Solved

How do I keep Firefox from reopening logged-in sessions?

Posted on 2009-02-10
Medium Priority
491 Views
Last Modified: 2013-12-07
Hello, this is concerning Firefox 3.0.6.

Firefox has three options for startup: you can either start up on your homepage, on a blank page, or on the page you were at last.

I have a password-protected section of a website written in ColdFusion. When the user closes their browser, I want to clear their session, so that when they start up again, they have to log in again.

I use J2EE session variables to facilitate this (set in the CF Administrator). J2EE session vars are supposed to be cleared whenever the user closes the browser (according to ColdFusion documentation).

This works fine if Firefox is set to start up on a homepage or blank page. But if you have "show my windows and tabs from last time" selected, you jump right to the password-protected part without any login!

This is a big security hole, can anyone help?

Thank you!!
Question by:masterorb
14 Comments
 
LVL 27

Expert Comment

by:azadisaryev
ID: 23598923
does this happen only until session expiration timeout is reached (sessions in server memory do not expire until the session timeout period after the last request to the server), or does it happen after that as well?

Author Comment

by:masterorb
ID: 23598960
At least until session timeout is reached. I have not checked later.

Session timeout is 20 minutes. Does this mean that it is not possible to keep the user locked out of the system until those 20 minutes are over? I thought J2EE variables in CF fixed that problem (of logins remaining persistent once user closes browser).
LVL 36

Expert Comment

by:SidFishes
ID: 23600678
I suspect that it's an issue with your code rather than the session (sorry ;)

if you are exclusively using jsessionids, they -will- be destroyed on browser close. Doesn't matter which browser. How are you determining existence of the session? Where are you checking for it?


Author Comment

by:masterorb
ID: 23602579
When it comes to jsessionids, the only thing I am doing to use them is checking the "J2EE" box in the ColdFusion administrator. Do I need to do something else to use them "exclusively"?

As to determining existence of a session, this is a login session and I handle it with a login scheme using the <cflogin> tag at the start of each page.

Does it matter that, when the user logs in, I name the login fields "Form.username" and "Form.password" instead of "Form.j_username" and "Form.j_password" ?
LVL 36

Expert Comment

by:SidFishes
ID: 23602790
set

clientmanagement="no"
setclientcookies="no"

in application.cfm so that cfid and cftoken are not set at all

cflogin does -not- use jsessionids so you won't have session end on browser close functionality unless you build it in

might want to read this

http://www.coldfusionjedi.com/index.cfm/2009/1/1/Ask-a-Jedi-cflogout-session-variables-and-the-back-button


Author Comment

by:masterorb
ID: 23648985
I hate <cflogin>. When I next roll over through the code, I will stop using it.

I set clientmanagement="no" and setclientcookies="no". Same problem. I'm wary of doing it anyway since I use client vars to save logins.

But anyway, same issue with Firefox. Any other ideas?

LVL 36

Expert Comment

by:SidFishes
ID: 23651176
have you tried adding the idletimeout attribute to the cflogin tag?

ie:
idletimeout="300"


Author Comment

by:masterorb
ID: 23668630
Yes, I have

<cflogin idletimeout="1200">
LVL 36

Expert Comment

by:SidFishes
ID: 23672588
<cflogin idletimeout="1200"> will give you a sessiontimeout of 20 minutes. So if you close and reopen the browser within 20 minutes the session will still be active irrespective of browser close (remember cflogin does -not- use jsessionids)

set the idletimeout to 300 which will log out after 5 minutes of inactivity

Author Comment

by:masterorb
ID: 23906956
Thanks, I just want to make completely sure:

if I use <cflogin>, then I do --not-- use jsessionids, then there is --no-- way to automatically logout on browser close?

This problem has been bugging me in one form or another for 2 years.
LVL 36

Expert Comment

by:SidFishes
ID: 23914270
I was about to say there is no way.. but

"When you use the cfloginuser tag within a cflogin tag, ColdFusion stores a login token in a memory-only browser cookie. Therefore, to use the cflogin tag to check for an authenticated user, the user must enable memory-only cookies in the browser. The login cookie does not lasts after the user closes the browser. "

http://livedocs.adobe.com/coldfusion/6/Developing_ColdFusion_MX_Applications_with_CFML/appSecurity4.htm

so that might be what you are looking for?

Author Comment

by:masterorb
ID: 23921473
the problem here is this sentence:

"The login cookie does not lasts after the user closes the browser. "

In addition to the fact that it's clear that the ColdFusion people don't care enough to proofread their documentation, it says right there: the cookie does not last. So why is it lasting?

And do you know how I tell if I have memory-only cookies enabled?
LVL 27

Accepted Solution

by:azadisaryev (earned 2000 total points)
ID: 23925631
If your browser accepts cookies, then memory cookies are enabled - they are the same cookies as any other, but they are not written to disk as a file and only exist in the browser's memory.

I have just tested some old code I had using J2EE sessions and the cflogin framework, and sure enough, if I set my FF to start with previously opened windows and tabs, all the secured pages just open up without requiring login...

I believe this is a feature of FF and how it implements it. It seems to persist all cookies, memory-only or not, circumventing any effort on your part to use non-persistent cookies...

I am not aware (yet) of anything that can be done on your part to prevent this...

Azadi
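Gathering the recommendations from earlier in the thread into one Application.cfm, as an added example that is not code from the thread or from Adobe: clientmanagement and setclientcookies off, a short cflogin idletimeout, and an explicit logout handler, because a restored Firefox window brings the memory-only login cookie back and only the server-side timeout bounds how long that restored session stays usable. It assumes login.cfm is a form that posts username and password back to the page the user asked for, and authenticateUser is a hypothetical function standing in for your own user store.

```cfml
<!--- Application.cfm: added example assembling the thread's suggestions, not code from the thread.
      The login token lives in a memory-only cookie that Firefox's session restore brings back,
      so the server-side idletimeout, not browser close, bounds how long a restored session works. --->
<cfapplication name="protectedSite"
    sessionmanagement="yes"
    clientmanagement="no"
    setclientcookies="no"
    sessiontimeout="#createTimeSpan(0, 0, 20, 0)#">

<!--- Explicit logout link (e.g. index.cfm?logout=1): clear the login token, the CF session
      scope and, because the question uses J2EE sessions, the servlet container's session too --->
<cfif structKeyExists(url, "logout")>
    <cflogout>
    <cfset structClear(session)>
    <cfset getPageContext().getSession().invalidate()>
    <cflocation url="login.cfm" addtoken="no">
</cfif>

<!--- 300 seconds of inactivity, not 1200: a tab Firefox restored after a 5-minute break is
      sent back to the login form instead of straight into the protected pages --->
<cflogin idletimeout="300">
    <cfif structKeyExists(form, "username") and structKeyExists(form, "password")>
        <!--- authenticateUser is a hypothetical lookup that returns the user's roles,
              or an empty string when the credentials are wrong --->
        <cfset roles = authenticateUser(form.username, form.password)>
        <cfif len(trim(roles))>
            <cfloginuser name="#form.username#" password="#form.password#" roles="#roles#">
        </cfif>
    </cfif>
    <!--- Still nobody logged in: show the form and stop rendering the requested page --->
    <cfif not isUserLoggedIn()>
        <cfinclude template="login.cfm">
        <cfabort>
    </cfif>
</cflogin>
```

Shortening idletimeout narrows the window but does not close it: a window restored within five minutes of the last request is still logged in, exactly as the accepted answer describes.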

Author Closing Comment

by:masterorb
ID: 31544933
Thank you, I believe that this is a bug that should be reported to Adobe.