6 Replies - 11506 Views - Last Post: 27 January 2011 - 09:16 AM

#1 midasxl

End All Coldfusion Session Variables

Posted 25 January 2011 - 08:32 AM

Hello and thanks for your time,

I am trying to kill all session variables in a ColdFusion application. Is the following code snippet all I need to do so? I understand this is a typical logout script, but what does it actually do? Do I have to specifically target the session variables that I want to end (i.e. session.userId, session.userType, etc.), or will this code block just kill everything?

I plan on this code running when a user clicks a logout button.

<cflock scope="Session" timeout="10" type="exclusive">
      <cfset structclear(session)>
</cflock>



Thanks for any info!

Peace!


Replies To: End All Coldfusion Session Variables

#2 Craig328

Re: End All Coldfusion Session Variables

Posted 25 January 2011 - 09:10 AM

The short answer is "yes". It will kill all values in that user's session scope...including the special session variables CFID, CFTOKEN and SESSIONID. That said, URLTOKEN persists...and from that you can still infer the CFID and CFTOKEN values. This means that although the values you had stored in the session scope are gone, the session itself still exists. This has implications for people considering using the onSessionend method in Application.cfc.

To be a little more neat about it, consider creating a struct for your user specific data (things you're probably storing in the session scope now individually), store those values in that struct, store that struct in the session scope and then when you log the user out, structClear just that struct from the session. For instance, in one of my apps, I create a "user" struct and drop their userID, userFirst, userLast, userEmail and so on into it...and then drop that into the session. This means that whenever I want to reference the userID, I'd do it by calling session.user.userid rather than session.userid. As an added bonus, this keeps all your user related session data in one place which can be very handy when using CFDUMP and/or debugging.

#3 midasxl

Re: End All Coldfusion Session Variables

Posted 25 January 2011 - 10:26 AM

Thank you for your response. It makes sense to me. I like the idea of clearing only the necessary user data rather than the entire session scope. It seems more "neat" as you said, and will probably help to improve performance. Speaking of performance, is StructClear thread safe? Do I need to enclose it in a cflock?

Thanks again!

#4 Craig328

Re: End All Coldfusion Session Variables

Posted 25 January 2011 - 02:10 PM

I've not heard anything about structClear not being safe to use. The entire issue with putting locks around session variables is an old one and I believe MX6.0 pretty much laid that one to rest. Used to be you'd need to lock the changing of a session variable value so that a second process didn't try and read it while you were setting it. Anymore, CF handles that on its own.

About the only condition I can think of where you might want to lock a session variable operation (or any shared scope variable, for that matter) is if your code checks for existence and then has a long create process if it doesn't exist. The theory is that you could have more than one operation run that code bit and have multiple threads tying up resources creating the variable.

But for deleting the struct in the session scope, you should be fine without locks.

#5 midasxl

Re: End All Coldfusion Session Variables

Posted 26 January 2011 - 07:52 AM

Very useful information, thanks!

While we are on the subject, I have been bouncing around the internet researching session variables and how they are set and destroyed using ColdFusion session management, and J2EE session management. My confusion lies with what actually happens to the session variables when a user logs out, and when a user simply closes the browser window.

Within my application I have the aforementioned logout button tied to the following logic:

<cflock scope="Session" timeout="10" type="exclusive">  
<cfset structclear(session)>  
</cflock> 



I have learned via this thread that <cflock> is probably not necessary so I will remove that.

I have read that you cannot force a session to end. That can only happen when the server times out or is shut down, correct? So structClear is simply removing the session variables from memory? The session remains but there's nothing in it?

What happens when a user does not use my logout button and simply closes the browser? I am not using J2EE session management, so my session variables do not expire when the browser is closed. Using ColdFusion session management allows the session variables to remain if the browser is simply closed.

I have found the following code, which is suggested as an addition to Application.cfc. There's no way to tell if a user closes the browser; the browser does not send anything to the server saying that it's closing. What if the user has multiple tabs open in a single browser?

The following code does not detect a browser close, it only ensures the two main CF cookies are not stored permanently on the user's machine. The cookies will expire on the user's machine on session end, but the browser does not let the server know when this happens.

<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
<cfset cfid_local = Cookie.CFID>
<cfset cftoken_local = Cookie.CFTOKEN>
<cfcookie name="CFID" value="#cfid_local#">
<cfcookie name="CFTOKEN" value="#cftoken_local#">
</cfif>



Any thoughts on this one? Am I doing enough with a simple structClear(session)? I feel like I should be doing more.

Thanks!!

#6 Craig328

Re: End All Coldfusion Session Variables

Posted 26 January 2011 - 02:13 PM

midasxl, on 26 January 2011 - 09:52 AM, said:

I have read that you cannot force a session to end. That can only happen when the server times out or is shut down, correct? So structClear is simply removing the session variables from memory? The session remains but there's nothing in it?


Yes, the session ends when it times out or if the user closes their browser. Your session vars SHOULD expire when you close your browser. This would depend largely on your browser's cookie setting though, I believe. The CF server sets a cookie on the user's browser that contains the CF session ID. This is what allows you to track sessions and tell the users apart. If the browser retains the cookie on closing and the user re-accesses your site before the session timeout occurs on the server, they could still be using their original session.

Multiple tabs are treated by CF session management as a single browser. That is, if you access your site on one browser tab and then close it, it would still be available if you accessed the site on another browser tab. The way to see this in action (if you have a Windows OS) is to go into Task Manager and look at the processes you have running. I prefer to use FF3 so this applies directly to that browser. Even if I have a ton of tabs open, I have just one instance of Firefox running and the CF session cookie is set per browser.

Quote

I have found the following code, which is suggested as an addition to Application.cfc. There's no way to tell if a user closes the browser; the browser does not send anything to the server saying that it's closing. What if the user has multiple tabs open in a single browser?

The following code does not detect a browser close, it only ensures the two main CF cookies are not stored permanently on the user's machine. The cookies will expire on the user's machine on session end, but the browser does not let the server know when this happens.

<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
<cfset cfid_local = Cookie.CFID>
<cfset cftoken_local = Cookie.CFTOKEN>
<cfcookie name="CFID" value="#cfid_local#">
<cfcookie name="CFTOKEN" value="#cftoken_local#">
</cfif>



Any thoughts on this one? Am I doing enough with a simple structClear(session)? I feel like I should be doing more.


That code block is kind of odd. It checks for the existence of both cookies, then it takes the values from each cookie and then resets the same cookies with the same values. In effect, it's doing squat as far as I can tell aside from perhaps resetting the session timeout maybe. I'm not sure on that but I can't think of any obvious benefit that code would lend as it is.

As for structClear(), yeah, that's probably entirely sufficient for what you're wanting to do. In fact, I'm not sure there's a "stronger" way of closing out the session (at least those parts of it you can control).

#7 midasxl

Re: End All Coldfusion Session Variables

Posted 27 January 2011 - 09:16 AM

Quote

That code block is kind of odd. It checks for the existence of both cookies, then it takes the values from each cookie and then resets the same cookies with the same values. In effect, it's doing squat as far as I can tell...


Yeah, I think you're right on that one. I think I'll use the following in the application.cfc instead...

<cfcookie name="CFID" value="empty" expires="NOW">
<cfcookie name="CFTOKEN" value="empty" expires="NOW">



That makes more sense to me.

Ok, you have answered many of my questions and concerns. I feel comfortable with my current application settings. Thanks for sharing your knowledge!

Peace!
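Added example, not code posted by anyone in this thread: one way to combine the two ideas discussed above, clearing a session.user struct (post #2) and expiring the CFID/CFTOKEN cookies (post #7), with a per-request check so an emptied session is treated as logged out. The application name, login.cfm and the "logout" form field are assumptions for illustration.

```cfml
<!--- Application.cfc: added example, not code from the thread.
      File names, the app name and the "logout" form field are assumptions. --->
<cfcomponent output="false">
    <cfset this.name = "exampleApp">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var page = listLast(arguments.targetPage, "/")>

        <!--- Logout button: accept it only as a POST, so a link or image
              tag on another site cannot log the user out. --->
        <cfif cgi.request_method EQ "POST" AND structKeyExists(form, "logout")>
            <cfset logoutUser()>
            <cflocation url="login.cfm" addtoken="no">
        </cfif>

        <!--- Every other page requires session.user, which only the login
              code creates. An emptied session is therefore unauthenticated
              even though it lives on until the timeout. --->
        <cfif page NEQ "login.cfm" AND NOT structKeyExists(session, "user")>
            <cflocation url="login.cfm" addtoken="no">
        </cfif>
        <cfreturn true>
    </cffunction>

    <cffunction name="logoutUser" access="private" returntype="void" output="false">
        <!--- Server side: remove the user struct (userID, userEmail, ...). --->
        <cfif structKeyExists(session, "user")>
            <cfset structClear(session.user)>
            <cfset structDelete(session, "user")>
        </cfif>
        <!--- Client side: expire the session cookies so the browser stops
              sending the old CFID/CFTOKEN; the next request starts a new session. --->
        <cfcookie name="CFID" value="" expires="now">
        <cfcookie name="CFTOKEN" value="" expires="now">
    </cffunction>
</cfcomponent>
```

addtoken="no" on cflocation keeps CFID and CFTOKEN out of the redirect URL, so the identifiers being retired do not end up in browser history or referrer headers.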