force session to expire when a user leaves the site

i really need somthing that will kill the session if the user leaves the domain... any ideas on where i should start?

its really difficult to track when a user does leave..  ie close the browser.... as its not an event you can keep track of


i aggreee with  black0ps' comments

Maybe try:
<!--- on all pages where an exit might occurr --->
<script language="javascript">
function exitting(x) {
      var popUpWin=0;
      popUpWindow('domaincheck.cfm?Domain=' & x,0,0,0,0);
}

function popUpWindow(URLStr, left, top, width, height)
{
  if(popUpWin)
  {
    if(!popUpWin.closed) popUpWin.close();
  }
  popUpWin = open(URLStr, 'popUpWin', 'toolbar=no,location=no,directories=no,status=no,menub ar=no,scrollbar=no,resizable=no,copyhistory=yes,width='+width+',height='+height+',left='+left+', top='+top+',screenX='+left+',screenY='+top+'');
}
</script>
<body onUnload="exitting('<cfoutput>#CGI.SERVER_NAME#</cfoutput>')">
</body>

<!--- domaincheck.cfm page --->
<script language="javascript">
// use javascript to verify that the domain passed as a URL attribute is the same as the location in the popup's parent window
// if they are the same, close window
// if they are NOT the same, redirect to the same page with a new URL attribute called expire
</script>
<cfif IsDefined("URL.Expire")>
<cfset StructDelete(session,"login")>
<script>
// close window
</script>
</cfif>

That might work. You'll need to write the javascripts though.

-- Ian

Best solution I've found to this problem is pretty complicated and requires messing with every internal link in the site (at least every link you want protected this way).  The reason it has to be so complicated is that, for privacy reasons, browsers deliberately give the site you are leaving no knowledge of where you are going, so you just can't know when you leave the site.  You could have exit scripts on every page which validate the next page, but they cannot test the target URL and javascript could be turned off, so it's not very reliable or useful.

The most robust solution I have found it to set up a sequence where you have a session(orClient) var, say sessionKey which you set to some random value when you initialize the session.  The more important this security is and the more hits there are on the application, the better the reasons to use a fresh UUID-( sessionKey=CreateUUID() ), although a simple counter would accomplish the same goal in cases where you are trying to catch mistakes, not malicious users. So far so good.

The tricky part is you have to pass it as a URL variable in every link. You can't rely on the session because the whole point is to know when they aren't getting to the next page by clicking the link (or submit button) you are expecting them to click.

So upon landing on each page in the site, say in the application.cfm, you check the URL var to make sure it matches the one in the Session store (URL.sessionKey EQ Session.sessionKey) and if it does you CREATE A NEW KEY.

This new key, say newSessionKey, is then stored in the Session.sessionKey variable and appended to all the links on the page
e.g. <a href="page2.cfm?foo=bar&sessionKey=<cfoutput>#newSessionKey#</cfoutput>">

When the user hits back, URL.sessionKey is the old one, it no longer matches Session.sessionKey so you can take whatever action you want from the application.cfm, or wherever, to expire the session (I usually have a session.loggedIn variable I'd set to false.)

This works except for browser caching, which would still allow the user to at least SEE what was on the previous page (a security problem in payment cycles, for example)  So if just prefer that browsers usually not cache the page (forcing reload, forcing your check to catch the expired session) add
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
but this doesn't always work.  If you REALLY don't want the browser caching, read this:
http://www.htmlgoodies.com/beyond/reference/article.php/3472881
and then recommend that they close the browser window when they're done.

This solution works great for small, sensitive parts of an application, like the payment cycle, but is a little cumbersome for large apps with lots of links.  The obvious disadvantage is that you have to get every link, form action and <cflocation> tag and append the URL variable.  The advantage is that by the time a link hits the browser, it is already obsolete so short of decoding the algorithm that produces the next sessionKey, it's pretty foolproof.

N.b.  Make sure any information links, etc. in this process are popups, preferably with close buttons, or include the mainline forms, etc. or you'll just be inviting the user to shoot themselves in the foot by clicking back.  I know I would.

Hope this is helpful,
8riaN

The short answer is not really and not worth it.

As you can see from teh posts so far there is NO guaranteed way to catch them.

You can try the javascript onUnload, but this runs on every page and may clear a session when you don't want to.

You can mess with the URLs and pass around a sessionID or some other thing, but the URL becomes messy and is prone to tampering...