In CF 10, how to force session to end when browser is closed


hofar...@houseoffusion.com

Jul 5, 2012, 8:26:52 AM
to ColdFusion Technical Talk

Anyone know how to force the session to end when the browser is closed when using CF 10? In the CF Administrator, go to "Server Settings" -->"Memory Variables" & scroll down to Session Cookie Settings. The Cookie Timeout setting seems to have complete control over the expires attribute for cfid, cftoken. You used to be able to force the session to end (when the browser was closed) by putting this in OnSessionStart: <cfset Cookie.cfid = SESSION.CFID> <cfset Cookie.cftoken = SESSION.CFToken>, which set the Expires attribute to: "When I close my browser". Does not seem to be the case anymore.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351827

hofar...@houseoffusion.com

Jul 4, 2012, 8:55:49 AM
to ColdFusion Technical Talk

If you do not set any expiry on a cookie it becomes a session cookie and
will die when the browser is closed, thus ending the user's session.
However, this will not kill the session on the server as that
requires something to be sent back to the server to tell it to kill the
session, such as the user logging out, so the session variables will simply
expire as normal; the user simply won't be able to reconnect to that session
again.
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351828

hofar...@houseoffusion.com

Jul 4, 2012, 5:28:34 PM
to ColdFusion Technical Talk

hofar...@houseoffusion.com

Jul 5, 2012, 5:55:43 PM
to ColdFusion Technical Talk

In CF 10 Administrator, go to "Server Settings" -->"Memory Variables" & scroll down to "Session Cookie Settings". The "Session Cookie Settings" have complete control over the expires attribute for cookie.CFID & cookie.CFToken. When you set them like this: <cfset Cookie.cfid = SESSION.CFID> <cfset Cookie.cftoken = SESSION.CFToken> in OnSessionStart, the expires date gets set to the value set in "Session Cookie Settings" (minimum setting is 2 minutes) & this setting cannot be turned off. I tried using 0 and -1 to see if that would disable it from setting the expires attribute (for Cookie.cftoken & cookie.CFToken), it did not. In previous versions of CF, if you did not set the expires attribute when you set cookie.CFID and cookie.CFToken, these cookies would expire when you closed the browser, this is no longer the case for cookie.CFID and cookie.CFToken.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351833

hofar...@houseoffusion.com

Jul 4, 2012, 6:09:32 PM
to ColdFusion Technical Talk

On Thu, Jul 5, 2012 at 2:26 PM, Byte Me wrote:
> Anyone know how to force the session to end when the browser is closed when using CF 10?

Strictly speaking that is impossible. The session will end a time X
after the last request.

What you can do is make sure the browser discards the cookie that is
used to associate requests to the session. The session on the server
does not disappear, the browser is just no longer associated with it.
The session will only disappear after the session timeout.
To do so, the easiest way is to enable J2EE session variables in your
Administrator.

Jochem


--
Jochem van Dieten
http://jochem.vandieten.net/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351834

hofar...@houseoffusion.com

Jul 4, 2012, 6:49:43 PM
to ColdFusion Technical Talk

> In CF 10 Administrator, go to "Server Settings" -->"Memory Variables" & scroll down to "Session Cookie Settings". The
> "Session Cookie Settings" have complete control over the expires attribute for cookie.CFID & cookie.CFToken. When
> you set them like this: <cfset Cookie.cfid = SESSION.CFID> <cfset Cookie.cftoken = SESSION.CFToken> in
> OnSessionStart, the expires date gets set to the value set in "Session Cookie Settings" (minimum setting is 2 minutes)
> & this setting cannot be turned off. I tried using 0 and -1 to see if that would disable it from setting the expires attribute
> (for Cookie.cftoken & cookie.CFToken), it did not. In previous versions of CF, if you did not set the expires attribute when
> you set cookie.CFID and cookie.CFToken, these cookies would expire when you closed the browser, this is no longer
> the case for cookie.CFID and cookie.CFToken.

You can still do this, but you have to tell CF not to set the cookies
itself in the first place.

That said, you'd be better off following Jochem's suggestion to use
J2EE sessions instead.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351836

hofar...@houseoffusion.com

Jul 5, 2012, 8:31:47 PM
to ColdFusion Technical Talk

Can't use j2ee session management, Hostek doesn't enable on my shared server.

<<You can still do this, but you have to tell CF not to set the cookies
itself in the first place>>
I assume you mean to set setClientCookies to no, which I'm already doing as it is part of the procedure for what I have been doing on CF7, then CF8 for the last 7 years. This procedure no longer works.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351837

hofar...@houseoffusion.com

Jul 5, 2012, 8:45:57 PM
to ColdFusion Technical Talk

<<What you can do is make sure the browser discards the cookie that is
used to associate requests to the session>>
Are you saying that you have a different way to do this than the way I've described above?

Yes, the session remains on the server until it times out, but CF 10 does not allow you to do what you have proposed. I did it in CF7 & 8 (never used 9) for the last 7 years. The procedure I have used for the last 7 years is a valid way to do this, I got it from the Web Application Construction Kit written by Ben Forta & others.

If you have been able to set the cfid & cftoken cookies to expire when the browser closes (with CF10), I would greatly appreciate it if you could pass along the procedure you used. I understand that people are trying to help, but has anyone actually used CF10 to verify the symptoms I've reported? thanks


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351838

hofar...@houseoffusion.com

Jul 4, 2012, 11:17:08 PM
to ColdFusion Technical Talk

I don't have CF10 installed to confirm, but have you tried re-setting
the cookies without an expires? (e.g. session cookies.)

<cfcookie name="CFTOKEN" value="#cookie.CFTOKEN#"/>
<cfcookie name="CFID" value="#cookie.CFID#"/>
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351839

hofar...@houseoffusion.com

Jul 6, 2012, 7:20:54 AM
to ColdFusion Technical Talk

Just tried your suggestion, but cfid & cftoken gets set with an expires time based on the "Session Cookie Settings" in the CF10 Administrator (minimum setting is 2 minutes) & that setting cannot be disabled & it cannot be overridden. However, that setting can be overridden by other cookies, such as <cfcookie name="myCookie" value="hello world">, which gets set with expires="When I close my browser".


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351840

hofar...@houseoffusion.com

Jul 5, 2012, 9:45:17 AM
to ColdFusion Technical Talk

> Just tried your suggestion, but cfid & cftoken gets set with an expires time based on the "Session Cookie Settings"
> in the CF10 Administrator (minimum setting is 2 minutes) & that setting cannot be disabled & it cannot be overridden.
> However, that setting can be overridden by other cookies, such as <cfcookie name="myCookie" value="hello world">,
> which gets set with expires="When I close my browser".

There's a checkbox in CF 10 which prevents you from manipulating
session cookies if checked. Uncheck it.

http://www.shilpikhariwal.com/2012/02/how-to-secure-coldfusion-session.html

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351841

hofar...@houseoffusion.com

Jul 6, 2012, 11:48:09 AM
to ColdFusion Technical Talk

OK, thanks, I will have to read up on this. What a pain it is to upgrade. Here's another link: http://help.adobe.com/en_US/ColdFusion/10.0/Developing/WSe61e35da8d3185183e145c0d1353e31f559-7ffc.html

I'm not sure why Adobe is still using Application.cfm in their examples, aren't they aware that this was replaced with Application.cfc in Coldfusion 7?


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351844

hofar...@houseoffusion.com

Jul 5, 2012, 2:00:19 PM
to ColdFusion Technical Talk

> I'm not sure why Adobe is still using Application.cfm in their examples, aren't they aware that this was replaced with
> Application.cfc in Coldfusion 7?

Lots of people still use Application.cfm, for various reasons.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351845

hofar...@houseoffusion.com

Jul 5, 2012, 2:28:08 PM
to ColdFusion Technical Talk

you also need to remember that most people who decide to learn CF do not
know OOP, and CFML was never originally intended for that audience, it
was supposed to be an easy to learn tag based language.
Not everyone wants to use CFC's
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351846

hofar...@houseoffusion.com

Jul 6, 2012, 4:27:29 PM
to ColdFusion Technical Talk

OK, finally figured it out through trial and error. Did not find (complete) documentation that explained how to do this. Set this in the Application.cfc (beneath the <cfcomponent> tag) <cfset THIS.sessioncookie.timeout = "-1" > and this will cause the cfid & cftoken cookies "Expires" attribute to be set to "When I close my browser". Note: if you are using a shared server & "Disable updating Coldfusion internal cookie using Coldfusion tags/functions" is checked, you can override it by putting <cfset THIS.sessioncookie.disableupdate=false> in the Application.cfc, which gives control back to you, otherwise cfid & cftoken will expire at whatever interval is set in CF Admin. In OnSessionStart, you can set the cookies like this: <cfcookie name="cfid" value="#SESSION.CFID#"> <cfcookie name="cftoken" value="#SESSION.CFToken#"> or like this: <cfset Cookie.cfid = SESSION.CFID> <cfset Cookie.cftoken = SESSION.CFToken>, just make sure you don’t use the expires attribute when setting them.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351847
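
One way to confirm what the server actually sends after a change like the one in the message above is to inspect the Set-Cookie response headers and classify CFID and CFTOKEN as browser-session or persistent cookies. This is an added example, not code from the thread; the header values and the function names are constructed for illustration. It only checks the browser side: as noted earlier in the thread, the server-side session still lives until its timeout.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SESSION_COOKIE_NAMES = {"cfid", "cftoken"}  # session identifiers named in the thread

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def lifetime(attrs, now):
    """'session' = dropped when the browser closes, 'persistent' = kept, 'deleted' = expired."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            return "persistent" if int(attrs["max-age"]) > 0 else "deleted"
        except ValueError:
            pass  # an unparsable Max-Age is ignored
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "session"  # an unparsable Expires is ignored
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return "persistent" if when > now else "deleted"
    return "session"

def audit(headers, now):
    """Return {cookie_name: lifetime} for the session-identifier cookies only."""
    result = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name.lower() in SESSION_COOKIE_NAMES:
            result[name.lower()] = lifetime(attrs, now)
    return result

# Constructed sample headers: expiry forced by the Administrator setting vs. no expiry.
NOW = datetime(2012, 7, 6, 16, 27, 29, tzinfo=timezone.utc)
BEFORE = ["CFID=1234; Expires=Fri, 06 Jul 2012 16:29:29 GMT; Path=/",
          "CFTOKEN=abcd; Expires=Fri, 06 Jul 2012 16:29:29 GMT; Path=/",
          "myCookie=hello world; Path=/"]
AFTER = ["CFID=1234; Path=/; HttpOnly", "CFTOKEN=abcd; Path=/; HttpOnly"]

if __name__ == "__main__":
    print("before:", audit(BEFORE, NOW))
    print("after: ", audit(AFTER, NOW))
```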

hofar...@houseoffusion.com

Jul 6, 2012, 7:09:12 PM
to ColdFusion Technical Talk

>you also need to remember that most people who decide to learn CF do not
>know OOP, and CFML was never originally intended for that audience, it
>was supposed to be an easy to learn tag based language.
>Not everyone wants to use CFC's

I suppose you're right. When I started using Coldfusion (version 7), I used CFC's. I never used/learned Application.cfm. The books I learned it from, Ben Forta's Web Application Construction Kit series, taught CFC's.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351848