
Security issue

Status
Not open for further replies.

thysonj

Programmer
Jul 6, 2001
US
I have a security issue here..
My application requires a login/pw. I can login with no problem and I can perform procedures with no problem. The problem occurs when I logout. The logout takes me back to the index.cfm page, which it is supposed to do. Now if I try to access a page within a layer of security by simply typing it in, it will not stop me. It allows me to continue as if I had logged in. If I reload any page within the security layer then it will realize I have not logged in and kick me back to index.cfm, where I am supposed to go when I go to a page I should not have access to. It seems to me it is using a cached copy of the pages maybe???? What is a procedure to make sure every time you go to a page you have proper access?
I will post some code if needed..
 
I'd first try keeping the cache clear having this code execute with every page request in the "logged in" area.

<!--- Work out the local offset from UTC so the Last-Modified header carries it --->
<CFSET gmt = gettimezoneinfo()>
<CFSET gmt = gmt.utcHourOffset>
<CFIF gmt EQ 0>
<CFSET gmt = "">
<CFELSEIF gmt GT 0>
<CFSET gmt = "+" & gmt>
</CFIF>
<!--- Tell the browser and any proxy not to serve this page from cache --->
<CFHEADER NAME="Pragma" VALUE="no-cache">
<CFHEADER NAME="Cache-Control" VALUE="no-cache, must-revalidate">
<CFHEADER NAME="Last-Modified" VALUE="#DateFormat(now(), 'ddd, dd mmm yyyy')# #TimeFormat(now(), 'HH:mm:ss')# GMT#gmt#">
<CFHEADER NAME="Expires" VALUE="Mon, 26 Jul 1997 05:00:00 GMT">

- tleish
 
Along that same line of security, is there any way to destroy a session on the server once someone logs out? Currently I nullify all session variables on logout, but my superiors want to destroy the sessions to ensure security and to free up memory on the server (this way we don't have to wait for the timeout).

Help please
 
You can use:

<cflock scope="session" type="exclusive" timeout="3">
<cfset rs = StructClear(session)>
</cflock>

to clear the user's session from the server memory after they click the logout button. CF doesn't allow you to set variables to a NULL value, per se, or to NOTHING like in ASP. You can delete variables that are in structures, though, so the StructClear() function works well for clearing session variables. In CFMX, even the VARIABLES scope is (finally) a structure.

-Tek
 
Teknology,

So I would have to first put each session variable I use throughout the application into a struct (some of these are actually predefined while some of them are defined as users step through the site). Another question: can the "value" inside of a StructInsert be a session.variable?

eg. StructInsert(session, "ID", session.id);

thanks in advance
 
The session scope is a structure, so you don't have to create another one to hold your session variables. When you StructClear(session), it clears all of the session variables assigned to that user (based on their cfid and cftoken values), which is why you need to EXCLUSIVELY lock this command.

I don't think I ever tried writing to the session scope using StructInsert. Give it a try and then you'll know -- just remember to use a cflock with a type="exclusive" attribute.

-Tek
 
Tek

It's working beautifully. Just two more questions for you.
Is there a function that will list all session.variables within the session structure? I wanted to create an admin page that would allow administrators to actually see what variables they have picked up along the way so that on logout they can see that the struct has been wiped clean and initialized back to the original session parameters.

Oh, and what does the "rs" mean in the <cfset rs= StructClear(session)> statement? (maybe some type of reserved word/command, forgive my ignorance)

thank you kind guru
 
 
Hi,

The rs is just a programmatic way of assigning a temp variable (in this case rs stands for result) to the result of the function. You could also just do:
<cfset StructClear(session)>

It's just a matter of choice; I just assign the result to a variable for clarity's sake, but you don't have to.

As for your other question, since the Session scope is a structure, you can use cfloop to output the contents:

<cfoutput>
<cfloop collection="#Session#" item="ThisVar">
#ThisVar# = #Session[ThisVar]#<br>
</cfloop>
</cfoutput>
-Tek
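The pieces discussed in this thread (a server-side login check on every request so a cached page can't bypass it, the no-cache headers, and clearing the session on logout) fit together as an Application.cfm plus a logout.cfm. This is an added example, not code posted by anyone in the thread; the application name, the `session.userID` key set by your login page, and the list of public page names are assumptions.

```cfml
<!--- Application.cfm: ColdFusion runs this before every request in the directory tree --->
<cfapplication name="myApp" sessionmanagement="Yes"
    sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#">

<!--- Stop browsers and proxies from serving protected pages out of cache --->
<cfheader name="Pragma" value="no-cache">
<cfheader name="Cache-Control" value="no-cache, no-store, must-revalidate">
<cfheader name="Expires" value="Mon, 26 Jul 1997 05:00:00 GMT">

<!--- Pages anyone may request without logging in (assumed names) --->
<cfset publicPages = "index.cfm,login.cfm,logout.cfm">
<cfset thisPage = ListLast(CGI.SCRIPT_NAME, "/")>

<cfif NOT ListFindNoCase(publicPages, thisPage)>
    <!--- The check runs on the server for EVERY request, not just on reload.
          session.userID is assumed to be set only by a successful login. --->
    <cflock scope="session" type="readonly" timeout="3">
        <cfset isLoggedIn = IsDefined("session.userID")>
    </cflock>
    <cfif NOT isLoggedIn>
        <cflocation url="index.cfm" addtoken="No">
    </cfif>
</cfif>

<!--- logout.cfm: wipe the user's session on the server, then send them home --->
<cflock scope="session" type="exclusive" timeout="3">
    <cfset rs = StructClear(session)>
</cflock>
<cflocation url="index.cfm" addtoken="No">
```

Keep the two files separate on disk; they are shown in one block only so the flow reads top to bottom.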
 