Questions about session variables...

Ross1811

Oct 1, 2004
Hi everyone,

When I use the struct delete function in ColdFusion and the cflogout tag when trying to close a session, it does not destroy my variables. The weird thing is that it works at my office but not at my home computer; I don't really know what is happening with it. Any ideas on why it would work in one place and not the other? Should I maybe have the client take care of that stuff in my session management? I tried making the sites' zones the same in both places, but without success in showing me the true problem.

Thanks,
Ross
 
Hi Ross, this is Guba.

The problem is that a session is a very sneaky object. Also, the ColdFusion client-server architecture is a little bit more complicated than it may seem.

A session is composed of a dataset which is identified by CFID and CFTOKEN values. These values are also stored in some cookies (see the settings of your Application.cfm) on the client application.

If you destroy the session but not the cookies that contain the session identifier, at the next request you make - for ex. a new log-in template because you're out or something like this - the server asks the browser for these cookies (as it always does), and the browser gives these cookies back to the server!

So because the server has no active session with those identifiers, it creates a new session with THOSE identifiers! Remember the old motto "not to throw away anything"?

But it seems that this new session is the old one, still alive. But it is not! It is a new one, created with the old CFID and CFTOKEN identifiers, re-used again.

In simple words, you must also kill the cookies with this simple code:

<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
<cfset cfid_local = Cookie.CFID>
<cfset cftoken_local = Cookie.CFTOKEN>
<cfcookie name="CFID" value="#cfid_local#" expires="now">
<cfcookie name="CFTOKEN" value="#cftoken_local#" expires="now">
</cfif>

and this must be done as the very last thing before executing the HTML of a log-in page or a home page with a log-in feature.
Put it after the session structure kill and just before the <HTML> declaration.

I put this into my home pages with log-in features, to be sure that if a new log-in takes place, it is done with fresh session ID cookies.

Hope this helps.

Guba
 
Thanks Guba,

It seems to work now since I deleted the cookies that I did not know I had. This is a great place for information filled by great members.


Thanks again,

Ross
 
The thing I don't understand is (and please forgive my newbie ignorance): after doing what is suggested above and deleting the session, why are you still able to use the back button to get back into the page before the logout.cfm that kills the session?

If the session is killed on the logout.cfm with:

Code:
<cfset StructDelete(Session, "SessionName")>
<cflocation url="redirectionpage.cfm" addtoken="yes">

----------------------------------------
Florida Web Design
Orlando Web Hosting
Florida Coldfusion Hosting
 
The way the back button works is almost evil. It doesn't "refresh" the content from the server (no requests are made); it brings it back from the browser's memory. Remember, CF just produces text for the browser. Clicking back shows the HTML that was generated; it doesn't do any server processing. If you click any nav links on the page prior to "logout.cfm" after you delete the session and click back, you should be redirected to the login page, because that's when the browser actually makes the request.

You may be able to do some "no cache" tricks but someone else will have to help with that.

Beware of programmers who carry screwdrivers.
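
Added example, not part of any post in this thread: a protected-page header and a logout template that combine the cookie expiry Guba describes with the "no cache" headers mentioned in the last reply. It assumes session management is enabled in Application.cfm; the `Session.loggedIn` flag, `login.cfm` and the file layout are hypothetical names.

```cfml
<!--- ===== Top of every page that requires a login (added example) ===== --->
<!--- Ask the browser not to keep a copy, so Back has to re-request the page --->
<cfheader name="Cache-Control" value="no-store, no-cache, must-revalidate">
<cfheader name="Pragma" value="no-cache">
<cfheader name="Expires" value="0">

<!--- Session.loggedIn is an assumed flag set by the login code --->
<cfif NOT StructKeyExists(Session, "loggedIn")>
    <!--- addtoken="no" keeps CFID/CFTOKEN out of the URL --->
    <cflocation url="login.cfm" addtoken="no">
</cfif>

<!--- ===== logout.cfm (added example) ===== --->
<!--- 1. Remove the login state from the server-side session --->
<cflogout>
<cfset StructDelete(Session, "loggedIn")>

<!--- 2. Expire the identifier cookies so the next request cannot
         present the old CFID/CFTOKEN pair again --->
<cfif IsDefined("Cookie.CFID")>
    <cfcookie name="CFID" value="" expires="now">
</cfif>
<cfif IsDefined("Cookie.CFTOKEN")>
    <cfcookie name="CFTOKEN" value="" expires="now">
</cfif>

<!--- 3. The logout response itself should not be cached either --->
<cfheader name="Cache-Control" value="no-store, no-cache, must-revalidate">
<cfheader name="Pragma" value="no-cache">
<cfheader name="Expires" value="0">

<html>
<body>
<p>You have been logged out. <a href="login.cfm">Log in again</a></p>
</body>
</html>
```

With the headers on the protected page, pressing Back after logout makes the browser request the page again, and the login check at the top then sends the user to the login page.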
 