rarid122481


How do I clear session and application variables in ColdFusion 8 when a user browses to another website or pushes the "back" button until she leaves the site completely?

How do I clear session and application variables in ColdFusion 8 when a user browses to another website or pushes the "back" button until she leaves my website completely? I have tried several methods but I'm sure my code is not correct in the application.cfc file. I tried the structClear(session) method in the "onApplicationStart" function with no luck. Any help at all would be great. Thanks
duncancumming

onApplicationStart fires once, and that's when the application starts.  i.e. if you restart your CF server, onApplicationStart would fire at the next .cfm request.  Then it wouldn't fire again until the next time you restart CF server.  

Take a look at onSessionEnd instead.  This method fires automatically when a user's session times out.  However I'm not sure that's what you want to do... it's very hard to determine when a user leaves your site.
http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=AppEvents_11.html


rarid122481

ASKER

Is there a way to capture whether the user browses to another site with javascript or something similar?
Not that I know of.  Ray Camden and Ben Nadel are probably the two best CF bloggers to read up on this sort of stuff.

gdemaria
You do not want to clear application variables when a user navigates away.   Application scoped variables are shared by all users.  If you clear them, you clear them for everyone.

The session variables will automatically clear after the session timeout period has passed.    Once the user navigates away from the site, the session will count down the timeout.

If you really need to clear the session variable navigating away from the site, you would have to track the move via javascript and then use ajax to contact the server.  Alternatively, you could clear the CFID and CFTOKEN cookies using javascript, that would orphan the session...

What is your objective?  Perhaps we approach it from what you are trying to accomplish...




Once a user logs in, their data is displayed using a session variable called providerid. I don't want the user to be able to leave the site and then come back in and still be logged in before the timeout period has expired. I have the app set up already so that when they aren't authenticated they are redirected to the login page. I want their permissions to expire instantaneously once they browse to another website. I do not know how to code this using ajax or javascript.
I've read up on this a bit more and see that even on unload (which actually fires at the end of every page) there is no way to know where the user is going next. This is built into the browsers for privacy, you can't tell if they are going to your page or another site.

So, the only way to do this is not at all desirable. Putting a variable on your URL (in every link and every form post) so you have some type of hash or identifier that corresponds with the user's current session. But NOT the session ID itself for security reasons. If the user leaves the site and navigates back to the site the hash would no longer be on the URL and then you can force the session to end on that validation test. But if the user clicks the BACK button to return to your site, the hash would still be on your URL and it will not end the session.

This method would also make bookmarking the pages of your site impossible because the hash saved in the bookmark would be invalid when returning later.

In short, a lot of work/code for an unreliable solution.
Ok. So your first recommendation would not work? Clearing the CFID and CFTOKEN cookies using javascript, that would orphan the session?
It would orphan the session, however, the problem is how do you know when to do it?

You cannot detect when the user is leaving the site, so you cannot know when to clear the cookies.

Therefore, although you can orphan the session, you can't tell when to do it..
Ok, one more thing. Someone mentioned possibly adding a structDelete(session) in the onRequestStart method in the application.cfc using a HTTP REFER CGI variable. If the URL is not my website it could clear the session. Would this be possible and if so how can I code that?
The structure delete would certainly clear the session variables as you'd like them to. The problem is still when to execute that statement.

OnRequestStart fires at the beginning of a page request , but at the beginning of a request OF YOUR SITE.   It cannot fire when loading the page of a different domain, because, well, it's not your website.  You can't run code on your website when another website is loading in the user's browser.

Using the cgi referrer variable tells you where the user came from, not where he is going (leaving).  So you know how the user got to you, you don't know where he's going when he leaves...

That makes sense. So then since the http refer tells where he is coming from, having the session cleared if that URL isn't my site sounds like it would work since it is loaded when the user browses and loads a page on my site. If the user leaves my site and then comes back, and a session is still live in the browser from the previous visit, the onRequestStart is fired on the request of my site page and it seems that it would clear the session. Or I must still be missing something.
Right, I didn't think of it that way. You can kill the session when returning to your page instead of when leaving. You can't end the session when they leave, but you can end the session when they return. Depending on your intent, I guess that could be the same thing (or close enough).

That wouldn't really help you when they click the BACK button though.

If you do it this way, you don't have to do anything so drastic as clear the CFID and CFTOKEN, you could simply change your variables to log them out or clear the session variables.  
Alright, well that's good enough for me. I'll deal with the back button issue later. Up to this point I'm not sure how to code the onRequestStart function using the HTTP REFER cgi in this way. Could you possibly give me some example code?
Sure.. you need to be using application.cfc (instead of application.cfm)

If you're using application.cfm, you just put the CFIF into your application.cfm file (without the onrequeststart function)

cgi.HTTP_REFERER  - contains the full path of the URL before your page
   ( http://www.google.com/?q=good+%20%Stuff&sdlfk=1&that=dskl )

cgi.HTTP_HOST - contains the domain name on your page
   ( www.mySite.com  or   mySite.com   or   admin.mySite.com  )

So it's testing if the referrer contains your current domain...

Note that if you have different subdomains on your site  (admin.mySite.com and www.mySite.com ) this code will cause the user to login between subdomains and would have to be tweaked..


 <cffunction name="onRequestStart" returnType="boolean" output="Yes">
   <cfargument name="requestname" required=true/>
 
   <!--- Log the user out when the referring URL does not contain this site's host name --->
   <cfif NOT cgi.HTTP_REFERER contains cgi.HTTP_HOST>
      <cfset session.loggedIn = false>
   </cfif>
  
 </cffunction>


Cool. Looks like we're getting there. So does this code need a <cfreturn> tag? If so, what does it return? the requestname? I tried that as well but I'm still getting this error...

The value returned from the onRequestStart function is not of type boolean.

If the component name is specified as a return type, its possible that a definition file for the component cannot be found or is not accessible.
ASKER CERTIFIED SOLUTION
gdemaria

Yes! It worked when I used structClear(session) instead of . For some reason ColdFusion didn't recognize the loggedIn portion. Thank you very much for your help.

<cfset session.loggedIn = false>

This was intended to be an example, just trying to mimic whatever variables you actually use in your session that would log-off the user...

 There is no predefined loggedIn variable..


Glad you're all set !
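
An added example, not code posted by anyone in this thread: a variant of the Referer check discussed above that compares whole host names instead of using `contains`, and returns the boolean that `returnType="boolean"` requires. It assumes the login marker is the `session.providerid` variable named in the question; the argument name `targetPage` is a choice made here.

```cfml
<cffunction name="onRequestStart" returnType="boolean" output="false">
  <cfargument name="targetPage" type="string" required="true">

  <!--- Host part of our own address, without any :port suffix --->
  <cfset var myHost = listFirst(cgi.HTTP_HOST, ":")>
  <!--- Host part of the Referer; stays empty if the header is missing or not http(s) --->
  <cfset var refHost = "">

  <cfif reFindNoCase("^https?://[^/:?]+", cgi.HTTP_REFERER)>
    <cfset refHost = reReplaceNoCase(cgi.HTTP_REFERER, "^https?://([^/:?]+).*$", "\1")>
  </cfif>

  <!--- Compare whole host names. A substring test ("contains") also passes
        when our host name merely appears in another site's path or query. --->
  <cfif structKeyExists(session, "providerid") AND compareNoCase(refHost, myHost) NEQ 0>
    <!--- Remove only the login marker; structClear(session) would also drop
          CFID/CFTOKEN/SESSIONID, which ColdFusion keeps in the session scope. --->
    <cfset structDelete(session, "providerid")>
  </cfif>

  <!--- returnType="boolean" requires an explicit return; true lets the request proceed --->
  <cfreturn true>
</cffunction>
```

The Referer header is supplied by the browser and is empty for typed URLs, bookmarks and some privacy settings, so this version treats a missing Referer as an off-site arrival and logs those users out. It is a convenience logout rather than an access control; the session timeout remains the actual bound on how long a login lasts.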