Multiple session timeouts for remote functions

Report · Sep 03, 2020

Coldfusion Session Timeout:

Been reading through numerous posts regarding this.sessiontimeout and how to adjust it depending on who/what is running. For instance, My users log in, and I want their sessions to end in 10 hours (I know, but I have people who don't do anything for hours and don't want to have to log back in). I have a program that runs, and I need those sessions to end in 5 seconds of inactivtity (or I end up with hundreds of sessions showing up on fusionreactor).

Reading through the various articles, I'm getting mixed messages.

So, my question....
If I invoke a remote CFC from another server, it creates a session. If I put at the top of the Application.cfc

<cfif findnocase(ListLast(CGI.SCRIPT_NAME, "/"), "Viewall") gt 0>
     <cfset this.sessiontimeout = CreateTimeSpan(0,0,0,5)>
</cfif>

Did I just set the sessiontimeout for EVERYONE or just for that "Viewall" call?

REALLY, thank you for your time.

Report · Sep 03, 2020

Hello, Ed,

According to Adobe Help, the "this" scope is for the user session.

Life span, as a real number of days, of the user session, including all Session variables. Use the CFML CreateTimeSpan function to generate this variable's value.

~~So, if the remote call creates a new session, then you should be limiting the session for just that remote call. This is not gospel, this is my best guess.~~

V/r,

^ _ ^

UPDATE.. I may have read your question wrong. The current user session is making a remote call, not the other way around. So, yes, you'd be setting a timeout for that user's session.

Report · Sep 06, 2020

I thank you for your insight. I implemented the change and it appears to be working as I had hoped it would - timing out just the one session.

Report · Sep 07, 2020

Please note: this.sessionTimeout is an application setting, not a session setting or user setting.

Report · Sep 07, 2020

Changing it, though, doesn't appear to time out sessions currently in progress. Since every request activates this setting (whether for a long or short period ot time), it ACTS like a session setting. For example, process A sets the this.sessiontimeout to 10 hours and starts running. Processes B, C, and D set the this.sessiontimeout to 2 seconds. and starts processing. Session A is never affected while B, C, and D start and finish their session. E sets a long one and starts ....

Is there something I"m missing? Is there a better way to do this?

Report · Sep 07, 2020

This.sessionTimeout is the maximum length of time a user may be inactive, before ColdFusion terminates the session. Your initial description shows you're aware of this.

I therefore do not understand why you go on to say that processes B, C and D "start and finish their session" after 2 seconds. They don't necessarily. Not if they remain continually active on the application. In other words, even if they set this.sessionTimeout to 2 seconds, their session could carry on for hours, days or even months.

This.sessionTimeout is simply the amount of time a user is allowed to be idle, before ColdFusion considers him absent. It is an efficiency measure. There is no need for ColdFusion to reserve memory resources for a user who has gone away.

That explains why this.sessionTimeout is designed as an application setting, not a per-user setting. And it is like that, not only for ColdFusion, but for every application server.

Granted, ColdFusion is weakly-typed and you can make it do weird things. But such undocumented approaches are unpredictable and risky. As a result, you could one day discover that your application hadn't been behaving as you intended.

I can think of the following solution to your problem:

1) Log users in using cflogin;

2) Use the application setting: <cfset this.loginStorage="session">;

3) In onRequestStart or onCFCRequest, for example, do:

Report · Sep 06, 2020

<!--- 
Sets the session time-out to 5 seconds for EVERY user 
of the application 
--->
<cfset this.sessiontimeout = CreateTimeSpan(0,0,0,5)>

<!--- 
Sets or changes the session time-out to 5 seconds for EVERY user of 
the application, once some user requests a page containing "Viewall"
--->
<cfif findnocase(ListLast(CGI.SCRIPT_NAME, "/"), "Viewall") gt 0>
     <cfset this.sessiontimeout = CreateTimeSpan(0,0,0,5)>
</cfif>

Report · Sep 08, 2020

If you create a sub directory with the CFC containing the remote functions and also have a separate Application.cfc, with the shorter session requirements in the same sub directory, any calls to the remote functions will use the new Application.cfc and not affect the main application. The Application.cfc in the sub directory will need to specify a different application id.