How can you tell if a session has expired

Report · Aug 27, 2008

How can you tell if a users session has expired based on the session time out in the <cfapplication> tag?

<cfapplication name = "test"
clientmanagement = "Yes"
sessionmanagement = "Yes"
setclientcookies = "Yes"
sessiontimeout = "#CreateTimeSpan(0, 0, 3, 0)#"
applicationtimeout = "#CreateTimeSpan(0, 0, 3, 0)#">

A user logs into the site, pulls up some page and then doesn't come back to that page for 10 minutes. Is there a way to direct this user to a session time out page? It seems that once a user times out, you don't know if that user has already been to the site or if they are a new user hitting the site for the first time.

I basically want a user who has previously logged into the site, and who has timed out, be redirected to a session time out page, but a new user would be directed to a login page. I just can't figure out how to determine if a user has logged in and timed out versus a new login.

Report · Aug 27, 2008

A couple of layers can be applied to this.

On the server you can put code into place that detects if a given
session variable is defined on pages that only logged in users can view.
If this variable is undefined that was created when the user logged
in, then redirect the request to your session expired page.

You can combine this with a javascript layer on the client that uses a
timer set to about the same as the session timeout that will redirect
the user upon the specified time. As long as the user has JavaScript
enabled of course.

Report · Aug 28, 2008

At time out, it is difficult to use session variables (not discussing cookies here) to differentiate between a logged-in user and others. All your session variables will time out if not kept alive at this point.
It is advisable to screen out users who are not logged-in from sensitive pages. This makes our task manageable.
Now to the task!

Option 1
Put the session check and redirection at the top of the template. In this case, users who are not logged in, as well as users whose sessions have timed out, will be redirected to the login page.
<cfif not isDefined("session.memberId")>
<cflocation url="loginPage.cfm" />
<cfabort /> 
</cfif>

Option 2
Allow only logged-in users to get to the specified pages.
When the session time-out kicks in, say after 3 minutes, any action on the page will trigger the getAlert(). The function asks the user to click OK to keep the session alive. If the user clicks cancel, he/she will be redirected to the login page (or as desired).
As stated earlier by Ian, set the timer - setTimeout() – to about same time as the session timeout period.

<script type="text/javascript">

</script>
<cfif not isDefined("session.memberId")>
<script language="JavaScript">
getAlert();
</script>
</cfif>