

Collecting Ideas: Techniques to recognize if a Session was a) lost or b) just has to be created for a new visitor

Posted on 2004-08-19
Medium Priority
Last Modified: 2013-12-24
Hello there,

Well, I posted this in Cold Fusion, but this question is more about sessions in general.

If the user visits my website, he gets a new session (CFID+CFTOKEN). Then he might log in to the system. His authentication is also kept in the session if the login was successful. If the user spends too much time in the system without doing anything, the session will run out and the session information is lost (well, hehe, you probably noticed that these are just some session basics).

Now the problem:

If the session ran out, the user must be informed about it, so I must recognize it somehow.
Simply checking whether a specific session variable is set is not enough, because any user who visits the site for the first time would also get a "session timeout" message, but he shouldn't.

My first two ideas:

1) Checking the Referer. If the referer is my site and the session variable which was set at the beginning doesn't exist, he probably lost his session; otherwise he is a new visitor.

- Well, but I don't like it. Simply don't like it :) Checking referers is nothing really secure.

2) When the user visits the domain, I set the variable and forward him to a different page. When, on the different page, the variable no longer exists, the session was lost, because a new visitor would not access it directly.

- Also not a very good technique, because the user might bookmark the "different page" and use it for entry, so I also cannot recognize it clearly.

I hope there are other ideas, or maybe even some approved methods?
By the way, I don't want to set cookies. No cookie at all. Not even so-called "server cookies" if possible.

Thanks in Advance

Question by:eclipse2k

Expert Comment

ID: 11840349
What's wrong with checking for the session values and, if they are expired, redirecting the user to a page that says that the session has expired and he needs to log in again [as a security matter]?

Or have I confused myself and misunderstood your requirement?

Expert Comment

ID: 11841072
What we normally do is this...

We have a login page...
and the user puts in his username and password to get in.
Once he is authenticated, session variables are created using his data from the database...

For example: <cfset Session.FirstName = "Some Value">

Now on each page that is shown after the login page, include a CF page at the top, say CheckSession.cfm.

In CheckSession.cfm put this code...
<cfif Not IsDefined("Session.FirstName")>
   Your session has expired, please <a href="login page">login</a> again...
</cfif>

This is how sessions are normally checked...

Now if a user bookmarks a page that is shown after the login, this check will make him go back to the login page...

And have a tour button on your login page which will help casual users to browse through...


Author Comment

ID: 11842116
To anandkp:
This is right, but if a session variable doesn't exist, it still doesn't mean that it expired. It might simply mean that the user just came to the site at that moment, and this user should not get any messages about an expired session so far.

To hart:
This would work in a "special" area just for logged-in users. But the user can also already be logged in on the main page, just like in a forum, for example. When I check for "Not IsDefined(Session.FirstName)" on the main page, users who just visit the site would also get this message.

Expert Comment

ID: 11868855
Didn't get you?

Author Comment

ID: 11872259
OK, I will try that step by step...

First Case:
A new user is entering the page. At the moment of this activity (page call of index.cfm, for example), his session variables are empty. I want to display a "welcome!" message to him.

Second Case:
A user who was logged in previously waited for 30 minutes while doing nothing, and his session expired in the meantime. Now he clicks the "home" button. At the moment of this activity (page call of index.cfm) his session variables are empty. I want to display a "your session expired" message to him.

Now the question:
At the moment of the page call activity, how can I recognize which of the two cases I have?

Hope this is clearer now? :)

Expert Comment

ID: 11878230
Why don't you set the session variables when the user logs in and reaches index.cfm, so that they aren't empty?
This way you won't have any issues.
I don't see where you're getting stuck. The scenario you've mentioned looks pretty much like a normal requirement [unless I am missing something]...

Author Comment

ID: 11878750
Haha, either I really can't explain it or it is so simple that I don't understand such a simple solution :)

Asking back again, a last try on this.

I built a very simple scenario; I hope you can check it out.

<cfapplication name="MYTESTFOREE" clientmanagement="No" sessionmanagement="Yes" setclientcookies="No" sessiontimeout="#createTimeSpan(0,0,1,0)#" applicationtimeout="#CreateTimeSpan(0,0,1,0)#"/>
(The time span is very short just for the example.)

Now the task in index.cfm is to recognize whether the user is new or lost his session:


<cfif isDefined("session.isloggedin")>
  <!--- The session already carries the login flag --->
  <cfoutput>
  Nice, you are logged in.
  Do something, go somewhere.
  <a href="index.cfm?CFID=#Session.CFID#&CFTOKEN=#Session.CFTOKEN#&go=somewhere">go somewhere</a>
  </cfoutput>
<cfelse>
  <!--- No flag: a new visitor or an expired session; this test case cannot tell them apart --->
  You are new! Gonna log you in.
  <cfset session.isloggedin = true/>

  <cfoutput>
  Ok i have logged you in.
  Now go and <a href="index.cfm?CFID=#Session.CFID#&CFTOKEN=#Session.CFTOKEN#&do=something">do something</a>
  or <a href="index.cfm?CFID=#Session.CFID#&CFTOKEN=#Session.CFTOKEN#&something=different">something different</a>
  </cfoutput>
</cfif>
(In the test case the user is logged in automatically. In fact he needs to send a password.
 The session.isloggedin variable indicates whether the user is currently logged in.)

Now the question it's all about:
Please change "index.cfm" to output "Your session has expired! Log in again." then, ONLY THEN, if I was logged in once before and the session has expired. The new user shouldn't be bothered with such a message.

Thanks In Advance


Accepted Solution

mosphat earned 1000 total points
ID: 12063875
Option 1: To be able to tell whether a session timed out, you have to set a variable somewhere where it will "survive" the session timeout. That is anywhere but the session scope. You could use the application scope, client- or cookie scope (if you use persistent cookies) or a table on the database or even a plain and simple text file.
You store the session ID and timestamp.
Now, whenever you detect a new, empty session, you check whether the session ID is present in that other storage and its timestamp is somewhere between your default session timespan and a couple of hours or whatever is a safe timespan to assume it's a user returning from lunch ;)
Yep, there's the word 'assume', so it's not a waterproof method.

Option 2: Use JavaScript: setTimeout('aFunction()', x);
x = your session timespan in milliseconds
aFunction = JavaScript function that does a redirect to the login page with an extra flag in the URL that lets you know it was a session timeout.
This way, if a user stays on a page long enough for the session to time out, he/she will be redirected to the login page and you'll have a url.sessionTimedout variable.
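
Option 1 from the answer above, sketched in CFML as an added example (not code from the thread or from any poster's project). The names `lastSeen`, `graceSeconds`, `sessKey` and `visitorState` are made up here. It assumes the returning visitor's request still carries the old CFID/CFTOKEN in the URL, as the links in the question do, that ColdFusion starts the new empty session under those same IDs, and that `applicationtimeout` is raised above the grace window (the one minute in the test case would discard the store).

```cfml
<!--- Added example. Place at the top of index.cfm, after the cfapplication tag. --->
<cfset graceSeconds = 4 * 60 * 60> <!--- assumed upper bound for "returning from lunch" --->
<cfset sessKey = session.CFID & "_" & session.CFTOKEN>
<cfset visitorState = "new">

<cflock scope="application" type="exclusive" timeout="5">
  <!--- The store lives in the application scope so it survives the session timeout. --->
  <cfif NOT StructKeyExists(application, "lastSeen")>
    <cfset application.lastSeen = StructNew()>
  </cfif>

  <!--- Drop entries older than the grace window so the store cannot grow forever. --->
  <cfloop list="#StructKeyList(application.lastSeen)#" index="k">
    <cfif DateDiff("s", application.lastSeen[k], Now()) GT graceSeconds>
      <cfset StructDelete(application.lastSeen, k)>
    </cfif>
  </cfloop>

  <cfif StructKeyExists(session, "isloggedin")>
    <!--- Live login: refresh the timestamp kept outside the session scope. --->
    <cfset application.lastSeen[sessKey] = Now()>
    <cfset visitorState = "active">
  <cfelseif StructKeyExists(application.lastSeen, sessKey)>
    <!--- Empty session, but this ID was logged in recently: the session timed out. --->
    <cfset StructDelete(application.lastSeen, sessKey)> <!--- report it only once --->
    <cfset visitorState = "expired">
  </cfif>
</cflock>

<cfif visitorState EQ "expired">
  Your session has expired! Log in again.
<cfelseif visitorState EQ "new">
  Welcome!
</cfif>
```

The login handler should also write `application.lastSeen[sessKey]` when it sets `session.isloggedin`, and an explicit logout should delete the entry so that a deliberate logout is not reported as a timeout.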

Expert Comment

ID: 12064186
As a matter of fact, forget about option 1. The second option is so much easier. Just implemented it in my current project. Works fine.

This is the JavaScript I used for a session span of 30 minutes:

setTimeout("location.href = '/login/?sessionTimedout=true';", 1800000);

You include it whenever you're not on the login page.

Author Comment

ID: 12072537
Hello Mosphat,

I thought that my question was soooo hard to understand that no one could reply :)
I think I like Option 1 better, anyway!
The reason is that the user MIGHT have opened a new window, which is not forbidden; then one of the two open windows would log out while the user is still working in the second window.

Thanks for your help



Question has a verified solution.
