Greetings
I have 3 distinct user types for my app: admins, appraisers and clients.
All have their own directories and each directory has its own Application.cfm:
1) <cfapplication name="appraiseri"
applicationtimeout="#CreateTimeSpan(0,2,0,0)#"
clientmanagement="Yes"
sessionmanagement="Yes"
sessiontimeout="#CreateTimeSpan(0,2,0,0)#"
SetClientCookies="Yes">
2) <cfapplication name="appraiserview" ......
3) <cfapplication name="clientview" .......
Each has their own login which simply uses their ID in the DB as the session variable.
login_do.cfm:
1) Appraisers: <CFIF auth_direct_appraiser.RecordCount NEQ 0>
<cfset Session.appraiser_user_id = auth_direct_appraiser.appraiser_ID>
<cfset Session.appraiser_fname = auth_direct_appraiser.appraiser_fname>
<cfset Session.appraiser_lname = auth_direct_appraiser.appraiser_lname>
</CFIF>
2) Admins: <cfset Session.user_id =auth_direct.staff_ID> ......
3) Clients: <cfset Session.processor_user_id =auth_direct_processor.processor_ID>
I have had a session persisting for a week now; I have no idea how to get rid of it, and if one simply hits the "login" submit button with no UN or PW, it runs a query on a client (the same one)?
My logout page is not working at all; if the code were correct, it would clear any session variable? I have not really set an app variable (except timeout) so no need to clear that?
Here is the code:
<CFLOCK SCOPE="Session" TYPE="Exclusive" TIMEOUT="60">
<!--- Take the key list first: deleting keys while looping over the Session struct itself is unsafe --->
<CFSET sessionKeys = StructKeyList(Session)>
<CFLOOP LIST="#sessionKeys#" INDEX="Key">
<!--- Keep the session identifiers ColdFusion manages, plus the app's own IveSeenIT flag --->
<CFIF NOT ListFindNoCase('IveSeenIT,CFID,CFTOKEN,SessionID,URLToken', Key)>
<CFSET StructDelete(Session, Key)>
</CFIF>
</CFLOOP>
</CFLOCK>
<SCRIPT LANGUAGE="JavaScript">
alert("You have been logged out from the XXXXX Intranet")
location.href='login.cfm';
</SCRIPT>
Any help would be appreciated; this is leaving a huge security gap in the app right now.
Thanks
It is unnecessary to delete session keys to invalidate them. With proper coding they should be invalidated once the session times out.
Sessiontimeout values are usually around half an hour and applicationtimeout values are usually of the order of 1 day. Also, one way to relate session to login is to use the loginStorage attribute. If you have no need for client management, switch it off.
Hence, for example,
<cfapplication name="appraiseri"
applicationtimeout="#CreateTimeSpan(1,0,0,0)#"
clientmanagement="no"
sessionmanagement="Yes"
sessiontimeout="#CreateTimeSpan(0,0,30,0)#"
SetClientCookies="Yes"
loginStorage="session">
I am assuming that, for login and logout pages, you will, ignoring the details, have something like
Login:
<cflogin>
<cfloginuser name = "some_name" password = "some_password" roles = "appraiser"/>
</cflogin>
Logout:
<cflogout>
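A fuller version of the Application.cfm, login and logout handling sketched in this reply, as an added example that is not code from either poster. The datasource, table and column names, the hashed-password column, and the j_username / j_password form fields that cflogin reads are assumptions for the example.

```cfml
<!--- Application.cfm for the appraiser directory: short session timeout,
      client management off, cflogin state stored in the session --->
<cfapplication name="appraiseri"
    applicationtimeout="#CreateTimeSpan(1,0,0,0)#"
    clientmanagement="no"
    sessionmanagement="yes"
    sessiontimeout="#CreateTimeSpan(0,0,30,0)#"
    setclientcookies="yes"
    loginStorage="session">

<!--- The cflogin body runs on every request until cfloginuser succeeds for this session.
      cflogin.name / cflogin.password come from form fields named j_username / j_password. --->
<cflogin>
    <cfif IsDefined("cflogin") AND Len(Trim(cflogin.name)) AND Len(Trim(cflogin.password))>
        <!--- Blank credentials never reach the query, so an empty submit cannot match a row.
              Datasource, table, column names and the SHA-256 hash column are assumptions. --->
        <cfquery name="auth_direct_appraiser" datasource="appraisal_dsn">
            SELECT appraiser_ID, appraiser_fname, appraiser_lname
            FROM appraisers
            WHERE appraiser_login = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
              AND appraiser_pwhash = <cfqueryparam value="#Hash(cflogin.password, 'SHA-256')#" cfsqltype="cf_sql_varchar">
        </cfquery>
        <cfif auth_direct_appraiser.RecordCount EQ 1>
            <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="appraiser">
            <cfset Session.appraiser_user_id = auth_direct_appraiser.appraiser_ID>
            <cfset Session.appraiser_fname = auth_direct_appraiser.appraiser_fname>
            <cfset Session.appraiser_lname = auth_direct_appraiser.appraiser_lname>
        <cfelse>
            <cfinclude template="login.cfm">
            <cfabort>
        </cfif>
    <cfelse>
        <!--- No credentials yet, or blank ones: show the form and stop --->
        <cfinclude template="login.cfm">
        <cfabort>
    </cfif>
</cflogin>

<!--- logout.cfm: end the cflogin session, then drop the app's own session keys --->
<cflogout>
<cflock scope="session" type="exclusive" timeout="10">
    <cfloop list="#StructKeyList(Session)#" index="key">
        <cfif NOT ListFindNoCase("CFID,CFTOKEN,SessionID,URLToken", key)>
            <cfset StructDelete(Session, key)>
        </cfif>
    </cfloop>
</cflock>
<cflocation url="login.cfm" addtoken="no">
```

login.cfm only needs a form with fields named j_username and j_password that posts back to any page in the directory; the cflogin block above then sees the credentials on that request.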