Session Timeouts

Report · Dec 27, 2006

Hi,

I would like to know, if I set my sessions to timeout after 30 minutes will it timeout for each user after 'they' did no longer use the website, or, only 30 minutes after 'all users' stopped using the site?

If the answer is that it works for each user individually, then why many times when the user comes back after more than 30 minutes and they are still logged in?

<cfapplication name="Test"
clientmanagement="Yes"
sessionmanagement="Yes"
setclientcookies="Yes"
sessiontimeout="#CreateTimeSpan(0,0,30,0)#">

Any help will be greatly appreciated.

Report · Dec 27, 2006

session variables timeout after 'x' minutes (or hours or days) of inactivity per user.
application variables timeout after 'x' minutes (or hours or days) of inactivity for all users of an application.

if your session variables are persisting for longer than specified in your <cfapplication> tag, check the default setting in the CF Administrator. According to the docs, "The Administrator setting also overrides the sessionManagement attribute." (which means if they're set for 30 minutes in the <cfapplication> tag, but 2 hours in the administrator, they'll persist for 2 hours).

Report · Dec 27, 2006

I am afraid you are a bit wrong on this, CJ. If in CF Admin session timeout is set for 2 hours, and in your application.cfm session timeout is set for 30 min, your session will time out in 30 min. You just can't set session timeout to a larger value in your application.cfm than it is set in CF Admin.

Report · Dec 27, 2006

Azadi:

Yup. Thanks for the clarification. I was under the impression that the Admin settings always overrode the application-specific settings.

Found the following by digging deeper in the docs:

"You can also set the time-out period for session variables inside a specific application (thereby overruling the Administrator default setting) by setting the Application.cfc This.sessionTimeout variable or by using the cfapplication tag sessionTimeout attribute. However, you cannot set a time-out value for that is greater than the maximum session time-out value set on the Administrator Memory Variables page."

...which unfortunately means I don't have a good answer for the OP 😞

Report · Dec 28, 2006

> if I set my sessions to timeout after 30 minutes will it timeout for
> each user after 'they' did no longer use the website [for 30 minutes]

Yes. However, you have to set the application timeout and session timeout together. So add the attribute

applicationtimeout="#CreateTimeSpan(1,0,0,0)#"

Report · Dec 28, 2006

quote:

Originally posted by: BKBK
Yes. However, you have to set the application timeout and session timeout together. So add the attribute

applicationtimeout="#CreateTimeSpan(1,0,0,0)#"

Are you saying that 'sessiontimeout' will not work without also including 'applicationtimeout'?
Do they both need to be set to the same time?
If I missunderstood you, please explain.

Thanks

Report · Dec 28, 2006

Are you saying that 'sessiontimeout' will not work without also
including 'applicationtimeout'?

Not exactly. The session scope(s) are connected to the application
scope. Each applications has it own collection of sessions, so if and
when a application times out, all associated sessions do as well. So
without an application, no session.

But you do not necessarily need to define this application timeout in
the <cfapplication ...> tag, since there are default timeout time
periods defined in the cf administrator. So, if you do not define it,
you live with that default, 2 hours in a default CF configuration.

Report · Dec 28, 2006

>Each applications has it own collection of sessions, so if and
>when a application times out, all associated sessions do as well. So
>without an application, no session.

Does this mean that when the application timesout that all session variables are lost. That's not good because this will kill the sessions of all other logged in users. I just want to make sure that this particular user who has been idle for 30 minutes gets logged out.

Report · Dec 28, 2006

> Does this mean that when the application timesout that all session
> variables are lost. That's not good because this will kill the sessions
> of all other logged in users.

Shloime11, the words frighten more than they mean. Think, for a moment, of the suggestion of an application timeout of 1 day. It simply means the appication will time out if no one visits your site during a period of one day. If no one has visited the whole day, then there are no logged-in sessions to kill.

> I just want to make sure that this particular user who has
> been idle for 30 minutes gets logged out.

Add the applicationtimeout attribute and you should be all right.

Report · Dec 28, 2006

Does this mean that when the application timesout that all session
variables are lost. That's not good because this will kill the sessions
of all other logged in users. I just want to make sure that this
particular user who has been idle for 30 minutes gets logged out.

Yes when the Application times out all application and session data for
that application are lost. But the application timeout is not
associated with a single user but rather all users. For an application
to timeout, it must not receive any activity from any user for the given
amount of time. Thus in practice it should never timeout before
individual user sessions do, unless the timeouts are setup weirdly.

If one sets their application timeout to 20 seconds and their session
timeout to 2 days, they are probably not going to get desired behavior.
After 20 seconds of inactivity by all users, all application and
session data in memory for any and all users of the application will be
lost.

Individual session timeouts will occur when a user has not accessed a
given application within the period defined for sessions of that
application, 30 minutes in your case. It should be noted that this does
not necessarily "log out" a user if that takes some sort of action. At
the end of the life of a session, the CFIDE/CFTOKEN codes that identify
each user are invalidated and the session data simple ceases to exist in
memory.

If one wants/needs some sort of action to happen on this event, it is
now possible in the latest versions of CF. One can use an
application.cfc component and set up an onSessionEnd() function that
will fire when sessions timeout and do most any type of action desired.

Report · Dec 28, 2006

an application timeout is -generally- longer than a session timeout. so when/if the application does time out, it's a safe bet that all sessions have since timed out as well.

Report · Jan 05, 2007

I'm having the same problem on MX7 Enterprise. I have set sessiontimeout to 30 mins and applicationtimeout to 1 day. My server defaults are set as the same thing. My server maximums are set as 60 mins and 1 day respectively. But still my sessions consistently persists even after 70 mins of idle time.

I ran some tests with 10 second sessions and they consistently lasted for 19 seconds and sometimes more.

Does anyone have a solution?

Report · Jan 06, 2007

Do you have J2EE sessions turned on? Is there business in onSessionEnd? Is it locked code? Coldfusion might need extra time to run that or to clear up the session scope.

Report · Feb 01, 2007

In my scenario, BKBK, I do not have J2EE sessions turned on. I do not have an onSessionEnd defined. There are no locks.

I've written some code just to test these session lengths. I've tried sessions of 10 seconds, 20 seconds, 5 mins, 10 mins, 20 mins, 40 mins in an isolated environment. Yet, it is still very rare that the sessions expire when they should. Most (over 90% of them) last more than 50% longer than they should. I'm testing on MX 7 Enterprise (don't know if that makes a difference).

For the time being, I've resorted to implementing my own manual session timeouts but this isn't a great long term solution.

Here is my test code:

Report · Feb 03, 2007

What if you keep track of times in the application scope instead?

Adobe Community

Session Timeouts