How do I keep Firefox from reopening logged-in sessions?

Medium Priority
513 Views
Last Modified: 2013-12-07
Hello, this is concerning Firefox 3.0.6.

Firefox has three options for startup: you can either start up on your homepage, on a blank page, or on the page you were at last.

I have a password-protected section of a website written in ColdFusion. When the user closes their browser, I want to clear their session, so that when they start up again, they have to log in again.

I use J2EE session variables to facilitate this (set in the CF Administrator). J2EE session vars are supposed to be cleared whenever the user closes the browser (according to ColdFusion documentation).

This works fine if Firefox is set to start up on a homepage or blank page. But if you have "show my windows and tabs from last time" selected, you jump right to the password-protected part without any login!

This is a big security hole, can anyone help?

Thank you!!

Does this happen only until the session expiration timeout is reached (sessions in server memory do not expire until the session timeout period after the last request to the server), or does it happen after that as well?

Author

Commented:
At least until session timeout is reached. I have not checked later.

Session timeout is 20 minutes. Does this mean that it is not possible to keep the user locked out of the system until those 20 minutes are over? I thought J2EE variables in CF fixed that problem (of logins remaining persistent once user closes browser).
CERTIFIED EXPERT

Commented:
I suspect that it's an issue with your code rather than the session (sorry ;)

If you are exclusively using jsessionids, they -will- be destroyed on browser close. Doesn't matter which browser. How are you determining existence of the session? Where are you checking for it?



Author

Commented:
When it comes to jsessionids, the only thing I am doing to use them is checking the "J2EE" box in the ColdFusion administrator. Do I need to do something else to use them "exclusively"?

As to determining existence of a session, this is a login session and I handle it with a login scheme using the <cflogin> tag at the start of each page.

Does it matter that, when the user logs in, I name the login fields "Form.username" and "Form.password" instead of "Form.j_username" and "Form.j_password" ?
CERTIFIED EXPERT

Commented:
set

clientmanagement="no"
setclientcookies="no"

in application.cfm so that cfid and cftoken are not set at all

cflogin does -not- use jsessionids so you won't have session end on browser close functionality unless you build it in

might want to read this

http://www.coldfusionjedi.com/index.cfm/2009/1/1/Ask-a-Jedi-cflogout-session-variables-and-the-back-button

Author

Commented:
I hate <cflogin>. When I next roll over through the code, I will stop using it.

I set clientmanagement="no" and setclientcookies="no" . Same problem. I'm wary of doing it anyway since I use client vars to save logins.

But anyway, same issue with Firefox. Any other ideas?


CERTIFIED EXPERT

Commented:


Have you tried adding the idletimeout attribute to the cflogin tag?

ie:
idletimeout="300"

Author

Commented:
Yes, I have

<cflogin idletimeout="1200">


CERTIFIED EXPERT

Commented:
<cflogin idletimeout="1200"> will give you a sessiontimeout of 20 minutes. So if you close and reopen the browser within 20 minutes the session will still be active irrespective of browser close (remember cflogin does -not- use jsessionids)

set the idletimeout to 300 which will log out after 5 minutes of inactivity

Author

Commented:
thanks, I just want to make completely sure:

if I use <cflogin>, then I do --not-- use jsessionids, then there is --no-- way to automatically logout on browser close?

This problem has been bugging me in one form or another for 2 years.
CERTIFIED EXPERT

Commented:
I was about to say there is no way... but:

"When you use the cfloginuser tag within a cflogin tag, ColdFusion stores a login token in a memory-only browser cookie. Therefore, to use the cflogin tag to check for an authenticated user, the user must enable memory-only cookies in the browser. The login cookie does not lasts after the user closes the browser. "

http://livedocs.adobe.com/coldfusion/6/Developing_ColdFusion_MX_Applications_with_CFML/appSecurity4.htm

so that might be what you are looking for?

Author

Commented:
the problem here is this sentence:

"The login cookie does not lasts after the user closes the browser. "

In addition to the fact that it's clear that the ColdFusion people don't care enough to proofread their documentation, it says right there: the cookie does not last. So why is it lasting?

And do you know how I tell if I have memory-only cookies enabled?

If your browser accepts cookies, then memory cookies are enabled. They are the same cookies as any other, but they are not written to disk as a file and only exist in the browser's memory.

I have just tested some old code I had using J2EE sessions and the cflogin framework, and sure enough, if I set my FF to start with previously opened windows and tabs, all the secured pages just open up without requiring login...

I believe this is a feature of FF and how it implements it. It seems to persist all cookies, memory-only or not, circumventing any effort on your part to use non-persistent cookies...

I am not aware (yet) of anything that can be done on your part to prevent this...

Azadi
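The practical consequence of the two findings above (a cflogin session stays valid for its idletimeout regardless of browser close, and Firefox session restore hands the memory-only cookie straight back to the server) is that the server must enforce expiry itself rather than trusting the browser to discard the cookie. The following is an added example written for this page, not code from the thread, from Adobe or from Mozilla: a small Python session store with an idle timeout and an absolute lifetime, plus a simulation of a browser that restores its cookie jar on reopen. The class and function names, the cookie name (patterned on the cflogin cookie), the absolute timeout value and the fake clock are all constructed for the illustration.

```python
"""Added example: server-side session expiry that does not rely on the
browser dropping memory-only cookies at close. Everything here is
constructed for illustration; nothing is ColdFusion's or Firefox's code."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IDLE_TIMEOUT = 20 * 60          # same window as <cflogin idletimeout="1200">
ABSOLUTE_TIMEOUT = 8 * 3600     # hard cap on session age (assumed policy value)
COOKIE = "CFAUTHORIZATION_app"  # assumed name, patterned on the cflogin cookie


@dataclass
class Session:
    user: str
    created: float    # server clock at login
    last_seen: float  # server clock at last authenticated request


class SessionStore:
    """In-memory sessions; the clock is injectable so expiry can be simulated."""

    def __init__(self, clock=time.monotonic, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}
        self.idle = idle
        self.absolute = absolute

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def _lookup(self, token: str) -> Tuple[Optional[str], Optional[Session]]:
        # Constant-time comparison against each stored token avoids timing leaks.
        for stored, sess in self._sessions.items():
            if hmac.compare_digest(stored.encode(), token.encode()):
                return stored, sess
        return None, None

    def authenticate(self, token: str) -> Optional[str]:
        """Return the user for a live token, or None; expired sessions are purged."""
        stored, sess = self._lookup(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > self.idle or now - sess.created > self.absolute:
            del self._sessions[stored]  # a late request must not revive it
            return None
        sess.last_seen = now
        return sess.user

    def logout(self, token: str) -> None:
        stored, _ = self._lookup(token)
        if stored is not None:
            del self._sessions[stored]


class FakeClock:
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class RestoringBrowser:
    """Firefox with session restore: memory-only cookies survive a close."""

    def __init__(self) -> None:
        self.jar: Dict[str, str] = {}

    def close_and_reopen(self) -> None:
        pass  # jar is kept, which is the behaviour observed in the thread


class NormalBrowser(RestoringBrowser):
    """Start on homepage or blank page: memory-only cookies are discarded."""

    def close_and_reopen(self) -> None:
        self.jar.clear()


def simulate(restore_tabs: bool, idle_seconds: float, explicit_logout: bool = False) -> Optional[str]:
    """Log in, close the browser, wait, reopen, and ask the server who is logged in."""
    clock = FakeClock()
    server = SessionStore(clock=clock)
    browser = RestoringBrowser() if restore_tabs else NormalBrowser()
    browser.jar[COOKIE] = server.login("alice")
    if explicit_logout:
        server.logout(browser.jar[COOKIE])  # what a real logout link must do server-side
    browser.close_and_reopen()
    clock.advance(idle_seconds)
    token = browser.jar.get(COOKIE)
    return server.authenticate(token) if token else None


def absolute_cap(step: float = 600) -> float:
    """Keep the session active every `step` seconds and return the clock value at
    which the absolute timeout rejects it despite continuous activity."""
    clock = FakeClock()
    server = SessionStore(clock=clock)
    token = server.login("alice")
    while True:
        clock.advance(step)
        if server.authenticate(token) is None:
            return clock.t


if __name__ == "__main__":
    print("restore, 5 min idle:   ", simulate(True, 300))        # alice
    print("restore, 25 min idle:  ", simulate(True, 1500))       # None
    print("no restore, 5 min idle:", simulate(False, 300))       # None
    print("restore after logout:  ", simulate(True, 300, True))  # None
    print("absolute cap hit at:   ", absolute_cap())             # 29400.0
```

The first case reproduces what the thread observes: with session restore, a reopened browser within the idle window is still logged in, and nothing the server does with cookie flags changes that. The remaining cases show the controls that do work from the server side: a short idle timeout, an absolute lifetime that cannot be extended by activity, and an explicit logout that deletes the server-side record so a restored cookie is worthless.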


Author

Commented:
Thank you, I believe that this is a bug that should be reported to Adobe.