Collecting Ideas: Techniques to recognize if a Session was a) lost or b) just has to be created for a new visitor

Posted on 2004-08-19
Last Modified: 2013-12-24
Hello there,

well i post this in Cold Fusion but this question is more general about Sessions at all.

If the user visits my website, he gets a new session (CFID+CFTOKEN). then he might log in to the system. his authentication is also kept in the session, if the login was successful. If the user spends to much time in the system, without doing anything, the session will run out and the session information is lost (well, hehe, you probably noticed that these are just some session basics)

now the problem:

if the session ran out, the user must be informed about it, so i must recognize it somehow.
simply to check if a specific session variable is set or not, is not enough, because any use who will visit the site for the first time, would also get a "session timeout" message, but he shouldnt.

My first two ideas:

1) Checking the Referer. If the referer is my site and the session variable which was set at the beginning doesnt exists, he probably lost his session, else he is a new visitor

- Well, but i dont like it. Simply dont like it :) Checking referers is nothing really secure.

2) when the user visits the domain, i set the variable and forward him to a different page. when, on the different page, the variable is not existing anymore, the session was lost, because the new visitor would not access it directly

- Also not a very good technique, because the user might bookmark the "different page" and use it for entry, so i also cannot recognize it clearly

I hope there are another ideas, or maybe even some approved methods?
By the way, i dont want to set Cookies. No Cookie at all. Even no so called "Server Cookies" if possible.

Thanks in Advance

Question by:eclipse2k
  • 4
  • 3
  • 2
  • +1
LVL 17

Expert Comment

Comment Utility
whats wrong with checking for the session values & if they are expired - redirect the user to a page - that says that the sesions have expired & he need to login again [as a means of security issue]

or have i confused myself & misunderstood ur requirement ?
LVL 11

Expert Comment

Comment Utility
what we normally do is this....

we have a login page...
and the user puts in his username and password to get in..
And once he is authenticated then session variables are created by using his data from the database...

for eg: <Session.FirstName = "Some Value">

now on each page that is shown after the login page include a cf page on top say CheckSession.cfm

in CheckSession.cfm put this code...
<cfif Not IsDefined(Session.FirstName)>
   Your Session has expired, please <a href="login page">login</a> again...

this is how normally sessions are checked...

Now if a user bookmarks a page that is shown after the login, this check will make him go back to the login page...

And have a tour button on your login page which will help casual users to browse through...


Author Comment

Comment Utility
to anandkp:
This is right, but if a session variable doesnt exist, then it still doesnt mean that it expired. it simply might just mean that the user just came to the site right at the moment. and this user should not get any messages about an expired session so far.

to hart:
this would work in a "special" area just for logged in users. but The user can be also already logged in on the main page. just like, in a forum for example. when i check for "Not IsDefined(Session.FirstName)" in the main page, then also users who just visit the site would get this message.
LVL 17

Expert Comment

Comment Utility
didnt get u ?

Author Comment

Comment Utility
ok, will try that step by step....

First Case:
A new User is entering the page. at the moment of this activity (page call of index.cfm for example), his session variables are empty. i want to display him a "welcome!" message.

Second Case:
A User, who was logged in previously, waited for 30minutes while doing nothing and his session expired in the meantime. now he clicks at the "home" button. at the moment of this activity (page call of index.cfm) his session variables are empty. i want to display him a "your session expired" message.

Now the question:
At the moment of the page call activity, how can i recognize which of the both cases do i have?

hope, this is more clear now? :)
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

LVL 17

Expert Comment

Comment Utility
Why dont u set the session variables when the user logs in & reaches index.cfm - so that they arent empty.
This way u wont have any issues.
I dont see where ur gettng stuck - the scenario uve mentioned looks pretty much like a normal requirement [unless i am missing something] ...

Author Comment

Comment Utility
Haha, either i really cant explain it or it is so simple that i dont understand so simple solution :)

questioning back again, a last try on this.

i built a very simple scenario, i hope you can check it out.

<cfapplication name="MYTESTFOREE" clientmanagement="No" sessionmanagement="Yes" setclientcookies="No" sessiontimeout="#createTimeSpan(0,0,1,0)#" applicationtimeout="#CreateTimeSpan(0,0,1,0)#"/>
(the time span is very short just in the example)

Now the case in the Index.cfm is to recognize if the user is new or lost his session:


<cfif isDefined("session.isloggedin")>
  Nice, you are logged in.
  Do something, go somewhere.
  <a href="index.cfm?CFID=#Session.CFID#&CFTOKEN=#Session.CFTOKEN#&go=somewhere">go somewhere</a>

  You are new! Gonna log you in.
  <cfset session.isloggedin= true/>

  Ok i have logged you in.
  Now go and <a href="index.cfm?CFID=#Session.CFID#&CFTOKEN=#Session.CFTOKEN#&do=something">do something</a>
  or <a href="index.cfm?CFID=#Session.CFID#&CFTOKEN=#Session.CFTOKEN#&something=different">something different</a>
(In the testcase the user is logged in automatically. in fact he needs to send a password.
 the session.isloggedin indicates if the user is logged in currently)

Now the question its all about:
Please change "index.cfm" to output "Your session has expired! Log in again." then, ONLY THEN if i was logged in once before and the session has expired. the new user shouldnt be bothered with such a message.

Thanks In Advance


Accepted Solution

mosphat earned 250 total points
Comment Utility
Option 1: To be able to tell whether a session timed out, you have to set a variable somewhere where it will "survive" the session timeout. That is anywhere but the session scope. You could use the application scope, client- or cookie scope (if you use persistent cookies) or a table on the database or even a plain and simple text file.
You store the session ID and timestamp.
Now, whenever you detect a new, empty session, you check whether the session ID is present in that other storage and its timestamp is somewhere between your default session timespan and a couple of hours or whatever is a safe timespan to assume it's a user returning from lunch ;)
Yep, there's the word 'assume', so it's not a waterproof method.

Option 2: Use javascript: setTimeout('aFunction()', x);
x = your session timespan in milliseconds
aFunction = javascript function that does a redirect to the loginpage with an extra flag in the URL that lets you know it was a session timeout.
This way if a user stays on a page long enough for the session to timeout, he/she will be redirected to the login page and you'll have a url.sessionTimedout variable.

Expert Comment

Comment Utility
As a matter of fact, forget about option 1. The second option is so much easier. Just implemented it in my current project. Works fine.

This is the javascript I used for a session span of 30 minutes:

setTimeout("location.href = '/login/?sessionTimedout=true';", 1800000);

You include it whenever you're not on the login page.

Author Comment

Comment Utility
Hello Mosphat,

i thought that my question was soooo hard to understand that no one could reply :)
i think, i like Option 1 better, anyway!
the reason is, that the user MIGHT have opened a new window, which is not forbidden, then, one of the two opened window would log out while the user is still working in the second window.

Thanks for your help


Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Suggested Solutions

A web service ( is a software related technology that facilitates machine-to-machine interaction over a network. This article helps beginners in creating and consuming a web service using the ColdFusion Ma…
If you don't have the right permissions set for your WordPress location in IIS, you won't be able to perform automatic updates. Here's how to fix the problem.
This video discusses moving either the default database or any database to a new volume.
Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now