Someone posted to the CF-Talk list that they were having an issue with session management. If the user clicked the logout button/link they were logged out successfully, but if they just closed the browser and then tried to log in again they were not logged in correctly because the code between the
This is normal behavior in this case: the CFID and CFTOKEN cookies used to identify a session still exist on the client's machine even after the browser is closed.
The 'issue' is that when you set up your application, ColdFusion automatically sets setClientCookies = true, which creates the session cookies on the client machine. Additionally, these cookies have an expiry date of the year 2037 by default, so when a user closes the browser their session isn't automatically expired. This means that any code that you have between the
To ensure that a user is logged out when the browser is closed you can do one of two things.
- You can enable J2EE session management in the CF Administrator. Select the menu item Memory Variables and then check the box next to Use J2EE session variables. Make sure that "Enable Session Variables" is also checked.
- You can set up your application to use session cookies by:
  - setClientCookies = False: this forces ColdFusion NOT to write the cfid and cftoken as cookies, which also means that you need to do it yourself.
  - Write the cfid and cftoken as session cookies (no EXPIRES attribute, so the browser discards them when it closes):

<cfif not IsDefined("Cookie.CFID")>
    <!--- Read-only lock: we only read CFID/CFTOKEN from the session scope --->
    <CFLOCK SCOPE="SESSION" TYPE="READONLY" TIMEOUT="5">
        <!--- No EXPIRES attribute: these are session cookies, not the default 2037 cookies --->
        <CFCOOKIE NAME="CFID" VALUE="#SESSION.CFID#">
        <CFCOOKIE NAME="CFTOKEN" VALUE="#SESSION.CFTOKEN#">
    </CFLOCK>
</cfif>
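As an added example (not code from the original post), here is a complete Application.cfc that puts both steps of the second option together: setClientCookies is switched off and the identifiers are written as session cookies once, in onSessionStart, so the per-page cfif/cflock snippet is no longer needed. The application name "myApp" and the 30-minute timeout are placeholders; the secure and httponly attributes on cfcookie assume ColdFusion 9 or later and an HTTPS-only site, so leave them out on CF8.

```cfml
<!--- Application.cfc: added example, not from the original post.
      Assumes ColdFusion 8 or later; "myApp" and the timeout are placeholders. --->
<cfcomponent output="false">

    <cfset this.name = "myApp">
    <cfset this.sessionManagement = true>
    <!--- Server-side idle timeout; the browser-side cookie lifetime is handled below --->
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
    <!--- Stop ColdFusion from writing CFID/CFTOKEN as persistent (year 2037) cookies --->
    <cfset this.setClientCookies = false>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- Runs once per new session: write the identifiers as session cookies.
              No EXPIRES attribute means the browser discards them when it closes.
              secure/httponly require CF9+ (assumption); drop them on CF8. --->
        <cflock scope="session" type="readonly" timeout="5">
            <cfcookie name="CFID" value="#session.CFID#" secure="true" httponly="true">
            <cfcookie name="CFTOKEN" value="#session.CFTOKEN#" secure="true" httponly="true">
        </cflock>
    </cffunction>

</cfcomponent>
```

Because onSessionStart fires only when a session is created, the cookies are written exactly once and every later request simply sends them back. Closing the browser discards the client's copy of CFID/CFTOKEN, so the next visit gets a fresh session instead of reviving the old one; the server-side session itself still lives until sessionTimeout expires, so the logout link should keep clearing the session scope as well.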
There are some definite benefits to using J2EE session management over ColdFusion session management (from the CF8 documentation):
- J2EE session management uses a session-specific session identifier, jsessionid, which is created afresh at the start of each session.
- You can share session variables between ColdFusion pages and JSP pages or Java servlets that you call from the ColdFusion pages.
- The Session scope is serializable (convertible into a sequence of bytes that can later be fully restored into the original object). With ColdFusion session management, the Session scope is not serializable. Only serializable scopes can be shared across servers.
My suggestion would be to use J2EE session management instead of ColdFusion session management because it is more secure and gives you more options (mixed environments, clustering).
*NOTE: I posted about session cookies back in August but didn't mention the alternative J2EE session management so part of this is a repeat of my earlier post. It seems to pop up on a regular basis though :)