On May 23, 2005, at 5:44 AM, Peter Tilbrook wrote:

I'd have to verify this again to be sure, but if you use J2EE session
variables I *believe* they're killed automatically when the browser
closes without doing any extra work (in other words, you use J2EE
session variables and this is the default behavior). The error you're
seeing when the J2EE sessions are enabled is because it uses a
different variable to define the session (jsessionid) so the typical
CFID and CFTOKEN aren't present in the session. I think all you'd
have to do to handle this would be to do a check for
StructKeyExists(Session, "CFID") and StructKeyExists(Session, "CFTOKEN") before doing
the cookie stuff. If they don't exist, don't do that cookie stuff and
you should be all set.


Wrong! CFID/CFToken are still present but the Java session ID is appended.

So all the rules for maintaining state with ColdFusion using CFID/CFToken
still apply.

Sorry Peter, but you're only about 1/4 correct. When you use J2EE sessions, the cookies for CFID and CFTOKEN are still created, but SESSION VARIABLES for these two items are NOT created:

When you're *not* using J2EE session variables, session variables for CFID and CFTOKEN *are* created.

A bit more information on this from the latest WACK:
"The J2EE session variables option causes ColdFusion to define a session somewhat differently. Instead of using cfid and cftoken cookies, which persist between sessions, to track the user's machine, it uses a different cookie, called jsessionid. This cookie isn't persistent, and thus expires when a user closes her browser. Therefore, if the user reopens their browser and visits your page again, it is an entirely new session."

If you check Session.CFTOKEN when you have J2EE sessions enabled you will see that it includes CFID, CFTOKEN, and jsessionid, but as independent session variables (which is what Jake was really asking about), CFID and CFTOKEN are not created when you use J2EE sessions.

As such, the traditional rules for maintaining state with CFID and CFTOKEN absolutely don't apply. See the above paragraph--the jsessionid cookie is automatically killed when the user closes the browser. This is not true for CFID and CFTOKEN cookies when you're not using J2EE session variables.

I just did some testing by enabling J2EE session IDs on one of my servers and compared what does and doesn't exist before and after enabling J2EE session IDs. As I suspected, CFID and CFTOKEN are not created in the session with J2EE session IDs enabled, but they *are* created if I'm *not* using J2EE session IDs.

Jake, the original code I sent you should do the trick. If Session.CFID and Session.CFTOKEN exist, then you're not using J2EE sessions; if they don't exist, then you shouldn't need to worry about them because the session will be killed automatically when the user closes the browser.

Hope that helps,
Matt
--
Matthew Woodward
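
The guard discussed in this thread, as an added example that is not the code Matt sent (that code is not on this page). It assumes "the cookie stuff" means re-issuing CFID and CFTOKEN as non-persistent cookies so they expire with the browser; the application name and timeout are placeholders.

```cfml
<!--- Application.cfm (added example; "exampleApp" and the 20-minute
      timeout are placeholder values, not taken from the thread) --->
<cfapplication name="exampleApp"
               sessionmanagement="yes"
               setclientcookies="yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#">

<!--- Test for Session.CFID / Session.CFTOKEN first, as the message suggests,
      so that a server where they are not defined skips this block instead
      of throwing an undefined-variable error. --->
<cfif StructKeyExists(Session, "CFID") AND StructKeyExists(Session, "CFTOKEN")>
    <!--- cfcookie with no "expires" attribute writes a browser-session
          cookie, so CFID and CFTOKEN are discarded when the browser closes
          rather than persisting on the user's machine. --->
    <cfcookie name="CFID" value="#Session.CFID#">
    <cfcookie name="CFTOKEN" value="#Session.CFTOKEN#">
</cfif>
```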

