Collecting Ideas: Techniques to recognize if a Session was a) lost or b) just has to be created for a new visitor

Posted on 2004-08-19
Last Modified: 2013-12-24
Hello there,

well i post this in Cold Fusion but this question is more general about Sessions at all.

If the user visits my website, he gets a new session (CFID+CFTOKEN). then he might log in to the system. his authentication is also kept in the session, if the login was successful. If the user spends to much time in the system, without doing anything, the session will run out and the session information is lost (well, hehe, you probably noticed that these are just some session basics)

now the problem:

if the session ran out, the user must be informed about it, so i must recognize it somehow.
simply to check if a specific session variable is set or not, is not enough, because any use who will visit the site for the first time, would also get a "session timeout" message, but he shouldnt.

My first two ideas:

1) Checking the Referer. If the referer is my site and the session variable which was set at the beginning doesnt exists, he probably lost his session, else he is a new visitor

- Well, but i dont like it. Simply dont like it :) Checking referers is nothing really secure.

2) when the user visits the domain, i set the variable and forward him to a different page. when, on the different page, the variable is not existing anymore, the session was lost, because the new visitor would not access it directly

- Also not a very good technique, because the user might bookmark the "different page" and use it for entry, so i also cannot recognize it clearly

I hope there are another ideas, or maybe even some approved methods?
By the way, i dont want to set Cookies. No Cookie at all. Even no so called "Server Cookies" if possible.

Thanks in Advance

Question by:eclipse2k
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +1
LVL 17

Expert Comment

ID: 11840349
whats wrong with checking for the session values & if they are expired - redirect the user to a page - that says that the sesions have expired & he need to login again [as a means of security issue]

or have i confused myself & misunderstood ur requirement ?
LVL 11

Expert Comment

ID: 11841072
what we normally do is this....

we have a login page...
and the user puts in his username and password to get in..
And once he is authenticated then session variables are created by using his data from the database...

for eg: <Session.FirstName = "Some Value">

now on each page that is shown after the login page include a cf page on top say CheckSession.cfm

in CheckSession.cfm put this code...
<cfif Not IsDefined(Session.FirstName)>
   Your Session has expired, please <a href="login page">login</a> again...

this is how normally sessions are checked...

Now if a user bookmarks a page that is shown after the login, this check will make him go back to the login page...

And have a tour button on your login page which will help casual users to browse through...


Author Comment

ID: 11842116
to anandkp:
This is right, but if a session variable doesnt exist, then it still doesnt mean that it expired. it simply might just mean that the user just came to the site right at the moment. and this user should not get any messages about an expired session so far.

to hart:
this would work in a "special" area just for logged in users. but The user can be also already logged in on the main page. just like, in a forum for example. when i check for "Not IsDefined(Session.FirstName)" in the main page, then also users who just visit the site would get this message.
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

LVL 17

Expert Comment

ID: 11868855
didnt get u ?

Author Comment

ID: 11872259
ok, will try that step by step....

First Case:
A new User is entering the page. at the moment of this activity (page call of index.cfm for example), his session variables are empty. i want to display him a "welcome!" message.

Second Case:
A User, who was logged in previously, waited for 30minutes while doing nothing and his session expired in the meantime. now he clicks at the "home" button. at the moment of this activity (page call of index.cfm) his session variables are empty. i want to display him a "your session expired" message.

Now the question:
At the moment of the page call activity, how can i recognize which of the both cases do i have?

hope, this is more clear now? :)
LVL 17

Expert Comment

ID: 11878230
Why dont u set the session variables when the user logs in & reaches index.cfm - so that they arent empty.
This way u wont have any issues.
I dont see where ur gettng stuck - the scenario uve mentioned looks pretty much like a normal requirement [unless i am missing something] ...

Author Comment

ID: 11878750
Haha, either i really cant explain it or it is so simple that i dont understand so simple solution :)

questioning back again, a last try on this.

i built a very simple scenario, i hope you can check it out.

<cfapplication name="MYTESTFOREE" clientmanagement="No" sessionmanagement="Yes" setclientcookies="No" sessiontimeout="#createTimeSpan(0,0,1,0)#" applicationtimeout="#CreateTimeSpan(0,0,1,0)#"/>
(the time span is very short just in the example)

Now the case in the Index.cfm is to recognize if the user is new or lost his session:


<cfif isDefined("session.isloggedin")>
  Nice, you are logged in.
  Do something, go somewhere.
  <a href="index.cfm?CFID=#Session.CFID#&CFTOKEN=#Session.CFTOKEN#&go=somewhere">go somewhere</a>

  You are new! Gonna log you in.
  <cfset session.isloggedin= true/>

  Ok i have logged you in.
  Now go and <a href="index.cfm?CFID=#Session.CFID#&CFTOKEN=#Session.CFTOKEN#&do=something">do something</a>
  or <a href="index.cfm?CFID=#Session.CFID#&CFTOKEN=#Session.CFTOKEN#&something=different">something different</a>
(In the testcase the user is logged in automatically. in fact he needs to send a password.
 the session.isloggedin indicates if the user is logged in currently)

Now the question its all about:
Please change "index.cfm" to output "Your session has expired! Log in again." then, ONLY THEN if i was logged in once before and the session has expired. the new user shouldnt be bothered with such a message.

Thanks In Advance


Accepted Solution

mosphat earned 250 total points
ID: 12063875
Option 1: To be able to tell whether a session timed out, you have to set a variable somewhere where it will "survive" the session timeout. That is anywhere but the session scope. You could use the application scope, client- or cookie scope (if you use persistent cookies) or a table on the database or even a plain and simple text file.
You store the session ID and timestamp.
Now, whenever you detect a new, empty session, you check whether the session ID is present in that other storage and its timestamp is somewhere between your default session timespan and a couple of hours or whatever is a safe timespan to assume it's a user returning from lunch ;)
Yep, there's the word 'assume', so it's not a waterproof method.

Option 2: Use javascript: setTimeout('aFunction()', x);
x = your session timespan in milliseconds
aFunction = javascript function that does a redirect to the loginpage with an extra flag in the URL that lets you know it was a session timeout.
This way if a user stays on a page long enough for the session to timeout, he/she will be redirected to the login page and you'll have a url.sessionTimedout variable.

Expert Comment

ID: 12064186
As a matter of fact, forget about option 1. The second option is so much easier. Just implemented it in my current project. Works fine.

This is the javascript I used for a session span of 30 minutes:

setTimeout("location.href = '/login/?sessionTimedout=true';", 1800000);

You include it whenever you're not on the login page.

Author Comment

ID: 12072537
Hello Mosphat,

i thought that my question was soooo hard to understand that no one could reply :)
i think, i like Option 1 better, anyway!
the reason is, that the user MIGHT have opened a new window, which is not forbidden, then, one of the two opened window would log out while the user is still working in the second window.

Thanks for your help


Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Most ColdFusion developers get confused between the CFSet, Duplicate, and Structcopy methods of copying a Structure, especially which one to use when. This Article will explain the differences in the approaches with examples; therefore, after readin…
When it comes to security, close monitoring is a must. According to WhiteHat Security annual report, a substantial number of all web applications are vulnerable always. Monitis offers a new product - fully-featured Website security monitoring and pr…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…

632 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question