Yes, that's what I'd do.

Chris Norloff

>Maybe some sort of cookie test at login, if cookie.cfid exists delete and reset it?
>

---------- Original Message ----------------------------------
from: "Matt Robertson" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
date: Thu, 20 Jun 2002 12:46:21 -0700

>Is there any workable way to determine whether or not a stored cookie exists, delete 
>it and thus pave the way for transitioning a repeat visitor from stored to session 
>cookies?
>
>I ask because it seems at first glance the code below will fail if a user already has 
>a cookie planted on their system.
>
>Maybe some sort of cookie test at login, if cookie.cfid exists delete and reset it?
>
>---------------------------------------
>Matt Robertson    [EMAIL PROTECTED]
>MSB Designs, Inc., www.mysecretbase.com
>---------------------------------------
>
>
>---------- Original Message ----------------------------------
>from: "Derrick Rapley" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>date: Thu, 20 Jun 2002 12:21:43 -0400
>
>Here are some suggestions.
>
>First you want to use "Session" Cookies. They reside in memory and are
>deleted when all instances of a browser are closed.
>
>Here is how I do it in Application.cfm (fbx_Settings.cfm for Fusebox users):
>
><cfapplication NAME="AppName" CLIENTMANAGEMENT="Yes" SESSIONMANAGEMENT="Yes"
>SETCLIENTCOOKIES="NO">
>
><cfif NOT IsDefined("cookie.cfid")>
><cfcookie name="CFID" value="#client.CFID#">
><cfcookie name="CFTOKEN" value="#client.CFTOKEN#">
></cfif>
>
>Also, I typically check to see if a session variable exists to make sure a
>session times out (you can include this at the top of each template, in
>Fusebox I include it in fbx_Switch before any of the cases are checked):
>
><cflock TIMEOUT="30" THROWONTIMEOUT="No" SCOPE="Session" TYPE="exclusive">
><cfset sessionActive=IsDefined("session.someVariable")>
></cflock>
>
><cfif NOT variables.sessionactive>
><cflocation url="index.cfm?fuseaction=login.timeout">
></cfif>
>
>
>When a user logs out, you can just use the StructClear() function to remove
>all the session variables for a user.
>
><cfset StructClear(session)>
>
>
>That should do it for you.
>
>Regards,
>
>Derrick Rapley
>
>
>-----Original Message-----
>From: Mike Kear [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, June 20, 2002 10:55 AM
>To: CF-Talk
>Subject: RE: Killing Client vars session on closing browser.
>
>
>Well I can hardly expect all my users (specially potentially malicious ones)
>to be deleting anything from their harddrive.  I'm trying to write a
>password access system here.    The thing has to be designed to work under
>normal conditions, not exceptional ones.
>
>Once I'm logged out I want to be OUT.  That means when users click on the
>"logout" button,  Time out through inactivity, or close their browser.
>All 3 of those events should make sure I can't get back to the secure areas
>without providing a valid username/password combination.
>
>
>But as Kym said,  the CFID/CFTOKEN combination could well be the same when
>it's issued a second time to the same person/ip address.   Just unique at
>any one moment.
>
>
>
>Cheers,
>Mike Kear
>Windsor, NSW, Australia
>AFP WebWorks
>
>
>-----Original Message-----
>From: Chris Norloff [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, June 20, 2002 11:55 PM
>To: CF-Talk; [EMAIL PROTECTED]
>Subject: RE: Killing Client vars session on closing browser.
>
>Have you deleted all cookies on your harddrive from that server?  I thought
>I had and some were left over from some other implementation.  The CFserver
>was still using the CFID/CFTOKEN from the stored cookies I didn't know I
>had.
>
>Chris Norloff
>
>---------- Original Message ----------------------------------
>from: "Mike Kear" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>date: Thu, 20 Jun 2002 12:11:38 +1000
>
>>Ok, here's another part of the mystery .... how could this be?
>>
>>I closed all copies of all browsers.  I used SQL Query Analyser to go to the
>>CDATA table and delete the records relating to my client session.   Then I
>>opened my browser and went to the protected page.  As expected I was sent to
>>the login page.  So far so good.
>>
>>But when I completed logging in,  the CFID and CFTOKEN were the same as the
>>one I had just deleted!! I didn't believe what I was seeing, so I did it
>>again a couple more times.    Same result.  I thought the CFIDs and CFTOKENS
>>were supposed to be unique and never reused.
>>
>>What gives?   How can I log in fresh and get the same CFID and CFTOKEN as I
>>had before?
>>
>>(If it's relevant, we're using CF5 and my browsers are IE6.0.26, and NN4.75,
>>and NN6.2.2)
>>
>>
>>Cheers,
>>Mike Kear
>>Windsor, NSW, Australia
>>AFP WebWorks
>>
>>-----Original Message-----
>>From: Matthew Friedman [mailto:[EMAIL PROTECTED]]
>>Sent: Thursday, June 20, 2002 11:22 AM
>>To: CF-Talk
>>Subject: RE: Killing Client vars session on closing browser.
>>
>>Mike here is a thought and this works for a project that I did.
>>
>>Open your site in a framed environment
>>Frame one is 100% and this is where your application runs
>>
>>Have a hidden frame that is a simple html page with an onclose() function to
>>call a page logout.cfm
>>
>>In logout run a query to delete your client variables from the database that
>>you have designated
>>
>><CFQUERY NAME="remove_client_session" DATASOURCE="session_varibles">
>><!--- 'appname' stands for the name from the cfapplication tag that you
>>     are using for the client vars. --->
>>delete
>>from dbo.CDATA
>>where cfid = <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#cookie.cfid#:#cookie.cftoken#">
>>and app = 'appname'
>></CFQUERY>
>>
>>then close the browser page with a JavaScript.
>>
>>This will guarantee that you have deleted the client vars from the time the
>>user logs off.
>>
>>You will need to take this idea one step further to make sure that the user
>>does not open the page outside of the framed environment and that can be done
>>with some simple javascripting.
>>
>>Matt Friedman
>>
>>
>>-----Original Message-----
>>From: Mike Kear [mailto:[EMAIL PROTECTED]]
>>Sent: Wednesday, June 19, 2002 8:40 PM
>>To: CF-Talk
>>Subject: RE: Killing Client vars session on closing browser.
>>
>>
>>Yes, thanks Rob.  That was my understanding of it too.  And I had already
>>used that code to convert CFID and CFTOKEN to memory cookies.   But now, 8
>>hours after I closed my browser, I just came back on line, opened my browser
>>again, and I was still logged in with the same CFID and CFTOKEN.   So the
>>client vars didn't time out, and they didn't disappear when not only did I
>>close down my browser but I closed down my whole system for the night.
>>
>>That's why I asked the question.  I didn't want to go over old ground, but
>>half a dozen people have told me exactly the same thing - use that snippet
>>to convert the cookies to in-memory cookies.  BUT IT DOESN'T WORK FOR MY
>>CASE.   That's the problem. I don't know why.   If you look at my original
>>question ( re-posted below) you'll see that's what I originally said.
>>
>>Does that only apply to session variables?   Because I'm using CLIENT Vars
>>(it's a long story,  just take it from me that client vars is the way we
>>have to go)   Or have I missed something?
>>
>>
>>
>>-----Original Message-----
>>From: Rob Baxter [mailto:[EMAIL PROTECTED]]
>>Sent: Thursday, June 20, 2002 4:04 AM
>>To: CF-Talk
>>Subject: RE: Killing Client vars session on closing browser.
>>
>>Correct me if I'm wrong, but I believe that eliminating a user's session id
>>(aka CFID and CFTOKEN) will have the effect of orphaning their Client data.
>>In other words, if you make sure that no users have persistent session
>>cookies, when they close the browser, they will lose their CFID and CFTOKEN
>>values which are used to hash their Client variables. If they return to your
>>site in a new browser instance, they should be issued a new CFID and CFTOKEN
>>pair, which effectively gives them a whole new Client variable space. Of
>>course you should probably have your Client variables expire fairly
>>frequently in this scenario.
>>
>>I believe someone has already posted the code you can put in Application.cfm
>>which will convert your CFID and CFTOKEN cookies from persistent cookies to
>>in-memory cookies.
>>
>></rob>
>>
>>-----Original Message-----
>>Here's what I originally asked:
>>At 07:51 AM 6/19/02, you wrote:
>>>I'm maintaining state using CLIENT vars, and I want to have the session die
>>>when the user closes his browser.
>>>
>>>I know how to kill SESSION vars by setting the CFID and CFTOKEN cookies to
>>>expire, but that doesn't apply to client vars does it?    In any case, when
>>>I close my browser and open it again, the CFID and CFTOKEN is still alive.
>>>I'm still logged in and when I display the CFID and CFTOKEN on the page,
>>>they're the same.  (Yes, I have refreshed the browser)
>>>
>>>Here's my <CFAPPLICATION tag:
>>>
>>><cfapplication
>>>    name="appname"
>>>    clientmanagement="Yes"
>>>    clientstorage="datasource"
>>>    setdomaincookies="Yes"
>>>    APPLICATIONTIMEOUT="#CreateTimeSpan(0,0,45,0)#">
>>>
>>>
>>>And here's the following few lines in the application.cfm which set the
>>>cookies:
>>>
>>><cfif IsDefined( "Cookie.CFID" ) AND IsDefined( "Cookie.CFTOKEN" )>
>>>  <cfset localCFID = Cookie.CFID>
>>>  <cfset localCFTOKEN = Cookie.CFTOKEN>
>>>  <cfcookie name="CFID" value="#localCFID#">
>>>  <cfcookie name="CFTOKEN" value="#localCFTOKEN#">
>>></cfif>
>>>
>>>
>>What am I missing?
>>
>>
>>Cheers,
>>Mike Kear
>>Windsor, NSW, Australia
>>AFP WebWorks
>
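
The cookie reset agreed on at the top of this thread, combined with the three logout conditions Mike lists (logout button, inactivity, browser close), as an added example that is not code from any poster in the thread. It assumes CF5-style tags; `client.loggedIn`, `client.lastSeen`, `idleMinutes`, the `fuseaction=logout` parameter and `login.cfm` are hypothetical names.

```cfml
<!--- Application.cfm. Added example, not code from the thread.
      Assumed names: client.loggedIn, client.lastSeen, idleMinutes,
      url.fuseaction=logout, login.cfm. The cfapplication values follow
      Mike's tag, with automatic cookies turned off as in Derrick's. --->
<cfapplication name="appname" clientmanagement="Yes" clientstorage="datasource"
               setclientcookies="No">

<cfset idleMinutes = 45>
<cfparam name="client.loggedIn" default="No">
<cfparam name="client.lastSeen" default="#Now()#">

<!--- 1. Inactivity: decided on the server from the stored timestamp, so it
      holds even if the browser still presents an old CFID/CFTOKEN. --->
<cfif client.loggedIn AND DateDiff("n", client.lastSeen, Now()) GTE idleMinutes>
  <cfset client.loggedIn = "No">
</cfif>
<cfset client.lastSeen = Now()>

<cfif IsDefined("url.fuseaction") AND url.fuseaction IS "logout">
  <!--- 2. Logout button: clear the server-side flag first, then ask the
        browser to drop both cookies. The flag is what actually locks the
        secure area; the cookie expiry is housekeeping. --->
  <cfset client.loggedIn = "No">
  <cfcookie name="CFID" value="" expires="NOW">
  <cfcookie name="CFTOKEN" value="" expires="NOW">
<cfelse>
  <!--- 3. Browser close: re-issue both cookies on every request with no
        EXPIRES attribute, whether or not cookie.cfid already exists. A
        cookie without an expiry is kept in memory only, and it overwrites
        a stored copy that has the same name, domain and path. A stored
        copy set under a different domain or path is NOT replaced. --->
  <cfcookie name="CFID" value="#client.CFID#">
  <cfcookie name="CFTOKEN" value="#client.CFTOKEN#">
</cfif>

<!--- Gate: anything requested while not logged in gets the login form.
      login.cfm (hypothetical) checks the username/password and sets
      client.loggedIn to "Yes" only on success. cfinclude is used instead
      of cflocation so the cookies set above are sent with this response. --->
<cfif NOT client.loggedIn>
  <cfinclude template="login.cfm">
  <cfabort>
</cfif>
```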