Solved

How do I clear session and application variables in Coldfusion 8 when a user browses to another website or pushes the "back" button until she leaves the site completely?

Posted on 2009-04-03
Last Modified: 2013-12-24
How do I clear session and application variables in ColdFusion 8 when a user browses to another website or pushes the "back" button until she leaves my website completely? I have tried several methods but I'm sure my code is not correct in application.cfc file. I tried the structClear(session) method in the "onApplicationStart" function with no luck. Any help at all would be great. Thanks
0
Question by:rarid122481
18 Comments
 
LVL 16

Expert Comment

by:duncancumming
ID: 24063925
onApplicationStart fires once, and that's when the application starts.  i.e. if you restart your CF server, onApplicationStart would fire at the next .cfm request.  Then it wouldn't fire again until the next time you restart CF server.  

Take a look at onSessionEnd instead.  This method fires automatically when a user's session times out.  However I'm not sure that's what you want to do... it's very hard to determine when a user leaves your site.
http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=AppEvents_11.html


0
 

Author Comment

by:rarid122481
ID: 24064036
Is there a way to capture whether the user browses to another site with javascript or something similar?
0
 
LVL 16

Expert Comment

by:duncancumming
ID: 24064175
Not that I know of.  Ray Camden and Ben Nadel are probably the two best CF bloggers to read up on this sort of stuff.

0

 
LVL 39

Expert Comment

by:gdemaria
ID: 24065729
You do not want to clear application variables when a user navigates away.   Application scoped variables are shared by all users.  If you clear them, you clear them for everyone.

The session variables will automatically clear after the session timeout period has passed.    Once the user navigates away from the site, the session will count down the timeout.

If you really need to clear the session variable navigating away from the site, you would have to track the move via javascript and then use ajax to contact the server.  Alternatively, you could clear the CFID and CFTOKEN cookies using javascript, that would orphan the session...

What is your objective?  Perhaps we approach it from what you are trying to accomplish...




0
 

Author Comment

by:rarid122481
ID: 24068448
Once a user logs in, their data is displayed using a session variable called providerid. I don't want the user to be able to leave the site and then come back in and still be logged in before the timeout period has expired. I have the app set up already to when they aren't authenticated they are redirected to the login page. I want their permissions to expire instantaneously once they browse to another website. I do not know how to code this using ajax or javascript.
0
 
LVL 39

Expert Comment

by:gdemaria
ID: 24068780
I've read up on this a bit more and see that even on unload (which actually fires at the end of every page) there is no way to know where the user is going next. This is built into the browsers for privacy, you can't tell if they are going to your page or another site.

So, the only way to do this is not at all desirable. Putting a variable on your URL (in every link and every form post) so you have some type of hash or identifier that corresponds with the user's current session. But NOT the session ID itself for security reasons. If the user leaves the site and navigates back to the site the hash would no longer be on the URL and then you can force the session to end on that validation test. But if the user clicks BACK button to return to your site, the hash would still be on your URL and it will not end the session.

This method would also make bookmarking the pages of your site impossible because the hash saved in the bookmark would be invalid when returning later.

In short,  a lot of work/code for an unreliable solution
0
 

Author Comment

by:rarid122481
ID: 24074059
Ok. So your first recommendation would not work? Clearing the CFID and CFTOKEN cookies using javascript, that would orphan the session?
0
 
LVL 39

Expert Comment

by:gdemaria
ID: 24074084
It would orphan the session, however, the problem is how do you know when to do it?

You cannot detect when the user is leaving the site, so you cannot know when to clear the cookies.

Therefore, although you can orphan the session, you can't tell when to do it..
0
 

Author Comment

by:rarid122481
ID: 24076785
Ok one more thing. Someone mentioned possibly adding a structDelete(session) in the onRequestStart method in the application.cfc using a HTTP REFER CGI variable. If the url is not my website it could clear the session. Would this be possible and if so how can I code that?
0
 
LVL 39

Expert Comment

by:gdemaria
ID: 24076899
the structure delete would certainly clear the session variables as you'd like them to.   The problem is still when to execute that statement.

OnRequestStart fires at the beginning of a page request , but at the beginning of a request OF YOUR SITE.   It cannot fire when loading the page of a different domain, because, well, it's not your website.  You can't run code on your website when another website is loading in the user's browser.

Using the cgi referrer variable tells you where the user came from, not where he is going (leaving).  So you know how the user got to you, you don't know where he's going when he leaves...

0
 

Author Comment

by:rarid122481
ID: 24077266
That makes sense. So then since the http refer tells where he is coming from, having the session cleared if that url isn't my site sounds like it would work since it is loaded when the user browses and loads a page on my site. If the user leaves my site and then comes back, and a session is still live in the browser from the previous visit, the onRequestStart is fired on the request of my site page and it seems that it would clear the session. Or I must still be missing something.
0
 
LVL 39

Expert Comment

by:gdemaria
ID: 24077415
Right, I didn't think of it that way. You can kill the session when returning to your page instead of when leaving. You can't end the session when they leave, but you can end the session when they return. Depending on your intent, I guess that could be the same thing (or close enough).

That wouldn't really help you when they click the BACK button though.

If you do it this way, you don't have to do anything so drastic as clear the CFID and CFTOKEN, you could simply change your variables to log them out or clear the session variables.  
0
 

Author Comment

by:rarid122481
ID: 24077435
Alright, well that's good enough for me. I'll deal with the back button issue later. Up to this point I'm not sure how to code the onRequestStart function using the HTTP REFER cgi in this way. Could you possibly give me some example code?
0
 
LVL 39

Expert Comment

by:gdemaria
ID: 24077563
sure.. you need to be using application.cfc (instead of application.cfm)  

If you're using application.cfm, you just put the CFIF into your application.cfm file (without the onrequeststart function)

cgi.HTTP_REFERER  - contains the full path of the URL before your page
   ( http://www.google.com/?q=good+%20%Stuff&sdlfk=1&that=dskl )

cgi.HTTP_HOST - contains the domain name on your page
   ( www.mySite.com  or   mySite.com   or   admin.mySite.com  )

So it's testing if the referrer contains your current domain...

Note that if you have different subdomains on your site  (admin.mySite.com and www.mySite.com ) this code will cause the user to login between subdomains and would have to be tweaked..


 <cffunction name="onRequestStart" returnType="boolean" output="Yes">
   <cfargument name="requestname" required="true"/>
 
   <!--- Referrer does not contain this site's host name: treat as arriving from outside --->
   <cfif NOT cgi.HTTP_REFERER contains cgi.HTTP_HOST>
      <cfset session.loggedIn = false>
   </cfif>
  
 </cffunction>


0
 

Author Comment

by:rarid122481
ID: 24077686
Cool. Looks like we're getting there. So does this code need a <cfreturn> tag? If so, what does it return? the requestname? I tried that as well but I'm still getting this error...

The value returned from the onRequestStart function is not of type boolean.

If the component name is specified as a return type, its possible that a definition file for the component cannot be found or is not accessible.
0
 
LVL 39

Accepted Solution

by:
gdemaria earned 2000 total points
ID: 24077723

 Boolean means true or false, so just return true...

  <cfreturn true>
0
 

Author Closing Comment

by:rarid122481
ID: 31566398
Yes! It worked when I used structClear(session) instead of . For some reason ColdFusion didn't recognize the loggedIn portion. Thank you very much for your help.



   
 
   
     
   
 
 
 
 
0
 
LVL 39

Expert Comment

by:gdemaria
ID: 24078031

<cfset session.loggedIn = false>

This was intended to be an example, just trying to mimic whatever variables you actually use in your session that would log-off the user...

 There is no predefined loggedIn variable..


Glad you're all set !
0
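
The referrer check discussed in this thread, written out as a complete Application.cfc (an added example, not code from any of the posters). It compares the referrer's host exactly against cgi.HTTP_HOST instead of using a substring test, so an outside URL that merely contains the site's name in its path or query string still counts as external, and a missing or unparsable Referer header, which the browser controls and may omit, is treated as an external arrival. The application name, the 20-minute timeout and the helper name refererIsSameHost are assumptions; providerid is the session key the asker describes.

```cfml
<cfcomponent output="false">
  <!--- Hypothetical application settings; adjust to the real application. --->
  <cfset this.name = "exampleApp">
  <cfset this.sessionManagement = true>
  <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>

  <!--- True only when the referrer parses as a URL whose host equals this
        request's host. Uses java.net.URL (assumes Java object creation is
        permitted on the server) rather than "contains" on the raw string. --->
  <cffunction name="refererIsSameHost" returnType="boolean" access="private" output="false">
    <cfargument name="referer" type="string" required="true">
    <cfargument name="host" type="string" required="true">
    <cfset var refHost = "">
    <cftry>
      <cfset refHost = createObject("java", "java.net.URL").init(arguments.referer).getHost()>
      <cfcatch type="any">
        <!--- Empty or malformed referrer: bookmark, typed URL, stripped header --->
        <cfreturn false>
      </cfcatch>
    </cftry>
    <!--- cgi.HTTP_HOST may carry a port (www.mySite.com:8080); compare host names only --->
    <cfreturn len(refHost) GT 0
              AND compareNoCase(refHost, listFirst(arguments.host, ":")) EQ 0>
  </cffunction>

  <cffunction name="onRequestStart" returnType="boolean" output="false">
    <cfargument name="targetPage" type="string" required="true">

    <!--- Arrived from outside this host: drop the login marker so the
          existing "not authenticated" redirect sends the user to the login page.
          Only the application's own key is removed. --->
    <cfif NOT refererIsSameHost(cgi.HTTP_REFERER, cgi.HTTP_HOST)>
      <cfset structDelete(session, "providerid")>
    </cfif>

    <!--- onRequestStart is declared boolean, so it must return a value --->
    <cfreturn true>
  </cffunction>
</cfcomponent>
```

As noted in the thread, an exact host match means moving between subdomains (admin.mySite.com and www.mySite.com) logs the user out, and the BACK button case is not covered.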
