Greetings
I have 3 distinct user types for my app- admins, appraisers and clients.
All have their own directories and each directory has it's own Application.cfm:
1) <cfapplication name="appraiseri"
applicationtimeout="#CreateTimeSpan(0,2,0,0)#"
clientmanagement="Yes"
sessionmanagement="Yes"
sessiontimeout="#CreateTimeSpan(0,2,0,0)#"
SetClientCookies="Yes">
2) <cfapplication name="appraiserview" ......
3) <cfapplication name="clientview" .......
Each have their own login which simply uses their ID in the DB as the session variable.
login_do.cfm:
1) Appraisers: <CFIF auth_direct_appraiser.RecordCount NEQ 0 >
<cfset Session.appraiser_user_id =auth_direct_appraiser.appraiser_ID>
<cfset Session.appraiser_fname =auth_direct_appraiser.appraiser_fname>
<cfset Session.appraiser_lname =auth_direct_appraiser.appraiser_lname>
2) Admins: <cfset Session.user_id =auth_direct.staff_ID> ......
3) Clients: <cfset Session.processor_user_id =auth_direct_processor.processor_ID>
I have had a session persisting for a week now- I have no idea how to get rid of it, and if one simply hits the "login" submit button with no UN or PW, it runs a query on a client (the same one) ?
My logout page is not working at all- if the code were correct, it would clear any session variable? I have not really set an app variable (except timeout) so no need to clear that?
Here is the code:
<CFLOCK SCOPE="Session" TYPE="Exclusive" TIMEOUT="60">
<CFLOOP COLLECTION="#Session#" ITEM="Key">
<CFIF NOT ListFindNoCase('IveSeenIT', Key)>
<CFSET StructDelete(Session, Key)>
</CFIF>
</CFLOOP>
</CFLOCK>
<SCRIPT LANGUAGE="JavaScript">
alert("You have been logged out from the XXXXX Intranet")
location.href='login.cfm';
</SCRIPT>
Any help would be appreciated- this is leaving a huge security gap in the app right now.
Thanks
1
Reply
AdChoices