Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 218
  • Last Modified:

Collecting Ideas: Techniques to recognize if a Session was a) lost or b) just has to be created for a new visitor

Hello there,

well i post this in Cold Fusion but this question is more general about Sessions at all.

If the user visits my website, he gets a new session (CFID+CFTOKEN). then he might log in to the system. his authentication is also kept in the session, if the login was successful. If the user spends to much time in the system, without doing anything, the session will run out and the session information is lost (well, hehe, you probably noticed that these are just some session basics)

now the problem:

if the session ran out, the user must be informed about it, so i must recognize it somehow.
simply to check if a specific session variable is set or not, is not enough, because any use who will visit the site for the first time, would also get a "session timeout" message, but he shouldnt.

My first two ideas:

1) Checking the Referer. If the referer is my site and the session variable which was set at the beginning doesnt exists, he probably lost his session, else he is a new visitor

- Well, but i dont like it. Simply dont like it :) Checking referers is nothing really secure.

2) when the user visits the domain, i set the variable and forward him to a different page. when, on the different page, the variable is not existing anymore, the session was lost, because the new visitor would not access it directly

- Also not a very good technique, because the user might bookmark the "different page" and use it for entry, so i also cannot recognize it clearly


I hope there are another ideas, or maybe even some approved methods?
By the way, i dont want to set Cookies. No Cookie at all. Even no so called "Server Cookies" if possible.

Thanks in Advance

eclipse2k
0
eclipse2k
Asked:
eclipse2k
  • 4
  • 3
  • 2
  • +1
1 Solution
 
anandkpCommented:
whats wrong with checking for the session values & if they are expired - redirect the user to a page - that says that the sesions have expired & he need to login again [as a means of security issue]

or have i confused myself & misunderstood ur requirement ?
0
 
hartCommented:
what we normally do is this....

we have a login page...
and the user puts in his username and password to get in..
And once he is authenticated then session variables are created by using his data from the database...

for eg: <Session.FirstName = "Some Value">

now on each page that is shown after the login page include a cf page on top say CheckSession.cfm

in CheckSession.cfm put this code...
<cfif Not IsDefined(Session.FirstName)>
   Your Session has expired, please <a href="login page">login</a> again...
   <cfabort>
</cfif>

this is how normally sessions are checked...

Now if a user bookmarks a page that is shown after the login, this check will make him go back to the login page...

And have a tour button on your login page which will help casual users to browse through...

Regards
Hart
0
 
eclipse2kAuthor Commented:
to anandkp:
This is right, but if a session variable doesnt exist, then it still doesnt mean that it expired. it simply might just mean that the user just came to the site right at the moment. and this user should not get any messages about an expired session so far.

to hart:
this would work in a "special" area just for logged in users. but The user can be also already logged in on the main page. just like, in a forum for example. when i check for "Not IsDefined(Session.FirstName)" in the main page, then also users who just visit the site would get this message.
0
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
anandkpCommented:
didnt get u ?
0
 
eclipse2kAuthor Commented:
ok, will try that step by step....

First Case:
A new User is entering the page. at the moment of this activity (page call of index.cfm for example), his session variables are empty. i want to display him a "welcome!" message.

Second Case:
A User, who was logged in previously, waited for 30minutes while doing nothing and his session expired in the meantime. now he clicks at the "home" button. at the moment of this activity (page call of index.cfm) his session variables are empty. i want to display him a "your session expired" message.

Now the question:
At the moment of the page call activity, how can i recognize which of the both cases do i have?


hope, this is more clear now? :)
thanks!
0
 
anandkpCommented:
Why dont u set the session variables when the user logs in & reaches index.cfm - so that they arent empty.
This way u wont have any issues.
I dont see where ur gettng stuck - the scenario uve mentioned looks pretty much like a normal requirement [unless i am missing something] ...
0
 
eclipse2kAuthor Commented:
Haha, either i really cant explain it or it is so simple that i dont understand so simple solution :)

questioning back again, a last try on this.

i built a very simple scenario, i hope you can check it out.

Application.cfm
=============================
<cfapplication name="MYTESTFOREE" clientmanagement="No" sessionmanagement="Yes" setclientcookies="No" sessiontimeout="#createTimeSpan(0,0,1,0)#" applicationtimeout="#CreateTimeSpan(0,0,1,0)#"/>
=============================
(the time span is very short just in the example)


Now the case in the Index.cfm is to recognize if the user is new or lost his session:

index.cfm
=============================
<html>
<head>
<title>Test</title>
</head>

<body>
<cfif isDefined("session.isloggedin")>
  Nice, you are logged in.
  Do something, go somewhere.
  <a href="index.cfm?CFID=#Session.CFID#&CFTOKEN=#Session.CFTOKEN#&go=somewhere">go somewhere</a>

<cfelse>
  You are new! Gonna log you in.
  <cfset session.isloggedin= true/>

  Ok i have logged you in.
  Now go and <a href="index.cfm?CFID=#Session.CFID#&CFTOKEN=#Session.CFTOKEN#&do=something">do something</a>
  or <a href="index.cfm?CFID=#Session.CFID#&CFTOKEN=#Session.CFTOKEN#&something=different">something different</a>
</cfif>
</body>
</html>
=============================
(In the testcase the user is logged in automatically. in fact he needs to send a password.
 the session.isloggedin indicates if the user is logged in currently)


Now the question its all about:
Please change "index.cfm" to output "Your session has expired! Log in again." then, ONLY THEN if i was logged in once before and the session has expired. the new user shouldnt be bothered with such a message.


Thanks In Advance

0
 
mosphatCommented:
Option 1: To be able to tell whether a session timed out, you have to set a variable somewhere where it will "survive" the session timeout. That is anywhere but the session scope. You could use the application scope, client- or cookie scope (if you use persistent cookies) or a table on the database or even a plain and simple text file.
You store the session ID and timestamp.
Now, whenever you detect a new, empty session, you check whether the session ID is present in that other storage and its timestamp is somewhere between your default session timespan and a couple of hours or whatever is a safe timespan to assume it's a user returning from lunch ;)
Yep, there's the word 'assume', so it's not a waterproof method.

Option 2: Use javascript: setTimeout('aFunction()', x);
x = your session timespan in milliseconds
aFunction = javascript function that does a redirect to the loginpage with an extra flag in the URL that lets you know it was a session timeout.
This way if a user stays on a page long enough for the session to timeout, he/she will be redirected to the login page and you'll have a url.sessionTimedout variable.
0
 
mosphatCommented:
As a matter of fact, forget about option 1. The second option is so much easier. Just implemented it in my current project. Works fine.

This is the javascript I used for a session span of 30 minutes:

setTimeout("location.href = '/login/?sessionTimedout=true';", 1800000);

You include it whenever you're not on the login page.
0
 
eclipse2kAuthor Commented:
Hello Mosphat,

i thought that my question was soooo hard to understand that no one could reply :)
i think, i like Option 1 better, anyway!
the reason is, that the user MIGHT have opened a new window, which is not forbidden, then, one of the two opened window would log out while the user is still working in the second window.

Thanks for your help

eclipse2k
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 4
  • 3
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now