Participating Frequently
March 6, 2018
Question

If a user logs off or their session times out, how do I end the ColdFusion session?


I have a system that I built, and for this project I used Ajax with jQuery. On the back end I use ColdFusion and session management to handle users' session variables. There are two situations (actually three if we consider closing the browser) where a user's session will end. One situation is if they click Logout; then I have a function that will clear the SESSION scope with all information in it, but the session is not ended. Also CFID and CFTOKEN are still the same. Here is an example of the Logout function:

<cffunction name="LogOut" access="remote" output="yes" returnformat="JSON" hint="Used in session timeout handling">
    <cfset var fnResults = structNew()>
    <cfset var dt = createODBCDateTime(now())>
    <!--- Empties the session variables; CFID/CFTOKEN are left unchanged --->
    <cfif structKeyExists(SESSION,"LoggedIn")>
        <cfset structClear(SESSION)>
        <cfset fnResults.status = "200">
    <cfelse>
        <cfset fnResults.status = "400">
        <cfset fnResults.message = "Error!">
    </cfif>
    <cfreturn fnResults>
</cffunction>

The second scenario is when the user's session times out. Here is an example of that function:

<cffunction name="timeoutSession" access="remote" output="yes" verifyclient="no" securejson="false">
    <!--- Called from JavaScript when the client-side timer reaches zero --->
    <cfset structClear(SESSION)>
</cffunction>

Both of these functions will clear the session scope but not end the user's session. I have used cfdump to check the session scope once the user logs out, and CFID/CFTOKEN remain the same. I'm wondering how the session can be ended once they hit the LogOut or timeoutSession function? Also, should I rewrite CFID and CFTOKEN every time a user logs in to the system? Here is an example of my Application.cfc:

<cfcomponent output="false">
    <cfset THIS.name = "MyApplication">
    <cfset THIS.sessionManagement = true>
    <cfset THIS.applicationTimeout = CreateTimeSpan(0, 8, 0, 0)>
    <cfset THIS.sessionTimeout = CreateTimeSpan(0, 2, 0, 0)>
    <cfset THIS.requestTimeOut = "60">

    <cffunction name="onApplicationStart" access="public" returntype="boolean" output="false">
        <cfset APPLICATION.appStarted = now()>
        <cfset APPLICATION.title = "My Application">
        <cfset APPLICATION.functions = CreateObject("component","udfs").init()>
        <cfset APPLICATION.sessionMinutes = 30>
        <cfreturn true>
    </cffunction>

    <!--- Runs when your session starts --->
    <cffunction name="OnSessionStart" access="public" returntype="void" output="false">
        <!--- Clear the session. --->
        <cfset StructClear( SESSION ) />
        <!--- Set loggedin flag to false. --->
        <cfset SESSION.loggedin = false>
        <cfreturn />
    </cffunction>

    <!--- Run before the request is processed. --->
    <cffunction name="onRequestStart" returnType="boolean" output="false">
        <cfargument name="thePage" type="string" required="true">
        <cfset REQUEST.appCode = 'SPA'>
        <cfset REQUEST.appName = 'Single Page Application'>
        <cfset var page = listLast(arguments.thePage,"/")>
        <!---<cfset onApplicationStart()>--->
        <cfif !listFindNoCase("Login.cfm,Authentication.cfc",page)>
            <cfif !structKeyExists(SESSION, "loggedin") OR SESSION.loggedin EQ false>
                <cflocation url="Login.cfm" addToken="false">
            </cfif>
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>

I'm not sure if the session can be ended in Application.cfc or if I have to do that in my cffunctions. Same for CFID and CFTOKEN: what is the best place to set new values if the user logs in again? If anyone has experience with this, please let me know. I'm trying to prevent the user from reusing the same session and raise the level of security in my SPA. There is one more thing: I found the sessionInvalidate() method, but they have mentioned that it will not invalidate the underlying J2EE session. If I use this method in my LogOut and timeoutSession I can see that cfid and cftoken are reset each time. I'm only worried whether not ending the J2EE session can cause some problems in my app. If anyone can help or provide some feedback on this topic, please let me know.


1 reply

BKBK
Community Expert
March 7, 2018

If a user logs off or their session times out, how do I end the ColdFusion session?

You shouldn't bother about this. A session timing out is the same thing as a session ending. In any case, this is a task best left to ColdFusion. So you don't need the timeoutSession function.

What you can do is use a sessiontimeout in the usual range, say, 20 to 30 minutes. If the user is inactive in that time, then ColdFusion will time the session out and end it.

What you should be concerned about is login and logout. Remember that, should a user log in and then log out, the session may continue. But that shouldn't bother you. In fact, it shouldn't bother you if every user were to have a session. After all, you are delivering services to users based on whether or not they are logged in, not based on sessions.

I would suggest that you add the following line to Application.cfc:

<cfset this.loginStorage = "session">

Your logout function should also formally logout the user:

<cffunction name="LogOut" access="remote" output="yes" returnformat="JSON" hint="Used in logging user out">
    <cfset var fnResults = structNew()>
    <cfset fnResults.dt = now()>

    <!--- crucial! --->
    <cflogout>

    <cfif structKeyExists(SESSION,"LoggedIn")>
        <cfset temp = structClear(SESSION)>
        <cfset fnResults.status = "200">
    <cfelse>
        <cfset fnResults.status = "400">
        <cfset fnResults.message = "Error!">
    </cfif>
    <cfreturn fnResults>
</cffunction>

Participating Frequently
March 8, 2018

First of all, thank you for taking the time to help with this topic. I use the sessionTimeout function once a JavaScript function detects that the timeout is equal to 0. Then sessionTimeout will get triggered. So what you are suggesting is to just clear the session scope and use <cflogout>? How will cflogout affect the process? Also, what about the J2EE session? Is there a good way to rotate these sessions, or is that not necessary? Also, I'm trying to understand what this line of code is doing: <cfset this.loginStorage = "session">? Thanks in advance.

BKBK
Community Expert
March 8, 2018

https://forums.adobe.com/people/Milos+Draca_70 wrote

I use sessionTimeout function once JavaScript function detects timeout is equal to 0. Then sessionTimeout will get triggered.

There is no need for that. ColdFusion's built-in sessionTimeout is automatically triggered. That is, if the user is inactive within the timeout period, ColdFusion will automatically end his session.

So what you are suggesting is to just clear the session scope and use <cflogout> ?

Yes.

How cflogout will affect the process?

It logs the user out. I am presuming you logged the user in using cfloginuser. Suppose you also use loginStorage = "session". Then, throughout the session, ColdFusion will know the user's username, password and role.

When ColdFusion runs <cflogout> or when the session ends, ColdFusion deletes the username, password and role from memory. The user is no longer logged in. It's the same mechanism whatever the type of sessions you use. Session rotation or invalidation are unnecessary in the login framework.
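The login side of the mechanism described in this answer, as an added example (not code from either poster): Application.cfc with loginStorage = "session", a cflogin block in onRequestStart that calls cfloginuser, and a request gate on isUserLoggedIn() instead of a hand-rolled SESSION.loggedin flag. The validateUser() helper and its credentials are hypothetical placeholders; the LogOut function from the answer above, with its cflogout, is what ends the login.

```cfml
<!--- Application.cfc: added example, not the poster's code. --->
<cfcomponent output="false">
    <cfset THIS.name = "MyApplication">
    <cfset THIS.sessionManagement = true>
    <cfset THIS.sessionTimeout = CreateTimeSpan(0, 0, 30, 0)>
    <!--- keep the cfloginuser identity in the SESSION scope for the
          whole session, so each request does not have to re-authenticate --->
    <cfset THIS.loginStorage = "session">

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="thePage" type="string" required="true">
        <cfset var page = listLast(arguments.thePage, "/")>

        <!--- the cflogin body runs only while nobody is logged in;
              cflogin.name / cflogin.password are filled from the posted
              j_username / j_password form fields --->
        <cflogin>
            <cfif isDefined("cflogin")
                  AND validateUser(cflogin.name, cflogin.password)>
                <cfloginuser name="#cflogin.name#"
                             password="#cflogin.password#"
                             roles="user">
            </cfif>
        </cflogin>

        <!--- gate every page except the login page and the auth CFC on the
              login state; cflogout or a session timeout makes this false --->
        <cfif NOT listFindNoCase("Login.cfm,Authentication.cfc", page)
              AND NOT isUserLoggedIn()>
            <cflocation url="Login.cfm" addToken="false">
        </cfif>
        <cfreturn true>
    </cffunction>

    <!--- hypothetical credential check; replace with your own user lookup.
          The constant credentials below are a constructed placeholder. --->
    <cffunction name="validateUser" returntype="boolean" output="false">
        <cfargument name="username" type="string" required="true">
        <cfargument name="password" type="string" required="true">
        <cfreturn arguments.username EQ "alice"
                  AND arguments.password EQ "placeholder-password">
    </cffunction>
</cfcomponent>
```

Once logged in, getAuthUser() returns the name passed to cfloginuser on every request of that session; after the LogOut function runs cflogout, isUserLoggedIn() returns false and the next request is redirected to Login.cfm even though CFID/CFTOKEN are unchanged.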