This content has been marked as final. Show 3 replies
try adding timeout="#createtimespan()#" into <cflogin> tag. i remember doing it before, but can't remeber if it helped or not...
Actually I had already tried that and it doesn't work either. I just have to figure out how coldfusion handles a logout due to the expiration of a session when tied to Login Storage, or expiration of Idletimeout, or closing the browser window. All three of these methods give me the same result. Only CFLogout does what it is suppose to. So obviously Coldfusion handles it differently then the other three.
> I just have to figure out how coldfusion handles a logout due to the
> expiration of a session when tied to Login Storage, or expiration of
> Idletimeout, or closing the browser window. All three of these methods
> give me the same result. Only CFLogout does what it is suppose to.
> So obviously Coldfusion handles it differently then the other three.
The key principle is, Coldfusion does not execute the cflogin tag as long as the user is logged in. And what does it mean for the user to be logged in? It means the tag cfloginuser ran, plus Coldfusion has not begun a new session, the current session has not timed out and coldfusion has not run the cflogout tag.
Coldfusion keeps track by creating a security context for that client in memory. At every request, it compares what it has in memory with what the client is passing to it. If there isn't a match, it logs the user out.
Without the cflogout tag, telling when Coldfusion will log the client out is not an exact science. In practice, with loginStorage set to "session", Coldfusion stores login details in the Session.cfauthorization variable and will use session cookies to identify the client. If for whatever reason Coldfusion begins a new session or the session-cookies are erased or changed or the current session expires, Coldfusion will log the user out. There are other matters to take into account. One, if Coldfusion is configured with ordinary (not J2EE) sessions, the browser may close and reopen, and still maintain the same session. Two, the browser may reopen a cached page rather than make a new request. Three, even after a session has ended, Coldfusion might require up to thirty seconds to delete the session variables.
Matters are straightforward with J2EE sessions and cflogout. With J2EE sessions, if the browser closes and reopens, its next request will get Coldfusion to start a new session. Coldfusion then logs the client out. For either type of session management, the axe falls when the browser opens a page containing the cflogout tag. Coldfusion promptly logs the client out.
addendum: with loginStorage set to "session"