
Clearing Session and/or App variables with Log-out Page?

New Here ,
Aug 17, 2014


Greetings

I have 3 distinct user types for my app: admins, appraisers and clients.

All have their own directories and each directory has its own Application.cfm:

1) <cfapplication name="appraiseri"
       applicationtimeout="#CreateTimeSpan(0,2,0,0)#"
       clientmanagement="Yes"
       sessionmanagement="Yes"
       sessiontimeout="#CreateTimeSpan(0,2,0,0)#"
       SetClientCookies="Yes">

2) <cfapplication name="appraiserview" ......

3) <cfapplication name="clientview" .......

Each has its own login, which simply uses the user's ID in the DB as the session variable.

login_do.cfm:

1) Appraisers:
   <CFIF auth_direct_appraiser.RecordCount NEQ 0 >
       <cfset Session.appraiser_user_id =auth_direct_appraiser.appraiser_ID>
       <cfset Session.appraiser_fname =auth_direct_appraiser.appraiser_fname>
       <cfset Session.appraiser_lname =auth_direct_appraiser.appraiser_lname>

2) Admins:
   <cfset Session.user_id =auth_direct.staff_ID> ......

3) Clients:
   <cfset Session.processor_user_id =auth_direct_processor.processor_ID>

I have had a session persisting for a week now; I have no idea how to get rid of it, and if one simply hits the "login" submit button with no UN or PW, it runs a query on a client (the same one)?

My logout page is not working at all; if the code were correct, it would clear any session variable? I have not really set an app variable (except timeout), so no need to clear that?

Here is the code:

<CFLOCK SCOPE="Session" TYPE="Exclusive" TIMEOUT="60">
    <CFLOOP COLLECTION="#Session#" ITEM="Key">
        <CFIF NOT ListFindNoCase('IveSeenIT', Key)>
            <CFSET StructDelete(Session, Key)>
        </CFIF>
    </CFLOOP>
</CFLOCK>

<SCRIPT LANGUAGE="JavaScript">
    alert("You have been logged out from the XXXXX Intranet");
    location.href='login.cfm';
</SCRIPT>

Any help would be appreciated; this is leaving a huge security gap in the app right now.

Thanks

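A login handler and logout page in the poster's own session-variable style, written here as an added example rather than the poster's code. The datasource name (application.dsn), the table and column names (tbl_appraiser, appraiser_login, appraiser_pw_hash), the salt (application.pwSalt) and the salted SHA-512 verifier are assumptions standing in for whatever the real app stores; sessionRotate() and sessionInvalidate() exist from ColdFusion 10 onward, so their presence is checked with getFunctionList(), and expiring the cookies is what remains on older releases.

```cfml
<!--- login_do.cfm (appraiser directory). Added example, not the original poster's code.
      Assumed names: application.dsn, tbl_appraiser, appraiser_login, appraiser_pw_hash, application.pwSalt --->
<cfparam name="form.username" default="">
<cfparam name="form.password" default="">

<!--- 1. An empty submission never reaches the database; the query only runs with real input --->
<cfif NOT len(trim(form.username)) OR NOT len(form.password)>
    <cflocation url="login.cfm?err=missing" addtoken="false">
</cfif>

<!--- 2. Bound parameter instead of string concatenation --->
<cfquery name="auth_direct_appraiser" datasource="#application.dsn#">
    SELECT appraiser_ID, appraiser_fname, appraiser_lname, appraiser_pw_hash
    FROM   tbl_appraiser
    WHERE  appraiser_login = <cfqueryparam value="#trim(form.username)#" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- 3. Require exactly one row AND a matching verifier; a non-zero RecordCount alone is not a credential check.
        Salted SHA-512 stands in for the app's real verifier scheme (assumption). --->
<cfset submittedHash = hash(form.password & application.pwSalt, "SHA-512")>
<cfif auth_direct_appraiser.recordCount NEQ 1
      OR compare(auth_direct_appraiser.appraiser_pw_hash, submittedHash) NEQ 0>
    <cflocation url="login.cfm?err=badlogin" addtoken="false">
</cfif>

<!--- 4. Fresh session id when privilege changes (ColdFusion 10+), then store the identity --->
<cfif structKeyExists(getFunctionList(), "sessionRotate")>
    <cfset sessionRotate()>
</cfif>
<cflock scope="session" type="exclusive" timeout="10">
    <cfset session.appraiser_user_id = auth_direct_appraiser.appraiser_ID>
    <cfset session.appraiser_fname   = auth_direct_appraiser.appraiser_fname>
    <cfset session.appraiser_lname   = auth_direct_appraiser.appraiser_lname>
    <cfset session.loggedInAt        = now()>
</cflock>
<cflocation url="index.cfm" addtoken="false">


<!--- logout.cfm. Added example, not the original poster's code. --->
<cflock scope="session" type="exclusive" timeout="10">
    <!--- Take a snapshot of the key list first so the struct is not modified while being iterated;
          drop every key the app set and keep only the keys ColdFusion manages itself --->
    <cfset sessionKeys = structKeyList(session)>
    <cfloop list="#sessionKeys#" index="key">
        <cfif NOT listFindNoCase("cfid,cftoken,urltoken,sessionid", key)>
            <cfset structDelete(session, key)>
        </cfif>
    </cfloop>
</cflock>

<!--- Server side: end the session outright where the engine supports it (ColdFusion 10+) --->
<cfif structKeyExists(getFunctionList(), "sessionInvalidate")>
    <cfset sessionInvalidate()>
</cfif>

<!--- Browser side: expire the identifying cookies, otherwise the next request presents the same
      CFID/CFTOKEN pair and resumes the session until sessiontimeout finally elapses --->
<cfcookie name="CFID"       value="" expires="now">
<cfcookie name="CFTOKEN"    value="" expires="now">
<cfcookie name="JSESSIONID" value="" expires="now">

<!--- Server-side redirect; the location.href in the question only runs if the browser executes the script --->
<cflocation url="login.cfm" addtoken="false">
```

Two things in the logout page as posted leave the session reachable: nothing expires the CFID/CFTOKEN cookies, so the browser keeps presenting the same session identifier, and the redirect happens only client side. The login handler's empty-input check addresses the other symptom in the question, a query that runs with no username or password supplied.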

BKBK
Adobe Community Professional,
Aug 20, 2014


It is unnecessary to delete session keys to invalidate them. With proper coding they should be invalidated once the session times out.

Sessiontimeout values are usually around half an hour and applicationtimeout values are usually of the order of 1 day. Also, one way to relate session to login is to use the loginStorage attribute. If you have no need for client management, switch it off.

Hence, for example,

<cfapplication name="appraiseri"
    applicationtimeout="#CreateTimeSpan(1,0,0,0)#"
    clientmanagement="no"
    sessionmanagement="Yes"
    sessiontimeout="#CreateTimeSpan(0,0,30,0)#"
    SetClientCookies="Yes"
    loginStorage="session">

I am assuming that, for login and logout pages, you will - ignoring the details - have something like

Login:

<cflogin>
    <cfloginuser name = "some_name" password = "some_password" roles = "appraiser"/>
</cflogin>

Logout:

<cflogout>

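The cflogin-based arrangement BKBK sketches, filled out as an added example (not BKBK's code and not the poster's): an Application.cfm with loginStorage="session" that sends unauthenticated requests to the login page, a login_do.cfm that calls cfloginuser only after the credential check passes, a role gate for a protected page, and a logout that pairs cflogout with sessionInvalidate(). The credential-check function checkAppraiser() and the page names index.cfm and login.cfm are assumptions; sessionInvalidate() requires ColdFusion 10 or later.

```cfml
<!--- Application.cfm (appraiser directory). Added example, not BKBK's code. --->
<cfapplication name="appraiseri"
    applicationtimeout="#createTimeSpan(1,0,0,0)#"
    clientmanagement="no"
    sessionmanagement="yes"
    sessiontimeout="#createTimeSpan(0,0,30,0)#"
    setclientcookies="yes"
    loginstorage="session">

<!--- Application.cfm runs before every page in the directory, so the gate lives here.
      Only the two login pages are reachable without an authenticated user. --->
<cfset currentPage = listLast(cgi.script_name, "/")>
<cfif NOT listFindNoCase("login.cfm,login_do.cfm", currentPage)>
    <cflogin>
        <!--- This body runs only when no cfloginuser identity is stored for the session --->
        <cflocation url="login.cfm" addtoken="false">
    </cflogin>
</cfif>


<!--- login_do.cfm --->
<cfparam name="form.username" default="">
<cfparam name="form.password" default="">
<cflogin>
    <!--- checkAppraiser() is an assumed UDF that returns true only for a valid credential pair;
          the empty-field test in front of it keeps a blank submission from being looked up at all --->
    <cfif len(trim(form.username)) AND len(form.password)
          AND checkAppraiser(form.username, form.password)>
        <cfloginuser name="#form.username#" password="#form.password#" roles="appraiser">
    <cfelse>
        <cflocation url="login.cfm?err=1" addtoken="false">
    </cfif>
</cflogin>
<cflocation url="index.cfm" addtoken="false">


<!--- Any protected page: the role granted by cfloginuser is checked on every request,
      never read back from a form or URL field --->
<cfif NOT isUserInRole("appraiser")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>
<cfoutput>Signed in as #getAuthUser()#</cfoutput>


<!--- logout.cfm: cflogout forgets the cfloginuser identity; sessionInvalidate() (ColdFusion 10+)
      also ends the session scope so nothing else stored during the session survives the logout --->
<cflogout>
<cfset sessionInvalidate()>
<cflocation url="login.cfm" addtoken="false">
```

With loginStorage="session" the identity lives in the session scope, so BKBK's 30-minute sessiontimeout bounds how long an abandoned login stays valid; the per-request cflogin in Application.cfm is what turns that into an actual access check rather than a value the pages merely read.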