I have a logout button that deletes the user session variables and brings them to the login screen again. It runs this if statement (I found this somewhere on the internet years ago):
<!--- loops over every key in the session scope and drops everything except the identifiers listed --->
<CFLOOP collection="#Session#" item="Key">
    <CFIF Not ListFindNoCase('CFID,CFTOKEN,DEV_SITE,SERVER_ROOT,URL_ROOT,SESSIONID,URLTOKEN', Key)>
        <CFSET StructDelete(Session, Key)>
    </CFIF>
</CFLOOP>
Why shouldn't I also delete the CFID and CFTOKEN? Aren't those associated with the user login? I notice in my CFADMIN server monitor for CF8 that even if a user logs out... they show as an active session in the cfmonitor until the 45 min session clears (I set it to 45 min in the application.cfc). I want them to be completely logged out with no trace, and if they log back in, get a new CFID and CFTOKEN... maybe someone can tell me why this could be a bad thing?
BosDog wrote:
shouldn't i also delete the CFID and CFTOKEN. aren't those associated with the user login?
Tangentially, yes. The CFID and CFTOKEN (and|or the JSESSIONID) values are how ColdFusion maintains state with a client browser. Without this, there would be no way to know what client requests belong to any previous client request.
If you want to delete these, then you can, I believe. But I don't think it is necessary, if you have already removed any state data that indicated a given user was logged in.
It is fairly common to make the CFID and CFTOKEN memory session cookies (so they are deleted when a browser is closed) rather than the default permanent cookies that they are. JSESSIONID is a memory session cookie by default.
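An added example, not code from either poster, putting both halves of this thread together: an Application.cfc that turns off ColdFusion's persistent CFID/CFTOKEN cookies and re-issues them as memory-only cookies, and a logout page that clears the application's session data and expires the browser's copy of the identifiers so the next login starts a fresh session with a new CFID/CFTOKEN. The application name, file names and the 45-minute timeout taken from the question are assumptions.

```cfml
<!--- Application.cfc (assumed name "MyApp"; CF8-style session management) --->
<cfcomponent output="false">
    <cfset this.name = "MyApp">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 45, 0)>
    <!--- Stop CF from writing its own persistent CFID/CFTOKEN cookies --->
    <cfset this.setClientCookies = false>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- Re-issue the identifiers as memory session cookies: no "expires"
              attribute, so the browser discards them when it is closed.
              (On ColdFusion 9 and later, httponly="true" can be added here.) --->
        <cfcookie name="CFID" value="#session.CFID#">
        <cfcookie name="CFTOKEN" value="#session.CFTOKEN#">
    </cffunction>
</cfcomponent>

<!--- logout.cfm (assumed file name) --->
<cflock scope="session" type="exclusive" timeout="10">
    <!--- Snapshot the key list first so deleting keys does not disturb the loop --->
    <cfloop list="#structKeyList(session)#" item="key">
        <!--- Drop all application state; leave CF's own routing identifiers alone --->
        <cfif not listFindNoCase("CFID,CFTOKEN,SESSIONID,URLTOKEN", key)>
            <cfset structDelete(session, key)>
        </cfif>
    </cfloop>
</cflock>
<!--- Expire the browser's copy of the identifiers. The server-side session object
      still lives until the 45 minute timeout (that is why it stays visible in the
      server monitor), but it no longer holds any logged-in state, and the user's
      next request is assigned a brand-new CFID/CFTOKEN pair. --->
<cfcookie name="CFID" value="" expires="now">
<cfcookie name="CFTOKEN" value="" expires="now">
<cflocation url="login.cfm" addtoken="false">
```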