Solved

How do I clear session and application variables in Coldfusion 8 when a user browses to another website or pushes the "back" button until she leaves the site completely?

Posted on 2009-04-03
Last Modified: 2013-12-24
How do I clear session and application variables in ColdFusion 8 when a user browses to another website or pushes the "back" button until she leaves my website completely? I have tried several methods but I'm sure my code is not correct in the application.cfc file. I tried the structClear(session) method in the "onApplicationStart" function with no luck. Any help at all would be great. Thanks
Question by:rarid122481
 
LVL 16

Expert Comment

by:duncancumming
onApplicationStart fires once, and that's when the application starts.  i.e. if you restart your CF server, onApplicationStart would fire at the next .cfm request.  Then it wouldn't fire again until the next time you restart CF server.  

Take a look at onSessionEnd instead.  This method fires automatically when a user's session times out.  However I'm not sure that's what you want to do... it's very hard to determine when a user leaves your site.
http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=AppEvents_11.html


0
 

Author Comment

by:rarid122481
Is there a way to capture whether the user browses to another site with javascript or something similar?
0
 
LVL 16

Expert Comment

by:duncancumming
Not that I know of.  Ray Camden and Ben Nadel are probably the two best CF bloggers to read up on this sort of stuff.

0
 
LVL 39

Expert Comment

by:gdemaria
You do not want to clear application variables when a user navigates away.   Application scoped variables are shared by all users.  If you clear them, you clear them for everyone.

The session variables will automatically clear after the session timeout period has passed.    Once the user navigates away from the site, the session will count down the timeout.

If you really need to clear the session variable navigating away from the site, you would have to track the move via javascript and then use ajax to contact the server.  Alternatively, you could clear the CFID and CFTOKEN cookies using javascript, that would orphan the session...

What is your objective?  Perhaps we approach it from what you are trying to accomplish...




0
 

Author Comment

by:rarid122481
Once a user logs in, their data is displayed using a session variable called providerid. I don't want the user to be able to leave the site and then come back in and still be logged in before the timeout period has expired. I have the app set up already so that when they aren't authenticated they are redirected to the login page. I want their permissions to expire instantaneously once they browse to another website. I do not know how to code this using ajax or javascript.
0
 
LVL 39

Expert Comment

by:gdemaria
I've read up on this a bit more and see that even on unload (which actually fires at the end of every page) there is no way to know where the user is going next. This is built into the browsers for privacy, you can't tell if they are going to your page or another site.

So, the only way to do this is not at all desirable. Putting a variable on your URL (in every link and every form post) so you have some type of hash or identifier that corresponds with the user's current session. But NOT the session ID itself for security reasons. If the user leaves the site and navigates back to the site the hash would no longer be on the URL and then you can force the session to end on that validation test. But if the user clicks BACK button to return to your site, the hash would still be on your URL and it will not end the session.

This method would also make bookmarking the pages of your site impossible because the hash saved in the bookmark would be invalid when returning later.

In short,  a lot of work/code for an unreliable solution
0
 

Author Comment

by:rarid122481
Ok. So your first recommendation would not work? Clearing the CFID and CFTOKEN cookies using javascript, that would orphan the session?
0
 
LVL 39

Expert Comment

by:gdemaria
It would orphan the session, however, the problem is how do you know when to do it?

You cannot detect when the user is leaving the site, so you cannot know when to clear the cookies.

Therefore, although you can orphan the session, you can't tell when to do it..
0
 

Author Comment

by:rarid122481
Ok one more thing. Someone mentioned possibly adding a structDelete(session) in the onRequestStart method in the application.cfc using a HTTP REFER CGI variable. If the url is not my website it could clear the session. Would this be possible and if so how can I code that?
0

 
LVL 39

Expert Comment

by:gdemaria
the structure delete would certainly clear the session variables as you'd like them to.   The problem is still when to execute that statement.

OnRequestStart fires at the beginning of a page request , but at the beginning of a request OF YOUR SITE.   It cannot fire when loading the page of a different domain, because, well, it's not your website.  You can't run code on your website when another website is loading in the user's browser.

Using the cgi referrer variable tells you where the user came from, not where he is going (leaving).  So you know how the user got to you, you don't know where he's going when he leaves...

0
 

Author Comment

by:rarid122481
That makes sense. So then since the http refer tells where he is coming from, having the session cleared if that url isn't my site sounds like it would work since it is loaded when the user browses and loads a page on my site. If the user leaves my site and then comes back, and a session is still live in the browser from the previous visit, the onRequestStart is fired on the request of my site page and it seems that it would clear the session. Or I must still be missing something.
0
 
LVL 39

Expert Comment

by:gdemaria
Right, I didn't think of it that way. You can kill the session when returning to your page instead of when leaving. You can't end the session when they leave, but you can end the session when they return. Depending on your intent, I guess that could be the same thing (or close enough).

That wouldn't really help you when they click the BACK button though.

If you do it this way, you don't have to do anything so drastic as clear the CFID and CFTOKEN, you could simply change your variables to log them out or clear the session variables.  
0
 

Author Comment

by:rarid122481
Alright, well that's good enough for me. I'll deal with the back button issue later. Up to this point I'm not sure how to code the onRequestStart function using the HTTP REFER cgi in this way. Could you possibly give me some example code?
0
 
LVL 39

Expert Comment

by:gdemaria
sure.. you need to be using application.cfc (instead of application.cfm)

If you're using application.cfm, you just put the CFIF into your application.cfm file (without the onrequeststart function)

cgi.HTTP_REFERER  - contains the full path of the URL before your page
   ( http://www.google.com/?q=good+%20%Stuff&sdlfk=1&that=dskl )

cgi.HTTP_HOST - contains the domain name on your page
   ( www.mySite.com  or   mySite.com   or   admin.mySite.com  )

So it's testing if the referrer contains your current domain...

Note that if you have different subdomains on your site  (admin.mySite.com and www.mySite.com ) this code will cause the user to login between subdomains and would have to be tweaked..



 <cffunction name="onRequestStart" returnType="boolean" output="Yes">
    <cfargument name="requestname" required="true"/>
    <!--- The referrer does not contain this site's host name: the visitor arrived from elsewhere --->
    <cfif NOT cgi.HTTP_REFERER contains cgi.HTTP_HOST>
       <cfset session.loggedIn = false>
    </cfif>
 </cffunction>


0
 

Author Comment

by:rarid122481
Cool. Looks like we're getting there. So does this code need a <cfreturn> tag? If so, what does it return? the requestname? I tried that as well but I'm still getting this error...

The value returned from the onRequestStart function is not of type boolean.

If the component name is specified as a return type, its possible that a definition file for the component cannot be found or is not accessible.
0
 
LVL 39

Accepted Solution

by:
gdemaria earned 500 total points

 Boolean means true or false, so just return true...

  <cfreturn true>
0
 

Author Closing Comment

by:rarid122481
Yes! It worked when I used structClear(session) instead of . For some reason ColdFusion didn't recognize the loggedIn portion. Thank you very much for your help.



   
 
   
     
   
 
 
 
 
0
 
LVL 39

Expert Comment

by:gdemaria

<cfset session.loggedIn = false>

This was intended to be an example, just trying to mimic whatever variables you actually use in your session that would log-off the user...

 There is no predefined loggedIn variable..


Glad you're all set !
0
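
The referrer check the thread arrives at, written out as a complete `onRequestStart` (an added example, not code posted by anyone in the thread). It compares the parsed referrer host exactly instead of using `contains`, strips any port from `cgi.HTTP_HOST`, and covers the subdomain case; the `allowedHosts` values are placeholders and `providerid` is the session key named in the question.

```cfml
<!--- Added example for Application.cfc (CF8 tag syntax).
      allowedHosts holds placeholder names: list every host of your own site. --->
<cffunction name="onRequestStart" returnType="boolean" output="false">
   <cfargument name="targetPage" type="string" required="true">

   <cfset var allowedHosts = "www.mySite.com,admin.mySite.com">
   <cfset var pattern = "^https?://([^/?@:]+)(:[0-9]+)?([/?].*)?$">
   <cfset var refHost = "">
   <!--- HTTP_HOST can carry a port (host:8080); keep only the host name. --->
   <cfset var thisHost = listFirst(cgi.HTTP_HOST, ":")>

   <!--- Extract only the host part of the referrer. An empty or unparsable
         Referer leaves refHost empty, which counts as "arrived from elsewhere". --->
   <cfif reFindNoCase(pattern, cgi.HTTP_REFERER)>
      <cfset refHost = reReplaceNoCase(cgi.HTTP_REFERER, pattern, "\1")>
   </cfif>

   <!--- Exact host comparison, not "contains": a substring test also passes
         for an outside URL that merely mentions this host in its path or query. --->
   <cfif refHost NEQ thisHost AND NOT listFindNoCase(allowedHosts, refHost)>
      <!--- Remove the login key only. structClear(session), as used in the
            thread, also removes the built-in cfid/cftoken/urltoken entries. --->
      <cfset structDelete(session, "providerid")>
   </cfif>

   <!--- onRequestStart must return a boolean; true lets the request continue. --->
   <cfreturn true>
</cffunction>
```

The Referer header is supplied by the browser and may be missing or altered, so this is a convenience logout on top of the session timeout and the existing redirect for unauthenticated requests, not a replacement for them.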
