Prevent simultaneous logins

I am using J2EE Session Variables for session handling in my application - mainly because it doesn't set cookies on client side and the session expires when browser is closed. (We have to explicitly code for achieving this functionality if we are using CFID & CFTOKEN sessions.) I have two questions:
1) Are there any disadvantages of using J2EE Session Variables?
2) How can I prevent multiple logins with the same userID from two different locations? The first signed in user should be logged off when he tries to login from another place.
davegaurav999Asked:

cdillonCommented:
This is for asp, but still applicable

1) http://www.4guysfromrolla.com/webtech/092098-2.shtml 

2) you need some session to session communication to do that, otherwise how will one session know that the other exists?  One way is through the database, but you have to check to see that the session is still valid each time the user does something.  You could store the current time in the session and the database (for that user) when the user logs in.  Then compare the session to the database and if another login has occurred, then the session time and db time won't match.
0
davegaurav999Author Commented:
Thanks for your help, but what I wanted to ask in the first question was not the pros and cons of session variables in general (as given in the link suggested by you). There are two ways of managing sessions in ColdFusion MX: one is the old way of managing it using CFID and CFTOKEN. The other way, introduced in MX, is through the use of JSESSIONID. I am using the latter one because it makes the session expire as soon as the browser is closed and doesn't use client-side cookies. I just wanted to know if there are any inherent disadvantages of using JSESSIONID (J2EE Session Variables).

Can you please elaborate/give some code example regarding the second question?
0
hartCommented:
use temporary cookies in cfm, these will be expired as soon as you close the browser. (About J2ee variables i am not so sure, so can't comment on it)

now secondly you want to check for simultaneous login.
Keep a field in database with Online (Y/N)

As soon as a user logs in store his ip and online as Y.
Now if some other user tries to login with the same username then check whether the online status is Y or not and do appropriate actions.

To notify the first user keep a file that executes every 1 minute or less, to check this user's online status.

As soon as it becomes N alert him.

Hope this logic helps

Regards
Harish(Hart)
0

anandkpCommented:
abt preventing simultaneous logins - what i cld do is have a flag in the user table

everytime when u validate a user - while logging in .. if authenticated set the "loggedin" flag to 'Y'

& when the user logs off - set the flag again to "N"

using this flag - u cld determine if the user is already logged in or not [when he tries to login from some other place & an appropriate msg can be generated]

K'Rgds
Anand
0
davegaurav999Author Commented:
Thanks for your replies. I actually tried using a flag in database (and then in an application scope variable) for identifying user status (logged in/logged out). I can change it when the user logs in. I can also change it when the user logs out BY CLICKING ON "LOGOUT" link. But how do I trap the "Logout" event when the user closes his browser? (remember, I am also ending a session when a user closes his browser) In ASP, we have a handler for session start and end, but in ColdFusion we do not have any such handlers.
0
demarcoCommented:
hmm cant you use javascript to capture this ?
Ie check a time out var to a js window

<cfparam name="Attributes.Hours" default=0>
<cfparam name="Attributes.Minutes" default=0>
<cfparam name="Attributes.Seconds" default=0>
<cfparam name="Attributes.LogoutLocation" default="yoururl">
<cfparam name="Attributes.ProcessInline" default="Yes">


<script language="JavaScript" type="text/javascript">
<!--
var secondToPercent = ((60/100)*100);
var percentToSecond = ((100/60)*.01);
var logoutTimeInMinutes = <cfoutput>(#Attributes.Hours# * 60) + #Attributes.Minutes# + (#Attributes.Seconds# * percentToSecond)</cfoutput>;
var minutes;
var seconds;
var message;

function AutoLogout(){
     if (logoutTimeInMinutes <= 0){
          window.location = "<cfoutput>#Attributes.LogoutLocation#</cfoutput>";
     } else {
          minutes = parseInt(logoutTimeInMinutes);
          seconds = Math.round((logoutTimeInMinutes - minutes) * secondToPercent);
          if (minutes.toString().length == 1){ minutes = "0" + minutes.toString(); }
          if (seconds.toString().length == 1){ seconds = "0" + seconds.toString(); }
          if (seconds < 0) { message = "Expired"; } else { message = minutes + ":" + seconds; }
          window.status = message;
          logoutTimeInMinutes = logoutTimeInMinutes - (1*percentToSecond);
          setTimeout("AutoLogout()",1000);
     }
}

<cfif Attributes.ProcessInline EQ "Yes">
AutoLogout();
</cfif>
//-->
</script>

as for closing the browser

<SCRIPT FOR=window EVENT=onbeforeunload LANGUAGE="JAVASCRIPT">
    // The features string cannot contain a line break, so it is concatenated.
    if (refresh_clicked == 'no')
        window.open('logout.cfm','logout_href',
        'toolbar=no,scrollbars=no,resizable=no,' +
        'width=635,height=300,menubar=no,location=no');
  </SCRIPT>
0
demarcoCommented:
sorry yes on closing the browser you redirect them to the logout

  <HTML>
  <HEAD>
  <SCRIPT LANGUAGE="JavaScript">
    // Defining variables.
    var refresh_clicked = 'no';
 
    // This function is called when the user press the 'refresh Page' button.
    function Refresher() {
    refresh_clicked = 'yes';
    location.reload();
    }
  </SCRIPT>    

  <SCRIPT FOR=window EVENT=onbeforeunload LANGUAGE="JAVASCRIPT">
    // On window close, this will logout the user.
    // If the user has pressed the 'Refresh Page' button, then this will be ignored.
    // The features string cannot contain a line break, so it is concatenated.
    if (refresh_clicked == 'no')
        window.open('logout.cfm','logout_href',
        'toolbar=no,scrollbars=no,resizable=no,' +
        'width=635,height=300,menubar=no,location=no');
  </SCRIPT>
         
  </HEAD>

  <BODY onKeyDown="KeyPress(window.event.keyCode);">

  <INPUT TYPE="BUTTON" VALUE="   Refresh Page   " 
            onClick="if (confirm ('Are you sure? This will erase all information previously entered.')) Refresher();">

  <!-- ...(SNIP)... -->

  </BODY>

  </HTML>

--- I knew i had that snippet ;)
0
hartCommented:
demarco's solution is fine.

but u can try this out too.

In the body tag write OnUnload="callme()"

in the javascript function pop up an small window.

In this window check for the existence of the parent window.

That is by checking window.opener. any property.

and catch the error in javascript try catch block.

If error is thrown then logoff the user and close the pop up or show a smiling face :-), just kidding.

And if it doesn't (error doesn't occur) that means you do not require logoff the user, just close the pop up.

This has to be done because onunload event is fired when you explicitly refresh the page.

I hope demarco agrees with me :-)

<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript">
    <!--
     var flag;
     <CFIF FINDNOCASE("MSIE",HTTP_USER_AGENT) EQ 0>    
          window.onerror = function changeurl (){alert(here);return false;window.location.url = 'CheckLogout.cfm?Logout=Y';flag = 'N';};
          window.opener.location.reload();          
          flag = 'Y';
     <CFELSE>
          try
          {
               window.opener.location.reload();          
               flag = 'Y';
          }
          catch(exception)
          {
               window.location = 'CheckLogout.cfm?Logout=Y';              
               flag = 'N';
          }              
     </CFIF>
     if (flag == 'Y')
     {
          window.close();
     }
    //-->
    </SCRIPT>    

hope this helps

Regards
Hart(harish)
0
hartCommented:
i am sorry but a small correction for the above code

<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript">  
<!--    
var flag;

function callme()
{
         try
         {
              window.opener.location.reload();          
              flag = 'Y';
         }
         catch(exception)
         {
              window.location = 'CheckLogout.cfm?Logout=Y';              
              flag = 'N';
         }

if (flag == 'Y')
    {
         window.close();
    }

}
//-->  
</SCRIPT>    



0
demarcoCommented:
yup i agree
OnUnload="callme()"  is another perfectly valid method
 
the refresh is accounted for in mine too :)
To be honest I have only used mine for larger sites where I stored the login details as a client var struct and used that. I personally find Session vars a very poor way of handling login security issues


0
substandCommented:
first off, J2EE does result in a client side cookie.  it may not store all the session variables in cookies, but at the very least, it stores a sessionID in a cookie.  Without cookies, there is no other way to tell what user is hitting your pages if you are using a session.  However, J2EE does not use "persistent cookies."

There are not really any performance efficiency issues that differ between the two.  Perhaps a couple of bytes difference in reading the different cookies exist, but unless you are using 2400 baud modems or less, that shouldn't make a difference.

To answer your first question, Macromedia defines the advantages (and mentions no disadvantages) of using J2EE as follows:

J2EE session management has the following advantages:

Enables the sharing of session information between ColdFusion pages and Java Server Pages (JSP) and servlets
Strengthens session security with a unique, per-session variable
Allows session termination without the loss of the client identification cookies (CFID/CFTOKEN) or Client management
J2EE session management uses a new variable, called the JSESSIONID, to track a user's browser session instead of the CFID/CFTOKEN pair. The JSESSIONID variable is available to JSPs and Servlets. A new JSESSIONID is always created at the start of each browser session. Because it is always written as a per-session value which is destroyed when the browser is closed, all session variables are also destroyed when the browser session ends.

The addition of the JSESSIONID not only extends the J2EE functionality but it also strengthens ColdFusion session management. Traditionally, ColdFusion creates the CFID/CFTOKEN as persistent cookies by default. However, the JSESSIONID is always created as a non-persistent cookie. Refer to ColdFusion (All Versions): How to write ColdFusion session variables as per-session cookies for more details. Refer to ColdFusion (All versions): How to guarantee unique CFToken values to ensure that the CFTOKEN identifier is unique.

Although JSESSIONID replaces CFID/CFTOKEN as the SESSION.SESSIONID, ColdFusion MX still creates the CFID and CFTOKEN values for tracking client information. This enables secure manipulation of client-scoped variables. J2EE session management does not require an Application name, so the SESSION.SESSIONID value becomes the JSESSIONID. Because CFID and CFTOKEN are no longer used as session identifiers, SESSION.CFID and SESSION.CFTOKEN do not exist in the SESSION scope. However, the combination of CFID, CFTOKEN, and JSESSIONID comprise the SESSION.URLToken (CFID=idNum&CFTOKEN=tokenNum&JSESSION=jsessionID). When using client management, ColdFusion server appends the JSESSIONID to the CFID and CFTOKEN values in the CLIENT.URLToken (CFID=idNum&CFTOKEN=tokenNum&JSESSION=jsessionID).

To answer your second question, you should do something similar to what anandkp said, namely, use a flag in the user table.  However, you will need to use 3 columns for this flag, as 3 things are required.

here are the specs:

column 1= isUserLoggedIn (boolean)
column 2= loggedInIP (varchar 15)
column 3= didAnotherUserLogin (boolean)

then when someone logs in you do the following:

1) check the login table.  if isUserLoggedIn is false, login normally. (of course you'll need to make sure the credentials are correct as well) also, set the loggedInIP=#cgi.REMOTE_ADDR#

2) if isUserLoggedIn is true, log in as normal, but do not change the loggedInIP.  Instead, set didAnotherUserLogin to true.

3) on each page (ie, put this in the application.cfm file) check the following:

<cfquery name="check" datasource="dsn">
select * from usertable
where userID=<cfqueryparam value="#session.userid#" cfsqltype="cf_sql_integer">
</cfquery>
<!--- select * can be narrowed to whatever you need; cf_sql_integer assumes a numeric userID --->
<cfif check.didAnotherUserLogin and check.loggedInIP is cgi.REMOTE_ADDR>
<!--- this means another user logged in and I need to exit --->
<!--- cancel this session and set loggedInIP=null and isUserLoggedIn=null (or some other sentinel besides null, that you know the value should never really be) --->
</cfif>

<cfif check.didAnotherUserLogin and check.isUserLoggedIn is "">
<!--- a null column comes back from the query as "" --->
<!--- update the table to set didAnotherUserLogin=false, isUserLoggedIn=true and loggedinIp=#cgi.REMOTE_ADDR# --->
</cfif>


now you have coordinated the 2 users.  If they are logged in from 2 places at once, the first one who logged in will be logged off after going to another page, and the 2nd who logged in will be "logged on"

 









 query (after a successful login and on each page):

<cfquery name="chk" datasource="datasourcename">
select didAnotherUserLogin
</cfquery>
0
substandCommented:
sorry, i was thinking/typing out loud to myself, so ignore that last bit:
----------------------------------
query (after a successful login and on each page):

<cfquery name="chk" datasource="datasourcename">
select didAnotherUserLogin
</cfquery>
----------------------------------

another way you could do question 2 is by using application scope variables.

for instance you could have:

application.userlist
application.iplist

which are lists of current users logged in and their ip addresses.

when a user logs in, check to see if their id is in application.userlist.  if it exists, get the listindex and copy their ip to the corresponding spot in application.iplist.  if not, append their id and ip to the respective lists.

in your application.cfm file you can check each time a page is loaded to see

<cfset who_am_i=listfind(application.userlist, session.userid)>

then

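<!--- who_am_i is 0 when the user is not in the list; listgetat would throw on position 0 --->
<cfif who_am_i is 0 or listgetat(application.iplist,who_am_i) is not cgi.remote_addr>

<!--- invalidate this session --->

</cfif>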


that should do the same thing, but make it easier to implement.  you just need to make sure you manage everything ok.


0
davegaurav999Author Commented:
Thanks to all for your help.

Hart, I have one question regarding your following comment:

"In this window check for the existence of the parent window. That is by checking window.opener. any property. and catch the error in javascript try catch block. If error is thrown then logoff the user and close the pop up or show a smiling face :-), just kidding. And if it doesn't (error doesn't occur) that means you do not require logoff the user, just close the pop up. This has to be done because onunload event is fired when you explicitly refresh the page."

With reference to the above, I would like to know whether I can check, WITHOUT opening a popup window, that the function in onunload is fired because of Refresh or Close? Then I will open a window ONLY if the event is fired because of closing the browser.

0
davegaurav999Author Commented:
demarco, how is refresh accounted for in your example?
0
jladams97Commented:
davegaurav999--

One issue associated with JSESSIONID as well as CFID and CFTOKEN is that if a user gives his session information to someone else, that other person can use the information to access that user's session.  This would most commonly happen when a user had cookies turned off in his browser and the application was using the URLSessionFormat function to pass the session variable(s) as part of the URL.  In that situation, if the user copied and pasted from his address bar to an email, IM, or some such thing, he would be copying his session variable(s) information, too.  If you don't use URLSessionFormat and you don't ever directly write the session variable(s) to URLs, a user sure would have to work to share his session info!  But if he read the cookies and gave the info to someone who passed it in as a URL variable, I believe CFMX would have no way of detecting the dupe and I do not believe there is any way to prevent such shared use of session information.  However, substand's system looks like it will take care of your issue of preventing a user from logging in from multiple places at once because it validates the user's IP address.  Of course, users at a location where internal IP addresses were mapped via NAT to real Internet IP addresses could still thwart the system.

If you're not really concerned about people giving their session information to others, you could just write the JSESSIONID info to your database and check it on each page request instead of using the three flags.  Since a new JSESSIONID is created with each new session, a second login and writing of its JSESSIONID to the database would prevent the first login from having further access.

You've got your thumb on another issue--the server doesn't (and can't) keep tabs on the JSESSIONID cookie on the client side so it can't "detect" when the cookie is deleted--it has to be told.  It probably isn't really important that the server know when the client quits the session, but if you want to know, one approach to making that happen might go something like this (this is an untested approach):

1.  When the user logs in, use <cffile> to create a CFM page that contains the following:

<cfset StructDelete(Session, "SessionID")>
<cfset StructDelete(Session, "URLToken")>
<cfoutput>You have been logged out</cfoutput>

Name the page whatever the user's user name is, like jadams.cfm.

2.  Use the OnUnload event of the <body> tag to call the CFM file.

Josh
0
hartCommented:
The main problem is that on refresh onunload event is fired. The solution given by me was just a simple way to catch logoff.

other way would be to do it using database flags.

Keep a small page in a corner (frame page) and keep on refreshing it using meta tag.
<META HTTP-EQUIV="Refresh" CONTENT="10">

this will refresh the page every 10 seconds, u could set it to 5 minutes (content="300").

And every 5 minutes update a field with date and time.
Say Log_Time (keep on updating every 5 minutes)

Also there will be an Online Date time field and Online field for storing date and time logged in and also Yes or No flag for online respectively.

Now there will be a scheduled file which will compare the Log_time with current time. If the difference is greater or equal to 8 minutes(for being on the safe side) and the online flag is Y then turn him Offline.

This is just a another solution, but the popping up of small box will be much simpler.

And it won't require scheduled files.

See u could always pop up a banner on a site if a user refreshes his browser (Onunload).

Also if he closes the browser, show different ad.

I can only suggest these two solutions, u can opt for any.

I think people do use applets to do logoff, but i am not aware how.

If you like my suggestions, then you know what to do :-)

Regards
Hart(Harish)
0
jladams97Commented:
Addendum to my previous post:

Now that I think about it, you wouldn't have to use <cffile> to write a user-specific CFM file.  I was thinking that at first because I was thinking you might need to know the value of the user's JSESSIONID variable but you don't and so the code is generic.  So you could have the OnUnload event of the <body> tag call logout.cfm which would have this code in it:

<cfset StructDelete(Session, "SessionID")>
<cfset StructDelete(Session, "URLToken")>
<cfoutput>You have been logged out</cfoutput>

The file could of course also include any other CF commands you wanted to use to "clean up" after the end of the user's session.

Josh
0
hartCommented:
hello did u get ur solution buddy??

let me know...

Regards
Hart(harish)
0
demarcoCommented:
For dave --

as i posted above in the js --

 <HTML>
 <HEAD>
 <SCRIPT LANGUAGE="JavaScript">
   // Defining variables.
   var refresh_clicked = 'no';
 
   // This function is called when the user press the 'refresh Page' button.
   function Refresher() {
   refresh_clicked = 'yes';
   location.reload();
   }
 </SCRIPT>    

 <SCRIPT FOR=window EVENT=onbeforeunload LANGUAGE="JAVASCRIPT">
   // On window close, this will logout the user.
   // If the user has pressed the 'Refresh Page' button, then this will be ignored.
   // The features string cannot contain a line break, so it is concatenated.
   if (refresh_clicked == 'no')
       window.open('logout.cfm','logout_href',
       'toolbar=no,scrollbars=no,resizable=no,' +
       'width=635,height=300,menubar=no,location=no');
 </SCRIPT>
         
 </HEAD>

 <BODY onKeyDown="KeyPress(window.event.keyCode);">

 <INPUT TYPE="BUTTON" VALUE="   Refresh Page   " 
           onClick="if (confirm ('Are you sure? This will erase all information previously entered.')) Refresher();">

 <!-- ...(SNIP)... -->
0
hartCommented:
with all due respect demarco, your refresher() function will only be called if you click on button "Refresh Page."

If i do f5 or say cntrl + R or Refresh button of the browser then your Refresher function will not be called.

hope all the other experts agree to this...

for catching key events like f5 you can do this in javascript.

----------------------------------------------------------
<head>
<script language="javascript">
// One handler for both browsers: IE exposes the event as window.event,
// Netscape passes it to the handler as an argument.
function test(e)
{
  e = e || window.event;
  if(e.keyCode == 116)
  {
      ///do anything
  }
}
///for Netscape
if (window.captureEvents) window.captureEvents(Event.KEYUP);
window.onkeyup = test;
</script>
</head>
<body onkeyup="test(event)">
</body>
----------------------------------------------------------

But then therez cntrl + r so even this won't help davegaurav999, the unload event will be fired anywayz.

As per my suggestion the best is the pop up.
But may be some one else could have a concrete idea

If so then do share it..

Regards
Harish(hart)
0
demarcoCommented:
yup didnt think of the forced refresh
0
davegaurav999Author Commented:
For Hart--
Thanks for all your help. Can I trap F5 and Ctrl+R and thus detect Refresh? Is there any other way this can be done (other than programmatically through javascript, of course)? Then I need to account for that also. I am insisting on this because I want to avoid popup. I don't mind popping up a window and showing "You are being logged out....." or something like that but when it is just a page refresh, I don't think it's a good idea. Ideally, I want to check whether it is a refresh or window close BEFORE popping up a window.
0
demarcoCommented:
hmm this is an interesting point ,
and does reflect the issues in regard to using session vars , as I mentioned before using client vars would solve this issue as they are
You might also think of building a simple struct

In your app have

<CFIF IsDefined("Client.memberid")>

<cfset Client.UserLastVisit = now()>

<CFLOCK SCOPE="APPLICATION" THROWONTIMEOUT="No" TIMEOUT="10" TYPE="EXCLUSIVE">
<CFPARAM NAME="Application.OnlineUsers" DEFAULT="#StructNew()#">
<CFSET StructInsert(Application.OnlineUsers, Client.memberid, Client.UserLastVisit, True)>
</CFLOCK>


<CFLOCK SCOPE="APPLICATION" THROWONTIMEOUT="No" TIMEOUT="10" TYPE="EXCLUSIVE">

<CFLOOP COLLECTION="#Application.OnlineUsers#" ITEM="aUser">
<CFSET dtLastConnection = StructFind(Application.OnlineUsers, aUser)>

<CFIF DateDiff("h", dtLastConnection, Now()) GTE 4>
<CFSET StructDelete(Application.OnlineUsers, aUser)>
</CFIF>

</CFLOOP>
</CFLOCK>

</CFIF>

Then you have a structure that after login holds your "ONLINE" user  any login can be checked against this and you can use struct delete or delete cookies on browser close. etc  this will also stop f5 as the user id will exist in the struct and you can error trap that

 :)

0
demarcoCommented:
As you can see in my above code i also add a simple 4 hour time out
<CFIF DateDiff("h", dtLastConnection, Now()) GTE 4>
<CFSET StructDelete(Application.OnlineUsers, aUser)>
</CFIF>

but this can be left out or altered if you so require
0
hartCommented:
sorry buddy,

i am not sure how to catch closure in the same window(page).

the main reason why you have a pop up is to catch the closure of the window.

This cannot be put in the same page.

because when the window is closed using the close window button the onunload is fired but it doesn't fire any exception.

For eg:

say if i keep a hidden field in the form and try to access the value every time the onunload event is fired.

It does not give an error even if the browser is closed.
If an exception could be fired while trying to access a form element only while closing then i would have got the solution, but i don't think it happens.

So the bottom line is i am through..
i don't have any further solutions..

(NB: you could consider the database time difference method specified by me earlier, if u don't want the pop up.)

All the best and hope u get a concrete solution..

Regards
Hart(harish)
0
davegaurav999Author Commented:
Thanks hart.
demarco --
I am already maintaining a list (instead of a structure) of logged in users and their respective login time. I can delete appropriate entries from it when the user logs out by clicking on "Logout". But the problem is that how do I delete the entry from the list when the user just closes the browser (without explicitly logging out)? I am using JSESSIONID which doesn't use any cookies otherwise I can make them expire on browser close. One solution that I could think of was to run a scheduled task every xx minutes and check the login time of every entry in the list and delete entries where login time is before sessiontimeout period. But this is not very efficient as you can see. Also, it leaves a liiiiiiiitle loophole. Is there a better solution?
0
jladams97Commented:
JSESSIONID does use cookies by default although it optionally can work with a browser with cookies turned off but only if you explicitly add it to all of the links in the pages you send to your customer's browsers (the easiest way to do this is with URLSessionFormat).  More info is in my previous posts and also in the CF documentation.  The most basic point you need to understand is that a browser interacting with a server is a stateless system and so without the client browser sending the server an identifier with each request, the server cannot track the client browser.  This identifier has to be sent in one of three ways:  as a URL parameter, as a value from a cookie, or as a form submission.  Since it is unlikely a user will be able to navigate through your site purely by submitting forms, it is unlikely you can track him via an identifier submitted as a form value.  So you then need to use either a URL parameter or a cookie value.  JSESSIONID as well as CFID and CFTOKEN can work via either method, but they work via cookies by default.

As to how you delete a user from the list when the client closes the browser:  you can't.  This is due again to the stateless nature of the interaction of the server and the client.  After the server sends a page to the client, the server ceases to know anything about the state of the client until the client next sends a request to the server.  If the client never sends such a request, the server never knows anything definitive about said client.  And that's exactly why session variables timeout--the idea is that if the server doesn't hear something in a certain amount of time, it assumes the client is no longer interacting with it.

The only way that I can think that you might possibly be able to get the client browser to let you know when it closes is if there is some way you can use the OnUnload() event of the <body> tag to fire off a communication to your server.  I honestly haven't read many of the other posts in this thread well enough to know if they've given a way to do this but in my simple testing, the OnUnload() event won't allow the firing off of a communication to the server.  Note that even if you can find a way to accomplish this task, if the user wants to prevent his browser from sending you a notification that his browser has closed, he can easily do that, if only by turning off JavaScript in his browser or even disconnecting his Internet connection.

If you can find a way to fire off a communication to your server when the browser is closed and the user allows that communication to go out, you'll want to somehow send the now closed (or at least closing) browser's JSESSIONID to the server for processing.  You might do that using URL parameters or you might do it as a submission of a form using a hidden form like this one:

<form name="BrowserClosed" action="browserclosed.cfm">
<input type="hidden" name="JSESSIONID" value="#Session.JSESSIONID#">
</form>

Just keep in mind that at best you're going to be able to get an approximation of what you actually want.  What you actually want is a constant, two-way connection on which either party is immediately notified of the connection being broken (for analogy purposes, think of a phone call).  That just doesn't exist between a browser and a server.  I know that's a bad thing for you here but realize that overall it is a very good thing and the system was designed that way on purpose.  The reason?  Much less bandwidth usage!

Josh
0
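
The approach from jladams97's posts above (store the current session ID per user and compare it on every request) combined with the idle-timeout clean-up from hart's earlier post, as an added example that is not part of the thread. It is a JavaScript model of the server-side logic rather than ColdFusion code; the Map stands in for the user table, and the class, method and sample names are hypothetical.

```javascript
// Added example: a model of "one active session per user". Not ColdFusion code.
// The Map stands in for the user table; all names and values are constructed.
class SingleSessionRegistry {
  constructor(idleTimeoutMs) {
    this.idleTimeoutMs = idleTimeoutMs;
    this.active = new Map(); // userId -> { sessionId, ip, lastSeen }
  }

  isIdle(record, now) {
    return now - record.lastSeen > this.idleTimeoutMs;
  }

  // Call only after the credentials were verified. The newest login wins.
  // Returns the session id that was displaced, or null if none was live.
  login(userId, sessionId, ip, now) {
    const previous = this.active.get(userId);
    this.active.set(userId, { sessionId, ip, lastSeen: now });
    if (previous && previous.sessionId !== sessionId && !this.isIdle(previous, now)) {
      return previous.sessionId;
    }
    return null;
  }

  // Call on every request (the Application.cfm position in the thread).
  // The IP is kept for audit only: two browsers behind one NAT address
  // share it, so the decision is made on the session id.
  check(userId, sessionId, now) {
    const record = this.active.get(userId);
    if (!record) return 'unknown';
    if (record.sessionId !== sessionId) return 'superseded';
    if (this.isIdle(record, now)) {
      this.active.delete(userId);
      return 'expired';
    }
    record.lastSeen = now;
    return 'ok';
  }

  // Explicit logout or an unload-time ping. Honoured only for the session that
  // currently owns the record, so a late ping from the displaced browser
  // cannot log out the newer session.
  logout(userId, sessionId) {
    const record = this.active.get(userId);
    if (!record || record.sessionId !== sessionId) return false;
    this.active.delete(userId);
    return true;
  }

  // Scheduled clean-up: covers browsers that were closed without any signal.
  sweep(now) {
    const removed = [];
    for (const [userId, record] of this.active) {
      if (this.isIdle(record, now)) {
        this.active.delete(userId);
        removed.push(userId);
      }
    }
    return removed;
  }
}

function runDemo() {
  const MINUTE = 60 * 1000;
  const registry = new SingleSessionRegistry(20 * MINUTE);
  const natIp = '203.0.113.7'; // constructed; both browsers share it behind NAT
  const log = [];

  log.push(registry.login('dave', 'sess-A', natIp, 0));           // null
  log.push(registry.check('dave', 'sess-A', 1 * MINUTE));         // 'ok'
  log.push(registry.login('dave', 'sess-B', natIp, 2 * MINUTE));  // 'sess-A'
  log.push(registry.check('dave', 'sess-A', 3 * MINUTE));         // 'superseded'
  log.push(registry.logout('dave', 'sess-A'));                    // false
  log.push(registry.check('dave', 'sess-B', 4 * MINUTE));         // 'ok'
  // Browser B is closed here; nothing reaches the server.
  log.push(registry.sweep(10 * MINUTE));                          // []
  log.push(registry.sweep(30 * MINUTE));                          // ['dave']
  log.push(registry.check('dave', 'sess-B', 31 * MINUTE));        // 'unknown'
  return log;
}

console.log(JSON.stringify(runDemo()));
```

The first browser learns it was displaced on its next request, and a closed browser is cleaned up by the timeout alone, so no unload event has to reach the server.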

substandCommented:
you could do like a temp logout, where in the "onunload" event, you log them out, and on the load event you log them back in.

this would have the effect of
1) making sure the user is logged out when the browser closes
2) making sure the user is logged out when they leave your app and go to another site.

0
hartCommented:
With all due respect substand your solution could cause hassles.

i don't think i will need to explain how.
Just think about it..

Regards
Hart



0
davegaurav999Author Commented:
Thanks to everyone for helping out. Special regards to demarco and harish.
0
jladams97Commented:
Thanks, davegaurav999, for my first Expert Points!  :)  I appreciate them very much!  :)  I know that the info I gave you wasn't exactly what you wanted to hear but hopefully it did help.

Thanks,
Josh
0
substandCommented:
hart:  not trying to be a smartass, but i can't think of any unless you mean you'd have to put it on every page.. but that would be solved by placing the body tag in the application.cfm file, so i don't think thats what you mean...???

let me know what you are thinking of.
0
demarcoCommented:
Cheers - davegaurav999

It certainly was an interesting problem
and I'm also glad of a workable solution for this as well -- -- cheers jladams97  
0
hartCommented:
no offense substand, but if you are making a person log in then i think he must be doing it using some username and password clarifications.

now as per your solution, you said to log him off temporarily when he refreshes.

onunload you log him off then how are u going to trace who it was onload.. (then again you have to go with temporary flags and all which would be a hassle.)

just think about it..

Also if my comments are in any ways upsetting you, then i am sorry..


Regards
Hart
0