Logoff user on browser close

Report · May 21, 2009

Hello,

I am trying to logoff a user on browser close but i can't figure out how to do it, i remember being able to do this using the Application.cfm but now i am using Application.cfc and i added the following code and it doesn't work. Does anyone know how to do this?

Report · May 21, 2009

First, I think you are trying to make memory cookies that expire when the browser closes. To do that you need to add the expires="now" to the cookie tags. To expire previously existing cookies. Then you rewrite them with no expires parameter to create memory, non-persistance cookies.

<cfcookie name="CFID" value="#Variables.cfid_local#" expires="now">
<cfcookie name="CFTOKEN" value="#Variables.cftoken_local#" expires="now">

Second, I'm not sure about putting this into an if block like you did. Wouldn't that only create the per-session cookies after permant cookies have been created, but it might work, I'm just not sure.

Anyways, here is Adobe's knowledge base article all about how to make session identifies expire when a browser closes.

http://kb2.adobe.com/cps/179/tn_17915.html

P.S.

It is very important that everybody who does this realizes that expiring the cookies does NOT logout the users. It expires the cookies that allow ColdFusion to know if a request from that client should belong to session data created from an earlier request from that client. So the next time this client connects to the ColdFusion server new identifying cookies are created with a new session state.

But the previous session state will continue to exist on the server waiting for new requests with the proper identifiers until the timeout setting expires the data on the server.

I.E. The broweser never tells the server it is closing so the server can not do anything on this event.

Message was edited by: Ian Skinner Updated response to correctly describe the two step process to change session state cookies into non-persistence cookies.

In Response To ilssac · May 21, 2009

Thank you for your response, i tried what you said and it does expire the session but the only thing is it keeps expiring my session as soon as i log in. I'm not sure if i'm putting it in the right place though, does it make sense to put it under the "onRequestStart" or should i try putting it somewhere else?

In Response To Deleted User · May 21, 2009

Are you following all three steps outlined in the knowlege base artilce I pointed out?

1) <cfcookie ... expires="now"> to detete any persistant cookies already in place.

2) setClientCookies="false" in the <cfapplication ...> tag or this.setClentCookies member of an Application.cfc component to tell ColdFusion to stop sending persistant cookies.

3) Manually create non-persistant cookies with new <cfcookie...> tags with no expires parameter.

The description you provide of being immediately logged out sound like you are doing one which elimites the existing cookies but NOT 3 which recreates them as non-perstant cookies.

As for doing this in onRequestStart, I would say that is not a great choice as all that will then happen each and every request. Kill old cookies then create new cookies over and over.

I would probably shoot for onSessionStart so that it happens once each new session not every request. Or at least put logic around it in the onRequstStart event so that it is only done when needed not every request.

Report · May 24, 2009

There are three things to do.

1) Tell Coldfusion not to automatically set cookies on the client. You do this by setting this.setClientCookies to "No" in Application.cfc.

2) Store login information in cookie scope. You do this by setting this.loginStorage to "cookie". Equivalently, you could leave out the attibute altogether, as the default value is cookie.

3) Set the cookies manually in onRequestStart, like this

Omitting the expires attribute makes them so-called session-only cookies. They expire when the browser closes.

Report · Jun 02, 2009

You might be able to approximate this with some JavaScript ... but offhand I would suggest that you re-think your approach.

Report · Jul 14, 2009

The solution that I have used is AJAX. I fire off an AJAX request to a coldfusion page that processes the logout. Fire off the AJAX request on Browser close. It fires off and starts processing. You no longer have to worry about it .

For example:

<html>
<head>
    <title>test</title>
    <script>
        function funcUnload(){
            var url = "http://www.yourwebsite.com/pageToClearSession.cfm";
            if (typeof XMLHttpRequest != "undefined") {
                req = new XMLHttpRequest();
            } else if (window.ActiveXObject) {
                req = new ActiveXObject("Microsoft.XMLHTTP");
            }
            req.open("GET", url, true);
        }
    </script>
</head>
<body onunload="javaScript:funcUnload();">
    Body Content Here
</body>
</html>