I've seen method 4 (or something similar!) used before to track where a user was when he / she 'left' a site. It was relatively easy as the relevant code was chucked in application.cfm and onRequestEnd.cfm.

Sounds like something with client variables should work better for your case though?

----- Original Message -----
From: Tim Blair
To: [EMAIL PROTECTED]
Sent: Thursday, October 30, 2003 9:50 AM
Subject: [ cf-dev ] Session timeouts in multi-site application

Morning,

I have an issue that I'd like to see if anyone can come up with a sensible solution for...

We are developing a system which allows Joe Bloggs to build their own community-type site based on top of our application. I.e. they fill out a form with their details, the site name etc, customise colours etc, we give them a URL to go to to use "their site" and they then advertise it and do whatever they want.

Now because there will be multiple "sites" running off the one application, we obviously need to know which site is being requested, so the initial URL will be something like http://app.blah.com/index.cfm?site=12345 -- once we have this information then we store the site ID as a session variable so it doesn't have to be passed around.

Because these sites are supposed to be autonomous, we're using jsessionid (session based cookie) rather than the standard CF ones ("permanent" cookie) so it means that people can view different "sites" at the same time, on the same computer, in different browsers.

The issue comes when a session times out. If the session dies (i.e. the user has been inactive for x minutes) then we no longer know which site they've been looking at, so we can't show them the "please log in" page for the correct site. :o\

Possible options I've just come up with OTTOMH:

1. Use CF sessions not jsessionid to mean that they can only view one site at a time - not really an option.

2. Pass the siteid in the query string on every script call - don't really want to do that.

3. Store the "last looked at" site in a cookie - will work well if they are only using one site at a time, but would get confusing if using two sites (to be honest, this is fairly unlikely, but it's definitely possible), one times out and then displays the "please log in" page from the other site... :o\

4. "Roll my own" session handling - set the session timeout to something hideously high and also store a "timeout" datetime or similar and at the start of every call check the timestamp of this timeout value hasn't passed - if it has then send them to the login page.

So far option four is looking the most likely, but this could mean that we end up tracking about six zillion (possible exaggeration!) sessions... I guess we'd have to have a scheduled task which tracked through all the sessions [http://tech.badpen.com/index.cfm?mode=entry&entry=3] and removed those which have been inactive for a certain length of time? Or just wait for them to timeout "normally"...

Any suggestions appreciated.

Tim.

Tim Blair
Web Application Engineer, Rawnet Limited
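
Option 4 from the original message (a long container session plus an application-level idle timestamp checked at the start of every call), as an added CFML sketch that is not code from either poster. The names session.siteID, session.userID and session.lastActivity, the login.cfm page and the 20-minute limit are assumptions, as is a login page that sets session.userID on success.

```cfml
<!--- Application.cfm: added sketch of option 4, not code from the thread --->
<cfapplication name="communityApp"
               sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0, 8, 0, 0)#">

<!--- Assumed policy value: minutes of inactivity before re-login --->
<cfset idleMinutes = 20>

<!--- Accept a site ID from the URL only if it is a plain integer --->
<cfif StructKeyExists(url, "site") AND REFind("^[0-9]{1,9}$", url.site)>
    <cflock scope="session" type="exclusive" timeout="5">
        <!--- Switching site inside one session drops the old login state --->
        <cfif StructKeyExists(session, "siteID") AND session.siteID NEQ url.site>
            <cfset StructDelete(session, "userID")>
            <cfset StructDelete(session, "lastActivity")>
        </cfif>
        <cfset session.siteID = url.site>
    </cflock>
</cfif>

<cfset idleExpired = false>
<cfset siteID = "">
<cflock scope="session" type="exclusive" timeout="5">
    <cfif StructKeyExists(session, "siteID")>
        <cfset siteID = session.siteID>
    </cfif>
    <cfif StructKeyExists(session, "lastActivity")
          AND DateDiff("n", session.lastActivity, Now()) GTE idleMinutes>
        <!--- Idle limit passed: remove the login state but keep siteID --->
        <cfset StructDelete(session, "userID")>
        <cfset StructDelete(session, "lastActivity")>
        <cfset idleExpired = true>
    <cfelseif StructKeyExists(session, "userID")>
        <!--- Logged-in request inside the limit: refresh the timestamp --->
        <cfset session.lastActivity = Now()>
    </cfif>
</cflock>

<!--- siteID survived the idle expiry, so the right login page is known --->
<cfif idleExpired AND Len(siteID)>
    <cflocation url="login.cfm?site=#URLEncodedFormat(siteID)#" addtoken="no">
</cfif>
```

The idle check removes only the authentication keys, so the site ID is still available for the redirect; the long sessiontimeout is what eventually frees the session itself.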