> I just have to figure out how Coldfusion handles a logout due to the
> expiration of a session when tied to Login Storage, or expiration of
> Idletimeout, or closing the browser window. All three of these methods
> give me the same result. Only CFLogout does what it is supposed to.
> So obviously Coldfusion handles it differently than the other three.

The key principle is, Coldfusion does not execute the cflogin
tag as long as the user is logged in. And what does it mean for the
user to be logged in? It means the tag cfloginuser ran, plus
Coldfusion has not begun a new session, the current session has not
timed out and Coldfusion has not run the cflogout tag.

Coldfusion keeps track by creating a security context for
that client in memory. At every request, it compares what it has in
memory with what the client is passing to it. If there isn't a
match, it logs the user out.

Without the cflogout tag, telling when Coldfusion will log
the client out is not an exact science. In practice, with
loginStorage set to "session", Coldfusion stores login details in
the Session.cfauthorization variable and will use session cookies
to identify the client. If for whatever reason Coldfusion begins a
new session or the session cookies are erased or changed or the
current session expires, Coldfusion will log the user out. There
are other matters to take into account. One, if Coldfusion is
configured with ordinary (not J2EE) sessions, the browser may close
and reopen, and still maintain the same session. Two, the browser
may reopen a cached page rather than make a new request. Three,
even after a session has ended, Coldfusion might require up to
thirty seconds to delete the session variables.

Matters are straightforward with J2EE sessions and cflogout.
With J2EE sessions, if the browser closes and reopens, its next
request will get Coldfusion to start a new session. Coldfusion then
logs the client out. For either type of session management, the axe
falls when the browser opens a page containing the cflogout tag.
Coldfusion promptly logs the client out.

addendum: with loginStorage set to "session"
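
The behaviour described in the reply above, as an added example that is not part of the original post: an Application.cfc that sets loginStorage to "session", runs cfloginuser inside cflogin, ends the login explicitly with cflogout, and tells the browser not to cache protected pages. The application name, loginform.cfm, checkCredentials() and the demoUsers entry are assumptions made for the illustration.

```cfml
<!--- Application.cfc: added example, not from the original post.
      Assumed names: loginDemo, loginform.cfm, checkCredentials(), demoUsers. --->
<cfcomponent output="false">
    <cfset this.name = "loginDemo">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>
    <!--- Login details live in the Session scope and end with the session --->
    <cfset this.loginStorage = "session">

    <cffunction name="onRequestStart" returntype="boolean" output="true">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Stop the browser re-showing a cached protected page after logout --->
        <cfheader name="Cache-Control" value="no-store">
        <!--- Explicit logout: the one path that ends the login at once --->
        <cfif structKeyExists(form, "logout")>
            <cflogout>
        </cfif>
        <!--- This body runs only while no user is logged in --->
        <cflogin>
            <cfif isDefined("cflogin") and checkCredentials(cflogin.name, cflogin.password)>
                <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="user">
            <cfelse>
                <!--- loginform.cfm (assumed) posts j_username and j_password --->
                <cfinclude template="loginform.cfm">
                <cfabort>
            </cfif>
        </cflogin>
        <cfreturn true>
    </cffunction>

    <cffunction name="checkCredentials" access="private" returntype="boolean" output="false">
        <cfargument name="name" type="string" required="true">
        <cfargument name="password" type="string" required="true">
        <!--- Constructed stand-in for a real user-store lookup --->
        <cfset var demoUsers = { "alice" = "constructed-demo-password" }>
        <cfreturn structKeyExists(demoUsers, arguments.name) and compare(demoUsers[arguments.name], arguments.password) eq 0>
    </cffunction>
</cfcomponent>
```

Whether closing the browser also ends the session depends on the J2EE session setting in the ColdFusion Administrator, which this file does not control.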