Persistent session variables?????????? 2

[rmcweb]

I am new to ColdFusion so hopefully this is a trivial problem: I have an application in ColdFusion 4.5 that is supposed to do simple user authentication, and it uses session variables to capture user sessions, but they persist even after closing the browser. The result is that the session variable intended to keep track of whether or not a user is logged on is always inaccurate after the first user even after closing the window, because it is always defined and it retains the information of the previous user. Here is the relating code:
<cfapplication sessionmanagement= &quot;yes&quot; clientmanagement= &quot;yes&quot;>
<cfset session.name= &quot;#form.name#&quot;>
Later in the code, #IsDefined(session.name)# is only false if the user is the first one to access the application. After that it's always true even after the window had been closed.
Does anyone understand why this might be? Thanks

 

[JHoarty]

Don't see anything obviously wrong, but you might try using a cfparam in your application file:

<cfparam name=&quot;session.name&quot; default=&quot;&quot;>

Then, you can test for

session.name NEQ &quot;&quot; or
NOT session.name IS &quot;&quot; John Hoarty
jhoarty@quickestore.com

http://www.quickestore.com

 

[GunJack]

Hey rmcweb,

Session variables are associated with a CFID/CFTOKEN combination which CF assigns automatically. This pair of numbers is generated on the first request and then stored as cookies on the visitor's browser. If they close out the browser and come back, the browser will send the CFID/CFTOKEN cookies and the CF server will find the session variables associated with this pair. If you want the session to die when the visitor closes their browser, add the line

setclientCookies=&quot;no&quot;

to your cfapplication tag. This will stop CF from storing the cookies on the visitors browser. This means though that you have to keep track of and pass these along manually so that the session remains intact between page views. This isn't hard as you just have to pass them in as url variables on every link or form submission like this.

<cfoutput>
<a href=&quot;page1.cfm?cfid=#cfid#&cftoken=#cftoken#&quot;>Page 1</a>

<form method=&quot;post&quot; action=&quot;Page2.cfm?cfid=#cfid#&cftoken=#cftoken#&quot;>
</cfoutput>

Just remember that they have to be passed as url variables so you can't make them hidden form variables.

Hope this helps,
GJ

 

[rmcweb]

Thanks for your help GunJack, it proved useful! I have also discovered another approach that only requires a couple of lines of extra code. The <cfcookie> tag defines client browser cookie variables whose default state is to be removed from memory once the browser is shut down. So when I reset the #session.cfID# and #session.cfToken# variables as cookie variables while setting setclientcookies=no, that also did the trick. The code would be something like <cfcookie name=cfid/cftoken value= #session.cfid#/#session.cftoken#>, and it probably should be on a separate page from where the session variables are actually declared since the variables would have a different sessionID otherwise.
Cheers
rmcweb