session by purging all session variables. For example:

<!--- if user id is defined, this means user is logged in --->
<CFIF structKeyExists(session, "user") and structKeyExists(session.user, "id")>
<!--- check if timeout has expired --->
<CFIF datediff("n", session.user.most_recent_activity, now()) gt session.user.timeout_mins>
<!--- timeout has expired, kill the session and log the user out --->
<CFSET StructClear(session)>
<!--- insert your logout code here --->
<CFELSE>
<!--- user hasn't timed out, so reset the most recent activity to now --->
<CFSET session.user.most_recent_activity = now()>
</CFIF>
</CFIF>

I have set this in the login page, based on the class of user that I had on file for a valid userid.
For publicly-located machines, I have also used a visible input field for the session-length in minutes, with a short default value that the user could change (up to a maximum based on type of userid). Not sure if that answers your question...
-keyman