Go Premium for a chance to win a PS4. Enter to Win


Collecting Ideas: Techniques to recognize if a Session was a) lost or b) just has to be created for a new visitor

Posted on 2004-08-19
Medium Priority
Last Modified: 2013-12-24
Hello there,

well i post this in Cold Fusion but this question is more general about Sessions at all.

If the user visits my website, he gets a new session (CFID+CFTOKEN). then he might log in to the system. his authentication is also kept in the session, if the login was successful. If the user spends to much time in the system, without doing anything, the session will run out and the session information is lost (well, hehe, you probably noticed that these are just some session basics)

now the problem:

if the session ran out, the user must be informed about it, so i must recognize it somehow.
simply to check if a specific session variable is set or not, is not enough, because any use who will visit the site for the first time, would also get a "session timeout" message, but he shouldnt.

My first two ideas:

1) Checking the Referer. If the referer is my site and the session variable which was set at the beginning doesnt exists, he probably lost his session, else he is a new visitor

- Well, but i dont like it. Simply dont like it :) Checking referers is nothing really secure.

2) when the user visits the domain, i set the variable and forward him to a different page. when, on the different page, the variable is not existing anymore, the session was lost, because the new visitor would not access it directly

- Also not a very good technique, because the user might bookmark the "different page" and use it for entry, so i also cannot recognize it clearly

I hope there are another ideas, or maybe even some approved methods?
By the way, i dont want to set Cookies. No Cookie at all. Even no so called "Server Cookies" if possible.

Thanks in Advance

Question by:eclipse2k
  • 4
  • 3
  • 2
  • +1
LVL 17

Expert Comment

ID: 11840349
whats wrong with checking for the session values & if they are expired - redirect the user to a page - that says that the sesions have expired & he need to login again [as a means of security issue]

or have i confused myself & misunderstood ur requirement ?
LVL 11

Expert Comment

ID: 11841072
what we normally do is this....

we have a login page...
and the user puts in his username and password to get in..
And once he is authenticated then session variables are created by using his data from the database...

for eg: <Session.FirstName = "Some Value">

now on each page that is shown after the login page include a cf page on top say CheckSession.cfm

in CheckSession.cfm put this code...
<cfif Not IsDefined(Session.FirstName)>
   Your Session has expired, please <a href="login page">login</a> again...

this is how normally sessions are checked...

Now if a user bookmarks a page that is shown after the login, this check will make him go back to the login page...

And have a tour button on your login page which will help casual users to browse through...


Author Comment

ID: 11842116
to anandkp:
This is right, but if a session variable doesnt exist, then it still doesnt mean that it expired. it simply might just mean that the user just came to the site right at the moment. and this user should not get any messages about an expired session so far.

to hart:
this would work in a "special" area just for logged in users. but The user can be also already logged in on the main page. just like, in a forum for example. when i check for "Not IsDefined(Session.FirstName)" in the main page, then also users who just visit the site would get this message.
Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

LVL 17

Expert Comment

ID: 11868855
didnt get u ?

Author Comment

ID: 11872259
ok, will try that step by step....

First Case:
A new User is entering the page. at the moment of this activity (page call of index.cfm for example), his session variables are empty. i want to display him a "welcome!" message.

Second Case:
A User, who was logged in previously, waited for 30minutes while doing nothing and his session expired in the meantime. now he clicks at the "home" button. at the moment of this activity (page call of index.cfm) his session variables are empty. i want to display him a "your session expired" message.

Now the question:
At the moment of the page call activity, how can i recognize which of the both cases do i have?

hope, this is more clear now? :)
LVL 17

Expert Comment

ID: 11878230
Why dont u set the session variables when the user logs in & reaches index.cfm - so that they arent empty.
This way u wont have any issues.
I dont see where ur gettng stuck - the scenario uve mentioned looks pretty much like a normal requirement [unless i am missing something] ...

Author Comment

ID: 11878750
Haha, either i really cant explain it or it is so simple that i dont understand so simple solution :)

questioning back again, a last try on this.

i built a very simple scenario, i hope you can check it out.

<cfapplication name="MYTESTFOREE" clientmanagement="No" sessionmanagement="Yes" setclientcookies="No" sessiontimeout="#createTimeSpan(0,0,1,0)#" applicationtimeout="#CreateTimeSpan(0,0,1,0)#"/>
(the time span is very short just in the example)

Now the case in the Index.cfm is to recognize if the user is new or lost his session:


<cfif isDefined("session.isloggedin")>
  Nice, you are logged in.
  Do something, go somewhere.
  <a href="index.cfm?CFID=#Session.CFID#&CFTOKEN=#Session.CFTOKEN#&go=somewhere">go somewhere</a>

  You are new! Gonna log you in.
  <cfset session.isloggedin= true/>

  Ok i have logged you in.
  Now go and <a href="index.cfm?CFID=#Session.CFID#&CFTOKEN=#Session.CFTOKEN#&do=something">do something</a>
  or <a href="index.cfm?CFID=#Session.CFID#&CFTOKEN=#Session.CFTOKEN#&something=different">something different</a>
(In the testcase the user is logged in automatically. in fact he needs to send a password.
 the session.isloggedin indicates if the user is logged in currently)

Now the question its all about:
Please change "index.cfm" to output "Your session has expired! Log in again." then, ONLY THEN if i was logged in once before and the session has expired. the new user shouldnt be bothered with such a message.

Thanks In Advance


Accepted Solution

mosphat earned 1000 total points
ID: 12063875
Option 1: To be able to tell whether a session timed out, you have to set a variable somewhere where it will "survive" the session timeout. That is anywhere but the session scope. You could use the application scope, client- or cookie scope (if you use persistent cookies) or a table on the database or even a plain and simple text file.
You store the session ID and timestamp.
Now, whenever you detect a new, empty session, you check whether the session ID is present in that other storage and its timestamp is somewhere between your default session timespan and a couple of hours or whatever is a safe timespan to assume it's a user returning from lunch ;)
Yep, there's the word 'assume', so it's not a waterproof method.

Option 2: Use javascript: setTimeout('aFunction()', x);
x = your session timespan in milliseconds
aFunction = javascript function that does a redirect to the loginpage with an extra flag in the URL that lets you know it was a session timeout.
This way if a user stays on a page long enough for the session to timeout, he/she will be redirected to the login page and you'll have a url.sessionTimedout variable.

Expert Comment

ID: 12064186
As a matter of fact, forget about option 1. The second option is so much easier. Just implemented it in my current project. Works fine.

This is the javascript I used for a session span of 30 minutes:

setTimeout("location.href = '/login/?sessionTimedout=true';", 1800000);

You include it whenever you're not on the login page.

Author Comment

ID: 12072537
Hello Mosphat,

i thought that my question was soooo hard to understand that no one could reply :)
i think, i like Option 1 better, anyway!
the reason is, that the user MIGHT have opened a new window, which is not forbidden, then, one of the two opened window would log out while the user is still working in the second window.

Thanks for your help


Featured Post

Ask an Anonymous Question!

Don't feel intimidated by what you don't know. Ask your question anonymously. It's easy! Learn more and upgrade.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction This article explores the design of a cache system that can improve the performance of a web site or web application.  The assumption is that the web site has many more “read” operations than “write” operations (this is commonly the ca…
Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Suggested Courses

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question