Session Timeout with code to run

Report · Jul 09, 2009

I have seen this problem asked and addressed on many other furums, but noone has come up with an answere, yet.

I'm trying to log a user out and end their session when they leave my site. How do I know when they leave my site? The only way I know of is to wait a few seconds and, if they don't make a request to the server, they're gone. Log them out.

I have tried simply making a <cfajaxproxy> call to a cfc that just resets their application.sessiontimeout to 5 seconds, but that doesn't work. The session doesn't time out. I need to log the user out and record the logout in a log on the server and a log file (Not my idea. It's the customer's requirement.) I can get the cfc that I call via the <cfajaxproxy> tag to execute the log entries and I could kill the session there, but I need to give the page time to refresh and see if the user requests a page from my site or an outside site. The problem is if I do these things in the cfc ad delay the execution with a counter or dlay loop, the page doesn't unload until the cfc call is finished. So, no matter how long the delay is, the session will already be wiped out bfore the next page loads.

It's the age-old problem of wanting to log out a user when they leave the site, but not having a way to know where the destination page is or the ability to delay a server action while the browser moves on to the next request. If I can get a delay to work, the user can request a page from my site and I can reset the session timeout before it ends. If they go to another site, the session tmes out and they get logged out.

Any help will be GREATLY appreciated. I've spent days on this.

Thanks,

CFGunny

Report · Jul 10, 2009

http://forums.adobe.com/thread/436228

Report · Jul 14, 2009

The solution that I have used is AJAX. I fire off an AJAX request to a coldfusion page that processes the logout. Fire off the AJAX request on Browser close. It fires off and starts processing. You no longer have to worry about it .

For example:

<html>
<head>
    <title>test</title>
    <script>
        function funcUnload(){
            var url = "http://www.yourwebsite.com/pageToClearSession.cfm";
            if (typeof XMLHttpRequest != "undefined") {
                req = new XMLHttpRequest();
            } else if (window.ActiveXObject) {
                req = new ActiveXObject("Microsoft.XMLHTTP");
            }
            req.open("GET", url, true);
        }
    </script>
</head>
<body onunload="javaScript:funcUnload();">
    Body Content Here
</body>
</html>

Report · Sep 19, 2012

I had forgotten all about this post. I know it's very old, but I thought I would post the real answer. The key was that I needed to determine if the user was leaving my site, not just unloading the current page, and log them out if htey left my site. That is actually not possible because there is no way to determine the URL that the browser is going to due to browser security restrictions, so I don't know if it's going to another page on my site or another site. It's a little more involved than just ending a session when the page unloads. I didn't want to log the user off or kill their session every time a page unloaded.

The answer was to write an "onUnload()" script that records the time of the unload and the user's session ID (I actually used our user ID and put it in the database), and write a scheduled task that checks all entries in the database against the current time and logs off any user that has a time greater than, say 30 seconds. In order to keep from logging off all users (running every two minutes with a max time of 30 seconds, all users will return), I wrote a script block in the onRequestStart function in Application.cfc that checks the database for a record for that user and, if the record exists, compares the time in the record to the current time (now()). If the difference is greater than 30 seconds, the record is flagged and, if still logged in, the user is logged out and forced to log in again. This ensures the user is logged out after thirty seconds, since the scheduled task only runs every two minutes. If the time is less than thirty seconds, the user continues without interferance. So, if the user is gone from the site for more than two minutes, the scheduled task takes care of the database and log-out actions. If the user is off-site for over thirty seconds, but less than two minutes, the script in the onRequestStart function does the work.

The thirty second time was a requirement of the customer and gives enough time for the next page to load, even if the user is on a slow network, but is short enough that the user probably didn't go to another site, first. This method also allows for the collection of detailed metrix including user, how often they visit, how long they stay (on each page and an agregate), what URL they came from, etc., as well as the normal on-site metrix like what pages they visited. These metrix became very important to the customer as it was a Federal Government organization and they have to justify their existance every year to get funding for the next year, part of which was my paycheck.

I apologize for not including the code, but I left that project about a year ago and don't have the code, any more. If I did it again, I would probably write it a little differently (cleaner and in CFScript), anyway. I hope this helps somebody.

Adobe Community

Session Timeout with code to run

1 Correct answer