Solved

Prevent simultaneous logins

Posted on 2003-03-22
Last Modified: 2013-12-24
I am using J2EE Session Variables for session handling in my application - mainly because it doesn't set cookies on client side and the session expires when browser is closed. (We have to explicitly code for achieving this functionality if we are using CFID & CFTOKEN sessions.) I have two questions:
1) Are there any disadvantages of using J2EE Session Variables?
2) How can I prevent multiple logins with the same userID from two different locations? The first signed in user should be logged off when he tries to login from another place.
Question by:davegaurav999
34 Comments
 
LVL 3

Expert Comment

by:cdillon
ID: 8187604
This is for asp, but still applicable

1) http://www.4guysfromrolla.com/webtech/092098-2.shtml 

2) you need some session to session communication to do that, otherwise how will one session know that the other exists?  One way is through the database, but you have to check to see that the session is still valid each time the user does something.  You could store the current time in the session and the database (for that user) when the user logs in.  Then compare the session to the database and if another login has occurred, then the session time and db time won't match.
0
 

Author Comment

by:davegaurav999
ID: 8192869
Thanks for your help, but what I wanted to ask in the first question was not the pros and cons of session variables in general (as given in the link suggested by you). There are two ways of managing sessions in ColdFusion MX: one is the old way of managing it using CFID and CFTOKEN. The other way, introduced in MX, is through the use of JSESSIONID. I am using the latter one because it makes the session expire as soon as the browser is closed and doesn't use client-side cookies. I just wanted to know if there are any inherent disadvantages of using JSESSIONID (J2EE Session Variables).

Can you please elaborate/give some code example regarding the second question?
0
 
LVL 11

Expert Comment

by:hart
ID: 8192995
use temporary cookies in cfm, these will be expired as soon as you close the browser. (About J2ee variables i am not so sure, so can't comment on it)

now secondly you want to check for simultaneous login.
Keep a field in database with Online (Y/N)

As soon as a user logs in store his ip and online as Y.
Now if some other user tries to login with the same username then check whether the online status is Y or not and do appropriate actions.

To notify the first user keep a file that executes every 1 minute or less, to check this user's online status.

As soon as it becomes N alert him.

Hope this logic helps

Regards
Harish(Hart)
0
 
LVL 17

Expert Comment

by:anandkp
ID: 8193019
abt preventing simultaneous logins - what i cld do is have a flag in the user table

everytime when u validate a user - while loggin in .. if authenticated set the "loggedin" flag to 'Y'

& when the user logs off - set the flag again to "N"

using this flag - u cld determine if the user is already logged in or not [when he tries to login from some other place & a appropriate msg can be generated]

K'Rgds
Anand
0
 

Author Comment

by:davegaurav999
ID: 8193432
Thanks for your replies. I actually tried using a flag in database (and then in an application scope variable) for identifying user status (logged in/logged out). I can change it when the user logs in. I can also change it when the user logs out BY CLICKING ON "LOGOUT" link. But how do I trap the "Logout" event when the user closes his browser? (remember, I am also ending a session when a user closes his browser) In ASP, we have a handler for session start and end, but in ColdFusion we do not have any such handlers.
0
 

Expert Comment

by:demarco
ID: 8193809
hmm cant you use javascript to capture this ?
Ie check a time out var to a js window

<cfparam name="Attributes.Hours" default=0>
<cfparam name="Attributes.Minutes" default=0>
<cfparam name="Attributes.Seconds" default=0>
<cfparam name="Attributes.LogoutLocation" default="yoururl">
<cfparam name="Attributes.ProcessInline" default="Yes">


<script language="JavaScript" type="text/javascript">
<!--
var secondToPercent = ((60/100)*100);
var percentToSecond = ((100/60)*.01);
var logoutTimeInMinutes = <cfoutput>(#Attributes.Hours# * 60) + #Attributes.Minutes# + (#Attributes.Seconds# * percentToSecond)</cfoutput>;
var minutes;
var seconds;
var message;

function AutoLogout(){
     if (logoutTimeInMinutes <= 0){
          window.location = "<cfoutput>#Attributes.LogoutLocation#</cfoutput>";
     } else {
          minutes = parseInt(logoutTimeInMinutes);
          seconds = Math.round((logoutTimeInMinutes - minutes) * secondToPercent);
          if (minutes.toString().length == 1){ minutes = "0" + minutes.toString(); }
          if (seconds.toString().length == 1){ seconds = "0" + seconds.toString(); }
          if (seconds < 0) { message = "Expired"; } else { message = minutes + ":" + seconds; }
          window.status = message;
          logoutTimeInMinutes = logoutTimeInMinutes - (1*percentToSecond);
          setTimeout("AutoLogout()",1000);
     }
}

<cfif Attributes.ProcessInline EQ "Yes">
AutoLogout();
</cfif>
//-->
</script>

as for closing the browser

<SCRIPT FOR=window EVENT=onbeforeunload LANGUAGE="JAVASCRIPT">
   
    if (refresh_clicked == 'no')
        window.open('logout.cfm','logout_href',
        'toolbar=no,scrollbars=no,resizable=no,' +
        'width=635,height=300,menubar=no,location=no');
  </SCRIPT>
0
 

Expert Comment

by:demarco
ID: 8193819
sorry yes on closing the browser you redirect them to the logout

  <HTML>
  <HEAD>
  <SCRIPT LANGUAGE="JavaScript">
    // Defining variables.
    var refresh_clicked = 'no';
 
    // This function is called when the user press the 'refresh Page' button.
    function Refresher() {
    refresh_clicked = 'yes';
    location.reload();
    }
  </SCRIPT>    

  <SCRIPT FOR=window EVENT=onbeforeunload LANGUAGE="JAVASCRIPT">
    // On window close , this will logout the user.
    // If the user has pressed the 'Refresh Page' button, then this will be ignored.
    if (refresh_clicked == 'no')
        window.open('logout.cfm','logout_href',
        'toolbar=no,scrollbars=no,resizable=no,' +
        'width=635,height=300,menubar=no,location=no');
  </SCRIPT>
         
  </HEAD>

  <BODY onKeyDown="KeyPress(window.event.keyCode);">

  <INPUT TYPE="BUTTON" VALUE="   Refresh Page   " 
            onClick="if (confirm ('Are you sure? This will erase all information previously entered.')) Refresher();">

  <!-- ...(SNIP)... -->

  </BODY>

  </HTML>

--- I knew i had that snippet ;)
0
 
LVL 11

Expert Comment

by:hart
ID: 8193938
demarco's solution is fine.

but u can try this out too.

In the body tag write OnUnload="callme()"

in the javascript function pop up an small window.

In this window check for the existence of the parent window.

That is by checking window.opener. any property.

and catch the error in javascript try catch block.

If error is thrown then logoff the user and close the pop up or show a smiling face :-), just kidding.

And if it doesn't (error doesn't occur) that means you do not require logoff the user, just close the pop up.

This has to be done because onunload event is fired when you explicitly refresh the page.

I hope demarco agrees with me :-)

<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript">
    <!--
     var flag;
     <CFIF FINDNOCASE("MSIE",HTTP_USER_AGENT) EQ 0>    
          window.onerror = function changeurl (){alert(here);return false;window.location.url = 'CheckLogout.cfm?Logout=Y';flag = 'N';};
          window.opener.location.reload();          
          flag = 'Y';
     <CFELSE>
          try
          {
               window.opener.location.reload();          
               flag = 'Y';
          }
          catch(exception)
          {
               window.location = 'CheckLogout.cfm?Logout=Y';              
               flag = 'N';
          }              
     </CFIF>
     if (flag == 'Y')
     {
          window.close();
     }
    //-->
    </SCRIPT>    

hope this helps

Regards
Hart(harish)
0
 
LVL 11

Expert Comment

by:hart
ID: 8193968
i am sorry but a small correction for the above code

<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript">  
<!--    
var flag;

function callme()
{
         try
         {
              window.opener.location.reload();          
              flag = 'Y';
         }
         catch(exception)
         {
              window.location = 'CheckLogout.cfm?Logout=Y';              
              flag = 'N';
         }

if (flag == 'Y')
    {
         window.close();
    }

}
//-->  
</SCRIPT>    



0
 

Expert Comment

by:demarco
ID: 8193969
yup i agree
OnUnload="callme()"  is another perfectly valid method
 
the refresh is accounted for in mine too :)
To be honest I have only used mine for larger sites where I stored the login details as a client var struct and used that. I personally find Session vars a very poor way of handling login security issues


0
 
LVL 10

Expert Comment

by:substand
ID: 8216295
first off, J2EE does result in a client side cookie.  it may not store all the session variables in cookies, but at the very least, it stores a sessionID in a cookie.  Without cookies, there is no other way to tell what user is hitting your pages if you are using a session.  However, J2EE does not use "persistent cookies."

There are not really any performance efficiency issues that differ between the two.  Perhaps a couple of bytes difference in reading the different cookies exist, but unless you are using 2400 baud modems or less, that shouldn't make a difference.

To answer your first question, Macromedia defines the advantages (and mentions no disadvantages) of using J2EE as follows:

J2EE session management has the following advantages:

Enables the sharing of session information between ColdFusion pages and Java Server Pages (JSP) and servlets
Strengthens session security with a unique, per-session variable
Allows session termination without the loss of the client identification cookies (CFID/CFTOKEN) or Client management
J2EE session management uses a new variable, called the JSESSIONID, to track a user's browser session instead of the CFID/CFTOKEN pair. The JSESSIONID variable is available to JSPs and Servlets. A new JSESSIONID is always created at the start of each browser session. Because it is always written as a per-session value which is destroyed when the browser is closed, all session variables are also destroyed when the browser session ends.

The addition of the JSESSIONID not only extends the J2EE functionality but it also strengthens ColdFusion session management. Traditionally, ColdFusion creates the CFID/CFTOKEN as persistent cookies by default. However, the JSESSIONID is always created as a non-persistent cookie. Refer to ColdFusion (All Versions): How to write ColdFusion session variables as per-session cookies for more details. Refer to ColdFusion (All versions): How to guarantee unique CFToken values to ensure that the CFTOKEN identifier is unique.

Although JSESSIONID replaces CFID/CFTOKEN as the SESSION.SESSIONID, ColdFusion MX still creates the CFID and CFTOKEN values for tracking client information. This enables secure manipulation of client-scoped variables. J2EE session management does not require an Application name, so the SESSION.SESSIONID value becomes the JSESSIONID. Because CFID and CFTOKEN are no longer used as session identifiers, SESSION.CFID and SESSION.CFTOKEN do not exist in the SESSION scope. However, the combination of CFID, CFTOKEN, and JSESSIONID comprise the SESSION.URLToken (CFID=idNum&CFTOKEN=tokenNum&JSESSION=jsessionID). When using client management, ColdFusion server appends the JSESSIONID to the CFID and CFTOKEN values in the CLIENT.URLToken (CFID=idNum&CFTOKEN=tokenNum&JSESSION=jsessionID).

To answer your second question, you should do something similar to what anandkp said, namely, use a flag in the user table.  However, you will need to use 3 columns for this flag, as 3 things are required.

here are the specs:

column 1= isUserLoggedIn (boolean)
column 2= loggedInIP (varchar 15)
column 3= didAnotherUserLogin (boolean)

then when someone logs in you do the following:

1) check the login table.  if isUserLoggedIn is false, login normally. (of course you'll need to make sure the credentials are correct as well) also, set the loggedInIP=#cgi.REMOTE_ADDR#

2) if isUserLoggedIn is true, log in as normal, but do not change the loggedInIP.  Instead, set didAnotherUserLogin to true.

3) on each page (ie, put this in the application.cfm file) check the following:

<!--- select * or just the columns you need --->
<cfquery name="check" datasource="dsn">
select * from usertable
where userID=#session.userid#
</cfquery>
<cfif check.didAnotherUserLogin and check.loggedInIP is cgi.REMOTE_ADDR>
<!--- this means another user logged in and I need to exit --->
<!--- cancel this session and set loggedInIP=null and isUserLoggedIn=null (or some other sentinel besides null, that you know the value should never really be) --->
</cfif>

<cfif check.didAnotherUserLogin and check.isUserLoggedIn is "">
<!--- a null column comes back as "" --->
<!--- update the table to set didAnotherUserLogin=false, isUserLoggedIn=true and loggedInIP=#cgi.REMOTE_ADDR# --->
</cfif>


now you have coordinated the 2 users.  If they are logged in from 2 places at once, the first one who logged in will be logged off after going to another page, and the 2nd who logged in will be "logged on"

 









 query (after a successful login and on each page):

<cfquery name="chk" datasource="datasourcename">
select didAnotherUserLogin
</cfquery>
0
 
LVL 10

Expert Comment

by:substand
ID: 8216341
sorry, i was thinking/typing out loud to myself, so ignore that last bit:
----------------------------------
query (after a successful login and on each page):

<cfquery name="chk" datasource="datasourcename">
select didAnotherUserLogin
</cfquery>
----------------------------------

another way you could do question 2 is by using application scope variables.

for instance you could have:

application.userlist
application.iplist

which are lists of current users logged in and their ip addresses.

when a user logs in, check to see if their id is in application.userlist.  if it exists, get the listindex and copy their ip to the corresponding spot in application.iplist.  if not, append their id and ip to the respective lists.

in your application.cfm file you can check each time a page is loaded to see

<cfset who_am_i=listfind(application.userlist, session.userid)>

then

<cfif listgetat(application.iplist,who_am_i) is not cgi.remote_addr>

invalidate this session

</cfif>


that should do the same thing, but make it easier to implement.  you just need to make sure you manage everything ok.


0
 

Author Comment

by:davegaurav999
ID: 8223069
Thanks to all for your help.

Hart, I have one question regarding your following comment:

"In this window check for the existence of the parent window.That is by chceking window.opener. any property.and catch the error in javascript try catch block.If error is thrown then logoff the user and close the pop up or show a smiling face :-), just kidding.And if it doesn't (error doesn't ocurr) that means you do not require logoff the user, just close the pop up.This has to be done because onunload event is fired when you explicitly refresh the page."

With reference to the above, I would like to know whether I can check, WITHOUT opening a popup window, that the function in onunload is fired because of Refresh or Close? Then I will open a window ONLY if the event is fired because of closing the browser.

0
 

Author Comment

by:davegaurav999
ID: 8223102
demarco, how is refresh accounted for in your example?
0
 
LVL 1

Expert Comment

by:jladams97
ID: 8223427
davegaurav999--

One issue associated with JSESSIONID as well as CFID and CFTOKEN is that if a user gives his session information to someone else, that other person can use the information to access that user's session.  This would most commonly happen when a user had cookies turned off in his browser and the application was using the URLSessionFormat function to pass the session variable(s) as part of the URL.  In that situation, if the user copied and pasted from his address bar to an email, IM, or some such thing, he would be copying his session variable(s) information, too.  If you don't use URLSessionFormat and you don't ever directly write the session variable(s) to URLs, a user sure would have to work to share his session info!  But if he read the cookies and gave the info to someone who passed it in as a URL variable, I believe CFMX would have no way of detecting the dupe and I do not believe there is any way to prevent such shared use of session information.  However, substand's system looks like it will take care of your issue of preventing a user from logging in from multiple places at once because it validates the user's IP address.  Of course, users at a location where internal IP addresses were mapped via NAT to real Internet IP addresses could still thwart the system.

If you're not really concerned about people giving their session information to others, you could just write the JSESSIONID info to your database and check it on each page request instead of using the three flags.  Since a new JSESSIONID is created with each new session, a second login and writing of its JSESSIONID to the database would prevent the first login from having further access.

You've got your thumb on another issue--the server doesn't (and can't) keep tabs on the JSESSIONID cookie on the client side so it can't "detect" when the cookie is deleted--it has to be told.  It probably isn't really important that the server know when the client quits the session, but if you want to know, one approach to making that happen might go something like this (this is an untested approach):

1.  When the user logs in, use <cffile> to create a CFM page that contains the following:

<cfset StructDelete(Session, "SessionID")>
<cfset StructDelete(Session, "URLToken")>
<cfoutput>You have been logged out</cfoutput>

Name the page whatever the user's user name is, like jadams.cfm.

2.  Use the OnUnload event of the <body> tag to call the CFM file.

Josh
0
 
LVL 11

Expert Comment

by:hart
ID: 8223434
The main problem is that on refresh onunload event is fired. The solution given by me was just a simple way to catch logoff.

other way would be to do it using database flags.

Keep a small page in a corner (frame page) and keep on refreshing it using meta tag.
<META HTTP-EQUIV="Refresh" CONTENT="10">

this will refresh the page every 10 seconds, u could set it to 5 minutes (content="300").

And every 5 minutes update a field with date and time.
Say Log_Time (keep on updating every 5 minutes)

Also there will be a Online Date time field and Online field for storing date and time logged in and also Yes or No flag for online respectively.

Now there will be a scheduled file which will compare the Log_time with current time. If the difference is greater or equal to 8 minutes(for being on the safe side) and the online flag is Y then turn him Offline.

This is just a another solution, but the popping up of small box will be much simpler.

And it won't require scheduled files.

See u could always pop up a banner on a site if a user refreshes his browser (Onunload).

Also if he closes the browser, show different ad.

I can only suggest these two solutions, u can opt for any.

I think people do use applets to do logoff, but i am not aware how.

If you like my suggestions, then you know what to do :-)

Regards
Hart(Harish)
0
 
LVL 1

Expert Comment

by:jladams97
ID: 8223483
Addendum to my previous post:

Now that I think about it, you wouldn't have to use <cffile> to write a user-specific CFM file.  I was thinking that at first because I was thinking you might need to know the value of the user's JSESSIONID variable but you don't and so the code is generic.  So you could have the OnUnload event of the <body> tag call logout.cfm which would have this code in it:

<cfset StructDelete(Session, "SessionID")>
<cfset StructDelete(Session, "URLToken")>
<cfoutput>You have been logged out</cfoutput>

The file could of course also include any other CF commands you wanted to use to "clean up" after the end of the user's session.

Josh
0
 
LVL 11

Expert Comment

by:hart
ID: 8236478
hello did u get ur solution buddy??

let me know...

Regards
Hart(harish)
0
 

Expert Comment

by:demarco
ID: 8236926
For dave --

as i posted above in the js --

 <HTML>
 <HEAD>
 <SCRIPT LANGUAGE="JavaScript">
   // Defining variables.
   var refresh_clicked = 'no';
 
   // This function is called when the user press the 'refresh Page' button.
   function Refresher() {
   refresh_clicked = 'yes';
   location.reload();
   }
 </SCRIPT>    

 <SCRIPT FOR=window EVENT=onbeforeunload LANGUAGE="JAVASCRIPT">
   // On window close , this will logout the user.
   // If the user has pressed the 'Refresh Page' button, then this will be ignored.
   if (refresh_clicked == 'no')
       window.open('logout.cfm','logout_href',
       'toolbar=no,scrollbars=no,resizable=no,' +
       'width=635,height=300,menubar=no,location=no');
 </SCRIPT>
         
 </HEAD>

 <BODY onKeyDown="KeyPress(window.event.keyCode);">

 <INPUT TYPE="BUTTON" VALUE="   Refresh Page   " 
           onClick="if (confirm ('Are you sure? This will erase all information previously entered.')) Refresher();">

 <!-- ...(SNIP)... -->
0
 
LVL 11

Expert Comment

by:hart
ID: 8237023
with all due respect demarco, your refresher() function will only be called if you click on button "Refresh Page."

If i do f5 or say cntrl + R or Refresh button of the browser then your Refresher function will not be called.

hope all the other experts agree to this...

for catching key events like f5 you can do this in javascript.

----------------------------------------------------------
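<head>
<script language="javascript">
// One handler for both browsers: IE exposes the event as window.event,
// Netscape passes it to the handler as an argument.
function test(e)
{
  e = e || window.event;
  if(e.keyCode == 116)
  {
      // F5 was pressed - do anything
  }
}
// for Netscape: route keyup events to the handler
if (window.captureEvents) window.captureEvents(Event.KEYUP);
window.onkeyup = test;
</script>
</head>
<body onkeyup="test(event)">
</body>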
----------------------------------------------------------

But then therez cntrl + r so even this won't help daveagurav999, the unload event will be fired anywayz.

As per my suggestion the best is the pop up.
But may be some one else could have a concrete idea

If so then do share it..

Regards
Harish(hart)
0
 

Expert Comment

by:demarco
ID: 8237039
yup didnt think of the forced refresh
0
 

Author Comment

by:davegaurav999
ID: 8244106
For Hart--
Thanks for all your help. Can I trap F5 and Ctrl+R and thus detect Refresh? Is there any other way this can be done (other than programmatically through javascript, of course)? Then I need to account for that also. I am insisting on this because I want to avoid popup. I don't mind popping up a window and showing "You are being logged out....." or something like that but when it is just a page refresh, I don't think it's a good idea. Ideally, I want to check whether it is a refresh or window close BEFORE popping up a window.
0
 

Expert Comment

by:demarco
ID: 8244189
hmm this is an interesting point ,
and does reflect the issues in regard to using session vars , as I mentioned before using client vars would solve this issue as they are
You might also think of building a simple struct

In your app have

<CFIF IsDefined("Client.memberid")>

<cfset Client.UserLastVisit = now()>

<CFLOCK SCOPE="APPLICATION" THROWONTIMEOUT="No" TIMEOUT="10" TYPE="EXCLUSIVE">
<CFPARAM NAME="Application.OnlineUsers" DEFAULT="#StructNew()#">
<CFSET StructInsert(Application.OnlineUsers, Client.memberid, Client.UserLastVisit, True)>
</CFLOCK>


<CFLOCK SCOPE="APPLICATION" THROWONTIMEOUT="No" TIMEOUT="10" TYPE="EXCLUSIVE">

<CFLOOP COLLECTION="#Application.OnlineUsers#" ITEM="aUser">
<CFSET dtLastConnection = StructFind(Application.OnlineUsers, aUser)>

<CFIF DateDiff("h", dtLastConnection, Now()) GTE 4>
<CFSET StructDelete(Application.OnlineUsers, aUser)>
</CFIF>

</CFLOOP>
</CFLOCK>

</CFIF>

Then you have a structure that after login holds your "ONLINE" user  any login can be checked against this and you can use struct delete or delete cookies on browser close. etc  this will also stop f5 as the user id will exist in the struct and you can error trap that

 :)

0
 

Expert Comment

by:demarco
ID: 8244194
As you can see in my above code i also add a simple 4 hour time out
<CFIF DateDiff("h", dtLastConnection, Now()) GTE 4>
<CFSET StructDelete(Application.OnlineUsers, aUser)>
</CFIF>

but this can be left out or altered if you so require
0
 
LVL 11

Expert Comment

by:hart
ID: 8244356
sorry buddy,

i am not sure how to catch closure in the same window(page).

the main reason why you have a pop up is to catch the closure of the window.

This cannot be put in the same page.

because when the window is closed using the close window button the onunload is fired but it doesn't fire any exception.

For eg:

say if i keep a hidden field in the form and try to access the value every time the onunload event is fired.

It does not give an error even if the browser is closed.
If an exception could be fired while trying to access a form element only while closing then i would have got the solution, but i don't think it happens.

So the bottom line is i am through..
i don't have any further solutions..

(NB: you could consider the database time difference method specified by me earlier, if u don't want the pop up.)

All the best and hope u get a concrete solution..

Regards
Hart(harish)
0
 

Author Comment

by:davegaurav999
ID: 8244870
Thanks hart.
demarco --
I am already maintaining a list (instead of a structure) of logged in users and their respective login time. I can delete appropriate entries from it when the user logs out by clicking on "Logout". But the problem is that how do I delete the entry from the list when the user just closes the browser (without explicitly logging out)? I am using JSESSIONID which doesn't use any cookies otherwise I can make them expire on browser close. One solution that I could think of was to run a scheduled task every xx minutes and check the login time of every entry in the list and delete entries where login time is before sessiontimeout period. But this is not very efficient as you can see. Also, it leaves a liiiiiiiitle loophole. Is there a better solution?
0
 
LVL 1

Accepted Solution

by:
jladams97 earned 1500 total points
ID: 8247102
JSESSIONID does use cookies by default although it optionally can work with a browser with cookies turned off but only if you explicitly add it to all of the links in the pages you send to your customer's browsers (the easiest way to do this is with URLSessionFormat).  More info is in my previous posts and also in the CF documentation.  The most basic point you need to understand is that a browser interacting with a server is a stateless system and so without the client browser sending the server an identifier with each request, the server cannot track the client browser.  This identifier has to be sent in one of three ways:  as a URL parameter, as a value from a cookie, or as a form submission.  Since it is unlikely a user will be able to navigate through your site purely by submitting forms, it is unlikely you can track him via an identifier submitted as a form value.  So you then need to use either a URL parameter or a cookie value.  JSESSIONID as well as CFID and CFTOKEN can work via either method, but they work via cookies by default.

As to how you delete a user from the list when the client closes the browser:  you can't.  This is due again to the stateless nature of the interaction of the server and the client.  After the server sends a page to the client, the server ceases to know anything about the state of the client until the client next sends a request to the server.  If the client never sends such a request, the server never knows anything definitive about said client.  And that's exactly why session variables timeout--the idea is that if the server doesn't hear something in a certain amount of time, it assumes the client is no longer interacting with it.

The only way that I can think that you might possibly be able to get the client browser to let you know when it closes is if there is some way you can use the OnUnload() event of the <body> tag to fire off a communication to your server.  I honestly haven't read many of the other posts in this thread well enough to know if they've given a way to do this but in my simple testing, the OnUnload() event won't allow the firing off of a communication to the server.  Note that even if you can find a way to accomplish this task, if the user wants to prevent his browser from sending you a notification that his browser has closed, he can easily do that, if only by turning off JavaScript in his browser or even disconnecting his Internet connection.

If you can find a way to fire off a communication to your server when the browser is closed and the user allows that communication to go out, you'll want to somehow send the now closed (or at least closing) browser's JSESSIONID to the server for processing.  You might do that using URL parameters or you might do it as a submission of a form using a hidden form like this one:

<form name="BrowserClosed" action="browserclosed.cfm">
<input type="hidden" name="JSESSIONID" value="#Session.JSESSIONID#">
</form>

Just keep in mind that at best you're going to be able to get an approximation of what you actually want.  What you actually want is a constant, two-way connection on which either party is immediately notified of the connection being broken (for analogy purposes, think of a phone call).  That just doesn't exist between a browser and a server.  I know that's a bad thing for you here but realize that overall it is a very good thing and the system was designed that way on purpose.  The reason?  Much less bandwidth usage!

Josh
0
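
jladams97's suggestion of writing the JSESSIONID to the database, combined with the idle timeout described in the accepted solution, as an added example that is not code from any poster in this thread. The `activeSessionID` and `lastSeen` columns, the `verifiedUserID` variable, the integer type of `userID` and the 20-minute window are assumptions; `usertable`, `userID` and the `dsn` datasource follow substand's post.

```cfml
<!--- ================= login.cfm ================= --->
<!--- Runs only after the username/password check has succeeded.
      Assumption: verifiedUserID holds the integer id of that account.
      With J2EE session management, session.sessionid is the JSESSIONID. --->
<cfquery datasource="dsn">
    UPDATE usertable
    SET    activeSessionID = <cfqueryparam value="#session.sessionid#" cfsqltype="cf_sql_varchar">,
           lastSeen        = <cfqueryparam value="#Now()#" cfsqltype="cf_sql_timestamp">
    WHERE  userID          = <cfqueryparam value="#verifiedUserID#" cfsqltype="cf_sql_integer">
</cfquery>
<!--- That single UPDATE records this login and displaces any earlier one:
      the older browser still holds its own JSESSIONID, which no longer matches. --->
<cfset session.userid = verifiedUserID>


<!--- ============== Application.cfm ============== --->
<!--- Runs before every page. No IP comparison (so NAT and proxies do not
      matter) and no reliance on onunload or popups. --->
<cfset idleMinutes = 20>
<cfif StructKeyExists(session, "userid")>
    <cfquery name="chk" datasource="dsn">
        SELECT activeSessionID, lastSeen
        FROM   usertable
        WHERE  userID = <cfqueryparam value="#session.userid#" cfsqltype="cf_sql_integer">
    </cfquery>

    <cfset stillActive = false>
    <cfif chk.recordcount EQ 1 AND IsDate(chk.lastSeen)>
        <!--- Compare() is case-sensitive; a NULL column arrives as "" and never matches. --->
        <cfif Compare(chk.activeSessionID, session.sessionid) EQ 0
              AND DateDiff("n", chk.lastSeen, Now()) LT idleMinutes>
            <cfset stillActive = true>
        </cfif>
    </cfif>

    <cfif stillActive>
        <!--- Heartbeat: only the session that currently owns the account may refresh it. --->
        <cfquery datasource="dsn">
            UPDATE usertable
            SET    lastSeen = <cfqueryparam value="#Now()#" cfsqltype="cf_sql_timestamp">
            WHERE  userID          = <cfqueryparam value="#session.userid#" cfsqltype="cf_sql_integer">
            AND    activeSessionID = <cfqueryparam value="#session.sessionid#" cfsqltype="cf_sql_varchar">
        </cfquery>
    <cfelse>
        <!--- Superseded by a newer login, or idle too long: drop the login state. --->
        <cfset StructDelete(session, "userid")>
        <cflocation url="login.cfm" addtoken="No">
    </cfif>
</cfif>


<!--- ================= logout.cfm ================ --->
<!--- Explicit logout releases the account only if this session still owns it. --->
<cfif StructKeyExists(session, "userid")>
    <cfquery datasource="dsn">
        UPDATE usertable
        SET    activeSessionID = NULL
        WHERE  userID          = <cfqueryparam value="#session.userid#" cfsqltype="cf_sql_integer">
        AND    activeSessionID = <cfqueryparam value="#session.sessionid#" cfsqltype="cf_sql_varchar">
    </cfquery>
    <cfset StructDelete(session, "userid")>
</cfif>
```

A browser that is closed without logging out leaves a stale row behind, but no scheduled cleanup is needed: the row stops validating once `lastSeen` is older than the idle window, and the next login for that account overwrites it.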
 
LVL 10

Expert Comment

by:substand
ID: 8247126
you could do like a temp logout, where in the "onunload" event, you log them out, and on the load event you log them back in.

this would have the effect of
1) making sure the user is logged out when the browser closes
2) making sure the user is logged out when they leave your app and go to another site.

0
 
LVL 11

Expert Comment

by:hart
ID: 8251133
With all due respect substand your solution could cause hassles.

i don't think i will need to explain how.
Just think about it..

Regards
Hart



0
 

Author Comment

by:davegaurav999
ID: 8252135
Thanks to everyone for helping out. Special regards to demarco and harish.
0
 
LVL 1

Expert Comment

by:jladams97
ID: 8254825
Thanks, davegaurav99, for my first Expert Points!  :)  I appreciate them very much!  :)  I know that the info I gave you wasn't exactly what you wanted to hear but hopefully it did help.

Thanks,
Josh
0
 
LVL 10

Expert Comment

by:substand
ID: 8258081
hart:  not trying to be a smartass, but i can't think of any unless you mean you'd have to put it on every page.. but that would be solved by placing the body tag in the application.cfm file, so i don't think thats what you mean...???

let me know what you are thinking of.
0
 

Expert Comment

by:demarco
ID: 8259599
Cheers - davegaurav999

It certainly was an interesting problem
and I'm also glad of a workable solution for this as well -- -- cheers jladams97  
0
 
LVL 11

Expert Comment

by:hart
ID: 8259692
no offense substand, but if you are making a person log in then i think he must be doing it using some username and password clarifications.

now as per your solution, you said to log him off temporarily when he refreshes.

onunload you log him off then how are u going to trace who it was onload.. (then again you have to go with temporary flags and all which would be a hassle.)

just think about it..

Also if my comments are in any ways upsetting you, then i am sorry..


Regards
Hart
0
