14 Replies Latest reply on Feb 3, 2007 10:44 AM by BKBK

    Session Timeouts

    shloime11
      Hi,

      I would like to know, if I set my sessions to timeout after 30 minutes will it timeout for each user after 'they' did no longer use the website, or, only 30 minutes after 'all users' stopped using the site?

      If the answer is that it works for each user individually, then why many times when the user comes back after more than 30 minutes and they are still logged in?

      <cfapplication name="Test"
      clientmanagement="Yes"
      sessionmanagement="Yes"
      setclientcookies="Yes"
      sessiontimeout="#CreateTimeSpan(0,0,30,0)#">

      Any help will be greatly appreciated.

        • 1. Re: Session Timeouts
          Charlie Griefer Level 1
          session variables timeout after 'x' minutes (or hours or days) of inactivity per user.
          application variables timeout after 'x' minutes (or hours or days) of inactivity for all users of an application.

          if your session variables are persisting for longer than specified in your <cfapplication> tag, check the default setting in the CF Administrator. According to the docs, "The Administrator setting also overrides the sessionManagement attribute." (which means if they're set for 30 minutes in the <cfapplication> tag, but 2 hours in the administrator, they'll persist for 2 hours).
          • 2. Re: Session Timeouts
            azadisaryev Level 1
            I am afraid you are a bit wrong on this, CJ. If in CF Admin session timeout is set for 2 hours, and in your application.cfm session timeout is set for 30 min, your session will time out in 30 min. You just can't set session timeout to a larger value in your application.cfm than it is set in CF Admin.
            • 3. Re: Session Timeouts
              Charlie Griefer Level 1
              Azadi:

              Yup. Thanks for the clarification. I was under the impression that the Admin settings always overrode the application-specific settings.

              Found the following by digging deeper in the docs:

              "You can also set the time-out period for session variables inside a specific application (thereby overruling the Administrator default setting) by setting the Application.cfc This.sessionTimeout variable or by using the cfapplication tag sessionTimeout attribute. However, you cannot set a time-out value for that is greater than the maximum session time-out value set on the Administrator Memory Variables page."

              ...which unfortunately means I don't have a good answer for the OP :(
              • 4. Re: Session Timeouts
                BKBK Adobe Community Professional & MVP
                > if I set my sessions to timeout after 30 minutes will it timeout for
                > each user after 'they' did no longer use the website [for 30 minutes]


                Yes. However, you have to set the application timeout and session timeout together. So add the attribute

                applicationtimeout="#CreateTimeSpan(1,0,0,0)#"




                • 5. Re: Session Timeouts
                  shloime11 Level 1
                  quote:

                  Originally posted by: BKBK
                  Yes. However, you have to set the application timeout and session timeout together. So add the attribute

                  applicationtimeout="#CreateTimeSpan(1,0,0,0)#"



                  Are you saying that 'sessiontimeout' will not work without also including 'applicationtimeout'?
                  Do they both need to be set to the same time?
                  If I misunderstood you, please explain.

                  Thanks
                  • 6. Re: Session Timeouts
                    Level 7
                    > Are you saying that 'sessiontimeout' will not work without also
                    > including 'applicationtimeout'?


                    Not exactly. The session scope(s) are connected to the application
                    scope. Each application has its own collection of sessions, so if and
                    when an application times out, all associated sessions do as well. So
                    without an application, no session.

                    But you do not necessarily need to define this application timeout in
                    the <cfapplication ...> tag, since there are default timeout time
                    periods defined in the cf administrator. So, if you do not define it,
                    you live with that default, 2 hours in a default CF configuration.
                    • 7. Re: Session Timeouts
                      shloime11 Level 1
                      >Each application has its own collection of sessions, so if and
                      >when an application times out, all associated sessions do as well. So
                      >without an application, no session.

                      Does this mean that when the application times out that all session variables are lost? That's not good because this will kill the sessions of all other logged in users. I just want to make sure that this particular user who has been idle for 30 minutes gets logged out.
                      • 8. Re: Session Timeouts
                        Level 7
                        > Does this mean that when the application times out that all session
                        > variables are lost? That's not good because this will kill the sessions
                        > of all other logged in users. I just want to make sure that this
                        > particular user who has been idle for 30 minutes gets logged out.


                        Yes when the Application times out all application and session data for
                        that application are lost. But the application timeout is not
                        associated with a single user but rather all users. For an application
                        to timeout, it must not receive any activity from any user for the given
                        amount of time. Thus in practice it should never timeout before
                        individual user sessions do, unless the timeouts are set up weirdly.

                        If one sets their application timeout to 20 seconds and their session
                        timeout to 2 days, they are probably not going to get desired behavior.
                        After 20 seconds of inactivity by all users, all application and
                        session data in memory for any and all users of the application will be
                        lost.

                        Individual session timeouts will occur when a user has not accessed a
                        given application within the period defined for sessions of that
                        application, 30 minutes in your case. It should be noted that this does
                        not necessarily "log out" a user if that takes some sort of action. At
                        the end of the life of a session, the CFIDE/CFTOKEN codes that identify
                        each user are invalidated and the session data simply ceases to exist in
                        memory.

                        If one wants/needs some sort of action to happen on this event, it is
                        now possible in the latest versions of CF. One can use an
                        application.cfc component and set up an onSessionEnd() function that
                        will fire when sessions timeout and do most any type of action desired.

                        • 9. Re: Session Timeouts
                          Charlie Griefer Level 1
                          an application timeout is -generally- longer than a session timeout. so when/if the application does time out, it's a safe bet that all sessions have since timed out as well.
                          • 10. Session Timeouts
                            BKBK Adobe Community Professional & MVP
                            > Does this mean that when the application times out that all session
                            > variables are lost? That's not good because this will kill the sessions
                            > of all other logged in users.


                            Shloime11, the words frighten more than they mean. Think, for a moment, of the suggestion of an application timeout of 1 day. It simply means the application will time out if no one visits your site during a period of one day. If no one has visited the whole day, then there are no logged-in sessions to kill.

                            > I just want to make sure that this particular user who has
                            > been idle for 30 minutes gets logged out.


                            Add the applicationtimeout attribute and you should be all right.




                            • 11. Re: Session Timeouts
                              Aboromo
                              I'm having the same problem on MX7 Enterprise. I have set sessiontimeout to 30 mins and applicationtimeout to 1 day. My server defaults are set as the same thing. My server maximums are set as 60 mins and 1 day respectively. But still my sessions consistently persist even after 70 mins of idle time.

                              I ran some tests with 10 second sessions and they consistently lasted for 19 seconds and sometimes more.

                              Does anyone have a solution?
                              • 12. Re: Session Timeouts
                                BKBK Adobe Community Professional & MVP
                                Do you have J2EE sessions turned on? Is there business in onSessionEnd? Is it locked code? ColdFusion might need extra time to run that or to clear up the session scope.





                                • 13. Re: Session Timeouts
                                  Aboromo Level 1
                                  In my scenario, BKBK, I do not have J2EE sessions turned on. I do not have an onSessionEnd defined. There are no locks.

                                  I've written some code just to test these session lengths. I've tried sessions of 10 seconds, 20 seconds, 5 mins, 10 mins, 20 mins, 40 mins in an isolated environment. Yet, it is still very rare that the sessions expire when they should. Most (over 90% of them) last more than 50% longer than they should. I'm testing on MX 7 Enterprise (don't know if that makes a difference).

                                  For the time being, I've resorted to implementing my own manual session timeouts but this isn't a great long term solution.

                                  Here is my test code:


                                  • 14. Re: Session Timeouts
                                    BKBK Adobe Community Professional & MVP
                                    What if you keep track of times in the application scope instead?
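
Added example, not code from any poster in this thread: a tag-based Application.cfc that sets both timeouts discussed above, logs from onSessionEnd() as reply 8 describes, and enforces the 30-minute idle limit itself on every request, the kind of manual timeout reply 13 mentions. The names session.lastActivity, session.loggedIn, session.userId, idleLimitMinutes and the sessionAudit log file are assumptions made for illustration.

```cfml
<!--- Application.cfc (added example; hypothetical names are marked below) --->
<cfcomponent output="false">
    <cfset this.name = "Test">
    <cfset this.sessionManagement = true>
    <cfset this.setClientCookies = true>
    <!--- Per-user idle limit; cannot exceed the Administrator maximum. --->
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
    <!--- Idle limit across all users; keep it longer than the session timeout. --->
    <cfset this.applicationTimeout = createTimeSpan(1, 0, 0, 0)>

    <!--- Assumed setting: idle limit, in minutes, enforced by our own check. --->
    <cfset variables.idleLimitMinutes = 30>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- lastActivity and loggedIn are hypothetical session keys. --->
        <cfset session.lastActivity = now()>
        <cfset session.loggedIn = false>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var idleMinutes = 0>
        <cflock scope="session" type="exclusive" timeout="5">
            <cfif structKeyExists(session, "lastActivity")>
                <cfset idleMinutes = dateDiff("n", session.lastActivity, now())>
            </cfif>
            <cfif idleMinutes GTE variables.idleLimitMinutes>
                <!--- Idle too long: drop the login state even if the server
                      has not yet expired the session itself. --->
                <cfset session.loggedIn = false>
                <cfset structDelete(session, "userId")>
            </cfif>
            <!--- Record this request as the user's latest activity. --->
            <cfset session.lastActivity = now()>
        </cflock>
        <cfreturn true>
    </cffunction>

    <cffunction name="onSessionEnd" returntype="void" output="false">
        <cfargument name="sessionScope" type="struct" required="true">
        <cfargument name="applicationScope" type="struct" required="false">
        <!--- Read the ended session through the argument, not the session scope. --->
        <cfif structKeyExists(arguments.sessionScope, "lastActivity")>
            <cflog file="sessionAudit" type="information"
                   text="Session ended; last activity #arguments.sessionScope.lastActivity#">
        </cfif>
    </cffunction>
</cfcomponent>
```

Pages that require a login would then test session.loggedIn on each request; comparing the sessionAudit log timestamps with the recorded last activity shows how long the server actually kept each session.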