I am having a problem with automatically killing the session variable
upon browser close, IF there are other windows open.
Are you sure this is the actual problem? Can you describe exactly what
you are trying to achieve?
I ask because there is a common misunderstanding on how session data on
the server and the cfid/cftoken cookies on the client work. If you
have the cookies set as per-session that are lost when a browser is
closed, this does not actually delete any data on the server. It just
prevents that client from ever accessing the data again. The server
does not know the client has been closed and the cookies deleted. The
client does not provide this information to the server. So all the
server can do is wait for the designated timeout period to see if the
session data will be requested again with the correct id & token, then
it will delete the data.
On the other hand, if you are actually asking how per-session cookies
behave when browsers have multiple windows|tabs open, that I cannot
speak to, but I would imagine that it could be significantly different
from browser to browser.
technically, the session does not "die" even after you close the browser
window. the session only dies after it times out after the set timeout
period of no activity (set either in cf admin or in sessiontimeout
attribute of <cfapplication> in application.cfm or this.sessiontimeout
in application.cfc). even if you close all browser windows, the original
session will continue living until it times out.
even if you have other browser windows open, and you wait until the
session timeout, the session will expire.
The problem is with transient cookies. Transient cookies are cookies that are deleted when the browser is closed (and are what are sent when you use J2EE session management or the cfcookie tags you specify). Closing a window of the browser without quitting the program doesn't trigger the deletion of the transient cookies (because the browser itself is still open), therefore you can go back to the site where you think your session is deactivated, when in fact it's still alive and well (assuming you go back before the session timeout period passes).
The other posts regarding session timeout are 100% correct. The browser doesn't notify the server when it closes, so the server still needs to wait for the session to time out prior to deleting any session variables.
The only way around this would be to only use URL variables to track the session, not cookies.
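
The behaviour described across the replies above, as an added example that is not code from any of the posters and is not ColdFusion's implementation: a minimal Python model of a server-side session store with an idle timeout and a browser whose windows share one transient cookie. The class names, the 1200-second timeout and the sample user value are assumptions made for the illustration.

```python
import secrets

class SessionStore:
    """Server side: data lives until the idle timeout; the client never signals a close."""
    def __init__(self, timeout_s):
        self.timeout_s = timeout_s
        self.sessions = {}                     # token -> [last_access, data]

    def create(self, now):
        token = secrets.token_hex(16)
        self.sessions[token] = [now, {}]
        return token

    def get(self, token, now):
        self.sweep(now)
        entry = self.sessions.get(token)
        if entry is None:
            return None
        entry[0] = now                         # any request resets the idle timer
        return entry[1]

    def sweep(self, now):
        for token in [t for t, e in self.sessions.items() if now - e[0] >= self.timeout_s]:
            del self.sessions[token]
        return len(self.sessions)              # sessions still held on the server

class Browser:
    """Client side: one transient cookie jar shared by every window of the process."""
    def __init__(self):
        self.cookie, self.windows = None, 0
    def open_window(self):
        self.windows += 1
    def close_window(self):
        self.windows -= 1                      # jar untouched while the program runs
    def quit(self):
        self.windows, self.cookie = 0, None    # transient cookie dropped, server not told

def demo(timeout_s=1200):
    store, browser = SessionStore(timeout_s), Browser()
    browser.open_window(); browser.open_window()
    browser.cookie = store.create(now=0)
    store.get(browser.cookie, now=0)["user"] = "constructed-sample-user"
    browser.close_window()                     # one window closed, another still open
    still_logged_in = store.get(browser.cookie, now=60) is not None
    browser.quit()
    held_after_quit = store.sweep(now=120)     # server still stores the session
    held_after_timeout = store.sweep(now=60 + timeout_s)
    return still_logged_in, browser.cookie, held_after_quit, held_after_timeout

if __name__ == "__main__":
    print(demo())
```

The returned tuple shows the three states in order: the session is still usable after one window closes, the server still holds it after the browser quits and the cookie is gone, and it is only removed once the idle timeout has elapsed.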