Okay, Hal's tutorial fixed the browser close issue.


However, I still cannot get the session variables to time out when the
browser is still open. I even set the sessionTimeout attribute to 15
seconds and I can still navigate the application all day long without being
required to re-login.


Any thoughts on what might cause this?


Thanks
-- Jeff

  _____  

From: Pascal Peters [mailto:[EMAIL PROTECTED]
Sent: Monday, May 31, 2004 3:52 AM
To: CF-Talk
Subject: RE: Application Security Confusion

Jeff,

They have to die at sessiontimeout, but NOT when you close your browser
(if you are using CF sessions on CFMX or a lower version). If you use
J2EE sessions in CFMX, the session will end if you close all browser
windows.

Without seeing code, I can't imagine why the session would persist after
the specified timeout. You could try and debug by doing a <cfdump
var="#session#"> right after the cfapplication tag. This way you can see
if the session really exists, or if your code recreates it or something
of the kind.

Pascal

> -----Original Message-----
> From: Jeff Chastain [mailto:[EMAIL PROTECTED]
> Sent: Monday, 31 May 2004 2:11
> To: CF-Talk
> Subject: Application Security Confusion
>
> Ok, I must really be missing something obvious, because this makes
> no sense.
>
> I have an application that has security setup and tracked via session
> variables. The cfapplication tag has the setClientCookies attribute
> set to true, and the sessionTimeout attribute has a createTimeSpan
> value of 0,0,15,0 which I thought was 15 minutes (I am questioning
> most everything I knew now). At the beginning of each secure page,
> there is an isDefined check to see if a session structure userAuth
> exists. If so, then further checks are done to check for valid
> permissions - if not, the user is sent to the login screen.
>
> When I first load the application, I get sent to the login screen as
> expected. However, if I leave my browser window open with no activity
> for 30 minutes, I find I can still navigate the secure pages without
> having to log in again. What is even weirder is that I can close all
> of my browser windows, load a new browser window and go directly to a
> secure url in the site without having to log in again.
>
> I am beginning to question everything I knew about session
> variables, but I thought they were supposed to time out and die
> automatically based upon the sessionTimeout attribute of the
> cfapplication tag and they always died immediately upon closing the
> browser.
>
> My session variables won't die!
>  
> Thanks for any pointers.
> -- Jeff
>
>
>
>
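
An Application.cfm that makes the timeout discussed in this thread observable and enforces an idle limit explicitly, as an added example that is not code from the thread or its authors. The application name `secureApp`, the `login.cfm` page, the `sessionDebug` log file and the `session.lastActivity` key are assumed names; `session.userAuth` is the structure described in the original message.

```cfml
<!--- Application.cfm: added example, not code from the thread. --->
<!--- Assumed names: secureApp, login.cfm, sessionDebug, session.lastActivity. --->
<cfapplication name="secureApp"
               sessionManagement="true"
               setClientCookies="true"
               sessionTimeout="#createTimeSpan(0,0,15,0)#">
<!--- createTimeSpan(days, hours, minutes, seconds): 0,0,15,0 is 15 minutes. --->

<cfset idleLimitSeconds = 15 * 60>
<cfset loginPage = "login.cfm">

<!--- Diagnostic in the spirit of the cfdump suggestion: record, right after
      cfapplication, whether userAuth already exists on this request.
      Written to a log instead of the page so nothing is shown to visitors. --->
<cflog file="sessionDebug" type="information"
       text="page=#cgi.script_name# userAuth=#structKeyExists(session, 'userAuth')#">

<cflock scope="session" type="exclusive" timeout="10">
    <!--- Explicit idle check: drop the login state once the last recorded
          activity is older than the limit, whatever the server-side
          session expiry has or has not done. --->
    <cfif structKeyExists(session, "userAuth")
          and structKeyExists(session, "lastActivity")
          and dateDiff("s", session.lastActivity, now()) gt idleLimitSeconds>
        <cfset structDelete(session, "userAuth")>
        <cfset structDelete(session, "lastActivity")>
        <cflog file="sessionDebug" type="information"
               text="idle limit reached, userAuth cleared">
    </cfif>

    <cfset isLoggedIn = structKeyExists(session, "userAuth")>

    <!--- Refresh the activity stamp only for authenticated requests. --->
    <cfif isLoggedIn>
        <cfset session.lastActivity = now()>
    </cfif>
</cflock>

<!--- Unauthenticated requests for anything but the login page are redirected. --->
<cfif not isLoggedIn and getFileFromPath(cgi.script_name) neq loginPage>
    <cflocation url="#loginPage#" addtoken="false">
</cfif>
```

If the log shows `userAuth=YES` on a request made after the idle period, the session scope was either still alive or repopulated before this point, which is the distinction the cfdump check is meant to reveal.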