Little bit about coldfusion sessions and general logout code


Hello friends,

I just started working on ColdFusion, and I have some interesting stuffs, that I’d like to share with you.

For any web application, we normally use session for maintaining client’s login/logout activity. Sessions are created on server side, and each session will have some unique id (in ColdFusion, we have ‘sessionid’). It will alive for some time duration, so if successfully logged-in user requests another page during that time, then server will skip checking of authentication.

We’ll see how session and cookie plays roll in that duration. Server sends two variables to client’s browser. Normally it creates cookies, but if cookies are disabled in client’s browser, then it uses URL. Those two variables are CFID and CFTOKEN.

Now let’s do something interesting. Create one login page and one welcome page. Welcome page will only viewable if user successfully logged in. Now you login from one browser and see the cookies. Pass the same cookies in URL for welcome page from another browser or computer (e.g. welcome.cfm?CFID=35473&CFTOKEN=12004479). You’ll be able see welcome page without asking for login!

So those two variables were just a reference to identify your browser! But two most important thing that you shouldn’t forget ever!
1. If you are using any website that provides login (e.g. facebook, gmail) for your activity, then don’t forget to systematically logout from the website.
2. If you are developer then you should handle the sessions carefully.

In ColdFusion there are four standard cookies that are used for session management. More information is here.
So when we code for logout page, we normally remove the user’s session from server. There is an easy way to do this, and it is to use structDelete(session) function.
But it’ll remove the mapping of client’s browser and server. So in future it will not allow you or another user to login from the same browser.

So you should remove all the session items. You can delete all session items except the standard items (CFID, CFToken, URLToken, SessionID).

Here is the code that you might want to have in your logout.cfm page:

<cfsilent>
 <cflock scope=”Session” type=”Readonly” timeout=”20?>
 <cfset variables.sessionItems = “#StructKeyList(Session)#”>
 </cflock>
 <cfloop index=”ListElement” list=”#variables.sessionItems#”>
 <cfif listFindNoCase(“CFID,CFToken,URLToken,SessionID”, “#ListElement#”) is 0 >
 <cflock scope=”Session” type=”Exclusive” timeout=”20?>
 <cfset StructDelete(Session, “#ListElement#”)>
 </cflock>
 </cfif>
 </cfloop>
 <cflocation url=”login.cfm” addtoken=”false”>
</cfsilent>
Advertisements