Yes, that's what I'd do.

Chris Norloff

>Maybe some sort of cookie test at login, if cookie.cfid exists delete and reset it?
>

---------- Original Message ----------------------------------
from: "Matt Robertson" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
date: Thu, 20 Jun 2002 12:46:21 -0700

>Is there any workable way to determine whether or not a stored cookie exists, delete
>it and thus pave the way for transitioning a repeat visitor from stored to session
>cookies?
>
>I ask because it seems at first glance the code below will fail if a user already has
>a cookie planted on their system.
>
>Maybe some sort of cookie test at login, if cookie.cfid exists delete and reset it?
>
>---------------------------------------
>Matt Robertson [EMAIL PROTECTED]
>MSB Designs, Inc., www.mysecretbase.com
>---------------------------------------
>
>
>---------- Original Message ----------------------------------
>from: "Derrick Rapley" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>date: Thu, 20 Jun 2002 12:21:43 -0400
>
>Here are some suggestions.
>
>First you want to use "Session" Cookies. They reside in memory and are
>deleted when all instances of a browser are closed.
>
>Here is how I do it in Application.cfm (fbx_Settings.cfm for Fusebox users):
>
><cfapplication NAME="AppName" CLIENTMANAGEMENT="Yes" SESSIONMANAGEMENT="Yes"
>SETCLIENTCOOKIES="NO">
>
><cfif NOT IsDefined("cookie.cfid")>
><cfcookie name="CFID" value="#client.CFID#">
><cfcookie name="CFTOKEN" value="#client.CFTOKEN#">
></cfif>
>
>Also, I typically check to see if a session variable exists to make sure a
>session times out (you can include this at the top of each template, in
>Fusebox I include it in fbx_Switch before any of the cases are checked):
>
><cflock TIMEOUT="30" THROWONTIMEOUT="No" SCOPE="Session" TYPE="exclusive">
><cfset sessionActive=IsDefined("session.someVariable")>
></cflock>
>
><cfif NOT variables.sessionactive>
><cflocation url="index.cfm?fuseaction=login.timeout">
></cfif>
>
>
>When a user logs out, you can just use the StructClear() function to remove
>all the session variables for a user.
>
><cfset StructClear(session)>
>
>
>That should do it for you.
>
>Regards,
>
>Derrick Rapley
>
>
>-----Original Message-----
>From: Mike Kear [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, June 20, 2002 10:55 AM
>To: CF-Talk
>Subject: RE: Killing Client vars session on closing browser.
>
>
>Well I can hardly expect all my users (specially potentially malicious ones)
>to be deleting anything from their hard drive. I'm trying to write a
>password access system here. The thing has to be designed to work under
>normal conditions, not exceptional ones.
>
>Once I'm logged out I want to be OUT. That means when users click on the
>"logout" button, Time out through inactivity, or close their browser.
>All 3 of those events should make sure I can't get back to the secure areas
>without providing a valid username/password combination.
>
>
>But as Kym said, the CFID/CFTOKEN combination could well be the same when
>it's issued a second time to the same person/ip address. Just unique at
>any one moment.
>
>
>Cheers,
>Mike Kear
>Windsor, NSW, Australia
>AFP WebWorks
>
>
>-----Original Message-----
>From: Chris Norloff [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, June 20, 2002 11:55 PM
>To: CF-Talk; [EMAIL PROTECTED]
>Subject: RE: Killing Client vars session on closing browser.
>
>Have you deleted all cookies on your hard drive from that server? I thought
>I had and some were left over from some other implementation. The CFserver
>was still using the CFID/CFTOKEN from the stored cookies I didn't know I
>had.
>
>Chris Norloff
>
>---------- Original Message ----------------------------------
>from: "Mike Kear" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>date: Thu, 20 Jun 2002 12:11:38 +1000
>
>>Ok, here's another part of the mystery .... how could this be?
>>
>>I closed all copies of all browsers. I used SQL Query Analyser to go to the
>>CDATA table and delete the records relating to my client session. Then I
>>opened my browser and went to the protected page. As expected I was sent to
>>the login page. So far so good.
>>
>>But when I completed logging in, the CFID and CFTOKEN were the same as the
>>one I had just deleted!! I didn't believe what I was seeing, so I did it
>>again a couple more times. Same result. I thought the CFIDs and CFTOKENS
>>were supposed to be unique and never reused.
>>
>>What gives? How can I log in fresh and get the same CFID and CFTOKEN as I
>>had before?
>>
>>(If it's relevant, we're using CF5 and my browsers are IE6.0.26, and NN4.75,
>>and NN6.2.2)
>>
>>
>>Cheers,
>>Mike Kear
>>Windsor, NSW, Australia
>>AFP WebWorks
>>
>>-----Original Message-----
>>From: Matthew Friedman [mailto:[EMAIL PROTECTED]]
>>Sent: Thursday, June 20, 2002 11:22 AM
>>To: CF-Talk
>>Subject: RE: Killing Client vars session on closing browser.
>>
>>Mike here is a thought and this works for a project that I did.
>>
>>Open your site in a framed environment
>>Frame one is 100% and this is where your application runs
>>
>>Have a hidden frame that is a simple html page with an onclose() function to
>>call a page logout.cfm
>>
>>In logout run a query to delete your client variables from the database that
>>you have designated
>>
>><CFQUERY NAME="remove_client_session" DATASOURCE="session_varibles">
>>delete
>>from dbo.CDATA
>>where cfid = '#cookie.cfid#:#cookie.cftoken#'
>>and app = '<cfapplication name=''>' - this is the name from the
>>cfapplication page that you are using for the client vars.
>></CFQUERY>
>>
>>then close the browser page with a JavaScript.
>>
>>This will guarantee that you have deleted the client vars from the time the
>>user logs off.
>>
>>You will need to take this idea one step further to make sure that the user
>>does not open the page outside of the framed environment and that can be done
>>with some simple javascripting.
>>
>>Matt Friedman
>>
>>
>>-----Original Message-----
>>From: Mike Kear [mailto:[EMAIL PROTECTED]]
>>Sent: Wednesday, June 19, 2002 8:40 PM
>>To: CF-Talk
>>Subject: RE: Killing Client vars session on closing browser.
>>
>>
>>Yes, thanks Rob. That was my understanding of it too. And I had already
>>used that code to convert CFID and CFTOKEN to memory cookies. But now, 8
>>hours after I closed my browser, I just came back on line, opened my browser
>>again, and I was still logged in with the same CFID and CFTOKEN. So the
>>client vars didn't time out, and they didn't disappear when not only did I
>>close down my browser but I closed down my whole system for the night.
>>
>>That's why I asked the question. I didn't want to go over old ground, but
>>half a dozen people have told me exactly the same thing - use that snippet
>>to convert the cookies to in-memory cookies. BUT IT DOESN'T WORK FOR MY
>>CASE. That's the problem. I don't know why. If you look at my original
>>question (re-posted below) you'll see that's what I originally said.
>>
>>Does that only apply to session variables? Because I'm using CLIENT Vars
>>(it's a long story, just take it from me that client vars is the way we
>>have to go) Or have I missed something?
>>
>>
>>
>>-----Original Message-----
>>From: Rob Baxter [mailto:[EMAIL PROTECTED]]
>>Sent: Thursday, June 20, 2002 4:04 AM
>>To: CF-Talk
>>Subject: RE: Killing Client vars session on closing browser.
>>
>>Correct me if I'm wrong, but I believe that eliminating a user's session id
>>(aka CFID and CFTOKEN) will have the effect of orphaning their Client data.
>>In other words, if you make sure that no users have persistent session
>>cookies, when they close the browser, they will lose their CFID and CFTOKEN
>>values which are used to hash their Client variables. If they return to your
>>site in a new browser instance, they should be issued a new CFID and CFTOKEN
>>pair, which effectively gives them a whole new Client variable space. Of
>>course you should probably have your Client variables expire fairly
>>frequently in this scenario.
>>
>>I believe someone has already posted the code you can put in Application.cfm
>>which will convert your CFID and CFTOKEN cookies from persistent cookies to
>>in-memory cookies.
>>
>></rob>
>>
>>-----Original Message-----
>>Here's what I originally asked:
>>At 07:51 AM 6/19/02, you wrote:
>>>I'm maintaining state using CLIENT vars, and I want to have the session die
>>>when the user closes his browser.
>>>
>>>I know how to kill SESSION vars by setting the CFID and CFTOKEN cookies to
>>>expire, but that doesn't apply to client vars does it? In any case, when
>>>I close my browser and open it again, the CFID and CFTOKEN is still alive.
>>>I'm still logged in and when I display the CFID and CFTOKEN on the page,
>>>they're the same.
>>>(Yes, I have refreshed the browser)
>>>
>>>Here's my <CFAPPLICATION tag:
>>>
>>><cfapplication
>>>   name="appname"
>>>   clientmanagement="Yes"
>>>   clientstorage="datasource"
>>>   setdomaincookies="Yes"
>>>   APPLICATIONTIMEOUT="#CreateTimeSpan(0,0,45,0)#">
>>>
>>>
>>>And here's the following few lines in the application.cfm which set the
>>>cookies:
>>>
>>><cfif IsDefined( "Cookie.CFID" ) AND IsDefined( "Cookie.CFTOKEN" )>
>>>   <cfset localCFID = Cookie.CFID>
>>>   <cfset localCFTOKEN = Cookie.CFTOKEN>
>>>   <cfcookie name="CFID" value="#localCFID#">
>>>   <cfcookie name="CFTOKEN" value="#localCFTOKEN#">
>>></cfif>
>>>
>>>
>>What am I missing?
>>
>>
>>Cheers,
>>Mike Kear
>>Windsor, NSW, Australia
>>AFP WebWorks
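
Added example, not part of the thread or any poster's code: one way to cover the repeat visitor Matt Robertson asks about is to re-issue CFID and CFTOKEN on every request rather than only when they are absent, since the server cannot tell from the request whether a cookie it receives is stored or in-memory. A browser replaces a stored cookie only when name, domain and path all match, so cookies first issued with setdomaincookies="Yes" need the same domain on the replacement. The cookieDomain variable, the path="/" value and the empty default are assumptions for illustration.

```cfml
<!--- Application.cfm: added example, not code from the thread.
      "AppName" is the placeholder application name used in the thread. --->
<cfapplication name="AppName"
               clientmanagement="Yes"
               sessionmanagement="Yes"
               setclientcookies="No">

<!--- Hypothetical setting: the domain the stored cookies were issued for,
      with its leading period, when the application ran with
      setdomaincookies="Yes". Leave empty for host-only cookies. --->
<cfset cookieDomain = "">

<!--- No IsDefined("cookie.cfid") guard here: a visitor who arrives with an
      old persistent cookie has to be re-issued one as well. Omitting the
      EXPIRES attribute makes each cookie an in-memory (session) cookie. --->
<cfif Len(cookieDomain)>
    <!--- Assumes the stored cookies were set with path "/". --->
    <cfcookie name="CFID" value="#client.CFID#" domain="#cookieDomain#" path="/">
    <cfcookie name="CFTOKEN" value="#client.CFTOKEN#" domain="#cookieDomain#" path="/">
<cfelse>
    <cfcookie name="CFID" value="#client.CFID#">
    <cfcookie name="CFTOKEN" value="#client.CFTOKEN#">
</cfif>
```

This changes only the lifetime of the cookies, not the identifier values, so the stored client variables still need the short expiry Rob Baxter mentions.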